Android Single Sign On

Enabling Single Sign On for Android devices through VMware Identity Manager leverages the AirWatch Tunnel Client on an enrolled device to access enterprise applications configured for this feature. This section details the steps to configure Single Sign On to the Salesforce1 application using Identity Manager, AirWatch Tunnel and Network Traffic Rules.

Workspace ONE - Android SSO

Log into the VMware Identity Management console

1. Enable AirWatch Tunnel

  1. Click System.
  2. Click Enterprise Integration.
  3. Click AirWatch Tunnel
  4. Click Configuration
  5. Change the setting to Override.
  6. Enable AirWatch Tunnel
  7. Click Configure

Enable Basic Per-App Tunnel

Enable Basic Per-App Tunnel
  1. Set Proxy (Windows & Linux) to Disabled
  2. Set Per-App Tunnel (Linux Only) to Enabled
  3. Select Basic from the drop down.
  4. Click Next to continue

Configure Details

In this page you will need to fill in the Host Names, URLs and Ports that correspond to the specific server(s) assigned to you for this workshop.

  1. Enter a hostname. NOTE: This value can be any fully qualified domain name as it will not be directly accessed by the device.
  2. Enter 8443 in the Port field for Per App Tunneling
  3. Click Next

Select AirWatch Tunnel Certificate Settings

Select Authentication

  1. Set the Per-App Tunnel Authentication setting to Default
  2. Click Next

Create AW Tunnel Profile

  1. Click "+" to add a new profile
  2. Select Android as the platform from the drop down menu.
  3. Select Create new profile as the action from the drop down menu.
  4. Type in a name for the profile that will be created i.e. "Android SSO"
  5. Click Next to continue.

This will create a profile in the Devices > Profiles > List View page that is assigned to "All Devices" Assignment Group with the Deployment method set to "On-Demand".

Per App Tunneling Settings

  1. Set the Access Logs option to Disabled
  2. Set the NSX Communications option to Disabled
  3. Click Next to continue

Confirm AirWatch Tunnel Settings

1. Confirm Configuration Details. Click Save

2. Click the Advanced tab

Export Tunnel Device Root Certificate  

  1. Scroll down to the Authentication Sub-heading for Per-App Tunneling
  2. Select "Export Certificate"
  3. "Save File" to your the Downloads folder
  4. Click "Ok"

2. Edit VPN Profile

  1. Click Devices
  2. Click Profiles
  3. Click List View
  4. Select the pencil icon next to the Android SSO profile

Add Version

Add Version

Click "Add Version" to make changes to the profile

Publish Profile

  1. Change Assignment Type from On Demand to Auto
  2. Enter "All Devices ([email protected])" in Assigned Groups
  3. Click Save & Publish

3. Add Salesforce Application

3. Add Salesforce Application
  1. Click the + Add button on the top right corner of the console
  2. Select Public Application

Add App from URL

  1. Set Platform to Android
  2. Set Source to Enter URL
  3. Open a New tab in your Browser
  4. Navigate to

Search Play Store

  1. Open a new tab in Firefox
  2. Go to ""
  3. Enter "Salesforce" in the search bar
  4. Click the Salesforce1 application
  5. Highlight the URL, right click, select Copy
  6. Click the AirWatch Console tab

Paste URL in AirWatch

  1. Enter URL, right click, select Paste
  2. Click Next

Application Info

  1. Enter "Salesforce1" in the Name field
  2. Click Assignment tab to continue

Application Assignment

  1. Select "All Devices ([email protected])" for the Assigned Groups
  2. Click Deployment tab to continue

Enable Per App VPN

  1. Set Push Mode to Auto
  2. Enable checkbox to "Use VPN"
  3. Select "Android SSO" from the Per-App VPN Profile list
  4. Click Save & Publish

Publish Application

4. Configure Network Traffic Rules

4. Configure Network Traffic Rules
  1. Click "Groups & Settings"
  2. Click "All Settings"

Set Default Action

  1. Click System
  2. Click Enterprise Integration
  3. Click AirWatch Tunnel
  4. Click Network Traffic Rules
  5. Set the Default Action from Tunnel to "Bypass"
  6. Click "Save"

Create Network Traffic Rule for Salesforce

  1. Click "+ Add" to add an application to the Rule
  2. Set the Action to "Proxy"
  3. Enter HTTPS Proxy: ""
  4. Enter your Workspace ONE tenant hostname in the Destination Hostname field (i.e.
  5. Click "Save"
  6. Click "Publish Rules"

Enter Security PIN

Enter 4 Digit Security PIN to confirm Publish Rules

5. Configure Identity Manager for Android SSO

5. Configure Identity Manager for Android SSO
  1. Click + to open a new tab in Firefox
  2. Enter the URL of your Identity Manager instance.   The URL is in the email that  was sent to you when you started the lab.   It will have the format of "https://{firstname lastname####}" where the section in the {} will be your first name then last name then a random 4 digit number.

Login to Identity Manager

Login to Identity Manager
  1. Enter your username in the "username" field.   Your VMware Identity Manager username is in the email that was sent to you when you started the lab.
  2. Enter your password in the "password" field.   This is the password you set earlier in the lab when you clicked on the link in the email.
  3. Click Sign in

Navigate to the Identity Providers Page

Navigate to the Identity Providers Page
  1. Go to Identity & Access Management
  2. Click on Identity Providers
  3. Select the Built-In adapter

Navigate to the Built-In Adapter

Navigate to the Built-In Adapter
  1. Scroll down until you see "Mobile SSO (for Android)" in the Authentication Methods section
  2. Click the gear icon

Upload Android SSO Adapter

  1. Check the box to "Enable Certificate Adapter"
  2. Click "Select File" next to Root and Intermediate Certificates
  3. Navigate to Downloads
  4. Select "TunnelDeviceRoot.cer"
  5. Click "Open"
  6. Click "Save"

Confirm Adapter Update

Confirm Adapter Update

After save, confirm status for Mobile SSO (for Android) is "Enabled"

6. Create Access Policy for Salesforce

6. Create Access Policy for Salesforce
  1. Go to "Identity & Access Management"
  2. Select "Policies"
  3. Click "Add Policy"

Add Policy for Salesforce

Add Policy for Salesforce

Complete the following steps if you have not done so in earlier sections of the lab. Ensure that Salesforce has been added to the Catalog in Workspace ONE.

  1. Enter "Salesforce" for the Policy Name
  2. Click "Select" to choose the applications the policy will apply to

Select Salesforce Application

Select Salesforce Application
  1. Check the box to select Salesforce
  2. Click Save

Note: If you do not see the application in the list of available apps. Go to Catalog. Select "Add Application" , select "...from the cloud application catalog". Scroll down to the Salesforce App and select.

Create Access Policy

  1. Under Policy Rules click the "+" to add new policy
  2. Select "ALL RANGES" for Network Range
  3. Select "Android" for where the user is accessing from
  4. Select "Mobile SSO (for Android)" for the Authentication method
  5. Click OK
  6. Click Save on the Salesforce Access Policy

Ensure the policy saves successfully

Confirm the Salesforce policy saves successfully

7. Enroll Android Device

7. Enroll Android Device

Download the AirWatch Agent on your Device

Click "Open"

Server Details

Server Details

1. Select Server Details

Enter Environment Details

Enter Environment Details
  1. Enter "" in the hostname field
  2. Enter the groupID assigned to you at the beginning of the workshop
  3. Click "Continue"

Enter Username and Password

Enter Username and Password
  1. Enroll the device to the "imauser" account added earlier
  2. Enter "VMware1!" in the Password field
  3. Click Continue

Part 2: Secure

Part 2: Secure

Click Continue

Grant Permissions to AirWatch

Grant Permissions to AirWatch

Click Continue

Activate Device Administrator

Activate Device Administrator

Click Activate

Grant Permission

Grant Permission

Click Continue

Part 3: Configure

Part 3: Configure

Click Continue

Install Managed Applications

  1. Click "Play Store"
  2. Click "Install"
  3. Return to the AirWatch Agent to complete enrollment

Complete Enrollment

Complete Enrollment

Click Exit

Enrolled Agent

Enrolled Agent

After enrollment is completed, ensure all managed profiles and applications are downloaded.

Validate Android SSO

Note: The AirWatch Tunnel application must be present on the end user's device, but does not have to be a managed application. It can be downloaded by the user from the Play Store.

  1. Launch the Play Store
  2. Enter "AirWatch Tunnel" in the search bar
  3. Select the application & click "Install"

Allow Tunnel Connection

Allow Tunnel Connection
  1. Launch the application on your device.
  2. Click "OK" to Accept the Connection Request
  3. Return to the home screen

Launch Salesforce Application

Launch Salesforce Application
  1. Launch Salesforce1 Application
  2. Click "I Agree" to accept the User Agreement

Select Use Custom Domain

Select Use Custom Domain
  1. Select "Use Custom Domain"
  2. Type in your custom domain name ""
  3. Click Continue

Select Domain

Select Domain
  1. Select "corp.local" domain
  2. Click "Next"

Confirm Successful Login

Confirm Successful Login

Confirm that your login is successful using the Mobile SSO (for Android) adapter.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.