Setting up Workspace ONE Single Sign-on (SSO) and Conditional Access

VMware Identity Manager, as part of Workspace ONE, provides Single Sign-On (SSO) capabilities for iOS, Android, Windows 10 and macOS.

The following guide details how to set this up for all four operating systems.  Mobile SSO is also a prerequisite for Workspace ONE UEM (formerly AirWatch) device compliance checking, which lets the administrator ensure that users can only access applications from a compliant device.

I’ve also provided a number of resources if you’re integrating Workspace ONE UEM and VMware Identity Manager with Okta too.

Integrate applications with the VMware Identity Manager to enable single sign-on (SSO)

First off, ensure you’ve connected your on-premises Active Directory to both your Workspace ONE UEM and vIDM tenants:

  • Workspace ONE UEM – via the AirWatch Cloud Connector (ACC)
  • vIDM – via the Identity Manager Connector

This is illustrated as follows:

ACC and ESC

Then integrate Workspace ONE UEM and Identity Manager with each other.  From Workspace ONE UEM 1902 or later, you can do this by enabling Hub Services as per the following instructions. See this VMware docs article for further information.

There are a range of great online guides detailing how to set up a number of applications within VMware Identity Manager.  Check out the following guides:

  • VMware Identity Manager Integration with Salesforce (January 2019 v2) – link
  • Integrate Salesforce with vIDM (from the VMware LiveFire team) – link
  • Integrating Salesforce with VMware Identity Manager: VMware Workspace ONE Operational Tutorial (April 2019) – link
  • Federating Office 365 with vIDM (from the VMware LiveFire team) – link

With this enabled, you can log in to VMware Identity Manager from a web browser on your PC and then test SSO into a range of SaaS applications.


Mobile Single Sign-On Wizard

Much of the SSO setup can be completed using the Mobile Single Sign-On Wizard. It is available by logging into the Workspace ONE UEM console and selecting Getting Started – Workspace ONE – Mobile Single Sign-On – Configure.

I’ve found this wizard will configure many of the settings below; however, you can then verify this configuration using the step-by-step instructions below.  For example, I found that my SCEP settings for Windows and macOS needed to be changed to Certificate (Cloud Deployment) and they were not automatically configured.

Setting up iOS SSO

For iOS device authentication, VMware Identity Manager uses an identity provider that is built in to the VMware Identity Manager (vIDM) service to provide access to mobile SSO authentication. This authentication method for iOS devices uses a Key Distribution Center (KDC) without the use of a connector or a third-party system. Kerberos authentication provides users, who are successfully signed in to their domain, access to their Workspace ONE apps portal without additional credential prompts.

Enable the Workspace ONE UEM Certificate Authority

One option is to use a Microsoft Certificate Authority; alternatively, use the built-in Workspace ONE UEM Certificate Authority, as shown here.

  1. Select Groups And Settings – All Settings – System – Enterprise Integration – VMware Identity Manager – Configuration.  Click on the Enable button.  The page then shows that certificate provisioning is enabled.
  2. Select Export to export the Issuer Certificate and save this to your computer.  We’ll use this later for iOS, Windows 10 and macOS (Android uses the VMware Tunnel root certificate instead; see the Android section).

Configure Mobile SSO (for iOS) Authentication Method

Note: Ensure you’ve setup the ability to manage Apple devices by creating an APNS certificate as per this guide.

  1. Open the VMware Identity Manager console and select Identity & Access Management – Manage – Authentication Methods.   Click the pencil for Mobile SSO (for iOS).
  2. Select Enable KDC Authentication.  The Realm is populated automatically; note it down, as you’ll need it for the iOS profile below.
  3. Click on the Select File button to browse and then upload the issuer certificate you exported from Workspace ONE UEM (AirWatch).
  4. When the certificate is uploaded it is listed on the same page.
  5. Select Save
  6. Navigate to Identity & Access Management – Manage – Identity Providers.  Select the Built-In Identity Provider.  Browse to Authentication Methods and select Mobile SSO (for iOS) and Device Compliance (with AirWatch).
  7. Select Save
  8. Re-open the Built-In Identity Provider you just saved, browse to KDC Certificate Export and select Download Certificate.  This is the KDC root certificate you’ll distribute to iOS devices using Workspace ONE UEM in the steps below.
  9. Navigate to Identity & Access Management – Policies and modify the default access policy so that the rule for iOS devices uses Mobile SSO (for iOS). Save this new Policy Rule.
  10. Click Save

Create an Apple iOS Profile to deploy Identity Provider Settings

  1. Within the Workspace ONE UEM administration console, navigate to Devices – Profiles & Resources – Profiles.  Select Add – Add Profile – iOS.
  2. In the General tab:
    • Provide a name such as iOS Kerberos SSO
    • Select Smart Groups and select your group of devices. ie. All Devices 
  3. Change to the Credentials tab and upload the KDC Certificate you downloaded in Step 8 above, e.g. KDC-root-cert.cer
  4. Change to the SCEP section and configure the SCEP payload to request the device certificate from the Workspace ONE UEM Certificate Authority you enabled earlier (if you ran the Mobile Single Sign-On Wizard, verify the settings it populated here).
  5. Change to the Single Sign-On tab.
    • For the account name enter Kerberos.
    • For the Kerberos Principal Name, click + and select {EnrollmentUser}.
    • For the realm name, enter the realm shown in the Mobile SSO (for iOS) authentication method earlier.  (In my case VIDMPREVIEW.COM, but most likely VMWAREIDENTITY.COM)
    • Under renewal certificate, select SCEP #1.
    • For URL Prefixes, enter the full URL of your tenant, and under Applications add the apps which need SSO.  In my lab I entered Salesforce which then allowed me to select com.salesforce.com (for the Salesforce app).  I also selected com.apple.mobilesafari for the Safari browser.
  6. Select Save and Publish.
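The fields on the Single Sign-On tab map onto Apple’s com.apple.sso (Single Sign-On Account) payload that Workspace ONE UEM ultimately pushes to the device. The script below is an added example (not from the original post and not Workspace ONE UEM’s own code) that builds the equivalent profile with plistlib and runs the sanity checks worth doing before publishing: the realm matches the KDC realm exactly, every URL prefix is https, at least one app identifier is listed, the renewal certificate reference points at the SCEP payload in the same profile, and the KDC root certificate payload is present. The tenant URL, realm, SCEP URL and payload identifiers are placeholder assumptions, and the DER bytes passed in are constructed, not a real certificate.

```python
"""Added example: build and sanity-check the iOS Kerberos SSO profile."""
import plistlib
import uuid

# Placeholder values (assumptions, not from the original post).
TENANT_URL = "https://tenant.vmwareidentity.com/"
REALM = "VMWAREIDENTITY.COM"
SCEP_URL = "https://scep.example.com/scep"   # hypothetical SCEP endpoint


def _base(payload_type, display_name):
    """Common keys every Apple configuration payload needs."""
    pid = str(uuid.uuid4())
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadUUID": pid,
        "PayloadIdentifier": f"com.example.{payload_type}.{pid}",
        "PayloadDisplayName": display_name,
    }


def build_profile(kdc_root_der, principal="{EnrollmentUser}", realm=REALM,
                  url_prefixes=(TENANT_URL,),
                  app_ids=("com.salesforce.com", "com.apple.mobilesafari")):
    # Credentials tab: the KDC root certificate exported from vIDM.
    root = _base("com.apple.security.root", "KDC root certificate")
    root["PayloadContent"] = kdc_root_der
    # SCEP tab: the device certificate request ("SCEP #1" in the UEM console).
    scep = _base("com.apple.security.scep", "SCEP #1")
    scep["PayloadContent"] = {
        "URL": SCEP_URL, "Name": "AirWatch Certificate Authority",
        "Subject": [[["CN", principal]]], "Key Type": "RSA", "Keysize": 2048,
    }
    # Single Sign-On tab: account name, principal, realm, URL prefixes, apps,
    # and the renewal certificate (points at the SCEP payload above).
    sso = _base("com.apple.sso", "Kerberos SSO")
    sso["Name"] = "Kerberos"
    sso["Kerberos"] = {
        "PrincipalName": principal,
        "Realm": realm,
        "URLPrefixMatches": list(url_prefixes),
        "AppIdentifierMatches": list(app_ids),
        "PayloadCertificateUUID": scep["PayloadUUID"],
    }
    profile = _base("Configuration", "iOS Kerberos SSO")
    profile["PayloadContent"] = [root, scep, sso]
    return profile


def check_profile(profile):
    """Return the list of problems that would stop iOS offering Kerberos SSO."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    sso = [p for p in payloads if p["PayloadType"] == "com.apple.sso"]
    if len(sso) != 1:
        return ["profile must contain exactly one com.apple.sso payload"]
    k = sso[0]["Kerberos"]
    if k["Realm"] != k["Realm"].upper():
        problems.append("realm must be upper-case and match the vIDM KDC realm exactly")
    if not k["URLPrefixMatches"]:
        problems.append("no URL prefixes: Kerberos is never offered")
    for url in k["URLPrefixMatches"]:
        if not url.startswith("https://"):
            problems.append(f"URL prefix {url!r} is not https://")
    if not k["AppIdentifierMatches"]:
        problems.append("no app identifiers: no app can use the account")
    renew = by_uuid.get(k.get("PayloadCertificateUUID"))
    if renew is None or renew["PayloadType"] != "com.apple.security.scep":
        problems.append("PayloadCertificateUUID must reference a SCEP payload in this profile")
    if not any(p["PayloadType"] == "com.apple.security.root" for p in payloads):
        problems.append("KDC root certificate payload missing")
    return problems


def to_plist(profile):
    return plistlib.dumps(profile)


def from_plist(data):
    return plistlib.loads(data)


if __name__ == "__main__":
    prof = build_profile(b"\x30\x82constructed-not-a-real-DER")
    print(check_profile(prof) or "profile looks sane")
    print(to_plist(prof).decode()[:200])
```

Feed the same checks to a profile exported from the UEM console (it is XML plist) to confirm the wizard populated the realm and URL prefixes you expect.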

Verifying iOS SSO

With the settings applied to an iOS device, you can see these settings under Settings – General – Device Management – Device Manager as shown below.

You should then be able to log in to Workspace ONE (via the app) or Safari on your iOS device, select your SaaS application and sign in without being prompted for a password.  SSO from within the mobile applications themselves will now work too.

Setting up Android SSO

Note: Ensure you’ve setup Android Enterprise Integration with Workspace ONE as per this video.

There is a great guide titled Android Mobile Single Sign-On to VMware Workspace ONE, however I’ve detailed the steps I followed below to setup SSO with Android.

Setup VMware Tunnel Configuration

  1. In the Workspace ONE UEM administration console, navigate to Groups and Settings – All Settings – System – Enterprise Integration – VMware Tunnel.
  2. The first time you configure VMware Tunnel, select Configuration.  If required, change the current setting from Inherit to Override.
  3. Now select Configure and follow the configuration wizard.
  4. In the Configuration Type page, enable Per-App Tunnel (Linux Only).  Leave Basic as the VPN configuration type.
  5. Click Next
  6. In the Details page, enter a dummy value in the text box, as this field is not required for the single sign-on configuration.
  7. Click Next
  8. On the Per-App Tunnel SSL Certificate window, do NOT select the Use Public SSL Certificate checkbox.  Click Next
  9. On the Authentication window, ensure Per-App Tunnel Authentication is selected.
  10. If prompted with Please wait while the Authentication settings load. Are you sure you wish to continue? click OK
  11. Leave the Miscellaneous tab as default, click Next to continue
  12. Review the final settings
  13. Click Save to finish
  14. Navigate to the Advanced tab within the VMware Tunnel configuration page and download the Root certificate using the Export button. This is the certificate you’ll upload to VMware Identity Manager for the Mobile SSO (for Android) authentication method later.

Create an Android Profile to deploy Identity Provider Settings

  1. Within the Workspace ONE UEM administration console, navigate to Devices – Profiles & Resources – Profiles.  Select Add – Add Profile – Android.
  2. In the General tab:
    • Provide a name such as Android SSO
    • Select Smart Groups and select your group of devices. ie. All Devices 
  3. Select VPN and click Configure.
  4. You can accept the defaults.  I simply changed the Connection Name to Android Mobile SSO.
  5. Click Save and Publish

Publish the VMware Tunnel application

The VMware Tunnel application is required for Android SSO. Therefore we’ll publish this application to everyone’s Android device as per the following steps:

  1. In the Workspace ONE UEM console, navigate to Apps & Books – Applications – List View.
  2. Select the Public tab
  3. Select Add Application, select the Platform as Android
  4. Enter VMware Tunnel as the name of the application and click Next
  5. Select the application name and click Approve and click Approve again
  6. Select Keep approved when app requests new permissions and click Save
  7. Click Save & Assign
  8. Click Add Assignment
  9. Complete the Assignment configuration.  You may wish to select Auto as the application delivery method, so the Tunnel app is deployed to all devices.
  10. Click Add and then Click Save & Publish.
  11. Click Publish

Enable Per-App VPN for Android Apps

  1. In the Workspace ONE UEM console, navigate to Apps & Books – Applications – List View.
  2. Select either the Internal or Public tab
  3. Select Add Application, select the Platform as Android
  4. Enter the name of the application and click Next
  5. Select the application name and click Select if prompted to approve the application
  6. Click Save & Assign
  7. Click Add Assignment
  8. Complete the Assignment configuration.  Ensure the App Tunneling option is enabled.
  9. Click Add and then Click Save & Publish.

 

Configure Network Traffic Rules

  1. In the Workspace ONE UEM console, navigate to Groups and Settings – All Settings – System – Enterprise Integration – VMware Tunnel – Network Traffic Rules.
  2. Verify or create the Deployment Details and Server Authentication settings.
  3. Within the Device Traffic Rules page, first enable all the Apps that you want to use Android SSO, for example Salesforce.

  4. Next set the following:
    • Set the Action type to Proxy
    • Configure the Web Proxy option to point to the CertProxy address for your vIDM region, on port 5262 if you’re using a SaaS vIDM tenant.  For example:
      • certproxy.vmwareidentity.com:5262
      • certproxy.vmwareidentity.asia:5262
      • certproxy.vmwareidentity.com.au:5262
      • In my case it was certproxy.vidmpreview.com:5262
    • Likewise for the Destination Hostname, enter your vIDM tenant name (no port) in the form <tenant>.vmwareidentity.<top-level domain>. For example:
      • <tenant>.vmwareidentity.com
      • <tenant>.vmwareidentity.asia
      • <tenant>.vmwareidentity.com.au
      • In my case it was td-darrylm.vidmpreview.com
  5. Click Save and Publish

 

Configure Identity Manager to utilise Mobile SSO for Android

  1. Open the Identity Manager console and select Identity & Access Management – Authentication Methods – Mobile SSO (for Android). Click the Pencil icon to configure this feature.
  2. Select Enable Certificate Adapter
  3. Click on the Select File button to browse and then upload the Root certificate you exported from the VMware Tunnel Advanced tab in Workspace ONE UEM earlier.  Click OK to accept the uploaded certificate.
  4. Select Save
  5. Navigate to Identity & Access Management – Manage – Identity Providers.  Select the Built-In Identity Provider.  Browse to Authentication Methods and select Mobile SSO (for Android) and Device Compliance (with AirWatch).
  6. Select Save
  7. For reference I’ve provided a screen capture of my final Identity Provider configuration with all four operating systems enabled with SSO:

  8. Now navigate to Identity & Access Management – Policies and modify the default access policy so that the rule for Android devices uses Mobile SSO (for Android). Save this new Policy Rule.

Verifying Android SSO

Start the VMware Tunnel application and you’ll see the applications you enabled with App Tunnel listed:

You should then be able to login to Workspace ONE (via the application), then select your applicable SaaS application and successfully sign-in without being prompted for a password.

Enabling Conditional Access

The compliance checking policy rule in VMware Identity Manager works in an authentication chain with Mobile SSO for iOS, Mobile SSO for Android, and Certificate cloud deployment (for Windows 10 and macOS – see below).  This allows you to ensure that only compliant devices are then able to get access to applications as outlined above.

iOS and Android Conditional Access

Since we’ve set a policy rule for iOS and Android we can easily edit these again and include the requirement that the devices are compliant from a Workspace ONE UEM perspective. I called this policy Managed Devices Only and included the applications which should be applied such as Salesforce. See the following policies as an example:

Compliance Rules

This only allows the user to access Salesforce if their device is enrolled in Workspace ONE UEM AND the device is compliant.  Combined with detailed Workspace ONE UEM compliance rules, you can block access if the device is jailbroken/rooted, has blacklisted applications installed, and so on.  See the following articles for further details:

  • Managing Access Policies to Apply to Users – link
  • Configure Access Policy Rule – link

 

Windows 10 and macOS Conditional Access

For Windows 10 and macOS, we’ll leverage the Workspace ONE UEM built in Certificate Authority to deploy a user certificate to the operating systems.

  1. Download the Workspace ONE UEM issuer (CA) certificate from the Workspace ONE UEM console under Groups & Settings – All Settings – System – Enterprise Integration – VMware Identity Manager – Configuration (this is the same Issuer Certificate exported in the iOS section). If certificate provisioning is not enabled, enable it and then download the certificate. NOTE: this certificate can only be generated at a Customer type Organization Group.
  2. Go to the VMware Identity Manager Console, select the Identity & Access Management tab, then select Manage – Authentication Methods.
  3. In the Authentication Methods section, click Certificate (Cloud Deployment)
  4. Check the box for Enable Certificate Adapter
  5. Click Select File and upload the Root CA certificate that you obtained from the Workspace ONE UEM console in Step 1
  6. You will see it under Uploaded CA Certificates as CN=<OGNAME>.  In my case it’s listed as CN=VMwaredarrylm
  7. The options available on this page are as follows. In production, leave revocation checking enabled so that a certificate the UEM CA has revoked cannot continue to authenticate:
    • Enable certificate adapter – Select the check box to enable certificate authentication.
    • Root and intermediate CA certificates – Select the certificate files to upload. You can select multiple root CA and intermediate CA certificates that are encoded as DER or PEM.
    • Uploaded CA certificates – The uploaded certificate files are listed in the Uploaded CA Certificates section of the form.
    • Use email if no UPN in certificate – If the user principal name (UPN) does not exist in the certificate, select this check box to use the emailAddress attribute of the Subject Alternative Name extension to validate users’ accounts.
    • Certificate policies accepted – Create a list of object identifiers (OIDs) that are accepted in the certificate policies extension. Enter the OIDs for your certificate issuing policy; click Add another value to add additional OIDs.
    • Enable cert revocation – Select the check box to enable certificate revocation checking. Revocation checking prevents users whose user certificates have been revoked from authenticating.
    • Use CRL from certificates – Select the check box to use the certificate revocation list (CRL) published by the CA that issued the certificates to check whether a certificate is revoked.
    • CRL Location – Enter the server file path or the local file path from which to retrieve the CRL.
    • Enable OCSP Revocation – Select the check box to use the Online Certificate Status Protocol (OCSP) to get the revocation status of a certificate.
    • Use CRL in case of OCSP failure – If you configure both CRL and OCSP, select this check box to fall back to the CRL if OCSP checking is not available.
    • Send OCSP Nonce – Select this check box if you want the unique identifier of the OCSP request to be sent in the response.
    • OCSP URL – If you enabled OCSP revocation, enter the OCSP server address for revocation checking.
    • OCSP responder’s signing certificate – Enter the path to the OCSP responder’s certificate, /path/to/file.cer.
    • Enable consent form before authentication – Select this check box to show a consent form page before users log in to their Workspace ONE portal using certificate authentication.
    • Consent form content – Type the text that displays in the consent form.
  8. Click  Save
  9. I then edited my Managed Devices Only Policy and included Windows 10 and macOS.
  10. As suggested by Jon Towels, it’s recommended to have a Fallback method for each of your policies in case certificate authentication is not available, for example allowing the user to use a username/password to ensure they can still get access to IT services.  Bear in mind that Device Compliance only chains with the Mobile SSO and Certificate (Cloud Deployment) methods, so a rule that falls back to password will admit a non-compliant or unenrolled device whose user can supply a password; decide deliberately which policies and apps get that fallback.
  11. I’d also recommend reviewing the advanced settings for each of your policies and changing the default custom error message.  This gives the end user a more tailored message explaining why they cannot access the resource unless their device is enrolled into Workspace ONE.
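To make the policy semantics above concrete (rules per device type, a chain of methods that must all succeed, fallback chains tried in order, an app-specific policy overriding the default one, and a custom error message on denial), the following is an added model written for this page; it is not VMware code and does not talk to vIDM. It also makes the fallback caveat visible: with a password fallback on the Managed Devices Only policy, a non-compliant iOS device still reaches Salesforce. The method names mirror the vIDM console; the device records are constructed test data, and the rule that a password is always accepted is an assumption standing in for a real credential check.

```python
"""Added example: model vIDM access policy evaluation and the fallback caveat."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Authentication method names as they appear in the vIDM console.
MOBILE_SSO_IOS = "Mobile SSO (for iOS)"
MOBILE_SSO_ANDROID = "Mobile SSO (for Android)"
CERT_CLOUD = "Certificate (Cloud Deployment)"
DEVICE_COMPLIANCE = "Device Compliance (with AirWatch)"
PASSWORD = "Password"

# Which SSO method each device type uses (as set up in the sections above).
SSO_METHODS = {"iOS": MOBILE_SSO_IOS, "Android": MOBILE_SSO_ANDROID,
               "Windows 10": CERT_CLOUD, "macOS": CERT_CLOUD}


@dataclass
class Device:
    os: str              # "iOS", "Android", "Windows 10" or "macOS"
    enrolled: bool       # enrolled in Workspace ONE UEM
    compliant: bool      # current UEM compliance status
    has_cert: bool = True  # holds the UEM-issued cert / KDC ticket, so SSO can run


@dataclass
class Rule:
    device_type: str
    chain: List[str]                                   # every method must succeed
    fallback: List[List[str]] = field(default_factory=list)  # tried in order


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    apps: Optional[Set[str]] = None   # None = default access policy
    error_message: str = "Access denied"


def _method_ok(method, device):
    """Assumed outcome of each method for a given device state."""
    if method in (MOBILE_SSO_IOS, MOBILE_SSO_ANDROID, CERT_CLOUD):
        return device.enrolled and device.has_cert
    if method == DEVICE_COMPLIANCE:
        return device.enrolled and device.compliant
    if method == PASSWORD:
        return True   # assumption: the user can always type a valid password
    raise ValueError(f"unknown method {method!r}")


def evaluate(policies, device, app):
    """App-specific policy beats the default; the matching device rule is tried
    with its primary chain first, then each fallback chain in order."""
    specific = [p for p in policies if p.apps and app in p.apps]
    pol = specific[0] if specific else next(p for p in policies if p.apps is None)
    rule = next((r for r in pol.rules if r.device_type == device.os), None)
    if rule is None:
        return False, None, pol.error_message
    for chain in [rule.chain] + rule.fallback:
        if all(_method_ok(m, device) for m in chain):
            return True, " + ".join(chain), None
    return False, None, pol.error_message


def managed_devices_only(password_fallback=False):
    """The 'Managed Devices Only' policy from the post, scoped to Salesforce."""
    rules = [Rule(os_name, [sso, DEVICE_COMPLIANCE],
                  fallback=[[PASSWORD]] if password_fallback else [])
             for os_name, sso in SSO_METHODS.items()]
    return Policy("Managed Devices Only", rules, apps={"Salesforce"},
                  error_message="Enrol this device in Workspace ONE to access this app")


DEFAULT_POLICY = Policy("default_access_policy_set",
                        [Rule(os_name, [PASSWORD]) for os_name in SSO_METHODS])


if __name__ == "__main__":
    policies = [managed_devices_only(), DEFAULT_POLICY]
    for dev in (Device("iOS", True, True), Device("iOS", True, False),
                Device("Windows 10", False, False)):
        print(dev.os, dev.enrolled, dev.compliant, evaluate(policies, dev, "Salesforce"))
    # The caveat: a password fallback lets the non-compliant device through.
    print(evaluate([managed_devices_only(True), DEFAULT_POLICY],
                   Device("iOS", True, False), "Salesforce"))
```

Run it with your own policy set written out as Rule/Policy objects: any device state that returns True via "Password" for an app you intended to restrict is a gap in your conditional access.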

Deploy User Certificate for Windows 10 Conditional Access

  1. Now return to Workspace ONE UEM console and go to Devices – Profiles & Resources -Profiles.
  2. For Windows 10, click on Add – Add Profile
  3. Select Windows
  4. Select Windows Desktop
  5. Select User Profile
  6. Configure the General Page
  7. Configure the SCEP payload as follows:
    • Credential Source: AirWatch Certificate Authority
    • Certificate Authority: AirWatch Certificate Authority
    • Certificate Template:  Certificate (Cloud Deployment)
    • Issuer: CN=<Any Name>
  8. Click Save
  9. When the Windows 10 PC is enrolled a user certificate is deployed to the device.

Deploy User Certificate for macOS Conditional Access

The process for macOS is almost identical to Windows 10 outlined in the previous section.

  1. In the Workspace ONE UEM console go to Devices – Profiles & Resources – Profiles.
  2. For macOS, click on Add – Add Profile
  3. Select macOS
  4. Select User Profile
  5. Configure the General Page
  6. Click SCEP and configure the settings as follows:
    • Credential Source: AirWatch Certificate Authority
    • Certificate Authority: AirWatch Certificate Authority
    • Certificate Template:  Certificate (Cloud Deployment)
    • Select Allow Access to all applications
  7. Click Save
  8. When the Mac is enrolled the MDM profile containing the user certificate is installed on the device.

You should now be only able to access applications if your device is compliant in Workspace ONE UEM.  Below are some example compliance rules I used for my testing:

Compliance Rules Example

That’s it!  Your users can access their applications easily (using SSO) and you can ensure that this occurs only if their device is enrolled and compliant.

What about Okta?

There are many Workspace ONE clients that see the mutual benefits of both solutions. There are already a range of excellent articles available which detail how you can integrate Workspace ONE UEM, VMware Identity Manager and Okta.  Please check out these excellent articles:

  • Configure Conditional Access Policies in Workspace ONE with Okta – link.
  • Enhancing your Zero Trust Architecture with Okta Identity Cloud and Workspace ONE by Pete Lindley (VMware) – link
  • (New paper 11 March 2019) Integrating VMware Workspace ONE with Okta (Beta) – link  (You’ll need a My VMware Account. You can sign-up for a free ID from here).
  • Integrating Okta: VMware Workspace ONE Operational Tutorial (Techzone) – link

 

You have now set up Workspace ONE UEM SSO and Conditional Access!

If you have any questions on Workspace ONE, I’d recommend checking out the Workspace ONE community forum.  If you would like further information, you can also contact me directly via my blog contact page.

Darryl

 

References / Acknowledgements:

  • Configuring Mobile SSO For iOS In Workspace One UEM (AirWatch) by Justin Johnson (VMware) – link  (I used Justin’s for the iOS SSO section and updated some items, used default IDP etc)
  • Configuring Mobile Single Sign-On for iOS (from the Quick-Start Tutorial Series for Cloud-Based VMware Workspace ONE) – link
  • Andrew Price (Specialist Systems Engineering. End User Computing, VMware Australia) – who provided our team with a step by step guide to setup Android SSO (which is detailed above)
  • I read this great blog post after posting this article above.  It’s titled Device Compliance with Identity Manager – the less obvious implementation details by Arsen Bandurian – link

Article updated 26 March 2019: to note the Fallback method for vIDM policies.
Article updated 18 April 2019: additional info on connectors and the custom error message.
Article updated 16 June 2019: additional Okta integration information.
Article updated 1 August 2019: include new Android screens for the 1907 release.
