In this blog post, we will walk through the steps to configure iOS Mobile SSO.
This post assumes that your Workspace ONE UEM and Workspace ONE Identity Manager environments have not previously been integrated.
It also assumes that you already have an Enterprise Cloud Connector installed and syncing with Workspace ONE UEM.
In this blog, we'll cover:
- Configure Workspace ONE Identity in the UEM Console
- Enable Active Directory Basic
- Enable Mobile SSO
- Basic Troubleshooting
Validation of Prerequisites
- Log into Workspace ONE UEM -> Global Settings -> All Settings -> System -> Enterprise Integration -> Cloud Connector
- Ensure AirWatch Cloud Connector is enabled
- Perform a Test Connection. Make sure the connection is active
- Click on Directory Services from the left menu
- Ensure your directory has been configured and you can perform a successful test connection
- Close Settings and go to Accounts in the main left-hand menu of Workspace ONE UEM
- Make sure you have users being synchronized into Workspace ONE UEM
Step 1: Configure Workspace ONE Identity in the UEM Console
Although this step is not strictly required to get Mobile SSO working, I highly recommend configuring it, as it is required for Device Compliance, Unified Catalog and UEM Password Authentication.
In previous versions of Workspace ONE UEM, a lot of manual configuration was required to enable Workspace ONE Identity. Using the wizard in Workspace ONE UEM, we can automate many of these tasks.
Click on Getting Started
- Under Workspace ONE -> Begin Setup
- Under Identity and Access Management -> Click Configure for "Connect to VMware Identity Manager"
- Click Continue
- Enter your Tenant URL, User name, and Password
- Click Save
- If you check your Workspace ONE Identity tenant, you will see that the AirWatch configuration has been completed: Identity & Access Management -> Setup -> AirWatch
Step 2: Enable Active Directory Basic
VMware recommends you download and install the VMware Identity Manager connector to synchronize users from your Active Directory to Workspace ONE Identity. However, for the purpose of this blog we are going to leverage the built-in capabilities of Workspace ONE UEM to provision users directly into Workspace ONE Identity.
- In Workspace ONE UEM, Groups & Settings -> All Settings -> System -> Enterprise Integration -> VMware Identity Manager -> Configuration
- You will see under the server settings that "Active Directory Basic" is disabled
- Click "Enabled" beside Active Directory Basic
- You will be prompted to enter your password
- Click Next
- Enter a name for your directory (this will be the name of the directory in Workspace ONE Identity). You can leave Enable Custom Mapping at the standard setting
- Click Save
- If everything worked successfully, you should see a new directory appear in Workspace ONE Identity with your synchronized users:
Step 3: Enable Mobile SSO
- Let's go back to the "Getting Started" section of Workspace ONE UEM
- Under Workspace ONE -> Continue
- Under Identity & Access Management -> Mobile Single-Sign-On, click Configure
- Click "Get Started"
- Click Configure to use the AirWatch Certificate Authority
- Click Start Configuration
- Click Finish when complete
- Click Close
Basic Troubleshooting
There are a variety of reasons that Mobile SSO can fail. Let's go over a few of the common ones.
- You are prompted for a username/password or the Workspace ONE domain chooser when doing Mobile SSO
The problem here is that Mobile SSO has failed and Workspace ONE Identity is triggering the fallback authentication mechanism. For the purpose of troubleshooting, I recommend removing the fallback mechanism: in the iOS policy, remove Certificate Authentication and Password (Local Directory). When you test again, you will be prompted with an error message instead.
- You are prompted with the error message "Access denied as no valid authentication methods were found"
a) Check to make sure the "Ios_Sso" profile was pushed to the device. By default, when the profile is created it does not have an assignment group. If it doesn't, create a smart group, assign the profile and publish it.
- You receive the error "The required field “Keysize” is missing" when deploying the iOS Mobile SSO profile
Something went wrong with the import of the KDC certificate from Workspace ONE Identity to UEM.
a) Log into Workspace ONE Identity -> Identity & Access Management -> Identity Providers -> Built-In and download the KDC Certificate
b) Now switch back to UEM, Devices -> Profiles & Resources -> Profiles
c) Edit the iOS profile
d) Click Credentials and re-upload the KDC certificate
- You receive the message "Kerberos NEGOTIATE failed or was cancelled by the user"
Unfortunately this is a catch-all error message for Mobile SSO failures and could be caused by many things. I'll try to cover some of the common reasons here:
a) In Workspace ONE UEM, check your iOS Mobile SSO profile -> Single Sign-on. Verify the Realm is correct. For production it should be "VMWAREIDENTITY.COM". However, if you have a localized cloud tenant, this can be different (VMWAREIDENTITY.EU, VMWAREIDENTITY.ASIA, VMWAREIDENTITY.CO.UK, VMWAREIDENTITY.COM.AU, VMWAREIDENTITY.CA, VMWAREIDENTITY.DE). For non-production, you might be on the vidmpreview.com domain. If this is the case, it should be "VIDMPREVIEW.COM"
b) When you use the wizard to create the Mobile SSO configuration, it will automatically add the application bundle IDs for which Mobile SSO is allowed. You will need to either enter all your application bundle IDs into the profile or optionally delete them all. If you don't specify any bundle IDs, all applications are allowed. For a POC, I recommend leaving this blank.
c) Mobile SSO on iOS is based on Kerberos. The Kerberos negotiation works over port 88 on UDP. Ensure that your firewall is not blocking this port.
d) The built-in AirWatch Certificate Authority uses the username (usually sAMAccountName) as the principal name on the certificate provisioned to the device. The Kerberos negotiation uses that username to formulate a user principal name, which needs to match the one in Workspace ONE Identity. A problem can occur when organizations define their UPN with a different prefix than the sAMAccountName: if my username is "jdoe" but my UPN is "john.doe@domain.com", Mobile SSO will fail. In this scenario, we can:
i) Sync the correct UPN prefix as a custom attribute into Workspace ONE UEM and provision that on the certificate
ii) Sync sAMAccountName as the UPN in Workspace ONE Identity (note: this can have potential issues with downstream applications, but you can always pull the UPN as a custom attribute as well)
iii) Use a custom certificate authority in Workspace ONE UEM and configure a Kerberos template with the correct values.
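As an added example (not from the original post and not VMware code), here is a small Python pre-flight check for two of the causes above: it validates the Realm value from item a) against the realm list given there, and flags directory users whose UPN prefix differs from their sAMAccountName, the mismatch described in item d). It assumes you have exported the Realm field from the Ios_Sso profile and a list of directory users with sAMAccountName and userPrincipalName; the sample users below are constructed.

```python
"""Pre-flight checks for two Mobile SSO failure causes (items a and d).
Constructed example, not VMware code: it assumes the Realm was exported
from the Ios_Sso profile and users were exported from the directory."""

# Realms listed in the post for production tenants, plus the preview domain.
KNOWN_REALMS = {
    "VMWAREIDENTITY.COM", "VMWAREIDENTITY.EU", "VMWAREIDENTITY.ASIA",
    "VMWAREIDENTITY.CO.UK", "VMWAREIDENTITY.COM.AU", "VMWAREIDENTITY.CA",
    "VMWAREIDENTITY.DE", "VIDMPREVIEW.COM",
}


def check_realm(realm):
    """Return a list of problems with the profile's Realm field (empty = OK)."""
    problems = []
    cleaned = realm.strip()
    if cleaned != realm:
        problems.append("realm has leading or trailing whitespace")
    if cleaned != cleaned.upper():
        # Kerberos realm names are case-sensitive; the tenant realms are upper case.
        problems.append("realm is not upper case")
    if cleaned.upper() not in KNOWN_REALMS:
        # Catches typos such as a comma instead of a dot in the realm.
        problems.append("realm %r is not a known Workspace ONE Identity realm" % cleaned)
    return problems


def upn_mismatches(users):
    """Map sAMAccountName -> reason for users whose UPN prefix will not match
    the certificate principal issued by the built-in AirWatch CA."""
    findings = {}
    for user in users:
        sam = user["sAMAccountName"]
        prefix, _, _domain = user["userPrincipalName"].partition("@")
        if sam == prefix:
            continue
        if sam.lower() == prefix.lower():
            findings[sam] = "UPN prefix differs only in case from sAMAccountName"
        else:
            findings[sam] = "UPN prefix %r differs from sAMAccountName" % prefix
    return findings


# Constructed sample directory export (not real accounts).
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "john.doe@domain.com"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@domain.com"},
    {"sAMAccountName": "BJones", "userPrincipalName": "bjones@domain.com"},
]
```

Run `check_realm` on the Realm string from your profile and `upn_mismatches` on your real directory export; any user it lists will need one of the three remedies from item d).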