How to configure Android Single Sign on with Certificate Cloud Deployment, without VMware Tunnel

NOTE: Please check with your VMware rep to ensure the apps you test are supported, as there are app prerequisites for Certificate Authentication.

Workspace One UEM setup

Integrate UEM Console with VMware Identity Manager

This guide assumes the UEM Console integration with VMware Identity Manager has been completed.

Configure and deploy certificate through Workspace One UEM

Integrate with your CA and certificate template, and make sure the template meets the guidelines below.

Steps:

Subject Name

  • CN={DeviceUid}

Add SAN Type:

  • Email Address : {EmailAddress}
  • User Principal Name: {UserPrincipalName}


VMware Identity Manager setup

Configure “Certificate (Cloud Deployment)” as Authentication Method

Configure Certificate auth as the authentication method.

Steps:

In the VMware Identity Manager Console:

  1. Identity & Access Management > Authentication Methods > Certificate (Cloud Deployment).
  2. Enable Certificate Adapter.
  3. Upload the root and intermediate CA certificates; they must match the CA integrated with Workspace One UEM.
  4. Set User Identifier Search Order: email | upn | subject.
    1. Tip: You can troubleshoot which one to use by setting the identifier search to each one individually, testing authentication, and viewing what is pulled from the certificate in the Audit Report in the vIDM Console, under Dashboards > Reports.
  5. I recommend unchecking all the other boxes for troubleshooting purposes.


Enable Built-in Identity Provider to use Certificate (Cloud Deployment)

Steps:

In the VMware Identity Manager Console:

  1. Identity & Access Management > Identity Providers
  2. Open the “Built-In” provider.
  3. Enable “Certificate (Cloud Deployment)” as one of the authentication methods.


Set Policy Rule for Android to use Certificate & Device Compliance as authentication

Configure authentication policy for Android to Certificate (Cloud Deployment) & Device Compliance.

Steps:

In the VMware Identity Manager Console:

  1. Identity & Access Management > Policies > Create a New Policy.
  2. Set the policy to apply to the relevant application you are testing.
  3. Configure a Policy Rule for Android, and set authenticate using:
    1. Certificate (Cloud Deployment), and
    2. Device Compliance (with AirWatch).


Troubleshooting

Validate correct certificate is on the device

Validate that the correct certificate is present on the device.

The Subject Name of the certificate should be CN={DeviceUid}.

The SAN should match the Email or UPN in VMware Identity Manager, and should match the User Identifier Search Order set in the Authentication Method setup.

  • Tip: iOS devices show the certificate’s full SAN attributes. You can enroll an iOS device, receive the Certificate from UEM, and validate the SAN values are correct.

Ensure correct Policy Rule is being activated

Check that other Policy Rules, including the default Policy, are not interfering with the authentication process.

You can edit the Error Messages that show up

For troubleshooting purposes, remove all other authentication methods from the policy, so that you are only testing Certificate auth.

Set correct User Identifier Search Order (email | upn | subject)

You can troubleshoot which one to use by setting the identifier search to each one individually, testing authentication, and viewing what is pulled from the certificate in the Audit Report in the vIDM Console, under Dashboards > Reports.
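To check that a device certificate matches the template above (CN={DeviceUid}, SAN Email Address and User Principal Name) and to see which value each User Identifier Search Order setting would select, here is an added Python example using the `cryptography` library; it is not part of the original article or of any VMware tooling. Because no UEM-issued certificate is on the page, it builds a constructed self-signed certificate in the template's shape, and it assumes the UPN SAN entry is the standard Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) and that the search order picks the first source that has a value.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Microsoft User Principal Name otherName OID (assumed to be the SAN type used for {UserPrincipalName}).
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def build_test_cert(device_uid, email, upn):
    """Self-signed cert shaped like the UEM template (constructed sample, not a UEM-issued cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_uid)])  # CN={DeviceUid}
    upn_bytes = upn.encode()  # UPN otherName value is a DER UTF8String (tag 0x0C, short-form length)
    san = x509.SubjectAlternativeName([
        x509.RFC822Name(email),  # SAN Email Address: {EmailAddress}
        x509.OtherName(UPN_OID, b"\x0c" + bytes([len(upn_bytes)]) + upn_bytes),  # SAN UPN
    ])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(san, critical=False)
            .sign(key, hashes.SHA256()))


def extract_identifiers(cert):
    """Return the three values the search order can select: email, upn and subject (CN)."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    ids = {"email": None, "upn": None, "subject": cn[0].value if cn else None}
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return ids  # no SAN at all: only the subject search can succeed
    emails = san.get_values_for_type(x509.RFC822Name)
    ids["email"] = emails[0] if emails else None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            ids["upn"] = other.value[2:].decode()  # strip tag + 1-byte length (UPN < 128 bytes)
    return ids


def resolve_user_identifier(cert, search_order):
    """Mimic the User Identifier Search Order: the first source in search_order with a value wins."""
    ids = extract_identifiers(cert)
    for source in search_order:
        if ids.get(source):
            return source, ids[source]
    return None, None  # nothing usable: expect a LOGIN_ERROR in the Audit Events
```

For a real device certificate, load it with x509.load_pem_x509_certificate(pem_bytes) and pass it to resolve_user_identifier in place of the constructed one.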

Review Audit Events

In VMware Identity Manager, under Dashboard > Reports > Audit Events > Show, you can view the recent authentication attempts. Look for events similar to:

  • LOGIN_ERROR failed
  • LOGIN (Certificate (Cloud Deployment))
  • LOGIN (Certificate (Cloud Deployment), Device Compliance (with AirWatch))
  • LOGIN failed

The details of these events should show whether VMware Identity Manager was able to pull the user from the certificate, which policy rule was used, and whether the login failed or succeeded.

Version history
Revision #: 1 of 1
Last update: 08-01-2018 05:10 PM