Configure the Unified Access Gateway bridging feature to provide single sign-on (SSO) to on-premises legacy non-SAML applications using certificate validation.


Before starting the configuration process, make sure you have the following available:

  • Keytab file of a back end application, such as SharePoint or JIRA

  • Root CA certificate or the entire certificate chain with intermediate certificate for the domain.


  1. From Authentication Settings > X509 Certificate:
    1. At Root and Intermediate CA certificate, click Select and upload the entire cert chain.
    2. At Enable Cert Revocation, set the toggle to Yes.
    3. Select the checkbox for Enable OCSP Revocation.
    4. Enter the OCSP responder URL in the OCSP URL field. Unified Access Gateway will send the OCSP request to the URL in this field and receive the response containing information indicating whether or not the certificate is revoked.
    5. Select the checkbox Use OCSP URL from certificate only if there is a use case to send the OCSP request to the OCSP URL in the client certificate. If this option is not enabled, Unified Access Gateway defaults to the value in the OCSP URL field.

      Cert-to-Kerberos - X509 Certificate

  2. From Advanced Settings > Identity Bridging Settings > OCSP settings, click Add.
    1. Click Select and upload the OCSP signing certificate.
  3. Select the Realm Settings gearbox icon and configure the Realm settings as described in Configure Realm Settings.
  4. From General Settings > Edge Service Settings, select the Reverse Proxy Settings gearbox icon.
  5. Set Enable Identity Bridging Settings to YES, configure the following Identity Bridging settings, then click Save.

    enable Identity Bridging settings for Cert-to-Kerberos



    Authentication Types

    Select CERTIFICATE from the drop-down menu.


    In the drop-down menu, select the configured keytab for this reverse proxy.

    Target Service Principal Name

    Enter the Kerberos service principal name. Each principal is always fully qualified with the name of the realm. For example, myco_hostname@MYCOMPANY. Type the realm name in uppercase. If you do not add a name to the text box, the service principal name is derived from the host name of the proxy destination URL.

    User Header Name

    For header-based authentication, enter the name of the HTTP header that includes the user ID derived from the assertion or use the default, AccessPoint-User-ID.

  6. Log in to the AirWatch console, select the appropriate Organization Group, and upload a certificate:
    1. Go to All Settings > Apps > Security & Policies > Security Policies.
    2. Select the Override option.
    3. Enable Integrated Authentication.

    4. Select Use Certificate.
    5. Select Upload as the Credential Source in the drop-down menu.

    6. Upload the user certificate in PFX format, enter the certificate password and click Save.
    7. Set Allowed Sites as * (asterisk).

    8. Click Save.
  7. Enroll the device in the same Organization Group and environment as used in the previous step.
  8. Use the AirWatch Browser to access the target website configured on the Unified Access Gateway (which is acting as the reverse-proxy).

    Unified Access Gateway validates the presented certificate. If the certificate is valid, the browser displays the user interface page for the back end application. For troubleshooting details, see Troubleshooting Cert-to-Kerberos.
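
The following pre-flight check is an added example, not part of the product documentation. It assumes the OpenSSL command line is available on the administrator's workstation; the function names, file names, password and sample PKI are all constructed. It confirms that the user certificate inside the PFX from step 6 chains to the CA bundle from step 1, and reports the OCSP URL the certificate itself carries, which is the URL that applies when Use OCSP URL from certificate is selected.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the certificate files from steps 1, 2 and 6.
# Function names, file names and the sample PKI are constructed for illustration.

# OCSP responder URL embedded in a certificate; empty output means the option
# "Use OCSP URL from certificate" would have nothing to use.
ocsp_url_of() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Succeeds only if certificate $2 chains to a root in CA bundle $1 (step 1 upload).
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# User certificate (no key) from the PFX uploaded in step 6. $1 = PFX, $2 = password
pfx_user_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null | openssl x509
}

# Live query (needs network): $1 issuer, $2 user cert, $3 OCSP URL,
# $4 OCSP signing certificate from step 2, trusted explicitly via -VAfile.
ocsp_status() { openssl ocsp -issuer "$1" -cert "$2" -url "$3" -VAfile "$4"; }

# $1 = CA chain PEM, $2 = user PFX, $3 = PFX password
preflight() {
  local tmp; tmp=$(mktemp) || return 2
  if ! pfx_user_cert "$2" "$3" > "$tmp"; then rm -f "$tmp"; echo "pfx: unreadable"; return 2; fi
  if ! chain_verifies "$1" "$tmp"; then rm -f "$tmp"; echo "chain: FAILED"; return 1; fi
  echo "chain: OK; OCSP URL in certificate: $(ocsp_url_of "$tmp")"
  rm -f "$tmp"
}

# Constructed throwaway PKI so the checks can be tried offline. $1 = directory
make_sample_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed.user" \
    -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/user.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.pem" \
    -passout pass:constructed -out "$d/user.pfx"
}

# Demo run against the constructed PKI.
demo=$(mktemp -d) && make_sample_pki "$demo" &&
  preflight "$demo/ca.pem" "$demo/user.pfx" constructed
rm -rf "$demo"
```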