Windows SSO

External Links:

Configuration

  • You must have a CA with template for SSO. Refer to MobileSSO for iOS for configuring internal AirWatch CA with SCEP protocol.
  • Check WS1 Access network ports.

Certificate Chain

  • From version of vIDM 1903+ Cert Auth Service port TCP7443 must be opened for vIDM Appliance (regardless of connector).
  • Also certificate chain and private key must be pasted into vIDM Appliance Admin Portal (accessed via port TCP8443).

Reference document - https://docs.vmware.com/en/VMware-Identity-Manager/19.03/vidm-install/GUID-B625A0BA-2991-4F46-9D41-A1BD8C4D8BE2.html

On AirWatch / Workspace ONE UEM side

  • If inner AirWatch CA/SCEP is used, go to Groups & Settings → All Settings → Enterprise Integration → Workspace ONE Access → Configuration, click Certificate → EXPORT button
  • Go to Devices → Profiles & Resources → Profiles → ADD → Add Profile → Windows → Windows Desktop → User Profile and make a User profile
Warning

There is also a Windows Desktop → Device Profile. Do NOT use it for SSO/Conditional Access, it will not work!

  • Give it a Name. Example: “Win10 SSO”. Select a group in Smart Groups. For example, choose all devices (World icon)

  • Go to SCEP tab/payload, and set:

    Credential Source: **AirWatch Certificate Authority
    **Certificate Template: **Certificate (Cloud Deployment)
    **Issuer: CN=<Issuer name in certificate, example = name of current Organization Group>

On vIDM / Workspace One Access side

  • Go to Identity & Access Management → Manage and select Authentication Methods
  • Choose Certificate (Cloud Deployment) authentication method (pencil icon)
  • Check the Enable Certificate Adapter, then Select File and upload the Certificate (*.cer) which you downloaded from the AirWatch CA/SCEP from the step above, or from ADCS Domain CA
  • Click Save
  • Go to Identity & Access Management →  Identity Providers, click on Built-in IF you are NOT using the ESC connector. If you are using the Connector, choose it in the list
  • Find Authentication Methods area and select Certificate (Cloud Deployment) check box, then click Save
  • Go to Identity & Access Management → Policies and select default_access_policy_set, select Edit
  • In Configuration tab, ALL RANGES, select Device Type = Windows 10, and in “**then the user may authenticate using “**choose Certificate (Cloud Deployment)
  • (Optional) In “if the preceding method fails or is not applicable, then” choose Password (Cloud Deployment)
  • (Optional) Select the (****+) ADD FALLBACK METHOD and in “If the preceding method fails or is not applicable, then” select Password ( Local Directory)

Windows 10 Device Tests and Checks

  • On enrolled Win10 device, open MMC, select Menu File → Add/Remove Snap-In…, select My User Account

  • Check Personal folder to see that the profile certificate was delivered

  • Use Hub to access vIDM/Workspace ONE Access portal.

Troubleshooting certificate issues

CertificateAuthAdapterBase function header for requesting the certificate from Windows:

//function names & var names obfuscated
 
protected X509Cert[] getCert(@Nonnull String tenantId,
                             @Nonnull HttpServletRequest request,
                             @Nonnull HttpServletResponse response,
                             @Nonnull Map<String, String> attribVal,
                             @Nullable Map<String, String> inputParam) throws AuthAdapterConfigException { ... }
 
 
X509Cert[] certs = getCert(tenantId, request, response, attribVal, inputParam);
        if (certs == null || certs.length == 0) {
            logger.info("No certificates were provided by the browser"); // --> horizon.log
            if (certs == null) {
                adapterResponse.setStatus(AuthnAdapterResponse.AuthnStatus.FAILURE);
                logger.info(logId + " authentication failure, no certificate provided"); // --> horizon.log

getCert method returns the certificate, received from client browser HTTP-request. If not, it logs errors in horizon.log file on WS1 Access/vIDM.