The Challenge

More and more customers are looking to migrate away from on-premise enterprise components and reduce corporate internal hosting needs. In our current global situation, leveraging cloud resources to enable zero-trust authentication into corporate resources from anywhere has never been more relevant.

In this article we’ll look at how to implement single sign-on into Workspace ONE Access using Workspace ONE to provision the certificates, all from the cloud. No enterprise CA needed! Below is a step-by-step guide. Before you start, you will need:



  • Admin access to a Workspace ONE UEM console
  • Admin access to a Workspace ONE Access console
  • Integration between Workspace ONE UEM and Workspace ONE Access has been completed
  • Users added into Workspace ONE Access either via Workspace ONE UEM API or synced into Workspace ONE Access via Access Connector
  • Users within Workspace ONE UEM and Workspace ONE Access match

Configuring the Certificate (Cloud Deployment) settings is very straightforward. Follow the step-by-step guide below to configure it for yourself!

  • Export the issuer certificate from Workspace ONE UEM. Within the UEM console, navigate to Groups & Settings->All Settings->System->Enterprise Integration->Workspace ONE Access->Configuration.
  • Provided that you’ve already set up the integration between Workspace ONE UEM and Access, you’ll have an ‘Export’ option at the bottom of the page to download the issuer certificate.
  • We now need to upload this certificate into the Workspace ONE Access console. Within the Access admin console, navigate to Identity & Access Management->Authentication Methods. Click on the pencil next to ‘Certificate (Cloud Deployment)’.

  • Upload the downloaded certificate from Workspace ONE UEM and enable the adapter. You will also need to change the ‘User Identifier Search Order’ to email | subject | upn. You’ll end up with settings that should mirror these but with your own CN.
  • Now that we have our certificate in the Access console, we need to associate this authentication method with our identity provider.
  • Navigate to Identity & Access Management->Identity Providers and click ‘Built-in’.
  • In the Authentication Methods section, tick ‘Certificate (Cloud Deployment)’ as an associated authentication method.
  • Now that the certificate has been added and enabled for our IdP, we need to edit our login policies to allow the devices to use that cert. Navigate to Identity & Access Management->Policies and select the policy that we want this to apply to. I’m using the default_access_policy_set.
  • Edit the policy and under configuration add a new rule for Windows 10 and macOS.
  • Under the ‘then the user may authenticate using*’ drop-down, select ‘Certificate (Cloud Deployment)’. It would be a good idea to have a fallback method in there whilst you are testing so you don’t get locked out of the console.
  • Now we need to push the certificate out to devices so that when they try to authenticate, we leverage the installed certificate.
  • Navigate back to your Workspace ONE UEM console.
  • Navigate to Devices->Profiles & Resources->Profiles and click ‘Add’.
  • Create a profile for macOS and a separate profile for Windows 10. Both need to be USER profiles.
  • Scroll down to the ‘SCEP’ payload of the profile.
  • Change ‘Credential Source’ to ‘AirWatch Certificate Authority’ and change ‘Certificate Template’ to ‘Certificate Cloud Deployment’.
  • Save and assign the profile out to your desired smart group, organisation group or user group.
  • Test that the certificate has been installed:
  • On a macOS device, open ‘System Preferences’ and go to ‘Profiles’. You should see your newly created profile here under ‘User Profiles’.

  • You can see that this profile has been pushed and added my username to the relevant parts of the cert. Accessing the Workspace ONE Access URL through a browser will give the following experience:
  • On a Windows device, open the Start menu, type ‘mmc’, click File and ‘Add or remove Snap-in’, then add Certificates. When prompted, select ‘My User Account’.
  • This will then present the following under Certificates->Personal->Certificates
  • As you can see, the certificate has now been installed on both devices. Accessing the Workspace ONE Access URL through a browser will give the following experience:

This will now allow end-users to log in to the Workspace ONE Access portal and the local Intelligent Hub application with a cloud-based certificate authority, meaning you don’t need to install anything on-premise! Result!
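
To go one step further than looking at the installed certificate, the following added example (not from the original article or from VMware) uses openssl to check that a certificate exported from a device verifies against the issuer certificate exported from Workspace ONE UEM and carries the expected email, the first identifier in the search order configured above. It assumes both files are PEM; the function names, file names and user identity are hypothetical, and the sample certificates are constructed on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example. Assumes PEM files; all names and identities are hypothetical.

# check_user_cert ISSUER_PEM USER_PEM EXPECTED_EMAIL
# Returns 0 if both checks pass, 1 if verification fails, 2 if the email differs.
check_user_cert() {
    issuer=$1 cert=$2 expected=$3
    # 1. Signature and validity period, checked against the exported issuer.
    if ! openssl verify -CAfile "$issuer" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $issuer"; return 1
    fi
    # 2. Email from the subject DN or SAN must equal the directory user's email
    #    (whole-line, case-insensitive match).
    if ! openssl x509 -in "$cert" -noout -email | grep -qixF "$expected"; then
        echo "FAIL: $cert does not carry email $expected"; return 2
    fi
    echo "OK: $cert verifies against $issuer and identifies $expected"
}

# Constructed sample data: a throwaway issuer, a user certificate it signs,
# and an unrelated self-signed certificate with the same subject.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Issuer" \
        -keyout "$d/issuer.key" -out "$d/issuer.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=jdoe/emailAddress=jdoe@example.com" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/issuer.pem" -CAkey "$d/issuer.key" \
        -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=jdoe/emailAddress=jdoe@example.com" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_user_cert "$tmp/issuer.pem" "$tmp/user.pem" jdoe@example.com
check_user_cert "$tmp/issuer.pem" "$tmp/other.pem" jdoe@example.com || true
rm -rf "$tmp"
```

For a real device, pass the issuer certificate exported from UEM and the user certificate exported from the keychain or the Personal certificate store, converted to PEM if needed.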
