Setting up Mobile SSO Manually

In a perfect world, we would like you to use the wizards to configure Mobile SSO because it greatly reduces the number of steps required to complete the UEM Integration AND perform the integration. The wizard will also create API Keys that are not subject to standard rate limiting.

For whatever reason that you are unable to use the wizard or the wizard did not complete successfully, you can use the blog as a guideline to complete the missing steps.

On a high level, we will need to perform the following steps:

Configure Workspace ONE Access in UEM

  1. In Groups & Settings -> All Settings -> Enterprise Integration -> Workspace ONE Access -> Configuration
  2. Enter your Access URL along with a System Domain username/password (with a super admin role).
  3. Save the Configuration

Note: Do NOT enable Active Directory Basic if you plan on using a Workspace ONE Access Connector (recommended) or you are creating users in Workspace ONE Access via a SCIM Connector .

Troubleshooting:

If this is unsuccessful. The following are things you can try:

  • Ensure you are using System Domain credentials and NOT active directory
  • Verify your system domain user is a Super Admin
  • Verify the Built-in IDP in Workspace ONE Access includes the System Directory and Password (Local Directory) is checked
  • Verify in your access policies that Password (Local Directory) is used as a fallback for your platform.
    • Try moving Password (Local Directory) up to the top temporarily.
  • Delete your existing AirWatch Configuration in Workspace ONE Access using the API. (I’ll post steps to complete this at a later date).

Create a Service Account

  1. In Accounts -> Administrators
  2. Create a new “Basic” administrator with the role “Console Administrator” (or AirWatch Administrator) for your Organization Group.
  3. Under API, select certificates and create a password
  4. Save the User and then export the certificate for the user.

Create API Keys

  1. In Groups & Settings -> All Settings -> System -> Advanced -> API -> Rest API
  2. Create two new API Keys. One will be admin and the other will be Enrollment User

Configure Workspace ONE UEM in Workspace ONE Access

  1. In the Workspace ONE Access console, go to Identity & Access Management -> Setup -> VMware Workspace ONE UEM
  2. Enter your Workspace ONE UEM API URL, ie. https://as135.awmdm.com
  3. Upload the certificate you previously created for the service account along with the password
  4. Enter your Admin API Key
  5. Enter your Enrollment User API Key
  6. Enter your top Group ID
  7. Click Save
  8. In the catalog section, enter your device services URL, ie. https://ds135.awmdm.com
  9. Enable Device Compliance
  10. Click Save

Setting up Mobile SSO for IOS

There are 4 parts to configuring Mobile SSO when the wizards are not used.
• Exporting the AirWatch CA Certificate
• Exporting the KDC Certificate
• Enable the Mobile SSO (for IOS) Authentication Method
• Create your IOS Profile in Workspace ONE UEM

Exporting the AirWatch CA Certificate

  1. In Workspace ONE UEM, go to Groups & Settings -> All Settings -> Enterprise Integration -> Workspace ONE Access -> Configuration
  2. Scroll down and Click Export and save the certificate.

Export the KDC Certificate

  1. In the Workspace ONE Access Console, go to Identity & Access Management -> Identity Providers
  2. Click on your Built-In Identity Provider
  3. Scroll down and click “Download Certificate”

Enable Mobile SSO (for IOS) Authentication Method

  1. In the Workspace ONE Access Console, go to Identity & Access Management -> Authentication Methods
  2. Click Configure for Mobile SSO (for IOS)
  3. Click Enable KDC Authentication
  4. Upload the certificate you downloaded from UEM (in Exporting the AirWatch CA Certificate)
  5. Click Save

Create your IOS Profile in Workspace ONE UEM

  1. In Workspace ONE UEM, go to Devices -> Profiles and Resources -> Profiles
  2. Click Add -> Add Profile -> IOS
  3. Profile a Name and assign a Smart Group (ie. IOS Devices).
  4. Under Credentials -> Upload the certificate we downloaded from Workspace ONE Access (in Exporting the KDC Certificate)
  5. Under SCEP -> Select “AirWatch Certificate Authority” -> “AirWatch Certificate Authority” -> “Single Sign-On”
  6. Under Single-Sign-On:
    1. Provide a Name: ie. “iOS Mobile SSO”
    1. Kerberos Principal Name -> {EnrollmentUser}”
    1. Realm -> VMWAREIDENTITY.COM (or “WORKSPACEONEACCESS.COM” or “VIDMPREVIEW.COM”)
    1. URLs -> Enter your Workspace One Access URL ie. https://dsas.vmwareidentity.com
    1. Applications -> Leave BLANK for now.
  7. Save and Publish

Note:  If you receive the following error “When trying to provision the Mobile SSO profile you receive an error that the PrincipalName contains an invalid value.”, this means that you probably have UEM usernames that contain email addresses.  Unfortunately, in IOS, you can not have the @ sign as part of the principal name.  in the case, we will need to create a transform to parse the prefix of the email address and use that in the certificate payload.

  1. In Groups and Settings -> All Settings -> Devices and Users -> General -> Lookup Fields
  2. Add Custom Field
  3. Create a name such as EmailNickName and use a regex such as “.+?(?=@)”
  1. You can then use “EmailNickName” in your Certificate Payload

Mobile SSO for Android

There are 5 parts to configuring Mobile SSO when the wizards are not used.

  • Configure the Tunnel Client and Export Tunnel Certificate
  • Enable the Mobile SSO (for Android) Authentication Method
  • Create your Android Profile in Workspace ONE UEM
  • Configure Android Apps to use Tunnel
  • Configure Device Traffic Rules

Configure the Tunnel Client

When you are configuring Android Mobile SSO, it requires you to configure the Tunnel Client. You do not need to deploy UAG.  Its also important to know that Mobile SSO will not work if you have configured another VPN client on the device.

  1. In Workspace ONE UEM, go to Groups and Settings -> All Settings -> Enterprise Integration -> VMware Tunnel
  2. Under Deployment Type, select Basic
  3. Under Hostname, select a dummy hostname. Do Not USE your Workspace ONE Access URL.
  4. Under Port, use 8443
  5. Under Service Authentication, use the default AirWatch CA
  6. Under Client Authentication, use the default AirWatch CA
    1. Export the certificate.

Enable the Mobile SSO (for Android) Authentication Method

  1. In the Workspace ONE Access Console, go to Identity & Access Management -> Authentication Method
  2. Click edit for Mobile SSO (for Android)
  3. Enable the Certificate Adapter
  4. Upload the Tunnel Certificate we just downloaded
  5. Under User Identifier Search, select “upn|email|subject”
  6. Click Save

Create your Android Profile in Workspace ONE UEM

  1. In Workspace ONE UEM, go to Devices -> Profiles and Resources -> Profiles
  2. Click Add -> Add Profile -> Android
  3. Profile a Name and assign a Smart Group (ie Android Devices).
  4. Under VPN, click Configure
  5. Save and Publish

Configure Android Apps to use Tunnel

  1. In Workspace ONE UEM, go to Apps & Books -> Applications -> Native
  2. Modify your Android Apps to use the Tunnel Profile

Configure Device Traffic Rules

  1. In Workspace ONE UEM, go to Groups and Settings -> All Settings -> Enterprise Integration -> VMware Tunnel
  2. Click Edit under Device Traffic Rules

Under Applications, select your Applications you assigned the Tunnel Profile

  1. Under Action, Select Proxy
  2. Under Web Proxy, enter: “certproxy.vmwareidentity.com:5262” or (certproxy.vidmpreivew.com:5262 or certproxy.workspaceoneaccess.com:5262) depending on where your tenant is deployed.

Do not use “cert-proxy”

  1. Click Save and Publish

Note: Android Mobile SSO requires the Tunnel Client on the Device. Make sure this application is deployed to the device.


One thought on “Setting up Mobile SSO Manually

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s