Android Single Sign On
Enabling Single Sign On for Android devices through VMware Identity Manager leverages the AirWatch Tunnel Client on an enrolled device to access enterprise applications configured for this feature. This section details the steps to configure Single Sign On to the Salesforce1 application using Identity Manager, AirWatch Tunnel and Network Traffic Rules.
Workspace ONE - Android SSO
Log in to the VMware Identity Management console
1. Enable AirWatch Tunnel
- Click System.
- Click Enterprise Integration.
- Click AirWatch Tunnel
- Click Configuration
- Change the setting to Override.
- Enable AirWatch Tunnel
- Click Configure
Enable Basic Per-App Tunnel
- Set Proxy (Windows & Linux) to Disabled
- Set Per-App Tunnel (Linux Only) to Enabled
- Select Basic from the drop down.
- Click Next to continue
Configure Details
On this page you will need to fill in the Host Names, URLs and Ports that correspond to the specific server(s) assigned to you for this workshop.
- Enter a hostname. NOTE: This value can be any fully qualified domain name as it will not be directly accessed by the device.
- Enter 8443 in the Port field for Per App Tunneling
- Click Next
Create AW Tunnel Profile
- Click "+" to add a new profile
- Select Android as the platform from the drop down menu.
- Select Create new profile as the action from the drop down menu.
- Type in a name for the profile that will be created i.e. "Android SSO"
- Click Next to continue.
This will create a profile in the Devices > Profiles > List View page that is assigned to "All Devices" Assignment Group with the Deployment method set to "On-Demand".
Per App Tunneling Settings
- Set the Access Logs option to Disabled
- Set the NSX Communications option to Disabled
- Click Next to continue
Confirm AirWatch Tunnel Settings
- Confirm Configuration Details. Click Save
- Click the Advanced tab
2. Edit VPN Profile
- Click Devices
- Click Profiles
- Click List View
- Select the pencil icon next to the Android SSO profile
Add Version
Click "Add Version" to make changes to the profile
Publish Profile
- Change Assignment Type from On Demand to Auto
- Enter "All Devices ([email protected])" in Assigned Groups
- Click Save & Publish
3. Add Salesforce Application
- Click the + Add button on the top right corner of the console
- Select Public Application
Add App from URL
- Set Platform to Android
- Set Source to Enter URL
- Open a New tab in your Browser
- Navigate to https://play.google.com
Search Play Store
- Open a new tab in Firefox
- Go to "play.google.com"
- Enter "Salesforce" in the search bar
- Click the Salesforce1 application
- Highlight the URL, right click, select Copy
- Click the AirWatch Console tab
Application Assignment
- Select "All Devices ([email protected])" for the Assigned Groups
- Click Deployment tab to continue
Enable Per App VPN
- Set Push Mode to Auto
- Enable checkbox to "Use VPN"
- Select "Android SSO" from the Per-App VPN Profile list
- Click Save & Publish
Publish Application
Click Publish
4. Configure Network Traffic Rules
- Click "Groups & Settings"
- Click "All Settings"
Set Default Action
- Click System
- Click Enterprise Integration
- Click AirWatch Tunnel
- Click Network Traffic Rules
- Set the Default Action from Tunnel to "Bypass"
- Click "Save"
Create Network Traffic Rule for Salesforce
- Click "+ Add" to add an application to the Rule
- Set the Action to "Proxy"
- Enter HTTPS Proxy: "certproxy.vmwareidentity.com:5262"
- Enter your Workspace ONE tenant hostname in the Destination Hostname field (i.e. firstNameLastName.vmwareidentity.com)
- Click "Save"
- Click "Publish Rules"
Enter Security PIN
Enter 4 Digit Security PIN to confirm Publish Rules
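Added example, not part of the original guide or of AirWatch: a simplified Python model of the Network Traffic Rules configured in step 4, showing which connections are sent to the certificate proxy and which bypass the tunnel, plus a check that flags deviations from the guide's settings. First-match evaluation, exact hostname comparison and the app names are assumptions; the tenant hostname is the guide's placeholder.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    app: str          # application the rule is assigned to
    destination: str  # "Destination Hostname" field
    action: str       # "Tunnel", "Bypass" or "Proxy"
    proxy: str = ""   # "HTTPS Proxy" field, host:port


# Values from step 4; the tenant hostname is the guide's placeholder.
DEFAULT_ACTION = "Bypass"
RULES = [Rule("Salesforce", "firstNameLastName.vmwareidentity.com",
              "Proxy", "certproxy.vmwareidentity.com:5262")]


def normalize(host):
    """Hostnames compare case-insensitively; ignore a trailing root dot."""
    return host.strip().rstrip(".").lower()


def route(app, host, rules=RULES, default=DEFAULT_ACTION):
    """Return (action, proxy) for one connection. First match wins (assumption)."""
    for rule in rules:
        if rule.app == app and normalize(rule.destination) == normalize(host):
            return rule.action, rule.proxy
    return default, ""


def audit(rules, default):
    """List deviations from what the guide configures."""
    findings = []
    if default != "Bypass":
        findings.append("default action is %r, guide sets Bypass" % default)
    for rule in rules:
        host, _, port = rule.proxy.rpartition(":")
        if rule.action == "Proxy" and not (host and port.isdigit()):
            findings.append("%s: HTTPS Proxy must be host:port" % rule.app)
    return findings


if __name__ == "__main__":
    # Constructed sample connections (app, destination host).
    for app, host in [("Salesforce", "FirstNameLastName.vmwareidentity.com."),
                      ("Salesforce", "login.salesforce.com"),
                      ("Browser", "firstNameLastName.vmwareidentity.com")]:
        print(app, host, "->", route(app, host))
    print(audit(RULES, DEFAULT_ACTION) or "rules match the guide")
```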
5. Configure Identity Manager for Android SSO
- Click + to open a new tab in Firefox
- Enter the URL of your Identity Manager instance. The URL is in the email that was sent to you when you started the lab. It will have the format of "https://{firstname lastname####}.vmwareidentity.com" where the section in the {} will be your first name then last name then a random 4 digit number.
Log in to Identity Manager
- Enter your username in the "username" field. Your VMware Identity Manager username is in the email that was sent to you when you started the lab.
- Enter your password in the "password" field. This is the password you set earlier in the lab when you clicked on the link in the email.
- Click Sign in
Navigate to the Identity Providers Page
- Go to Identity & Access Management
- Click on Identity Providers
- Select the Built-In adapter
Navigate to the Built-In Adapter
- Scroll down until you see "Mobile SSO (for Android)" in the Authentication Methods section
- Click the gear icon
Upload Android SSO Adapter
- Check the box to "Enable Certificate Adapter"
- Click "Select File" next to Root and Intermediate Certificates
- Navigate to Downloads
- Select "TunnelDeviceRoot.cer"
- Click "Open"
- Click "Save"
Confirm Adapter Update
After save, confirm status for Mobile SSO (for Android) is "Enabled"
6. Create Access Policy for Salesforce
- Go to "Identity & Access Management"
- Select "Policies"
- Click "Add Policy"
Add Policy for Salesforce
Complete the following steps if you have not done so in earlier sections of the lab. Ensure that Salesforce has been added to the Catalog in Workspace ONE.
- Enter "Salesforce" for the Policy Name
- Click "Select" to choose the applications the policy will apply to
Select Salesforce Application
- Check the box to select Salesforce
- Click Save
Note: If you do not see the application in the list of available apps, go to Catalog, select "Add Application", then select "...from the cloud application catalog". Scroll down to the Salesforce app and select it.
Create Access Policy
- Under Policy Rules click the "+" to add new policy
- Select "ALL RANGES" for Network Range
- Select "Android" for where the user is accessing from
- Select "Mobile SSO (for Android)" for the Authentication method
- Click OK
- Click Save on the Salesforce Access Policy
7. Enroll Android Device
Download the AirWatch Agent on your Device
Click "Open"
Server Details
- Select Server Details
Enter Environment Details
- Enter "hol.awmdm.com" in the hostname field
- Enter the groupID assigned to you at the beginning of the workshop
- Click "Continue"
Enter Username and Password
- Enroll the device to the "imauser" account added earlier
- Enter "VMware1!" in the Password field
- Click Continue
Part 2: Secure
Click Continue
Grant Permissions to AirWatch
Click Continue
Activate Device Administrator
Click Activate
Grant Permission
Click Continue
Part 3: Configure
Click Continue
Install Managed Applications
- Click "Play Store"
- Click "Install"
- Return to the AirWatch Agent to complete enrollment
Complete Enrollment
Click Exit
Enrolled Agent
After enrollment is completed, ensure all managed profiles and applications are downloaded.
Validate Android SSO
Note: The AirWatch Tunnel application must be present on the end user's device, but does not have to be a managed application. It can be downloaded by the user from the Play Store.
- Launch the Play Store
- Enter "AirWatch Tunnel" in the search bar
- Select the application & click "Install"
Allow Tunnel Connection
- Launch the application on your device.
- Click "OK" to Accept the Connection Request
- Return to the home screen
Launch Salesforce Application
- Launch Salesforce1 Application
- Click "I Agree" to accept the User Agreement
Select Use Custom Domain
- Select "Use Custom Domain"
- Type in your custom domain name "yourDomain-dev-ed.my.salesforce.com"
- Click Continue
Select Domain
- Select "corp.local" domain
- Click "Next"
Confirm Successful Login
Confirm that your login is successful using the Mobile SSO (for Android) adapter.