Windows 10 Certificate Single Sign On using an AirWatch Certificate Authority
In this lab you will be deploying a certificate to an enrolled Windows 10 virtual machine. This certificate will be generated by the built-in CA in Workspace ONE UEM.
We will later configure Workspace ONE Access to trust certificates issued by UEM and configure the Certificate (Cloud Deployment) authentication adapter.
Finally we will test everything on a Windows 10 Machine to ensure we are able to have a seamless authentication experience.
Part 1: Workspace ONE UEM - Certificate Profile
1. Workspace ONE UEM - Certificate Profile
- Open Chrome on your ControlCenter2 jumpbox and navigate to https://cn-livefire.awmdm.com. Authenticate using your e-mail address and unique password.
- Navigate to Groups & Settings > All Settings > Enterprise Integration > VMware Identity Manager > Configuration
- Under Certificate select ENABLE (this should be enabled from a previous lab)
- Under Certificate next to Issuer Certificate select EXPORT

2. Workspace ONE UEM - Certificate Profile continued...
- Then navigate to Devices > Profiles & Resources > Profiles > ADD > Add Profile > Windows > Windows Desktop > User Profile
- Give the profile the name: W10 - SCEP - SSO
- Select your Smart Group with the World icon for the Smart Group
- Select the SCEP payload on the left hand navigation panel.
- Select CONFIGURE
- Set the following
- Credential Source: AirWatch Certificate Authority
- Certificate Template: Certificate (Cloud Deployment)
- Issuer: LiveFire
- Click SAVE AND PUBLISH
- In the Device Assignment window, notice your device in the list of devices being added. Then click PUBLISH
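Before moving on to the Access configuration, it is worth confirming on the Windows 10 client that the SCEP certificate actually arrived, has a private key, carries the Client Authentication EKU, and chains to the issuer certificate you just exported. The following PowerShell check is added here as an example and is not part of the lab or of the VMware products; it assumes the exported VidmAirWatchRootCertificate.cer has been copied to the client at the path in $IssuerCerPath, and that the profile was a User Profile, so the certificate lands in Cert:\CurrentUser\My.

```powershell
# Added verification step (not part of the lab). Run in the enrolled user's
# PowerShell session on the Windows 10 client after the SCEP profile is published.
# Assumption: the issuer .cer exported from UEM was copied to $IssuerCerPath.
param(
    [string]$IssuerCerPath = "$env:USERPROFILE\Downloads\VidmAirWatchRootCertificate.cer"
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Load the issuer certificate that UEM exported; Access will trust exactly this issuer.
$issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuerCerPath

# A User Profile SCEP payload places the certificate in the user's Personal store.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.Issuer -eq $issuer.Subject
}

if (-not $candidates) {
    Write-Warning "No certificate issued by '$($issuer.Subject)' in Cert:\CurrentUser\My. Check the profile assignment and sync the device in UEM."
    return
}

foreach ($cert in $candidates) {
    $now = Get-Date
    $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    # Extended Key Usage (OID 2.5.29.37) must include Client Authentication.
    $ekuOk = $false
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $ekuOk = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    # Build the chain with the exported issuer as an extra trust anchor, so the check
    # reflects what Access will see even if the issuer is not in the local Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($issuer) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $chainOk = $built -and ($top.Thumbprint -eq $issuer.Thumbprint)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        TimeValid  = $timeValid
        ClientAuth = $ekuOk
        ChainToUEM = $chainOk
    }
}
```

If TimeValid, ClientAuth and ChainToUEM are all True for one certificate, the client side is ready and any later SSO failure points at the Access adapter or policy configuration rather than at certificate delivery.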




Part 2: Configuring Workspace ONE Access Certificate (Cloud Deployment) Authentication
1. Configuring Workspace ONE Access Certificate (Cloud Deployment) Authentication
- In this next section, we will configure the Workspace ONE Access Certificate Auth Adapter to trust the certificates being presented by the devices.
- On your ControlCenter server, browse to your unique Workspace ONE Access server and authenticate to the local directory using the administrator account and password.
- Under Identity & Access Management > Manage select Authentication Methods
- Click on the Pencil to Configure the Certificate (Cloud Deployment) authentication method.
- Select the checkbox Enable Certificate Adapter and click Select File to upload the certificate (VidmAirWatchRootCertificate.cer) you exported above from the UEM console.
- On the Update Auth Adapter window select OK
- Leave everything else in here as default and click Save.
- Now navigate to Identity Providers under Identity & Access Management and click on Built-in
- Navigate to the Authentication Methods area and select the check box next to Certificate (Cloud Deployment) and select Save at the bottom of the page.

2. Configuring Workspace ONE Access Certificate (Cloud Deployment) Authentication continued...
- Navigate to Policies under Identity & Access Management then click on the SSO policy.
- Select Edit
- Next to Configuration select +ADD POLICY RULE.
- In the Add Policy Rule window, set the following:
- 'and user accessing content from': select Windows 10 from the drop-down
- 'then the user may authenticate using*': change to Certificate (Cloud Deployment)
- 'if the preceding method fails or is not applicable, then': change Select fallback method... to Password (Cloud Deployment)
- Select SAVE
- Select +ADD POLICY RULE.
- In the Add Policy Rule window, set the following:
- 'and user accessing content from': select Web Browser from the drop-down
- 'then the user may authenticate using*': change to Certificate (Cloud Deployment)
- 'if the preceding method fails or is not applicable, then': change Select fallback method... to Password (Cloud Deployment)
- Select SAVE.
- Next to ALL RANGES for the Windows 10 rule on the left, select the 6 dots and drag the rule to the top
- Select NEXT, select SAVE.
Part 3: Windows 10 Single Sign On using Certificates
- Now that the administrative elements are in place, we will test the authentication flow from our Windows 10 VM.
- On the ControlCenter2 VM desktop you will find the Remote Desktop folder. In this folder double-click w10client01.RDP
- Inside the Windows 10 Virtual Machine open Microsoft Edge from the desktop and type OFFICE.COM in the address bar
- In the Office.com page select Sign In
- In the Sign in window, type your email address, e.g. [email protected]
- Select Next
- Notice now that you are being re-directed to cas.vidmpreview.com in the URL field and you are prompted for a Certificate.
- Click OK on the pop-up for your certificate and notice you are taken straight into your Workspace ONE Bookmarks tab.
- Now click on any one of your Office 365 deep links and notice you are authenticated without further credentials. If you get prompted to "Stay signed in?" simply click No.
- You are now authenticated to your O365 environment using a certificate based authentication method.
This completes this lab.
