The Challenge
More and more customers are looking to migrate away from on-premises enterprise components and reduce their internal corporate hosting needs. In the current global situation, leveraging cloud resources to enable zero-trust authentication into corporate resources from anywhere has never been more relevant.
In this article we’ll look at how to implement certificate-based single sign-on into Workspace ONE Access, using Workspace ONE UEM to provision the certificates, all from the cloud. No enterprise CA needed! Below is a step-by-step guide.
Implementation
Assumptions:
- Admin access to a Workspace ONE UEM console
- Admin access to a Workspace ONE Access console
- Integration between Workspace ONE UEM and Workspace ONE Access has been completed
- Users added into Workspace ONE Access either via Workspace ONE UEM API or synced into Workspace ONE Access via Access Connector
- Users within Workspace ONE UEM and Workspace ONE Access match
Configuring the Certificate (Cloud Deployment) settings is very straightforward; follow the step-by-step guide below to configure it for yourself!
- Export the issuer certificate from Workspace ONE UEM. Within the UEM console navigate to Groups & Settings->All Settings->System->Enterprise Integration->Workspace ONE Access->Configuration
- Provided that you’ve already set up the integration between Workspace ONE UEM and Access, you’ll have an ‘Export’ button at the bottom of the page to download the issuer certificate.
- We now need to upload this certificate into the Workspace ONE Access console. Within the Access admin console, navigate to Identity & Access Management->Authentication Methods and click on the pencil next to ‘Certificate (Cloud Deployment)’.
- Upload the certificate downloaded from Workspace ONE UEM and enable the adapter. You will also need to change the ‘User Identifier Search Order’ to email | subject | upn. You’ll end up with settings that mirror the ones shown, but with your own CN.
- Now that we have our certificate in the Access console, we need to associate this authentication method with our identity provider
- Navigate to Identity & Access Management -> Identity Providers and click ‘Built-in’
- In the Authentication Methods section tick ‘Certificate (Cloud Deployment)’ Associated Authentication Method
- Now that the certificate has been added and enabled for our IdP, we need to edit our login policies to allow devices to use that certificate. Navigate to Identity & Access Management->Policies and select the policy that we want this to apply to. I’m using the default_access_policy_set.
- Edit the policy and, under Configuration, add a new rule for Windows 10 and macOS.
- In the ‘then the user may authenticate user*’ drop-down, select ‘Certificate (Cloud Deployment)’. It would be a good idea to have a fallback method in there whilst you are testing so you don’t get locked out of the console.
- Now we need to push the certificate out to devices so that when they try and authenticate, we leverage the installed certificate.
- Navigate back to your Workspace ONE UEM console.
- Navigate to Devices->Profiles & Resources->Profiles and click ‘Add’
- Create a profile for macOS and a separate profile for Windows 10. Both need to be USER profiles.
- Scroll down to the ‘SCEP’ payload of the profile.
- Change ‘Credential Source’ to ‘AirWatch Certificate Authority’ and change ‘Certificate Template’ to ‘Certificate Cloud Deployment’.
- Save and assign the profile to your desired smart group, organisation group or user group.
- Test that the certificate has been installed:
- On a macOS device, open ‘System Preferences’ and go to ‘Profiles’; you should see your newly created profile in here under ‘User Profiles’.
- You can see that this profile has been pushed and added my username to the relevant parts of the cert. Accessing the Workspace ONE Access URL through a browser will give the following experience:
- On a Windows device, open the Start menu, type ‘mmc’, click File and ‘Add or Remove Snap-in’, then add Certificates. When prompted, select ‘My User Account’.
- This will then present the following under Certificates->Personal->Certificates
- As you can see, the certificate has now been installed on both devices. Accessing the Workspace ONE Access URL through a browser will give the following experience:
This will now allow end-users to log in to the Workspace ONE Access portal and the local Intelligent Hub application with a cloud-based certificate authority, meaning you don’t need to install anything on-premises! Result!
Sales Engineer specialising in Unified Endpoint Management (UEM) and Identity Management.
Technical Expertise:
- Okta – Identity Management – Providing single sign-on services to applications
- VMware Workspace ONE – Configuring and managing AirWatch components across all device types
- Digital Transformation – Helping organisations implement and deploy a modern strategy for UEM
- Networking – VPN, DNS, DHCP
- Device Management – macOS, iOS, Android, Windows and Rugged Devices
- Cloud Solutions – Azure, Office 365, Identity Providers, VMware AirWatch
- Server – Windows Server, Active Directory, Exchange
Rob
May 11, 2020
Don’t forget to leverage the Identity Preferences in the Credentials payload in UEM 2005 and later for macOS — this way you can auto-choose the cert for the WS1 Access instance. It basically bakes in support for the stuff documented here: https://techzone.vmware.com/blog/managing-identity-preferences-streamline-single-sign-macos