Integrate Workspace ONE UEM and Workspace ONE Access using the Cloud Kerberos Key Distribution Center (KDC)
You will now integrate the Cloud Kerberos Key Distribution Center (KDC) between Workspace ONE UEM and Workspace ONE Access. This establishes trust between the two services so that your domain users can single sign-on to the Workspace ONE catalog by presenting a device certificate for authentication instead of a password.
Continue to the next step.
1. Configure Workspace ONE Access Settings in Workspace ONE UEM
The first step in configuring the Cloud Kerberos Key Distribution Center (KDC) is to set up the Workspace ONE Access certificate in Workspace ONE UEM.
- Click Groups & Settings
- Click All Settings
1.1. Enable Workspace ONE UEM Certificate Provisioning
- Click System
- Click Enterprise Integration
- Click VMware Identity Manager
- Click Configuration
- Scroll down to the Certificate section
- Click Enable
1.2. Export the Certificate
- Scroll back down to the Certificate section
- Click the Export button
- Click Close (X) to exit the Workspace ONE Access Configuration settings page
The Certificate file (VidmAirWatchRootCertificate.cer) will be saved in the Downloads folder. You will need this certificate in an upcoming step.
2. Enable and Setup Cloud Kerberos Key Distribution Center (KDC)
With the Certificate exported from Workspace ONE UEM, return to your Workspace ONE Access tenant to continue the Cloud Kerberos Key Distribution Center (KDC) configuration.
Click on the VMware Workspace ONE tab to return to the Workspace ONE Access Administration Console.
2.1. Navigate to the Built-in Kerberos Configuration Page
- Click Identity & Access Management
- Click Authentication Methods
- Click on the Edit icon for Mobile SSO (for iOS)
2.2. Configure Mobile SSO (for iOS)
- Enable the Enable KDC Authentication check box.
- Click the Select File button for Root and Intermediate CA Certificates
2.3. Upload the Root Certificate
- Select the Downloads folder
- Select the VidmAirWatchRootCertificate.cer file that was downloaded
- Click Open
2.4. Confirm the Authentication Adapter Update
Click OK in the confirmation dialog box.
2.6. Navigate to the Identity Providers page
- Click Identity Providers
- Click Built-in
3. Update the Access Policy
With the Identity Provider (IdP) configured, you now need to update the Access Policies to use the Built-In Identity Provider (IdP).
- Click Policies
- Click Edit Default Policy
3.1. Create a new Policy Rule
- Click Configuration
- Click Add Policy Rule
3.2. Configure the new Policy Rule
You will now configure a new Access Policy Rule that lets your iOS devices, from any network range, authenticate using the Mobile SSO (for iOS) authentication method you configured. As a fallback, you will also allow users to enter their password to authenticate to the Workspace ONE catalog. Keep in mind that while this fallback is enabled, a device that fails certificate authentication can still sign in with a password alone, so the policy does not yet enforce certificate-based SSO; revisit the fallback once you have validated that Mobile SSO works for your devices.
- Select ALL RANGES for If a user's network range is
- Select All Device Types for and user accessing content from
- Select Authenticate using... for Then perform this action
- Select Mobile SSO (for iOS) for then the user may authenticate using
- Select Password (AirWatch Connector) for If the preceding method fails or is not applicable
3.3. SAVE the Policy Rule
- Scroll down until you see the option to SAVE.
- Click SAVE to continue.
3.4. Update the Policy Rules Order
- Click and drag the Mobile SSO (for iOS) handle to the top of the list. Policy rules are evaluated from the top down and the first matching rule applies, so this causes the Mobile SSO (for iOS) rule to be processed first.
- Click NEXT
3.5. Save the Policy Rule Updates
Click SAVE to apply the new Access Policy changes.
You have now successfully configured the Mobile SSO (for iOS) authentication method in Workspace ONE Access and set up your Access Policies to authenticate your iOS devices using this authentication method!
4. Create Workspace ONE UEM Profiles for Single Sign-On
Your Access Policies and Identity Provider (IdP) authentication methods are now configured and ready to allow a Single Sign-On login for your iOS devices. However, the iOS devices must also trust the KDC root certificate of your Workspace ONE Access tenant (the KDC-root-cert.cer file downloaded from the tenant) before the Kerberos exchange with the Cloud KDC can succeed.
You will now configure an iOS profile in Workspace ONE UEM that sends the KDC root certificate to your iOS devices, enrolls them for a Single Sign-On certificate via SCEP, and configures the Kerberos Single Sign-On account.
Click on the Workspace ONE UEM tab to return to the Workspace ONE UEM Console.
4.1. Create a Credentials Profile
- Click Devices
- Click Profiles & Resources
- Click Profiles
- Click Add
- Click Add Profile
4.2. Select Apple iOS platform
Click Apple iOS
4.3. Configure the General Profile Settings
- Enter iOS Identity KDC Cert in the Name field
- Click in the Smart Groups field and a list of smart groups will appear
- Click the All Devices smart group
4.4. Configure the Credentials Payload
- Enter Credentials in the payload search box
- Click the Credentials payload
- Click Configure
4.5. Upload the KDC Root Certificate
- Select Upload for the Credential Source
- Click Upload
4.6. Browse for the KDC Root Certificate to Upload
Click Choose File
4.7. Select the KDC Root Certificate to Upload
- Click the Downloads folder
- Click the KDC-root-cert.cer file
- Click Open
4.8. Save the KDC Root Certificate
Click Save to upload the KDC-root-cert.cer file.
4.9. Configure the SCEP Payload
- Enter SCEP in the payload search box
- Click the SCEP payload
- Click Configure
4.10. Configure SCEP Settings
- Select AirWatch Certificate Authority for the Credential Source
- Select AirWatch Certificate Authority for the Certificate Authority
- Select Single Sign-On for the Certificate Template
4.11. Create the Single Sign-On Payload
- Enter Single Sign-On in the payload search box
- Click the Single Sign-On payload
- Click Configure
4.12. Configure the Single Sign-On Connection Info
- Enter a friendly name like TestSSO for the Account Name
- Enter the {EnrollmentUser} lookup value for the Kerberos Principal Name
- Enter VIDMPREVIEW.COM for the Realm
IMPORTANT: The value for Realm is case sensitive and must be all upper case!
- Select SCEP #1 from the Renewal Certificate dropdown
4.13. Configure the Single Sign-On URL Prefixes and Applications
- Scroll down until you see the URL Prefixes and Applications sections
- Enter your Workspace ONE Access URL (https://{tenantName}.vidmpreview.com) in the URLs field. Replace {tenantName} with your Workspace ONE Access tenant name!
NOTE: This is the Workspace ONE Access URL you logged into during previous lab steps.
- Enter com.apple.mobilesafari for the Application Bundle ID field.
- Click Save & Publish.
You have now configured an iOS Profile that will:
- Distribute the KDC root certificate to your enrolled iOS devices so they trust the Cloud KDC
- Enroll each device for a certificate from the AirWatch Certificate Authority (Single Sign-On template) via SCEP
- Allow Single Sign-On to the VIDMPREVIEW.COM realm using that SCEP certificate, with the Kerberos principal name set to the enrolled username on the iOS device
- Restrict Single Sign-On to the URL of your Workspace ONE Access tenant
- Allow the iOS Safari app (com.apple.mobilesafari) to use this Single Sign-On login
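The Single Sign-On payload you just filled in through the console maps directly onto Apple's com.apple.sso configuration profile payload (Name, and a Kerberos dictionary with PrincipalName, Realm, URLPrefixMatches, AppIdentifierMatches and PayloadCertificateUUID). The following is an added example, not code from Workspace ONE or this lab, that builds that payload as a plist and lints it for the mistakes the steps above warn about: a realm that is not upper case, a URL that still contains the {tenantName} placeholder or is not https, a misspelled bundle ID, and a missing renewal (SCEP) certificate link. The tenant name acme, the PayloadIdentifier com.example.sso.kdc and the SCEP-PAYLOAD-UUID value are assumptions for illustration.

```python
# Added example: build the iOS Single Sign-On (Kerberos) payload configured in
# steps 4.12-4.13 and lint it for the pitfalls the lab calls out. Illustrative
# code only; Workspace ONE UEM generates the real profile for you.
import plistlib
import re
import uuid

# Constructed values from the lab; replace {tenantName} with your real tenant name.
LAB_REALM = "VIDMPREVIEW.COM"
LAB_URL = "https://{tenantName}.vidmpreview.com"
SAFARI_BUNDLE_ID = "com.apple.mobilesafari"
KNOWN_BUNDLE_IDS = {SAFARI_BUNDLE_ID}   # allowlist of apps this lab expects to use SSO


def build_sso_payload(account_name, principal_name, realm, url_prefixes,
                      app_bundle_ids, renewal_cert_uuid=None, payload_uuid=None):
    """Return a dict shaped like Apple's com.apple.sso payload."""
    kerberos = {
        "PrincipalName": principal_name,          # e.g. the {EnrollmentUser} lookup value
        "Realm": realm,                           # case sensitive, must be upper case
        "URLPrefixMatches": list(url_prefixes),   # only these URLs get Kerberos SSO
        "AppIdentifierMatches": list(app_bundle_ids),
    }
    if renewal_cert_uuid:
        # Links the SCEP credential payload (step 4.12 "Renewal Certificate")
        kerberos["PayloadCertificateUUID"] = renewal_cert_uuid
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.kdc",   # hypothetical identifier
        "PayloadUUID": payload_uuid or str(uuid.uuid4()),
        "PayloadDisplayName": account_name,
        "Name": account_name,
        "Kerberos": kerberos,
    }


def lint_sso_payload(payload):
    """Return a list of problems; an empty list means the payload passes."""
    problems = []
    kerberos = payload.get("Kerberos", {})
    realm = kerberos.get("Realm", "")
    if not realm:
        problems.append("Realm is missing")
    elif realm != realm.upper():
        problems.append(f"Realm {realm!r} is not upper case (Kerberos realms are case sensitive)")
    prefixes = kerberos.get("URLPrefixMatches", [])
    if not prefixes:
        problems.append("URLPrefixMatches is empty: no site will receive SSO")
    for url in prefixes:
        if "{tenantName}" in url:
            problems.append(f"URL prefix {url!r} still contains the {{tenantName}} placeholder")
        if not url.startswith("https://"):
            problems.append(f"URL prefix {url!r} is not https; Kerberos tokens would be sent in the clear")
    for bundle_id in kerberos.get("AppIdentifierMatches", []):
        if not re.fullmatch(r"[A-Za-z0-9.-]+", bundle_id):
            problems.append(f"App identifier {bundle_id!r} is not a valid bundle ID")
        elif bundle_id not in KNOWN_BUNDLE_IDS:
            problems.append(f"App identifier {bundle_id!r} is not in the allowlist (typo?)")
    if "PayloadCertificateUUID" not in kerberos:
        problems.append("No renewal certificate: the SCEP payload is not linked to this SSO account")
    return problems


def to_mobileconfig_xml(payload):
    """Serialize the payload to the XML plist form used inside a .mobileconfig."""
    return plistlib.dumps(payload).decode("utf-8")


def from_mobileconfig_xml(xml_text):
    """Parse an XML plist payload back into a dict (used to verify a round trip)."""
    return plistlib.loads(xml_text.encode("utf-8"))


if __name__ == "__main__":
    good = build_sso_payload("TestSSO", "{EnrollmentUser}", LAB_REALM,
                             [LAB_URL.replace("{tenantName}", "acme")], [SAFARI_BUNDLE_ID],
                             renewal_cert_uuid="SCEP-PAYLOAD-UUID")
    print("good payload problems:", lint_sso_payload(good))
    # A payload with the typos the lab warns about: lower-case realm, unreplaced
    # placeholder, misspelled Safari bundle ID and no renewal certificate.
    bad = build_sso_payload("TestSSO", "{EnrollmentUser}", "vidmpreview.com",
                            [LAB_URL], ["com.apple.mobilesfari"])
    for problem in lint_sso_payload(bad):
        print("-", problem)
    print(to_mobileconfig_xml(good))
```

Run the script as-is to see the lint output for a correct payload and for one carrying the common mistakes; pointing the linter at an exported profile is a quick way to catch a lower-case realm or a stray placeholder before the profile reaches devices.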