You configure the Mobile SSO for iOS authentication method from the Auth Methods page in the administration console. You select the authentication method to use in the built-in identity provider.

About this task

The Mobile SSO for iOS authentication method uses a Key Distribution Center (KDC) without the use of a connector or a third-party system. You can initiate the KDC service in the VMware Identity Manager built-in identity provider before you enable Kerberos in the admin console or you can use the KDC cloud hosted service. To use the KDC managed in the VMware Identity Manager appliance, see the Preparing to Use Kerberos Authentication on iOS devices in the VMware Identity Manager Installation and Configuration Guide.

Note:

When you deploy VMware Identity Manager with AirWatch in a Windows environment, you must use the cloud hosted KDC service. See Using the Cloud Hosted KDC Service.

Prerequisites

  • Certificate authority PEM or DER file used to issue certificates to users in the AirWatch tenant.

  • For revocation checking, the OCSP responder's signing certificate.

  • Built-in identity provider configured.

  • Know the realm name of the KDC service.

Procedure

  1. In the Identity & Access Management tab, go to Manage > Auth Methods.
  2. In the Mobile SSO (for iOS) Configure column, click the icon.
  3. Configure the Kerberos authentication method.

    Option

    Description

    Enable KDC Authentication

    Select this check box to enable users to sign in using iOS devices that support Kerberos authentication.

    Realm

    If you are using the cloud hosted KDC, enter the pre-defined supported realm name that is supplied to you. The text in this parameter must be entered in all caps. For example, OP.VMWAREIDENTITY.COM

    If you are using the built-in KDC, the realm name that you configured when you initialized the KDC displays.

    Root and Intermediate CA Certificate

    Upload the certificate authority issuer certificate file. The file format can be either PEM or DER.

    Uploaded CA Certificate Subject DNs

    The content of the uploaded certificate file is displayed here. More than one file can be uploaded and whatever certificates that are included are added to the list.

    Enable OCSP

    Select the check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.

    Send OCSP Nonce

    Select this check box if you want the unique identifier of the OCSP request to be sent in the response.

    OCSP Responder’s Signing Certificate

    Upload the OCSP certificate for the responder.

    When you are using the AirWatch Certificate Authority, the issuer certificate is used as the OCSP certificate. Upload the AirWatch certificate here as well.

    OCSP Responder’s Signing Certificate Subject DN

    The uploaded OCSP certificate file is listed here.

    Enable Cancel Link

    When authentication is taking too long, give the user the ability to click Cancel to stop the authentication attempt and cancel the sign-in.

    When the Cancel link is enabled, Cancel appears at the end of the authentication error message that displays.

    Cancel Message

    Create a custom message that displays when the Kerberos authentication is taking too long. If you do not create a custom message, the default message is Attempting to authenticate your credentials.

  4. Click Save.

What to do next

  • Associate the Mobile SSO (for iOS) authentication method in the built-in identity provider.

  • In the KDC Certificate Export section, click Download Certificate. Save this certificate to a file that can be access from the AirWatch admin console. You upload this certificate when you configure the iOS device profile in AirWatch.

  • Configure the default access policy rule for Kerberos authentication for iOS devices. Make sure that this authentication method is the first method set up in the rule.

  • Go to the AirWatch admin console and configure the iOS device profile in AirWatch and add the KDC server certificate issuer certificate from Identity Manager.