Integrate AirWatch and Identity Manager
1. Setup AirWatch for API Integration with Identity Manager
1.1. Navigate to All Settings
- Click Groups & Settings
- Click All Settings
1.2. Add an API key for Identity Manager Admin
- Click System
- Click Advanced
- Click API
- Click REST API
- Select Override
- Click +Add
- In the new "Service" row, enter the name Identity Manager Admin
- Select the API Key and copy it to the clipboard by using Ctrl-C
1.3. Launch Notepad++
- Click the Start button
- Click Notepad++
1.4. Create a new file in Notepad++
- Click File
- Click New
1.5. Paste the Admin API Key into Notepad++
Press Ctrl-V to paste the Admin API Key into the new Notepad++ file
1.6. Add an API Key for Identity Manager User
- Click +Add
- In the new "Service" row, enter the name Identity Manager User
- Select the API Key and copy it to the clipboard by using Ctrl-C
- Click Save
1.9. Add Admin Account
- Enter your VMware Identity Manager Username. This is the username you used to login to VMware Identity Manager in a previous step.
- Enter VMware1! in the "Password" field
- Enter VMware1! in the "Confirm Password" field
- Enter your First Name in the "First Name" field
- Enter your Last Name in the "Last Name" field
- Enter your Email Address in the "Email Address" field
- Click on the Roles tab
1.10. Configure Admin Roles
- Click in the "Organization Group" field and select your Organization Group
- Click in the "Role" field and select Console Administrator
- Click on the API tab
1.11. Configure Admin Authentication
- Click the Certificates tab
- Enter VMware1! in the "Certificate Password" field
- Click Save
1.12. Edit the Admin Account
- Click Accounts
- Click Administrators
- Click List View
- Click on the Edit Icon
1.13. Export the Admin Certificate
- Click the API tab
- Enter VMware1! in the "Certificate Password" field
- Click the Export Client Certificate button, then click OK on the Save File pop-up
- Click Save
2. Setup AirWatch for iOS Kerberos Authentication with Identity Manager
2.1. Navigate to All Settings
- Click Groups & Settings
- Click All Settings
2.2. Enable the Certificate
- Click System
- Click Enterprise Integration
- Click VMware Identity Manager
- Click Enable
3. Configure Identity Manager for iOS Kerberos Integration and API Integration with AirWatch
3.1. Switch to the VMware Identity Manager Console
Click on the "VMware Workspace One" tab
3.2. Navigate to Directories Settings
- Click Identity & Access Management
- Confirm that the Directory and Users have been synced.
3.4. Navigate to the Built-in Kerberos Configuration Page
- Scroll down the window until you find "Mobile SSO for iOS".
- Click on the gear icon
3.5. Configure Built-in Kerberos
- Check the "Enable KDC Authentication" box
- Click Select File
- Select the "Downloads" folder
- Select the "VidmAirWatchRootCertificate.cer" file
- Click Open
- Click OK in the confirmation dialog box
3.6. Save the Kerberos Auth Settings
- Confirm the Certificate was uploaded.
- Click Save
4. Download the KDC Server Root certificate
- Scroll down to the bottom of the page
- Click Download Certificate
- Click OK
- Click Save after the Certificate Download is complete
4.1. Navigate to Identity & Access Management Setup page
- Click Identity & Access Management
- Click Setup
4.3. Select the Certificate
- Click Downloads in the left pane
- Select the certificate download from the AirWatch console.
- Click Open
4.4. Configure API Integration
- Enter https://hol.awmdm.com into the AirWatch API URL field
- Enter VMware1! in the Certificate Password field
- Paste the Admin API Key from Notepad++ into the AirWatch Admin API Key field (the first value in Notepad++)
- Paste the Enrolled User API Key (the "Identity Manager User" key, the second value in Notepad++) into the AirWatch Enrolled User API Key field
- Enter your AirWatch Group ID into the AirWatch Group ID field - See the Lab Guidance chapter at the beginning of the lab if you don't know how to find this.
- Click Save
4.5. Enable Username/Password Authentication
- Scroll to the bottom of the Settings page
- Select Enable in the "User Password Authentication through AirWatch" section
- Click Save
4.6. Enable Unified Catalog
In the "Unified Catalog" section, do the following:
- Select Enable
- Click Save
4.7. Navigate to the Default Access Policy
- Click Identity & Access Management
- Click Policies
- Click default_access_policy_set
4.9. Configure the new Policy Rule
- Select ALL RANGES in the Network Range dropdown
- Select iOS in the device type dropdown
- Select Mobile SSO (for iOS) from the Authentication Method dropdown
- Confirm that the "Re-authenticate" time is 8 hours
- Click OK
4.10. Update the Policy Rules order and Save
- Move the new Policy Rule to the top by clicking on the double arrow icon and dragging it to the top of the list
- Click Save
4.12. Add a new Policy Rule
Click on the "+" sign to add a new rule
4.13. Policy Settings
- Select ALL RANGES for the applied network ranges.
- Select Web Browser in the second drop-down (the user's device type).
- Set Authentication Method to Password (AirWatch Connector).
- Select OK.
4.14. Save the Policy Settings
- Click and drag the handle to move the Web Browser rule you just created to the 2nd in the list.
- Click Save.
4.16. Enable All Users and All Ranges
- In the "Users" section, confirm that the check box next to "corp.local" is checked
- In the "Network" section, check the box for "ALL RANGES"
4.17. Configure the Password (AirWatch Connector) Authentication Method
Click the gear icon for "Password (AirWatch Connector)"
4.18. Enable the Password (AirWatch Connector) Authentication Method
- Confirm that "ACC Password Authentication" is enabled.
- Click Save
5. Validate the Username/Password Authentication
5.2. Open a New Private Window
Click New Private Window
5.3. Navigate to Identity Manager
In the URL field enter the address of your Identity Manager tenant. It has the form https://{firstnamelastname1234}.vmwareidentity.com, that is, your first name, last name and four digits followed by .vmwareidentity.com.
5.4. Select the Domain in Identity Manager
If the configuration was done correctly you should be prompted to "Select your domain" and the "corp" domain should be shown.
Click Next
5.5. Sign In with a domain account
- Enter imauser
- Enter VMware1!
- Click Sign in
6. Configure the iOS Kerberos Single Sign-On Profile
6.1. Switch to the AirWatch Console
Click on the AirWatch tab in Firefox
6.2. Close the Settings Page
If necessary, close the "Settings" page that was left open on a previous step by clicking on the X
6.3. Create a Credentials Profile
- Click Devices
- Click Profiles
- Click List View
- Hover the mouse over Add
- Click Add Profile
6.4. Select Apple iOS platform
Click Apple iOS
6.5. Profile General Settings
- Click General
- Enter "iOS Identity KDC Cert" in the "Name" field
- Click in the "Assigned Groups" field and a list of Groups will appear. Click All Devices ([email protected])
6.8. Select the KDC Certificate to Upload
- Click Browse
- Click Downloads
- Select the KDC-root-cert.cer file by clicking on it
- Click Open
6.12. Configure the Single Sign-On Payload
- Enter a friendly name like testsso in the "Account Name" field
- Enter {EnrollmentUser} in the "Kerberos Principal Name" field
- Enter VMWAREIDENTITY.COM in the "Realm" field
- Select SCEP #1 from the "Renewal Certificate" drop down
- Enter the VMware Identity Manager URL (https://{firstnamelastname1234}.vmwareidentity.com) in the "URL" field
- Click on the Add button twice in the "Applications" section
- Enter the following Bundle IDs:
- com.apple.mobilesafari
- com.salesforce.chatter
- com.air-watch.appcenter
- Click Save & Publish
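The Single Sign-On payload that step 6.12 builds, and that step 7.7 later verifies on the device, rendered as the Apple configuration-profile dictionary the device actually receives. This is an added example, not lab material and not AirWatch or Identity Manager code. It assumes Apple's standard com.apple.sso payload keys (Name, Kerberos with PrincipalName, Realm, URLPrefixMatches, AppIdentifierMatches and PayloadCertificateUUID), a constructed tenant host in place of {firstnamelastname1234}, a constructed certificate UUID for the SCEP #1 renewal certificate, and that the {EnrollmentUser} lookup value resolves to the lab user imauser.

```python
"""iOS Single Sign-On (Kerberos) payload from the lab's step 6.12.

Added example: not part of the lab and not AirWatch or Identity Manager
code. It assumes the standard Apple "com.apple.sso" payload keys and a
constructed tenant host, certificate UUID and enrollment user.
"""
import plistlib
from urllib.parse import urlsplit

# Values typed into the Single Sign-On payload in step 6.12. The tenant host
# is a constructed placeholder for the lab's {firstnamelastname1234}.
SSO_SETTINGS = {
    "account_name": "testsso",
    "principal_template": "{EnrollmentUser}",   # AirWatch lookup value
    "realm": "VMWAREIDENTITY.COM",
    "url": "https://firstnamelastname1234.vmwareidentity.com",
    "bundle_ids": [
        "com.apple.mobilesafari",
        "com.salesforce.chatter",
        "com.air-watch.appcenter",
    ],
}


def resolve_lookup_values(template: str, enrollment_user: str) -> str:
    """Substitute the {EnrollmentUser} lookup value per device, as the
    console does when the profile is published."""
    return template.replace("{EnrollmentUser}", enrollment_user)


def build_sso_payload(settings: dict, enrollment_user: str, cert_uuid: str) -> dict:
    """Return the com.apple.sso payload dictionary for one enrolled user.

    cert_uuid is the PayloadUUID of the SCEP certificate payload selected as
    the "Renewal Certificate" (a constructed value in this example).
    """
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.lab.sso.kerberos",  # constructed
        "PayloadUUID": "6f5e4d3c-0000-4000-8000-000000000001",  # constructed
        "PayloadDisplayName": "iOS Identity KDC Cert",
        "Name": settings["account_name"],
        "Kerberos": {
            "PrincipalName": resolve_lookup_values(settings["principal_template"], enrollment_user),
            "Realm": settings["realm"],
            # A trailing slash makes the prefix match the whole host, not any
            # host that merely begins with the tenant name.
            "URLPrefixMatches": [settings["url"].rstrip("/") + "/"],
            "AppIdentifierMatches": list(settings["bundle_ids"]),
            "PayloadCertificateUUID": cert_uuid,
        },
    }


def check_sso_payload(payload: dict) -> list:
    """The checks of step 7.7 (principal name, realm, URL prefixes, eligible
    app IDs) as code; an empty list means the payload looks right."""
    problems = []
    kerberos = payload["Kerberos"]
    if "{" in kerberos["PrincipalName"]:
        problems.append("PrincipalName still contains an unresolved lookup value")
    if kerberos["Realm"] != kerberos["Realm"].upper():
        problems.append("Kerberos realm must be upper-case")
    for prefix in kerberos["URLPrefixMatches"]:
        if urlsplit(prefix).scheme != "https" or not prefix.endswith("/"):
            problems.append("URL prefix must be https and end with '/': " + prefix)
    if "com.apple.mobilesafari" not in kerberos["AppIdentifierMatches"]:
        problems.append("Safari is not an eligible app, so the step 7.10 test would prompt")
    return problems


def sso_applies(payload: dict, bundle_id: str, url: str) -> bool:
    """Whether the device would offer Kerberos SSO for this app and URL: the
    app must be eligible and the URL must start with a configured prefix."""
    kerberos = payload["Kerberos"]
    return (bundle_id in kerberos["AppIdentifierMatches"]
            and any(url.startswith(p) for p in kerberos["URLPrefixMatches"]))


def to_plist(payload: dict) -> bytes:
    """Serialize to the XML plist form an MDM delivers inside a profile."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    payload = build_sso_payload(SSO_SETTINGS, "imauser", "scep-1-uuid-constructed")
    print(to_plist(payload).decode())
    print("problems:", check_sso_payload(payload))
```

Running the module prints the plist for imauser and an empty problem list. The four fields step 7.7 asks you to verify on the device map one-to-one onto PrincipalName, Realm, URLPrefixMatches and AppIdentifierMatches, and sso_applies shows why the URL prefix ends in a slash: a request to a different host that merely starts with the tenant name does not match, so the device never presents the Kerberos credential to it.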
7. Validate iOS Kerberos Single Sign-On
7.1. Enroll an iOS Device
Enroll an iOS device into your Organization Group in hol.awmdm.com. Enroll as the directory user imauser with the password VMware1!.
7.2. Open Settings
Click Settings
7.3. Navigate to General Settings, Digital Workspace
- Click General
- Scroll down until you see "Device Management" and then click on it
7.4. Open the Digital Workspace profile
Click Digital Workspace
7.5. View More Details
Click More Details
7.6. Open the Single Sign-On Account
You should see the single sign on account that you added in the Profile created in the previous section.
Click testsso
7.7. Verify Settings
Verify that the Principal Name, Realm, URL Prefix Matches and Eligible App IDs are all correct.
7.8. Clear the Safari Cache
Navigate back to the main Settings page.
- Click Safari
- Click Clear History and Website Data
7.9. Launch Safari on the iOS device.
Click the Safari icon
7.10. Navigate to Identity Manager in Safari
- Enter the URL of your Identity Manager tenant in the URL bar.
- Click Go
7.11. Workspace One Single Sign-On
Notice that Identity Manager signs you in without prompting for a username or password: the Kerberos Single Sign-On profile authenticates the device.
7.12. Identity Manager Application Catalog
You are now signed into Workspace One. There are no applications visible because they haven't been added in Identity Manager or AirWatch.