Integrate AirWatch and Identity Manager

1. Setup AirWatch for API Integration with Identity Manager

1.1. Navigate to All Settings

Navigate to All Settings
  1. Click Groups & Settings
  2. Click All Settings

1.2. Add an API key for Identity Manager Admin

  1. Click System
  2. Click Advanced
  3. Click API
  4. Click REST API
  5. Select Override
  6. Click +Add
  7. In the new "Service" row, enter the name Identity Manager Admin
  8. Select the API Key and copy it to the clipboard by using Ctrl-C

1.3. Launch Notepad++

Launch Notepad++
  1. Click the Start button
  2. Click Notepad++

1.4. Create a new file in Notepad++

Create a new file in Notepad++
  1. Click File
  2. Click New

1.5. Paste the Admin API Key into Notepad++

Enter Ctrl-V which will paste the API Key into Notepad++

1.6. Add an API Key for Identity Manager User

  1. Click +Add
  2. In the new "Service" row, enter the name Identity Manager User
  3. Select the API Key and copy it to the clipboard by using Ctrl-C
  4. Click Save

1.7. Paste the User API Key into Notepad++

On a newline in Notepad++, enter Ctrl-V

1.8. Navigate to the Add Admin page

  1. Click Add
  2. Click Admin

1.9. Add Admin Account

Add Admin Account
  1. Enter your VMware Identity Manager Username.   This is the username you used to login to VMware Identity Manager in a previous step.  
  2. Enter VMware1! in the "Password" field
  3. Enter VMware1! in the "Confirm Password" field
  4. Enter your First Name in the "First Name" field
  5. Enter your Last Name in the "Last Name" field
  6. Enter your Email Address in the "Email Address" field
  7. Click on the Roles tab

1.10. Configure Admin Roles

Configure Admin Roles
  1. Click in the "Organization Group" field and select your Organization Group
  2. Click in the "Role" field and select Console Administrator
  3. Click on the API tab

1.11. Configure Admin Authentication

Configure Admin Authentication
  1. Click the Certificates tab
  2. Enter VMware1! in the "Certificate Password" field
  3. Click Save

1.12. Edit the Admin Account

  1. Click Accounts
  2. Click Administrators
  3. Click List View
  4. Click on the Edit Icon

1.13. Export the Admin Certificate

Export the Admin Certificate
  1. Click the API tab
  2. Enter VMware1! in the "Certificate Password" field
  3. Click the Export Client Certiifcate button, then click OK on the Save File pop-up
  4. Click Save

2. Setup AirWatch for iOS Kerberos Authentication with Identity Manager

2.1. Navigate to All Settings

Navigate to All Settings
  1. Click Groups & Settings
  2. Click All Settings

2.2. Enable the Certificate

  1. Click System
  2. Click Enterprise Integration
  3. Click VMware Identity Manager
  4. Click Enable

2.3. Export the Certificate

  1. Click Export
  2. The "Save File" dialog will pop-up, click OK

The Certificate will be saved in the "Downloads" folder.

 

3. Configure Identity Manager for iOS Kerberos Integration and API Integration with AirWatch

3.1. Switch to VMware Identity Manger Console

Switch to VMware Identity Manger Console

Click on the "VMware Workspace One" tab

3.2. Navigate to Directories Settings

  1. Click Identity & Access Management
  2. Confirm that the Directory and Users have been synced.

3.3. Navigate to the Identity Providers page

  1. Click Identity Providers
  2. Click Built-in

3.4. Navigate to the Built-in Kerberos Configuration Page

  1. Scroll down the window until you find "Mobile SSO for iOS".
  2. Click on the gear icon

3.5. Configure Built-in Kerberos

  1. Check the "Enable KDC Authenticatoin
  2. Click Select File
  3. Select the "Downloads" folder
  4. Select the "VidmAirWatchRootCertificate.cer" file
  5. Click Open
  6. Click OK in the confirmation dialog box

 

3.6. Save the Kerberos Auth Settings

Save the Kerberos Auth Settings
  1. Confirm the Certificate was uploaded.
  2. Click Save

4. Download the KDC Server Root certificate

  1. Scroll down to the bottom of the page
  2. Click Download Certificate
  3. Click OK
  4. Click Save after the Certificate Download is complete

4.1. Navigate to Identity & Access Management Setup page

  1. Click Identity & Access Management
  2. Click Setup

4.2. Upload the API Certificate

  1. Click AirWatch
  2. Click Upload Certificate

4.3. Select the Certificate

Select the Certificate
  1. Click Downloads in the left pane
  2. Select the certificate download from the AirWatch console.
  3. Click Open

4.4. Configure API Integration

  1. Enter https://hol.awmdm.com into the AirWatch API URL field
  2. Enter VMware1! in the Certificate Password field
  3. Paste the Admin API Key from Notepad++ into the AirWatch Admin API Key (the first value in Notepad)
  4. Paste the Admin Enrolled User API Key from Notepad++ into the AirWatch Enrolled User API Key (the second value in Notepad)
  5. Enter your AirWatch Group ID into the AirWatch Group ID field - See the Lab Guidance chapter at the beginning of the lab if you don't know how to find this.
  6. Click Save

4.5. Enable Username/Password Authentication

  1. Scroll to the bottom of the Settings page
  2. Select Enable in the "User Password Authentication through AirWatch" section
  3. Click Save

4.6. Enable Unified Catalog

In the "Unified Catalog" section, do the following:

  1. Select Enable
  2. Click Save

4.7. Navigate to the Default Access Policy

  1. Click Identity & Access Management
  2. Click Policies
  3. Click default_access_policy_set

4.8. Configure the Default Access Policy

Select the + icon to configure a new policy.

4.9. Configure the new Policy Rule

Configure the new Policy Rule
  1. Select ALL RANGES in the Network Range dropdown
  2. Select iOS in the device type dropdown
  3. Select Mobile SSO (for iOS) from the Authentication Method dropdown
  4. Confirm that the "Re-authenticate" time is 8 hours
  5. Click OK

4.10. Update the Policy Rules order and Save

  1. Move the new Policy Rule to the top by clicking on the double arrow icon and dragging it to the top of the list
  2. Click Save

4.11. Navigate to the Default Access Policy

4.12. Add a new Policy Rule

Add a new Policy Rule

Click on the "+" sign to add a new rule

4.13. Policy Settings

Policy Settings
  1. Select ALL RANGES for the applied network ranges.
  2. Select Web Browser in the 2nd drop done for user client.
  3. Set Authentication Method to Password (AirWatch Connector).
  4. Select OK.

4.14. Save the Policy Settings

Save the Policy Settings
  1. Click and drag the handle to move the Web Browser rule you just created to the 2nd in the list.
  2. Click Save.

4.15. Navigate to Identity Providers

  1. Click Identity Providers
  2. Click Built-in

4.16. Enable All Users and All Ranges

  1. In the "Users" section, confirm that the check box next to "corp.local" is checked
  2. In the "Network" section, check the box for "ALL RANGES"

4.17. Configure the Password (AirWatch Connector) Authentication Method

Click the gear icon for "Password (AirWatch Connector)"

4.18. Enable the Password (AirWatch Connector) Authentication Method

Enable the Password (AirWatch Connector) Authentication Method
  1. Confirm that "ACC Password Authentication" is enabled.
  2. Click Save

4.19. Save the Identity Providers Settings

5. Validate the Username/Password Authentication

5.1. Open Firefox Settings Menu

Open the Firefox settings menu by clicking on the "hamburger" menu.

5.2. Open a New Private Window

Open a New Private Window

Click New Private Window

5.3. Navigate to Identity Manager

Navigate to Identity Manager

In the URL field enter the address of your Identity Manager tenant.   It should be first name last name four numbers then .vmwareidentity.com.

5.4. Select the Domain in Identity Manager

Select the Domain in Identity Manager

If the configuration was done correctly you should be prompted to "Select your domain" and the "corp" domain should be shown.

Click Next

5.5. Sign In with a domain account

Sign In with a domain account
  1. Enter imauser
  2. Enter VMware1!
  3. Click Sign in

5.6. Successful Login Validation

The App Catalog in Identity Manager should be displayed.   This validates that Identity Manager was able to use AirWatch Cloud Connector to authenticate the user against Active Directory.

Close this instance of Firefox by clicking on the "X" in the upper right corner.

6. Configure the iOS Kerberos Single Sign-On Profile

6.1. Switch to the AirWatch Console

Switch to the AirWatch Console

Click on the AirWatch tab in Firefox

6.2. Close the Settings Page

Close the Settings Page

If necessary, close the "Settings" page that was left open on a previous step by clicking on the X

6.3. Create a Credentials Profile

Create a Credentials Profile
  1. Click Devices
  2. Click Profiles
  3. Click List View
  4. Hover the mouse over Add
  5. Click Add Profile

6.4. Select Apple iOS platform

Select Apple iOS platform

Click Apple iOS

6.5. Profile General Settings

  1. Click General
  2. Enter "iOS Identity KDC Cert" in the "Name" field
  3. Click in the "Assigned Groups" field and a list of Groups will appear.    Click All Devices ([email protected])

6.6. Configure the Credentials Payload

6.7. Upload the KDC Certificate

6.8. Select the KDC Certificate to Upload

Select the KDC Certificate to Upload
  1. Click Browse
  2. Click Downloads
  3. Select the KDC-root-cert.cer file by clicking on it
  4. Click Open

6.9. Configure the SCEP Payload

  1. Click <--> SCEP
  2. Click Configure

6.10. Confirm SCEP Settings

Confirm that the AirWatch Certificate Authority is configured

6.11. Create the Single Sign-On Payload

  1. Click Single Sign-On
  2. Click Configure

6.12. Configure the Single Sign-On Payload

  1. Enter a friendly name like testsso in the "Account Name" field
  2. Enter {EnrollmentUser} in the "Kerberos Principal Name" field
  3. Enter VMWAREIDENTITY.COM in the "Realm" field
  4. Select SCEP #1 from the "Renewal Certificate" drop down
  5. Enter the VMware Identity Manager URL (https://{firstnamelastname1234}.vmwareidentity.com) int the "URL" field
  6. Click on the Add button twice in the "Applications" section
  7. Enter the following Bundle ID's:
    - com.apple.mobilesafari
    - com.salesforce.chatter
    - com.air-watch.appcenter
  8. Click Save & Publish

6.13. Publish the Profile

7. Validate iOS Kerberos Single Sign-On

7.1. Enroll an iOS Device

Enroll an iOS device into your Organization Group in hol.awmdm.com.   Enroll as the Directory User user imauser with the password VMware1!.

7.2. Open Settings

Open Settings

Click Settings

7.3. Navigate to General Settings, Digital Workspace

Navigate to General Settings, Digital Workspace
  1. Click General
  2. Scroll down until you see "Device Management" and then click on it

7.4. Open the Digital Workspace profile

Open the Digital Workspace profile

Click Digital Workspace

7.5. View More Details

View More Details

Click More Details

7.6. Open the Singe Sign On Account

Open the Singe Sign On Account

You should see the single sign on account that you added in the Profile created in the previous section.

Click testsso

7.7. Verify Settings

Verify Settings

Verify that the Principal Name, Realm, URL Prefix Matches and Eligible App IDs are all correct.

7.8. Clear the Safari Cache

Clear the Safari Cache

Navigate back to the main Settings page.

  1. Click Safari
  2. Click Clear History and Website Data

7.9. Launch Safari on the iOS device.

Launch Safari on the iOS device.

Click the Safari icon

7.10. Navigate to Identity Manager in Safari

Navigate to Identity Manager in Safari
  1. Enter the URL of your Identity Manager tenant in the URL bar.
  2. Click Go

7.11. Workspace One Single Sign-On

Workspace One Single Sign-On

Notice that Identity Manager is signing you in without requiring any authentication.

7.12. Identity Manager Application Catalog

Identity Manager Application Catalog

You are now signed into Workspace One.  There are no applications visible because they haven't been added in Identity Manager or AirWatch.

0 Comments

Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.