AirWatch Hands-on Labs
VMworld 2051
HOL-2051-13-UEM
Module 2 - Setup Single Sign-On for Workspace ONE

Integrate Workspace ONE UEM and Workspace ONE Access using the Cloud Kerberos Key Distribution Center (KDC)

You will now integrate the Cloud Kerberos Key Distribution Center (KDC) between Workspace ONE UEM and Workspace ONE Access to establish trust between the two services and allow your domain users to Single Sign-On into the Workspace ONE catalog by providing a certificate for authentication.

Continue to the next step.

1. Configure Workspace ONE Access Settings in Workspace ONE UEM

Navigate to All Settings

The first step in configuring the Cloud Kerberos Key Distribution Center (KDC) is to set up the Workspace ONE Access certificate in Workspace ONE UEM.

  1. Click Groups & Settings
  2. Click All Settings

1.1. Enable Workspace ONE UEM Certificate Provisioning

Enable the Certificate
  1. Click System
  2. Click Enterprise Integration
  3. Click VMware Identity Manager
  4. Click Configuration
  5. Scroll down to the Certificate section
  6. Click Enable

1.2. Export the Certificate

Export the Certificate
  1. Scroll back down to the Certificate section
  2. Click the Export button
  3. Click Close (X) to exit the Workspace ONE Access Configuration settings page

The Certificate file (VidmAirWatchRootCertificate.cer) will be saved in the Downloads folder.  You will need this certificate in an upcoming step.

2. Enable and Setup Cloud Kerberos Key Distribution Center (KDC)

Switch to the VMware Identity Manager Console

With the Certificate exported from Workspace ONE UEM, return to your Workspace ONE Access tenant to continue the Cloud Kerberos Key Distribution Center (KDC) configuration.

Click on the VMware Workspace ONE tab to return to the Workspace ONE Access Administration Console.

2.1. Navigate to the Built-in Kerberos Configuration Page

Navigate to the Built-in Kerberos Configuration Page
  1. Click Identity & Access Management
  2. Click Authentication Methods
  3. Click on the Edit icon for Mobile SSO (for iOS)

2.2. Configure Mobile SSO (for iOS)

Configure Mobile SSO (for iOS)
  1. Enable the Enable KDC Authentication check box.
  2. Click the Select File button for Root and Intermediate CA Certificates

2.3. Upload the Root Certificate

Upload the Root Certificate
  1. Select the Downloads folder
  2. Select the VidmAirWatchRootCertificate.cer file that was downloaded
  3. Click Open

2.4. Confirm the Authentication Adapter Update

Confirm the Authentication Adapter Update

Click OK in the confirmation dialog box.

2.5. Save the Kerberos Auth Settings

Save the Kerberos Auth Settings
  1. Confirm the Certificate was uploaded
  2. Click Save

2.6. Navigate to the Identity Providers page

Navigate to the Identity Providers page
  1. Click Identity Providers
  2. Click Built-in

2.7. Download the KDC Server Root Certificate

Download the KDC Server Root certificate
  1. Scroll down to the bottom of the page to find the KDC Certificate Export section
  2. Click the Download Certificate link

The Certificate (KDC-root-cert.cer) will be saved in the Downloads folder.  You will need this certificate in an upcoming step.

3. Update the Access Policy

Navigate to the Policies page

With the Identity Provider (IdP) configured, you now need to update the Access Policies to use the Built-In Identity Provider (IdP).

  1. Click Policies
  2. Click Edit Default Policy

3.1. Create a new Policy Rule

Create a new Policy Rule
  1. Click Configuration
  2. Click Add Policy Rule

3.2. Configure the new Policy Rule

Configure the new Policy Rule

You will now configure a new Access Policy Rule to allow your iOS devices in any network range to authenticate using the Mobile SSO (for iOS) authentication method you configured.  As a backup, you will allow users to enter their Password to also authenticate to the Workspace ONE catalog.

  1. Select ALL RANGES for If a user's network range is
  2. Select All Device Types for and user accessing content from
  3. Select Authenticate using... for Then perform this action
  4. Select Mobile SSO (for iOS) for then the user may authenticate using
  5. Select Password (AirWatch Connector) for If the preceding method fails or is not applicable

3.3. SAVE the Policy Rule

  1. Scroll down until you see the option to SAVE.
  2. Click SAVE to continue.

3.4. Update the Policy Rules Order

Update the Policy Rules order and Save
  1. Click and drag the Mobile SSO (for iOS) handle to the top of the list.  This causes our Mobile SSO (for iOS) Policy to be processed first.
  2. Click NEXT

3.5. Save the Policy Rule Updates

Click SAVE to apply the new Access Policy changes.

You have now successfully configured the Mobile SSO (for iOS) authentication method in Workspace ONE Access and set up your Access Policies to authenticate your iOS devices using this authentication method!
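The order you set in step 3.4 matters because access policy rules are evaluated top to bottom and the first rule whose network range and device type match decides which authentication chain the user gets; the chain itself is walked in order, with each method used only if the preceding one fails or is not applicable. The following is an added example (not Workspace ONE Access's own evaluation code) that models this first-match behaviour with the rule from step 3.2. The pre-existing default rule is assumed here to be a password-only rule (the lab does not show its contents), and the example goes slightly beyond the lab by also accepting CIDR network ranges instead of only ALL RANGES.

```python
import ipaddress

# Constructed rules modelling the lab's policy. The "Default" rule's contents
# are an assumption: the lab text never shows what the existing rule contains.
MOBILE_SSO_RULE = {
    "name": "Mobile SSO (for iOS)",
    "network_ranges": ["ALL RANGES"],
    "device_types": ["All Device Types"],
    # "If the preceding method fails or is not applicable" -> Password
    "auth_chain": ["Mobile SSO (for iOS)", "Password (AirWatch Connector)"],
}
DEFAULT_RULE = {
    "name": "Default",
    "network_ranges": ["ALL RANGES"],
    "device_types": ["All Device Types"],
    "auth_chain": ["Password (AirWatch Connector)"],
}


def in_range(client_ip, network_ranges):
    """True if the client IP falls in any listed range; ALL RANGES matches everything."""
    if "ALL RANGES" in network_ranges:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in network_ranges)


def rule_matches(rule, client_ip, device_type):
    """A rule applies when both its network-range and device-type conditions hold."""
    device_ok = ("All Device Types" in rule["device_types"]
                 or device_type in rule["device_types"])
    return device_ok and in_range(client_ip, rule["network_ranges"])


def select_rule(rules, client_ip, device_type):
    """First match wins: list order is the priority order (hence step 3.4)."""
    for rule in rules:
        if rule_matches(rule, client_ip, device_type):
            return rule
    return None


def choose_method(auth_chain, applicable_methods):
    """Walk the chain; a later method is only reached if earlier ones do not apply."""
    for method in auth_chain:
        if method in applicable_methods:
            return method
    return None


def decide(rules, client_ip, device_type, applicable_methods):
    """Return (rule name, chosen method) for a request, or None if no rule matches."""
    rule = select_rule(rules, client_ip, device_type)
    if rule is None:
        return None
    return rule["name"], choose_method(rule["auth_chain"], applicable_methods)


if __name__ == "__main__":
    both = {"Mobile SSO (for iOS)", "Password (AirWatch Connector)"}
    password_only = {"Password (AirWatch Connector)"}  # device without the KDC cert
    print("correct order, cert present :", decide([MOBILE_SSO_RULE, DEFAULT_RULE], "10.0.0.5", "iOS", both))
    print("correct order, cert missing :", decide([MOBILE_SSO_RULE, DEFAULT_RULE], "10.0.0.5", "iOS", password_only))
    print("wrong order (default first) :", decide([DEFAULT_RULE, MOBILE_SSO_RULE], "10.0.0.5", "iOS", both))
```

With the Mobile SSO rule on top, an iOS device that holds the KDC certificate gets Mobile SSO and one that does not falls back to Password; with the default rule left on top, the password rule matches first and Mobile SSO is never offered, which is the misconfiguration step 3.4 prevents.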

4. Create Workspace ONE UEM Profiles for Single Sign-On

Switch to the AirWatch Console

Your Access Policies and Identity Provider (IdP) authentication methods are now configured and ready to allow a Single Sign-On login for your iOS devices.  However, the iOS devices will require the KDC Root certificate that your Workspace ONE Access tenant trusts to enable this Single Sign-On experience.

You will now configure an iOS Profile in Workspace ONE UEM to send the KDC Root certificate to your iOS devices.

Click on the Workspace ONE UEM tab to return to the Workspace ONE UEM Console.

4.1. Create a Credentials Profile

Create a Credentials Profile
  1. Click Devices
  2. Click Profiles & Resources
  3. Click Profiles
  4. Click Add
  5. Click Add Profile

4.2. Select Apple iOS platform

Select Apple iOS platform

Click Apple iOS

4.3. Configure the General Profile Settings

Profile General Settings
  1. Enter iOS Identity KDC Cert in the Name field
  2. Click in the Smart Groups field and a list of smart groups will appear
  3. Click All Devices ([email protected])

4.4. Configure the Credentials Payload

Configure the Credentials Payload
  1. Enter Credentials in the payload search box
  2. Click the Credentials payload
  3. Click Configure

4.5. Upload the KDC Root Certificate

Upload the KDC Certificate
  1. Select Upload for the Credential Source
  2. Click Upload

4.6. Browse for the KDC Root Certificate to Upload

Browse for the KDC Certificate to Upload

Click Choose File

4.7. Select the KDC Root Certificate to Upload

Select the KDC Certificate to Upload
  1. Click the Downloads folder
  2. Click the KDC-root-cert.cer file
  3. Click Open

4.8. Save the KDC Root Certificate

Click Save to upload the KDC-root-cert.cer file.

4.9. Configure the SCEP Payload

Configure the SCEP Payload
  1. Enter SCEP in the payload search box
  2. Click the SCEP payload
  3. Click Configure

4.10. Configure SCEP Settings

Confirm SCEP Settings
  1. Select AirWatch Certificate Authority for the Credential Source
  2. Select AirWatch Certificate Authority for the Certificate Authority
  3. Select Single Sign-On for the Certificate Template

4.11. Create the Single Sign-On Payload

Create the Single Sign-On Payload
  1. Enter Single Sign-On in the payload search box
  2. Click the Single Sign-On payload
  3. Click Configure

4.12. Configure the Single Sign-On Connection Info

Configure the Single Sign-On Payload
  1. Enter a friendly name like TestSSO for the Account Name
  2. Enter the {EnrollmentUser} lookup value for the Kerberos Principal Name
  3. Enter VIDMPREVIEW.COM for the Realm
    IMPORTANT:
    The value for Realm is case sensitive and it needs to be all upper case!
  4. Select SCEP #1 from the Renewal Certificate dropdown

4.13. Configure the Single Sign-On URL Prefixes and Applications

Configure the Single Sign-On Payload (continued)
  1. Scroll down until you see the URL Prefixes and Applications sections
  2. Enter your Workspace ONE Access URL (https://{tenantName}.vidmpreview.com) in the URLs field. Replace {tenantName} with your Workspace ONE Access tenant name!
    NOTE: This is the Workspace ONE Access URL you've logged into during previous lab steps.
  3. Enter com.apple.mobilesafari for the Application Bundle ID field.
  4. Click Save & Publish.

You have now configured an iOS Profile that will:

  • Distribute the KDC root certificate file to your enrolled iOS Devices
  • Allow Single Sign-On to the VIDMPREVIEW.COM realm using the SCEP certificate you configured and provide the Kerberos principal name as the enrolled username on the iOS device
  • The Single Sign-On capabilities are allowed for your Workspace ONE Access tenant
  • The iOS Safari app (com.apple.mobilesafari) is allowed to use this Single Sign-On login
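Behind the console fields in steps 4.12 and 4.13, what the device receives is an Apple Single Sign-On (com.apple.sso) payload carrying the Kerberos principal, realm, URL prefixes, allowed app bundle IDs and a reference to the renewal certificate. The following is an added example, not VMware's code and not necessarily the exact payload Workspace ONE UEM emits: it builds that payload in Apple's configuration-profile format from the lab's values and checks the pitfalls the lab calls out (upper-case realm, the {tenantName} placeholder replaced, an https URL, at least one bundle ID, a linked SCEP certificate). The tenant URL, certificate UUID and payload identifiers are constructed placeholders, and the {EnrollmentUser} substitution is a simplified model of UEM's lookup values.

```python
import plistlib
import uuid
from urllib.parse import urlparse

# Constructed placeholders: not a real tenant or certificate.
TENANT_URL = "https://mytenant.vidmpreview.com"
SCEP_CERT_UUID = "11111111-2222-3333-4444-555555555555"


def expand_lookup(template, enrollment_values):
    """Substitute UEM-style {LookupValue} tokens such as {EnrollmentUser} per device (simplified model)."""
    rendered = template
    for key, value in enrollment_values.items():
        rendered = rendered.replace("{" + key + "}", value)
    return rendered


def build_sso_payload(account_name, principal, realm, url_prefixes,
                      app_bundle_ids, renewal_cert_uuid):
    """Return a com.apple.sso payload dict (Apple's Kerberos SSO payload keys)."""
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso." + account_name,  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Single Sign-On",
        "Name": account_name,                 # the console's Account Name
        "Kerberos": {
            "Principal": principal,           # Kerberos Principal Name
            "Realm": realm,                   # Realm (case sensitive)
            "URLPrefixMatches": list(url_prefixes),      # URLs field
            "AppIdentifierMatches": list(app_bundle_ids),  # Application Bundle ID field
            "PayloadCertificateUUID": renewal_cert_uuid,   # Renewal Certificate (SCEP #1)
        },
    }


def validate_sso_payload(payload):
    """Return the list of problems that would stop this payload working in the lab."""
    problems = []
    kerb = payload.get("Kerberos", {})
    realm = kerb.get("Realm", "")
    if not realm:
        problems.append("Realm is empty")
    elif realm != realm.upper():
        problems.append("Realm is case sensitive and must be upper case: " + repr(realm))
    if not kerb.get("Principal"):
        problems.append("Kerberos Principal is empty")
    for url in kerb.get("URLPrefixMatches", []):
        if "{tenantName}" in url:
            problems.append("URL prefix still contains the {tenantName} placeholder: " + url)
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("URL prefix must be an https URL: " + url)
    if not kerb.get("AppIdentifierMatches"):
        problems.append("No app bundle ID is allowed to use this SSO account")
    if not kerb.get("PayloadCertificateUUID"):
        problems.append("No renewal (SCEP) certificate is linked")
    return problems


def lab_payload(enrollment_user="jdoe"):
    """The payload the lab's steps 4.12 and 4.13 describe, rendered for one enrolled user."""
    return build_sso_payload(
        account_name="TestSSO",
        principal=expand_lookup("{EnrollmentUser}", {"EnrollmentUser": enrollment_user}),
        realm="VIDMPREVIEW.COM",
        url_prefixes=[TENANT_URL],
        app_bundle_ids=["com.apple.mobilesafari"],
        renewal_cert_uuid=SCEP_CERT_UUID,
    )


def to_mobileconfig(payloads, display_name="iOS Identity KDC Cert"):
    """Wrap payloads in a top-level configuration profile and serialise it as XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.kdc-sso",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    good = lab_payload()
    print("lab payload problems:", validate_sso_payload(good))
    # A payload with the realm in lower case and the {tenantName} placeholder left in.
    bad = build_sso_payload("TestSSO", "", "vidmpreview.com",
                            ["https://{tenantName}.vidmpreview.com"], [], "")
    for problem in validate_sso_payload(bad):
        print("problem:", problem)
    print(to_mobileconfig([good]).decode()[:300])
```

Running the script on the lab's values reports no problems, while the lower-case realm and unreplaced {tenantName} placeholder, the two mistakes the lab warns about, are each flagged before the profile is published.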

4.14. Publish the Profile

Publish the Profile

Click PUBLISH
