Enabling the Certificate Authentication for web-based access to Workspace ONE on Windows and macOS
This post walks through the configuration and implementation of the Certificate Authentication adapter for Workspace One, enabling Windows/macOS devices to SSO into Workspace One using user certificates.
In this setup we will be using certificates generated by the corporate Microsoft Certificate Authority, using Active Directory Certificate Services.
1. Log into your server that runs the Microsoft Certificate Authority.
2. Open the Certification Authority, right-click Certificate Templates, and select Manage.
3. Scroll down to the User template, right-click and select Duplicate Template.
4. Select the General tab, and provide a name for the template.
Template Display Name (Example): EUCSE-User
5. Select the Subject Name tab, and select the button to Supply in request.
Click OK when the prompt appears.
6. Click OK.
7. Go back to the Certification Authority. Under Certificate Templates, right-click and select New -> Certificate Template to Issue.
8. Select the template created in Steps 4-6 and click OK.
9. On the same server, launch MMC. Go to File -> Add/Remove Snap-In.
10. Add in the Certificates snap-in, ensure you select Computer Account, and click OK.
11. Browse to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.
Right-click the root certificate for the CA, and select Open.
12. Click on the Details tab, and click Copy to File….
13. Click Next at the Certificate Export Wizard window.
14. Select Base-64 encoded X.509 as the format and click Next.
15. Click Browse to add in a file path for the certificate export, and click Next.
16. Click Finish – Ensure the export was successful. Click OK.
17. Transfer the exported certificate to your local machine.
18. Log into the AirWatch Console.
19. In the OG where Directory Services is enabled, go to Groups and Settings -> All Settings -> System -> Enterprise Integration -> Certificate Authorities.
20. Under the Certificate Authorities tab, click Add.
21. Provide the configuration items for the Certificate Authority.
Name: Certificate Authority Name
Authority Type: Microsoft ADCS
Protocol: ADCS
Server Hostname: FQDN of the Certificate Authority
Authority Name: Name of the Certification Authority in MMC
Authentication: Service Account
Username: Domain account to request certificates
Password: Password for username above
Click Test Connection. Confirm that the test is successful.
22. Click Save.
23. Select the Request Templates tab, and click Add.
24. Provide the following configuration items in the Request Template.
Name: Request Template Name
Certification Authority: Name of the Authority configured in Step 12.
Issuing Template: Name of the certificate template in AD CS
Subject Name: CN={EnrollmentUser}
Private Key Type: Signing, Encryption
SAN Type:
User Principal Name: {UserPrincipalName}
DNS Name: UDID={DeviceUid}
Enable Certificate Revocation: Checked
Click Save.
25. Log into the VMware Identity Manager administration console.
26. Go to Identity & Access Management -> Authentication Methods.
27. Select the Certificate (Cloud Deployment).
28. Click the checkbox to Enable Certificate Adapter.
Click Select File and upload the root certificate downloaded in Step 17.
29. Click Save to update the authentication adapter.
30. Select the Built-in Identity Provider and enable Certificate (Cloud deployment).
31. Go to Identity & Access Management ->Policies.
32. Select the default_access_policy_set policy and click edit.
33. Under Policy Rules, modify the existing Web Browser policy by clicking the authentication method.
34. Click Save on the default_access_policy_set policy.
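Steps 9 to 17 above export the root CA certificate through the MMC Certificate Export Wizard. The following PowerShell script is an added example, not part of the original post or of any VMware or Microsoft tooling, that does the same export from the Trusted Root store on the CA server and checks that the certificate selected really is a self-signed CA certificate before it is uploaded as a trust anchor to the Certificate adapter. `$CaCommonName` and `$OutFile` are assumed placeholder values; substitute the CN shown for your CA in MMC.

```powershell
# Added example (not from the original post): export the enterprise root CA certificate
# from the CA server's Trusted Root store as Base-64 encoded X.509 (PEM), the format
# selected in the Certificate Export Wizard in Step 14. Run in an elevated PowerShell
# session on the CA server.

$CaCommonName = 'EUCSE-Root-CA'                         # ASSUMED: CN of your root CA as shown in MMC
$OutFile      = "$env:USERPROFILE\Desktop\root-ca.cer"  # ASSUMED: export path

# Select the root certificate: self-signed (Subject equals Issuer) and matching the CN.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "CN=$CaCommonName*" }

if (-not $root) {
    throw "No self-signed certificate with CN=$CaCommonName found in Cert:\LocalMachine\Root"
}
if (@($root).Count -gt 1) {
    throw "Multiple certificates match CN=$CaCommonName; narrow the CN or select by thumbprint"
}

# Confirm the Basic Constraints extension (OID 2.5.29.19) marks it as a CA before it is
# trusted as an anchor; a leaf certificate that happened to land in the Root store must not be used.
$basicConstraints = $root.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not ($basicConstraints -and $basicConstraints.CertificateAuthority)) {
    throw "Certificate $($root.Thumbprint) is not marked as a CA (cA=TRUE) in Basic Constraints"
}

# Export the DER bytes and wrap them as PEM; InsertLineBreaks gives the usual 64-character lines.
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [System.Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding ascii

Write-Host "Exported $($root.Subject)"
Write-Host "  Thumbprint : $($root.Thumbprint)"
Write-Host "  Expires    : $($root.NotAfter)"
Write-Host "  File       : $OutFile"
```

The thumbprint and expiry printed at the end are worth recording with the change: when the root certificate is renewed, the copy uploaded to the Certificate adapter in Step 28 has to be replaced as well, otherwise newly issued user certificates will stop chaining to a trusted root on the Identity Manager side.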
Validate Access to Workspace ONE using a Web Browser on a device with a managed certificate
1. Log into the Workspace One UEM console.
2. Go to Add -> Profile, and select Windows -> Windows Desktop -> User Profile.
3. Fill out the details in the General tab, and ensure that the profile is applied to a Smart Group.
4. Click Configure the Credentials payload, and configure the credential to the following:
Credential Source: Defined Certificate Authority
Certificate Authority: Name of CA defined in above, Step 21
Certificate Template: Name of Template defined above, Step 24
Certificate Store: Personal
Store Location: User
5. Click Save and Publish, then Publish the profile.
6. Enroll a Windows 10 device into the Workspace One UEM environment.
7. In Workspace One UEM, validate that the profile created in Steps 2-5 has been successfully installed and reported to the console.
8. On the Windows 10 device, launch MMC and add in the Certificates snap-in for My User account.
9. Browse to Certificates – Current User->Personal -> Certificates.
Validate that the enrolled user certificate is present here, signed by the Enterprise CA. This certificate has been delivered to the device by AirWatch through that profile.
10. Launch Edge on the Windows 10 device. Type in the URL of the VMware Identity Manager tenant.
Click Next.
11. When prompted, click OK to confirm the certificate being presented to the web browser.
NOTE: There is a setting in Internet Options to remove this prompt if one certificate is being presented for authentication to the browser.
12. The session will be redirected to cas.vmwareidentity.com, and then to the VMware Identity Manager tenant.
Confirm access to the Workspace ONE web portal is granted without having to type in a username/password.
This authentication was completed using the Certificate (cloud deployment) adapter.
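Steps 8 and 9 above check the delivered user certificate by eye in MMC. The script below is an added example, not code from the original post or from Workspace ONE, that performs the same validation on the enrolled Windows 10 device from PowerShell: it looks for a certificate in the user's Personal store issued by the enterprise CA, confirms the SAN entries produced by the request template in Step 24 (the UPN and the `UDID={DeviceUid}` DNS name) are present, confirms the Client Authentication EKU the browser needs for certificate authentication, and builds the chain with online revocation checking. `$IssuerCommonName` and `$ExpectedUpn` are assumed placeholder values; set them to your issuing CA's CN and the enrollment user's UPN.

```powershell
# Added example (not from the original post): validate the user certificate delivered by the
# Credentials payload on the enrolled Windows 10 device. Run as the enrolled user.

$IssuerCommonName = 'EUCSE-Issuing-CA'   # ASSUMED: CN of the CA that signs the user certificates
$ExpectedUpn      = 'user@corp.example'  # ASSUMED: UPN of the enrollment user (from {UserPrincipalName})

# The certificate must sit in the user's Personal store (Cert:\CurrentUser\My), be issued by
# the enterprise CA and have its private key available, otherwise the browser cannot present it.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "CN=$IssuerCommonName*" -and $_.HasPrivateKey }

if (-not $certs) {
    throw "No certificate issued by CN=$IssuerCommonName with a private key found in Cert:\CurrentUser\My"
}

foreach ($cert in $certs) {
    # Subject Alternative Name (OID 2.5.29.17). Format($true) renders the entries as text such as
    # "Principal Name=user@corp.example" and "DNS Name=UDID=<device id>", which is what the
    # request template's SAN Type settings (User Principal Name, DNS Name) should have produced.
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    $hasUpn  = $sanText -match [regex]::Escape("Principal Name=$ExpectedUpn")
    $hasUdid = $sanText -match 'DNS Name=UDID='

    # Extended Key Usage (OID 2.5.29.37) must include Client Authentication (1.3.6.1.5.5.7.3.2),
    # or the browser will not offer the certificate for TLS client authentication.
    $eku        = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $clientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }))

    # Build the chain to a trusted root with online revocation checking, so a certificate that
    # has been revoked (for example after the device was unenrolled) is reported rather than
    # silently accepted. ChainStatus lists the reasons when the build fails.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $rootSubject = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasUpnSan     = $hasUpn
        HasUdidSan    = $hasUdid
        ClientAuthEku = $clientAuth
        ChainValid    = $chainOk
        ChainStatus   = if ($chainOk) { 'OK' } else { $chainStatus }
        ChainRoot     = $rootSubject
    }
}
```

A row with `ChainValid` false and `ChainStatus` of `RevocationStatusUnknown` or `OfflineRevocation` usually means the device cannot reach the CRL distribution point published by the CA rather than a bad certificate; the same reachability matters for the Identity Manager side when revocation checking is enabled on the adapter.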
Sales Engineer specialising in Unified Endpoint Management (UEM) and Identity Management.
Technical Expertise:
- Okta – Identity Management – Providing single sign on services to applications
- VMware Workspace ONE – Configuring and managing AirWatch components across all device types.
- Digital Transformation – Helping organisations implement and deploy a modern strategy for UEM
- Networking – VPN, DNS, DHCP
- Device Management – macOS, iOS, Android, Windows and Rugged Devices
- Cloud Solutions – Azure, Office 365, Identity Providers, VMware AirWatch
- Server – Windows Server, Active Directory, Exchange
Andrew
January 18, 2019
This is an excellent way to configure SSO and I would add that it can be chained with additional authentication methods such as VMware Verify to ensure that the user accessing the Identity Manager portal is the user that the certificate has identified.
Charlie Hodge
March 1, 2019
Awesome point Andrew, you could add a whole bunch of stuff like integration to third-party IdP’s as well! You should get a blog on here Andrew!
Integration of Workspace One with Access (vIDM) and OKTA as 3rd Party IDP - vDXB
May 9, 2020
[…] Workspace One – Enabling Certificate Based Access – Windows 10/mac: https://blog.eucse.com/workspace-one-enabling-certificate-based-access-windows-10-mac/ […]