EUC: Advanced Integrations - 2019 Day 3

Authentication Method - iOS SSO

Configuration for Single-Sign-On on native applications

In this section we will first configure the prerequisites for the last-mile configuration of Mobile SSO.

There are two common options for a Certificate Authority:

  1. Customers might want to use their own internal Certificate Authority for issuing certificates  
  2. Workspace ONE UEM can act as the certificate authority and issue certificates to devices for authentication against Workspace ONE Access.

In this specific lab we will use option 2, where Workspace ONE UEM is the Certificate Authority. We will need to export the root certificate used for single sign-on and import it into Workspace ONE Access.

There are also two options for the Key Distribution Center (KDC):

  1. Cloud hosted, which means the KDC service is hosted by VMware in the cloud
  2. On-premises (Linux only), where the KDC service runs locally on the Workspace ONE Access server.

In this specific lab we will leverage option 1, as we are already leveraging the cloud hosted Workspace ONE Access server.

 

This lab is divided into 4 parts:

Part 1: Mobile Single Sign-On Configuration for iOS based Applications
Part 2: iOS Device Configuration for Single Sign On
Part 3: iOS Device enrollment in Workspace ONE UEM
Part 4: Microsoft Word Single Sign On

Part 1: Mobile Single Sign-On Configuration for iOS based Applications

1. Mobile Single Sign-On Configuration for iOS based Applications

  • If you have not already done so, navigate to the Workspace ONE UEM console https://cn-livefire.awmdm.com and sign in with your e-mail address and password
    1. In Admin Console select Groups & Settings > All Settings
    2. Under System > select Enterprise Integration
    3. Under Enterprise Integration select VMware Identity Manager
    4. Under VMware Identity Manager select Configuration
    5. Next to Certificate Provisioning select ENABLE (possibly already enabled)
    6. Scroll down until you find the Certificate section and next to Issuer Certificate select EXPORT

      This is the root certificate used to validate incoming certificate authentication requests from iOS mobile devices. We now need to navigate to the Auth Adapter in Workspace ONE Access.

2. Mobile Single Sign-On Configuration for iOS based Applications...

  • Navigate to your assigned Workspace ONE Access server and log in to the Admin Console using the local directory admin account. In the Tenant Admin Console select your Administration Console
    1. Select Identity & Access Management
    2. Under Identity & Access Management > Manage select Authentication Methods
    3. Under Authentication Methods for Built-In Identity Providers, click the Pencil next to Mobile SSO (for iOS)

3. Mobile Single Sign-On Configuration for iOS based Applications...

  • In the Mobile SSO (for iOS) window select the following:
    1. Select the Enable KDC Authentication check box. Leave the default next to Realm: VIDMPREVIEW.COM (must be in all CAPS)
    2. Next to Root and Intermediate CA Certificates, click Select File (this is the certificate exported in step 1.6 earlier)
    3. Select the VidmAirWatchRootCertificate.cer file and select Open
    4. On the Update Auth Adapter window select OK
    5. Next to Enterprise Device Management Server URL enter your Workspace ONE UEM url https://cn-livefire.awmdm.com
    6. Select Save
    7. Mobile SSO (for iOS) should now be enabled

4. Mobile Single Sign-On Configuration for iOS based Applications...

  • We will now associate the Built-in IDP with the iOS Single Sign On method in order to configure our Access Policies
    1. Under Identity & Access Management > Manage  select Identity Providers
    2. Under Identity Providers, select the Built-in IDP
    3. Under Authentication Methods select the Mobile SSO (for iOS) checkbox
    4. Next to KDC Certificate Export select Download Certificate
    5. Scroll down and select Save

5. Mobile Single Sign-On Configuration for iOS based Applications...

  • We will now configure an Application Level Access Policy
  • Under Identity & Access Policies > Manage select Policies
    1. Select ADD POLICY
    2. In the New Access Policy wizard under Policy Name type SSO
    3. To the bottom of the Definition section under Applies to select the following checkboxes
      • Microsoft Outlook
      • Microsoft Powerpoint
      • Microsoft Word
      • Office 365 with Provisioning
      • OKTA
      • Onedrive
      • Salesforce
      • ServiceNow
    4. Select NEXT
    5. In the Configuration section select + ADD POLICY RULE

6. Mobile Single Sign-On Configuration for iOS based Applications...

  • Access Policies to support iOS devices continued...
    1. On the Add Policy Rule page, next to:
      1. "and user accessing content from" select from the dropdown iOS
      2. "then the user may authenticate using" from the dropdown select Mobile SSO (for iOS)
      3. "if the preceding method fails or is not applicable then"  select from the dropdown Password (Cloud Deployment)
    2. Select Save
    3. On the New Access Policy Configuration window Select Next
    4. On the Summary page, review your configurations and select Save

Part 2: iOS Device Configuration for Single Sign On

1. We will now ensure that the devices are receiving our certificates to authenticate to native mobile apps using iOS SSO.

  • Return to the Workspace ONE UEM console cn-livefire.awmdm.com
    1. Select Devices > Profiles & Resources >
    2. Under Profiles click ADD > Add Profile
    3. Under Add Profile, select Apple iOS
    4. In the Add a New Apple iOS Profile window, under General, add the following:
      1. Name the profile iOS - Mobile SSO
      2. Next to Smart Groups select your Organisation Group
    5. In the left navigation pane of the profile, select SCEP
    6. In the SCEP section in the middle of the pane select CONFIGURE

 

2. iOS Device Configuration for Single Sign On...

  1. In the SCEP window add the following, next to:
    1. Credential Source: select AirWatch Certificate Authority
    2. Certificate Authority: select AirWatch Certificate Authority (it should default)
    3. Certificate Template: select Single Sign-On (it should default)

3. iOS Device Configuration for Single Sign On...

  • iOS Add a New Apple iOS Profile cont...
    1. On the left navigation pane above SCEP select Credentials, then select Configure.
    2. In the Credentials window add the following:
      • Next to Certificate select UPLOAD. In the Add window, select Choose File, select the KDC-roo-cert.cer file and select Open. In the Add window select SAVE. (This is the certificate we downloaded in Part 1, step 4.4.)

4. iOS Device Configuration for Single Sign On...

  • iOS Add a New Apple iOS Profile cont...
    1. In the left navigation pane scroll down and select Single Sign-On
    2. In the Single Sign-On section select Configure
    3. In the Single Sign-On window fill in the following information:
      1. Account Name: Kerberos
      2. Kerberos Principal Name - select + and choose {EnrollmentUser}
      3. Realm - VIDMPREVIEW.COM (ensure this is in CAPS)
      4. Renewal Certificate - SCEP #1
      5. URL Prefixes - enter your unique vidm tenant (example https://aw-euclivefire.vidmpreview.com)
      6. Under the Applications section
        1. select +ADD below Application Bundle ID to add an extra line
        2. Under Application Bundle ID add each of these apps as separate lines

          • com.microsoft.Office.Word
          • com.air-watch.agent
          • com.air-watch.appcenter
          • com.apple.mobilesafari
          • com.apple.SafariViewService
    4. Select SAVE AND PUBLISH
    5. On the View Device Assignment window select PUBLISH

Once an iOS Device is enrolled you will see the profile and the certificates appear in the settings of the device.
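
The Single Sign-On settings above are delivered to the device as a com.apple.sso payload with a Kerberos dictionary. The following check is an added example, not part of the original lab or of VMware's tooling: it reads an unsigned .mobileconfig export and reports where the payload deviates from the values entered in Part 2. The payload keys are Apple's Kerberos SSO keys; the sample profile, its principal and its UUID are constructed for illustration.

```python
import plistlib

# Values taken from the lab steps above.
EXPECTED_REALM = "VIDMPREVIEW.COM"
EXPECTED_APPS = {
    "com.microsoft.Office.Word", "com.air-watch.agent", "com.air-watch.appcenter",
    "com.apple.mobilesafari", "com.apple.SafariViewService",
}

def lint_sso_profile(profile_bytes):
    """Return a list of problems found in the profile's Kerberos SSO payload."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    sso = [p for p in payloads if p.get("PayloadType") == "com.apple.sso"]
    if not sso:
        return ["no com.apple.sso payload"]
    krb = sso[0].get("Kerberos", {})
    problems = []
    realm = krb.get("Realm", "")
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper case")
    elif realm != EXPECTED_REALM:
        problems.append(f"unexpected realm {realm!r}")
    urls = krb.get("URLPrefixMatches", [])
    if not urls:
        problems.append("no URL prefixes")
    for url in urls:
        if not url.startswith("https://"):
            problems.append(f"URL prefix {url!r} is not https")
    missing = EXPECTED_APPS - set(krb.get("AppIdentifierMatches", []))
    if missing:
        problems.append("missing bundle IDs: " + ", ".join(sorted(missing)))
    # The renewal certificate must point at a SCEP payload in the same profile.
    scep_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.scep"}
    cert = krb.get("PayloadCertificateUUID")
    if not cert or cert not in scep_uuids:
        problems.append("renewal certificate does not reference a SCEP payload")
    return problems

def sample_profile(realm, apps, cert_uuid="SCEP-1"):
    """Constructed sample profile (not an export from the lab tenant)."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.security.scep", "PayloadUUID": "SCEP-1"},
        {"PayloadType": "com.apple.sso", "Name": "Kerberos", "Kerberos": {
            "PrincipalName": "user33buk", "Realm": realm,
            "URLPrefixMatches": ["https://aw-euclivefire.vidmpreview.com"],
            "AppIdentifierMatches": sorted(apps),
            "PayloadCertificateUUID": cert_uuid}}]})

if __name__ == "__main__":
    print(lint_sso_profile(sample_profile("vidmpreview.com", EXPECTED_APPS)))
```

A profile pulled from a device or console may be CMS-signed; strip the signature before passing the bytes to lint_sso_profile.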

Part 3: Microsoft Word Single Sign On

Now that we have set up the device with the profile, let's make sure we have the Microsoft Word application installed.

1. Open the Hub application on your iOS device and authenticate using your biometrics or pin.

2. Select Apps at the bottom navigation and click All Apps. You will now see Microsoft Word - Click Install if it isn't already installed

1. Once the Microsoft Word application has installed, you will authenticate to the application using Mobile SSO. Launch the Word application on your iOS device.

2. When prompted click Sign in. Use the UPN of the unique user you created in the SFDC lab (e.g. user33buk@madrid33.euc-livefire.com) and click Next

3. At this point Mobile Single Sign-On for iOS will kick in and use the certificate on the device for authentication. You will see a screen that says activating.

4. On the Notification prompt click Not Now

5. Now click Create and Edit Documents to get started using the Word  application

6. When you click on Settings you will see under Account the uniqueuser@XXX.euc-livefire.com. Notice you didn't have to use a username or password to authenticate. This is the user experience that so many enterprises desire for authentication.  
