EUCEUC: Horizon Integrations 2020/21 Day 2Authentication Method - Android SSO

Authentication Method - Android SSO

Configure Single-Sign-on for Android Device from the Workspace ONE UEM  Admin Console

Pre-requisites to this lab

  • For this lab you will need an Android Device that you are willing to enroll into this lab environment.
  • If you do not have an Android test device, please complete Android emulator setup, from Day 1 lab, before proceeding.

Part 1: Configuring Workspace ONE Access for Android Mobile SSO

  1. In this section we will download a certificate from WorkspaceONE UEM and use to configure Android Mobile SSO in Workspace ONE Access. After we will round all the remaining Workspace ONE Access configurations.
    • Login to your Saas WorkspaceONE UEM with your custom credentials
      • Select GROUPS & SETTINGS > All Settings
      • Under System select Enterprise Integration
      • Under Enterprise Integration select VMware Tunnel
  1. On the Tunnel Configuration page enter the following
    • Next to Hostname: EUClivefire
      • Note: This is a dummy value as we only leverage the Device Network traffic rules to send the Authentication request to a cert proxy service and not deploy a Tunnel Server physically.
    • Port: 444 (Choose any dummy port number)
    • At the top of the page select SAVE
  1. In the Tunnel Configuration window
    • Expand Client Authentication
    • Below Thumbprint select EXPORT
    • Note the name of the certificate is TunnelDeviceRootCertificate.cer
    • if you get a security prompt click Keep
  1. Switch to and if necessary, login to your SaaS instance of Workspace ONE Access
    • Select the Identity & Access Management tab
    • Select Manage
    • Select Authentication Methods
    • Under Authentication methods for Built-in Identity Providers
      • Select the Pencil Icon next to Mobile SSO  (for Android)
    • On the Mobile SSO (for Android) window select the following: Next to
      • Enable Certificate Adapter:  select the checkbox
      • Root and Intermediate CA certificates click on the Select File button, choose the TunnelDeviceRootCertificate.cer file you downloaded earlier and select Open.
        • On the Update Auth adapter window select OK
      • Use CRL from Certificates : Uncheck the checkbox
      • Use CRL in case of OCSP failure: Uncheck the checkbox
      • At the bottom of the page select Save

 

  1. In the Workspace ONE Access Admin Console
    • Select the Identity & Access Management tab > Manage , select Identity Providers
    • On the Identity Providers window, select Built-in
      • In the Built-in Interface
        • In the Users area
          • Next to LivefireSync, select the Checkbox
        • In the Network area
          • Next to ALL RANGES, select the Checkbox
            • Notice that Mobile SSO (for Android) checkbox is already selected
    • Scroll down
    • Select Save
  1. In the Workspace ONE Access Admin Console
    • On the Identity & Access Management tab > Manage, select Policies
    • Select ADD POLICY.
    • In the 1. Definition area
      • Enter a policy name: App_SSO Policy
      • Under Applies to section, select BambooHR
      • Select NEXT,
    • In the 2. Configuration area
      • Select +ADD POLICY RULE
        • On the Add Policy Rule page add the following, next to:
          • and user accessing content from *  : Android
          • then the user may authenticate using* : Mobile SSO (for Android)
          • if the preceding method fails or is not applicable, then * : Password (cloud deployment)
          • Select SAVE

 

  1. In the Workspace ONE Access Admin Console, Edit Policy window
    • In the 2. Configuration area
      • Select +ADD POLICY RULE
        • On the Add Policy Rule page add the following, next to:
          • and user accessing content from *  : Web Browser
          • then the user may authenticate using* : Mobile SSO (for Android)
          • if the preceding method fails or is not applicable, then * : Password (cloud deployment)
          • Select SAVE
      • Select NEXT
    • On the 3. Summary area, select SAVE

Part 2. Configuring Single-Sign-on for Android: Android VPN Profile                

Introduction: We have just configured the Workspace ONE Access Android SSO auth Adaptor, we will now configure the Android VPN profile and add a version to the profile in Workspace ONE UEM.

  1. Switch to your Saas Workspace ONE UEM Admin Console, if necessary login
    • Select Devices > Profiles & Resources 
    • Under Profiles & Resources select Profiles> ADD dropdown, then select Add Profile
    • On the Add Profile window,  select Android.
  1. Configuring Single-Sign-on for Android
    • In the Name Your Profile area
      • Type Android_Mobile_SSO
      • Next to Profile Scope, leave the default option Production
  2. In the Search area type VPN
    • To the right of VPN select ADD
  1. In the Android_Mobile_SSO window configure the following...
    • In the VPN window configure the following next to:-
      • Connection Type: WorkspaceONE Tunnel
      • Connection Name: Android_SSO
      • Server: (leave default)
      • Device Traffic Rules  (leave default)
      • Per-App VPN Rules: checkbox enabled (default)
    • In the bottom right corner
      • Select NEXT
  1. In the Assignment window
    • Next to Smart Group, select All Devices("your org name")
    • In the bottom right corner
      • Select SAVE & PUBLISH

Part 3: Configuring Android Public applications for a Per App VPN Profile in WorkspaceONE UEM for SSO

This section is dedicated to configuring Workspace ONE UEM to deliver native applications to your Android device

  1. In the Workspace ONE UEM Admin Console
    • Select APPS & BOOKS > Applications > Native > Public tab
      1. Select +ADD APPLICATION
        • In the Add Application window next to: Select
          • Platform*Android
          • Name*: Workspace ONE Tunnel
          • select NEXT
      2. In the Add Application window select Tunnel-Workspace ONE
      3. In the Tunnel - Workspace ONE section, click the Select button
        • Select SAVE & ASSIGN
      4. On the Tunnel - Workspace ONE -  Assignment window, enter the following:
        • In the Distribution area next to
          • Name: type,  Workspace ONE Tunnel Assignment
          • Assignment Groups*select  All Devices (your org)
          • App Delivery Method* select Auto radio button
        • Select Application Configuration
          • Select the following: next to
            • DisplayPrivacyDialog : Disable
            • PolicyAllowFeatureAnalytics : Disable
            • PolicyAllowCrashReporting : Disable
            • DisplayWelcomeScreen: Disable
      5. At the bottom select CREATE
      6. On the Tunnel- Workspace ONE - Assignment window
        • Select  SAVE
      7. On the Tunnel- Workspace ONE - Preview Assigned Devices
        • Select PUBLISH
  1. Configuring BAMBOOHR for native Android Single Sign-On
    1. In the WorkspaceONE UEM console, select APPS & BOOKS > Applications > Native
      • Select the  Public tab
        • Select +ADD APPLICATION
    2. In Add Application window, select the following, next to:-
      • Platform*: Android
      • Name*: BAMBOOHR
      • Select NEXT
    3. In the Add Application window under Apps select BambooHR
    4. In the Add Application window under BambooHR click Select
    5. On the Edit Application - BambooHR window, select SAVE & ASSIGN
    6. On the BambooHR -  Assignment window, enter the following:
      1. In the Distribution area next to
        • Name: type, BambooHR Assignment
        • Assignment Groups*select  All Devices (your org)
        • App Delivery Method* select Auto radio button
      2. In the Tunnel area next to
        • Android : Android_Mobile_SSO @ your org
      3. In the  Application Configuration area
        • Select the Send Configuration, radio button
          • Select the ADD option
            • Under Configuration Key,
              • Type AppServiceHosts
            • Under Value Type
              • Select String dropdown
            • Under Configuration Value
              • Type in your custom your bambooHRce domain 
                • e.g. https://SLGB55.bamboohr.com
    7. At the bottom select CREATE
    8. On the BambooHR - Assignment window select SAVE
    9. On the BambooHR - Preview Assigned Devices window select PUBLISH
  1. Configuring your Chrome Browser for Single-Sign ON
    • Certain Applications like BambooHR integrate with your Browser. You will have to configure your browser for Single-Sign ON as well
      1. In the APPS & BOOKS > Applications > Native > Public tab continued..
      2. Select +ADD APPLICATION
      3. In the Add Application window next to:
        • Platform* : Android
        • Name*: Chrome
        • Select NEXT
      4. In the top of the  Add Application window select Google Chrome
      5. In the Chrome : Fast & Secure, click on Select
      6. In the Edit Application - Google Chrome, select SAVE & ASSIGN

 

  1. On the Google Chrome: Fast & Secure -  Assignment window, enter the following:
    1. In the Distribution area next to
      • Name: type, Chrome Assignment
      • Assignment Groups*select  All Devices (your org)
      • App Delivery Method* select Auto radio button
    2. Select the Tunnel area next to
      • Android : Android_Mobile_SSO @ your org
    3. Select the  Application Configuration area
      • Select the Send Configuration, radio button
        • Next to Configure the home page URL, enter www.livefire.solutions
  2. Select CREATE
  3. Select SAVE
  4. Select PUBLISH

 

Part 4: Configuring VMware Tunnel Component

Configure single sign-on for Android devices to allow users to sign in securely to enterprise apps, without entering their password.

About this task

To configure single-sign-on for Android devices, you do not need to configure the VMware Tunnel, but you configure single sign-on using many of the same fields

  1. Configuring Single-Sign-on for Android
    • On your ControlCenter Server desktop
      • Launch your browser to enter https://dw-livefire.awmdm.com
        • Log into your Workspace ONE UEM admin console with your Admin credentials.
      • In the Workspace ONE UEM admin console,
        • Select GROUPS & SETTINGS,  
        • Select All Settings

 

  1. Configuring VMware Tunnel Component...
    • Under System select Enterprise Integration  
    • Select VMware Tunnel.
  1. In the Tunnel Configuration Page
    • In the Device Traffic Rules section 
      1. Select EDIT
      2. In the Manage Trafic Assignments window
        • Select Default
          • In Device Traffic Rules window, configure the following:
            • Select ADD RULE
            • Next to Rank # 1, under Application in the drop down
              • Select BambooHR; Chrome ;  Android Workspace;
  1. In Device Traffic Rules
    • Under Action from the dropdown 
      • Select PROXY
    • Under Web Proxy 
      • type certproxy.vidmpreview.com:5262
    • Under Destination
      • type *.vidmpreview.com
    • Next to Rank # 2, under Application leave (all other Apps) under Action
      • Select BYPASS
    • Select SAVE
    • On the Are you sure you want to continue? window
      • Select OK
    • Under Manage Traffic Assignments
      • Select CLOSE
  1. Switch to your enrolled Android Emulator or physical Android device
    • Wait until all your apps have been deployed on your device.That being  BambooHR &  Chrome.
  • Select your WORK Profile
  • Select your Tunnel Application
    • In the Tunnel application, select CONTINUE
    • In the Privacy window, select I UNDERSTAND
    • In Data Sharing window, select I AGREE
    • On the Connection request window, select OK

 Wait until all your apps have been deployed on your device. That being  Workspace ONE Tunnel, BambooHR &  Chrome.

  • On your Android device,
    • Look to be prompted for the following message
      • Connection request. Tunnel wants to set up a VPN connection.... 
        • Select OK

Part 5: Testing Mobile SSO for Android

  1. Testing Mobile SSO for BambooHR
    • On your Android Device select your BambooHR application
      1. In the bambooHR window type in your custom domain in the yourdomain.boomboohr.com section
        • eg. globalrn.bamboohr.com
        • select Continue
      2. Select the LOG IN button
      3. On the Welcome to Chrome window select Accept & Continue
      4. On the Sign in to Chrome select No thanks
      5. On the Workspace ONE console enter your username and select Next.
      6. Notice you were logged in without a need to provide password. This means Mobile Single Sign on was successful.

 

Proceed to the next lab.

About the Author

About the Author Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

For any questions please email Reinhart at [email protected]

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.