Authentication Method - Android SSO
Configure Single-Sign-on for Android Device from the Workspace ONE UEM Admin Console
Pre-requisites to this lab
- For this lab you will need an Android Device that you are willing to enroll into this lab environment.
- If you do not have an Android test device, please complete the Android emulator setup from the Day 1 lab before proceeding.
Part 1: Configuring Workspace ONE Access for Android Mobile SSO
- In this section we will download a certificate from Workspace ONE UEM and use it to configure Android Mobile SSO in Workspace ONE Access. Afterwards we will complete the remaining Workspace ONE Access configuration.
- Log in to your SaaS Workspace ONE UEM console with your custom credentials
- Select GROUPS & SETTINGS > All Settings
- Under System select Enterprise Integration
- Under Enterprise Integration select VMware Tunnel
- On the Tunnel Configuration page enter the following
- Next to Hostname: EUClivefire
- Note: This is a dummy value, as we only use the Device Traffic Rules to send the authentication request to a cert proxy service and do not deploy a Tunnel server.
- Port: 444 (choose any dummy port number)
- At the top of the page select SAVE
- In the Tunnel Configuration window
- Expand Client Authentication
- Below Thumbprint select EXPORT
- Note the name of the certificate is TunnelDeviceRootCertificate.cer
- If you get a security prompt, click Keep
- Switch to your SaaS instance of Workspace ONE Access and log in if necessary
- Select the Identity & Access Management tab
- Select Manage
- Select Authentication Methods
- Under Authentication methods for Built-in Identity Providers
- Select the Pencil Icon next to Mobile SSO (for Android)
- On the Mobile SSO (for Android) window select the following, next to:
- Enable Certificate Adapter: select the checkbox
- Root and Intermediate CA certificates: click the Select File button, choose the TunnelDeviceRootCertificate.cer file you downloaded earlier and select Open.
- On the Update Auth adapter window select OK
- Use CRL from Certificates: uncheck the checkbox
- Use CRL in case of OCSP failure: uncheck the checkbox
- At the bottom of the page select Save
- In the Workspace ONE Access Admin Console
- Select the Identity & Access Management tab > Manage, select Identity Providers
- On the Identity Providers window, select Built-in
- In the Built-in Interface
- In the Users area
- Next to LivefireSync, select the Checkbox
- In the Network area
- Next to ALL RANGES, select the Checkbox
- Notice that Mobile SSO (for Android) checkbox is already selected
- Scroll down
- Select Save
- In the Workspace ONE Access Admin Console
- On the Identity & Access Management tab > Manage, select Policies
- Select ADD POLICY.
- In the 1. Definition area
- Enter a policy name: App_SSO Policy
- Under the Applies to section, select BambooHR.
- Select NEXT
- In the 2. Configuration area
- Select +ADD POLICY RULE
- On the Add Policy Rule page add the following, next to:
- and user accessing content from * : Android
- then the user may authenticate using* : Mobile SSO (for Android)
- if the preceding method fails or is not applicable, then * : Password (cloud deployment)
- Select SAVE
- In the Workspace ONE Access Admin Console, Edit Policy window
- In the 2. Configuration area
- Select +ADD POLICY RULE
- On the Add Policy Rule page add the following, next to:
- and user accessing content from * : Web Browser
- then the user may authenticate using* : Mobile SSO (for Android)
- if the preceding method fails or is not applicable, then * : Password (cloud deployment)
- Select SAVE
- Select NEXT
- On the 3. Summary area, select SAVE
Part 2. Configuring Single-Sign-on for Android: Android VPN Profile
Introduction: We have just configured the Workspace ONE Access Android SSO authentication adapter. We will now configure the Android VPN profile and add a version to the profile in Workspace ONE UEM.
- Switch to your SaaS Workspace ONE UEM Admin Console and log in if necessary
- Select Devices > Profiles & Resources
- Under Profiles & Resources select Profiles > ADD dropdown, then select Add Profile
- On the Add Profile window, select Android.
- In the Name Your Profile area
- Type Android_Mobile_SSO
- Next to Profile Scope, leave the default option Production
- In the Search area type VPN
- To the right of VPN select ADD
- In the Android_Mobile_SSO window, in the VPN section, configure the following next to:
- Connection Type: WorkspaceONE Tunnel
- Connection Name: Android_SSO
- Server: (leave default)
- Device Traffic Rules (leave default)
- Per-App VPN Rules: checkbox enabled (default)
- In the bottom right corner
- Select NEXT
- In the Assignment window
- Next to Smart Group, select All Devices (your org name)
- In the bottom right corner
- Select SAVE & PUBLISH
Part 3: Configuring Android Public applications for a Per App VPN Profile in WorkspaceONE UEM for SSO
This section is dedicated to configuring Workspace ONE UEM to deliver native applications to your Android device.
- In the Workspace ONE UEM Admin Console
- Select APPS & BOOKS > Applications > Native > Public tab
- Select +ADD APPLICATION
- In the Add Application window, next to:
- Platform*: Android
- Name*: Workspace ONE Tunnel
- Select NEXT
- In the Add Application window select Tunnel-Workspace ONE
- In the Tunnel - Workspace ONE section, click the Select button
- Select SAVE & ASSIGN
- On the Tunnel - Workspace ONE - Assignment window, enter the following:
- In the Distribution area next to
- Name: type, Workspace ONE Tunnel Assignment
- Assignment Groups*: select All Devices (your org)
- App Delivery Method*: select the Auto radio button
- Select Application Configuration
- Select the following: next to
- DisplayPrivacyDialog : Disable
- PolicyAllowFeatureAnalytics : Disable
- PolicyAllowCrashReporting : Disable
- DisplayWelcomeScreen: Disable
- At the bottom select CREATE
- On the Tunnel - Workspace ONE - Assignment window
- Select SAVE
- On the Tunnel - Workspace ONE - Preview Assigned Devices window
- Select PUBLISH
- Configuring BAMBOOHR for native Android Single Sign-On
- In the WorkspaceONE UEM console, select APPS & BOOKS > Applications > Native
- Select the Public tab
- Select +ADD APPLICATION
- In the Add Application window, select the following, next to:
- Platform*: Android
- Name*: BAMBOOHR
- Select NEXT
- In the Add Application window under Apps select BambooHR
- In the Add Application window under BambooHR click Select
- On the Edit Application - BambooHR window, select SAVE & ASSIGN
- On the BambooHR - Assignment window, enter the following:
- In the Distribution area next to
- Name: type, BambooHR Assignment
- Assignment Groups*: select All Devices (your org)
- App Delivery Method*: select the Auto radio button
- In the Tunnel area next to
- Android : Android_Mobile_SSO @ your org
- In the Application Configuration area
- Select the Send Configuration, radio button
- Select the ADD option
- Under Configuration Key,
- Type AppServiceHosts
- Under Value Type
- Select String dropdown
- Under Configuration Value
- Type in your custom BambooHR domain
- e.g. https://SLGB55.bamboohr.com
- At the bottom select CREATE
- On the BambooHR - Assignment window select SAVE
- On the BambooHR - Preview Assigned Devices window select PUBLISH
- Configuring your Chrome Browser for Single Sign-On
- Certain applications like BambooHR integrate with your browser, so you will have to configure your browser for Single Sign-On as well
- In the APPS & BOOKS > Applications > Native > Public tab, continued:
- Select +ADD APPLICATION
- In the Add Application window, next to:
- Platform* : Android
- Name*: Chrome
- Select NEXT
- At the top of the Add Application window select Google Chrome
- Under Chrome: Fast & Secure, click Select
- In the Edit Application - Google Chrome, select SAVE & ASSIGN
- On the Google Chrome: Fast & Secure - Assignment window, enter the following:
- In the Distribution area next to
- Name: type, Chrome Assignment
- Assignment Groups*: select All Devices (your org)
- App Delivery Method*: select the Auto radio button
- In the Tunnel area, next to
- Android : Android_Mobile_SSO @ your org
- In the Application Configuration area
- Select the Send Configuration, radio button
- Next to Configure the home page URL, enter www.livefire.solutions
- Select CREATE
- Select SAVE
- Select PUBLISH
Part 4: Configuring VMware Tunnel Component
Configure single sign-on for Android devices to allow users to sign in securely to enterprise apps, without entering their password.
About this task
To configure single sign-on for Android devices, you do not need to deploy a VMware Tunnel server, but you configure single sign-on using many of the same fields.
- On your ControlCenter Server desktop
- Launch your browser and enter https://dw-livefire.awmdm.com
- Log into your Workspace ONE UEM admin console with your Admin credentials.
- In the Workspace ONE UEM admin console
- Select GROUPS & SETTINGS
- Select All Settings
- Under System select Enterprise Integration
- Select VMware Tunnel.
- In the Tunnel Configuration page
- In the Device Traffic Rules section
- Select EDIT
- In the Manage Traffic Assignments window
- Select Default
- In Device Traffic Rules window, configure the following:
- Select ADD RULE
- Next to Rank #1, under Application in the dropdown
- Select BambooHR, Chrome and Android Workspace
- Under Action from the dropdown
- Select PROXY
- Under Web Proxy
- type certproxy.vidmpreview.com:5262
- Under Destination
- type *.vidmpreview.com
- Next to Rank #2, under Application leave (all other Apps); under Action
- Select BYPASS
- Select SAVE
- On the Are you sure you want to continue? window
- Select OK
- Under Manage Traffic Assignments
- Select CLOSE
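The Device Traffic Rules just configured decide, per app and per destination, whether traffic goes to the cert proxy or bypasses the tunnel. The Python model below is an added example, not part of the lab or of VMware Tunnel: it evaluates the two rules above in rank order, matches *.vidmpreview.com to sub-domains only (so look-alike hosts are never proxied), and reports NO_RULE for traffic that matches neither rule, such as BambooHR's own bamboohr.com traffic; that NO_RULE outcome is an assumption of this model, not documented Tunnel behaviour.

```python
from typing import Optional, Tuple

# Constructed from the lab's Tunnel Configuration page (Part 4):
# rank 1 proxies the SSO apps' *.vidmpreview.com traffic to the cert proxy,
# rank 2 lets every other app bypass the tunnel.
TRAFFIC_RULES = [
    {"rank": 1, "apps": {"BambooHR", "Chrome", "Android Workspace"},
     "destinations": ["*.vidmpreview.com"],
     "action": "PROXY", "web_proxy": "certproxy.vidmpreview.com:5262"},
    {"rank": 2, "apps": None,  # None models "(all other Apps)"
     "destinations": ["*"],
     "action": "BYPASS", "web_proxy": None},
]


def host_matches(host: str, pattern: str) -> bool:
    """'*' matches any host; '*.example.com' matches sub-domains of
    example.com only, never example.com itself and never look-alikes such as
    evilexample.com or example.com.attacker.test; other patterns match exactly."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def decide(app: str, host: str) -> Tuple[Optional[int], str, Optional[str]]:
    """Return (rank, action, web_proxy) of the first rule, in rank order, whose
    app list contains the app (or, for the all-other-apps rule, whose app is
    listed nowhere else) and whose destinations match the host.
    Assumption of this model: traffic matching no rule is reported as NO_RULE
    so the gap is visible instead of being silently bypassed."""
    listed = set().union(*(r["apps"] for r in TRAFFIC_RULES if r["apps"]))
    for rule in sorted(TRAFFIC_RULES, key=lambda r: r["rank"]):
        app_ok = app in rule["apps"] if rule["apps"] else app not in listed
        if app_ok and any(host_matches(host, d) for d in rule["destinations"]):
            return rule["rank"], rule["action"], rule["web_proxy"]
    return None, "NO_RULE", None


if __name__ == "__main__":
    for app, host in [("BambooHR", "livefire.vidmpreview.com"),
                      ("BambooHR", "SLGB55.bamboohr.com"),
                      ("Maps", "maps.example.test"),
                      ("Chrome", "evilvidmpreview.com")]:
        print(app, host, "->", decide(app, host))
```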
- Switch to your enrolled Android Emulator or physical Android device
- Wait until all your apps have been deployed on your device, that being Workspace ONE Tunnel, BambooHR & Chrome.
- Select your WORK Profile
- Select your Tunnel Application
- In the Tunnel application, select CONTINUE
- In the Privacy window, select I UNDERSTAND
- In Data Sharing window, select I AGREE
- On the Connection request window (Tunnel wants to set up a VPN connection), select OK
Part 5: Testing Mobile SSO for Android
- Testing Mobile SSO for BambooHR
- On your Android Device select your BambooHR application
- In the BambooHR window type in your custom domain in the yourdomain.bamboohr.com section
- e.g. globalrn.bamboohr.com
- Select Continue
- Select the LOG IN button
- On the Welcome to Chrome window select Accept & Continue
- On the Sign in to Chrome select No thanks
- On the Workspace ONE console enter your username and select Next.
- Notice that you were logged in without needing to provide a password. This means Mobile Single Sign-On was successful.
Proceed to the next lab.
About the Author
Reinhart Nel
https://www.livefire.solutions/meet-the-team/reinhartnel/
For any questions please email Reinhart at [email protected]