Integrate AirWatch and VMware Identity Manager using the Cloud Kerberos Key Distribution Center (KDC)

This section reviews how to integrate the Cloud Kerberos Key Distribution Center (KDC) between AirWatch and VMware Identity Manager.  The steps below walk through the configuration.

1. Configure VMware Identity Manager Settings in AirWatch

Navigate to All Settings

The first step in configuring the Cloud Kerberos Key Distribution Center (KDC) is to set up the VMware Identity Manager certificate in AirWatch.

  1. Click Groups & Settings.
  2. Click All Settings.

1.1. Enable the Certificate

Enable the Certificate
  1. Click System
  2. Click Enterprise Integration
  3. Click VMware Identity Manager
  4. Scroll down to the Certificate section
  5. Click Enable

1.2. Export the Certificate

Export the Certificate
  1. Scroll down to the Certificate section again.
  2. Click the Export button.

The Certificate (VidmAirWatchRootCertificate.cer) will be saved in the Downloads folder.  You will need this certificate in an upcoming step.

2. Enable and Setup Cloud Kerberos Key Distribution Center (KDC)

With the Certificate exported from AirWatch, return to your VMware Identity Manager tenant to continue the Cloud Kerberos Key Distribution Center (KDC) configuration.

2.1. Switch to VMware Identity Manager Console

Switch to VMware Identity Manager Console

Click on the VMware Workspace ONE tab to return to the VMware Identity Manager Administration Console.

2.2. Navigate to the Built-in Kerberos Configuration Page
  1. Click Identity & Access Management.
  2. Click on Authentication Methods section.
  3. Click on the Edit icon for Mobile SSO (for iOS).

2.3. Configure Mobile SSO (for iOS)

Configure Mobile SSO (for iOS)
  1. Select the Enable KDC Authentication check box.
  2. Click the Select File button for the Root and Intermediate CA Certificates.

2.4. Upload the Root Certificate

Upload the Root Certificate
  1. Select the Downloads folder.
  2. Select the VidmAirWatchRootCertificate.cer file that was downloaded previously.
  3. Click Open.

2.5. Confirm the Authentication Adapter Update

Confirm the Authentication Adapter Update

Click OK in the confirmation dialog box.

2.6. Save the Kerberos Auth Settings

Save the Kerberos Auth Settings
  1. Confirm the Certificate was uploaded.
  2. Click Save.

2.7. Navigate to the Identity Providers page
  1. Click Identity Providers
  2. Click Built-in

2.8. Download the KDC Server Root certificate

Download the KDC Server Root certificate
  1. Scroll down to the bottom of the page to find the KDC Certificate Export section.
  2. Click the Download Certificate link.

The Certificate (KDC-root-cert.cer) will be saved in the Downloads folder.  You will need this certificate in an upcoming step.

Two different certificates are exchanged here, in opposite directions.  The AirWatch root certificate exported in step 1.2 is uploaded to VMware Identity Manager so the KDC can validate the device certificates issued by the AirWatch certificate authority, while the KDC root certificate downloaded in this step is pushed to the devices in step 4 so they trust the KDC.  Do not mix the two files up in the upload steps that follow.

3. Update the Access Policy

Navigate to the Policies page

With the Built-in identity provider and its Mobile SSO (for iOS) authentication method configured, the access policy now needs a rule that uses it.

  1. Click Policies.
  2. Click the checkbox to select the default_access_policy_set.
  3. Click Edit.

3.1. Create a new Policy Rule

Create a new Policy Rule
  1. Click Configuration.
  2. Click Add Policy Rule.

3.2. Configure the new Policy Rule

Configure the new Policy Rule
  1. Select ALL RANGES for the If a user's network range is dropdown.
  2. Select iOS for the and user accessing content from dropdown.
  3. Select Authenticate using... for the Then perform this action dropdown.
  4. Select Mobile SSO (for iOS) for the then the user may authenticate using dropdown.
  5. Select Password (Local Directory) for the If the preceding method fails or is not applicable, then dropdown.

3.3. Save the New Policy Rule

  1. You may need to scroll down to find the Save button.
  2. Click Save.

3.4. Update the Policy Rules Order

Update the Policy Rules order and Save
  1. Click and drag the Mobile SSO (for iOS) handle to the top of the list.  Policy rules are evaluated in order and the first matching rule wins, so this causes our Mobile SSO (for iOS) policy to be processed first; if a broader rule (for example one that applies to all device types) sat above it, iOS users would match that rule instead and never be offered Mobile SSO.
  2. Click Save.

3.5. Save the Policy Rule Updates

  1. You may need to scroll down to find the Save button.
  2. Click Save.

4. Create AirWatch Profiles for Single Sign-On

Switch to the AirWatch Console

With our Access Policies and Identity Providers (IdP) configured, we now need to create a profile that enables an iOS device to single sign on to our VMware Identity Manager tenant.

Click on the AirWatch tab to return to the AirWatch Console.

4.1. Close the Settings Page

Close the Settings Page

If necessary, close the Settings page that was left open on a previous step by clicking on the X.

4.2. Create a Credentials Profile

Create a Credentials Profile
  1. Click Devices
  2. Click Profiles & Resources
  3. Click Profiles
  4. Hover the mouse over Add
  5. Click Add Profile

4.3. Select Apple iOS platform

Select Apple iOS platform

Click Apple iOS.

4.4. Profile General Settings

Profile General Settings
  1. Click General.
  2. Enter "iOS Identity KDC Cert" in the Name field.
  3. Scroll down if needed.
  4. Click in the Assigned Groups field and a list of groups will appear.
  5. Click All Devices ([email protected]).

4.5. Configure the Credentials Payload

Configure the Credentials Payload
  1. Click the Credentials payload.
  2. Click Configure.

4.6. Upload the KDC Root Certificate

Upload the KDC Certificate
  1. Ensure Upload is selected for the Credential Source field.
  2. Click Upload.

4.7. Browse for the KDC Root Certificate to Upload

Browse for the KDC Certificate to Upload

Click Choose File in the Add popup.

4.8. Select the KDC Root Certificate to Upload

Select the KDC Certificate to Upload
  1. Click the Downloads folder.
  2. Select the KDC-root-cert.cer file by clicking on it.
  3. Click Open.

4.9. Save the KDC Root Certificate

Click Save.

4.10. Configure the SCEP Payload

Configure the SCEP Payload
  1. Scroll down to find the SCEP payload.
  2. Click SCEP.
  3. Click Configure.

4.11. Confirm SCEP Settings

Confirm SCEP Settings
  1. Select AirWatch Certificate Authority for the Credential Source dropdown.
  2. Select AirWatch Certificate Authority for the Certificate Authority dropdown.
  3. Select Single Sign On for the Certificate Template dropdown.

4.12. Create the Single Sign-On Payload

Create the Single Sign-On Payload
  1. Scroll down to view the Single Sign-On payload.
  2. Click Single Sign-On.
  3. Click Configure.

4.13. Configure the Single Sign-On Connection Info

Configure the Single Sign-On Payload
  1. Enter a friendly name like "testsso" in the Account Name field.
  2. Enter the "{EnrollmentUser}" lookup value in the Kerberos Principal Name field.
  3. Enter "VIDMPREVIEW.COM" in the Realm field.

    NOTE - The value for Realm is case sensitive and it needs to be all upper case.
  4. Select "SCEP #1" from the Renewal Certificate dropdown.

4.14. Configure the Single Sign-On URL Prefixes and Applications

Configure the Single Sign-On Payload (continued)
  1. Scroll down until you see the URL Prefixes and Applications sections.
  2. Enter your VMware Identity Manager URL (https://{tenantName}.vidmpreview.com) in the URLs field.
    NOTE - This is the VMware Identity Manager URL you received in the email when starting the lab and also the VMware Identity Manager URL you've logged into during previous lab steps.
  3. Enter "com.apple.mobilesafari" for the Application Bundle ID field.
    NOTE - The URL prefixes and application bundle IDs are an allow-list: iOS only presents this Kerberos account to the listed URLs and apps.  If either list is left empty, the account is offered to every http(s) URL or to every app respectively, so keep both lists limited to what actually needs single sign-on.
  4. Click Save & Publish.

4.15. Publish the Profile

Publish the Profile

Click Publish.
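The Single Sign-On payload configured in steps 4.13 and 4.14 is delivered to the device as an Apple com.apple.sso payload inside the profile.  The script below is an added example, not code from this lab or from VMware/AirWatch: it builds that payload with the values used above and runs the checks worth doing before publishing (realm in upper case, explicit URL prefix and app allow-lists, a linked renewal certificate).  The principal "jdoe" stands in for whatever the {EnrollmentUser} lookup expands to, "example" stands in for the tenant name, and the SCEP payload UUID and payload identifiers are placeholders; AirWatch generates the real profile for you, so treat this as a model of what it contains and a pre-flight check, not as the console's own output.

```python
# Added example, not code from this lab or from VMware/AirWatch: it builds the
# Kerberos Single Sign-On payload (PayloadType com.apple.sso) that the profile
# configured in sections 4.13 and 4.14 pushes to the device, and checks the
# settings a reviewer would want verified before the profile is published.
import plistlib
import uuid
from typing import Dict, List

ALLOWED_SCHEMES = ("https://", "http://")


def build_sso_payload(account_name: str, principal: str, realm: str,
                      url_prefixes: List[str], app_ids: List[str],
                      renewal_cert_uuid: str) -> Dict:
    """Return a com.apple.sso payload as a dictionary.

    renewal_cert_uuid is the PayloadUUID of the SCEP payload in the same
    profile ("SCEP #1" in the console); the device uses that certificate to
    obtain and renew its Kerberos ticket.
    """
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.kerberos",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Single Sign-On",
        "Name": account_name,
        "Kerberos": {
            "Principal": principal,
            "Realm": realm,
            "URLPrefixMatches": list(url_prefixes),
            "AppIdentifierMatches": list(app_ids),
            "PayloadCertificateUUID": renewal_cert_uuid,
        },
    }


def validate_sso_payload(payload: Dict) -> List[str]:
    """Return the problems found (an empty list means the payload passes)."""
    problems: List[str] = []
    krb = payload.get("Kerberos", {})

    realm = krb.get("Realm", "")
    # The realm is case sensitive and must be upper case (VIDMPREVIEW.COM).
    if not realm or realm != realm.upper():
        problems.append(f"Realm must be upper case, got {realm!r}")

    # An absent (or empty) URLPrefixMatches lets any http(s) URL request a
    # ticket for this account; the list is an allow-list and must be explicit.
    prefixes = krb.get("URLPrefixMatches") or []
    if not prefixes:
        problems.append("URLPrefixMatches is empty: every http(s) URL would match")
    for prefix in prefixes:
        if not prefix.startswith(ALLOWED_SCHEMES):
            problems.append(f"URL prefix {prefix!r} must start with http:// or https://")

    # Same for AppIdentifierMatches: empty means every app may use the account.
    apps = krb.get("AppIdentifierMatches") or []
    if not apps:
        problems.append("AppIdentifierMatches is empty: every app could use the account")
    if any(app.strip() in ("*", ".*") for app in apps):
        problems.append("AppIdentifierMatches contains a bare wildcard")

    if not krb.get("PayloadCertificateUUID"):
        problems.append("No renewal certificate (PayloadCertificateUUID) is linked")
    return problems


def build_profile(payloads: List[Dict],
                  display_name: str = "iOS Identity KDC Cert") -> bytes:
    """Wrap payloads in a top-level configuration profile and return plist XML."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": "com.example.ios-identity-kdc",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def parse_profile(data: bytes) -> Dict:
    """Parse plist XML back into a dictionary (for inspection and tests)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed values mirroring the lab: "jdoe" stands in for what the
    # {EnrollmentUser} lookup expands to, "example" for the tenant name, and
    # the SCEP UUID is a placeholder for the real SCEP #1 payload's UUID.
    scep_uuid = "0B6D2C63-4B3A-4E6C-9E7F-6A2D9C1E5F10"
    sso = build_sso_payload("testsso", "jdoe", "VIDMPREVIEW.COM",
                            ["https://example.vidmpreview.com"],
                            ["com.apple.mobilesafari"], scep_uuid)
    print("problems:", validate_sso_payload(sso) or "none")
    print(build_profile([sso]).decode())
```

Run it as a script to print the generated profile XML; validate_sso_payload returns an empty list for the lab's values and a list of findings for a payload with a lower-case realm or empty allow-lists, which is the case worth catching before a profile reaches every device in the assigned group.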