Configure a Web Reverse Proxy for Identity Bridging (Certificate to Kerberos)

Configure the Unified Access Gateway bridging feature to provide single sign-on (SSO) to on-premises legacy non-SAML applications using certificate validation.

Prerequisites

Before starting the configuration process, make sure that you have the following files and certificates available:

Keytab file of a back-end application, such as Sharepoint or JIRA
Root CA certificate or the entire certificate chain with intermediate certificate for the user
You must have added and uploaded a certificate in the Workspace ONE UEM console. See Enable Workspace ONE UEM Console to Fetch and Use CA Certificates.

See the relevant product documentation to generate the root and user certificates and the keytab file for non-SAML applications.

Ensure that TCP/UDP port 88 is open since Unified Access Gateway uses this port for Kerberos communication with Active Directory.

Procedure

From Authentication Settings > X509 Certificate, go to:
1. At Root and Intermediate CA certificate, click Select and upload the entire cert chain.
2. Turn on the Enable Cert Revocation toggle.
3. Select the check box for Enable OCSP Revocation.
4. Enter the OCSP responder URL in the OCSP URL text box.
  Unified Access Gateway sends the OCSP request to the specified URL and receives a response that contains the information indicating if the certificate is revoked.
5. Select the check box Use OCSP URL from certificate only if there is a use case to send the OCSP request to the OCSP URL in the client certificate. If this is not enabled, then it defaults to the value in the OCSP URL text box.
From Advanced Settings > Identity Bridging Settings > OSCP settings, click Add.
1. Click Select and upload the OCSP signing certificate.
Select the Realm Settings gearbox icon and configure the Realm settings as described in Configure Realm Settings.
From General Settings > Edge Service Settings, select the Reverse Proxy Settings gearbox icon.

Turn on the Enable Identity Bridging Settings toggle, configure the following Identity Bridging settings, then click Save.

Option	Description
Authentication Types	Select CERTIFICATE from the drop-down menu.
Keytab	In the drop-down menu, select the configured keytab for this reverse proxy.
Target Service Principal Name	Enter the Kerberos service principal name. Each principal is always fully qualified with the name of the realm. For example, `myco_hostname@MYCOMPANY`. Type the realm name in uppercase. If you do not add a name to the text box, the service principal name is derived from the host name of the proxy destination URL.
User Header Name	For header-based authentication, enter the name of the HTTP header that includes the user ID derived from the assertion or use the default, AccessPoint-User-ID.

What to do next

When you use the Workspace ONE Web to access the target website, the target website acts as the reverse-proxy. Unified Access Gateway validates the presented certificate. If the certificate is valid, the browser displays the user interface page for the back-end application.

For specific error messages and troubleshooting information, see Troubleshooting Errors: Identity Bridging.