Configure mobile single sign-on (SSO) so that users on AirWatch-enrolled devices can log in to their enabled applications securely without entering multiple passwords.

About this task

The wizard runs through a series of steps to configure all settings for all of the supported platforms. You can edit the configuration after the wizard configuration is complete.

Figure 1. List of Components that are Configured

The wizard configuration can take several minutes. Do not refresh or navigate away from the wizard configuration page while the configuration is in progress.

You can also select individual components to configure manually.

Procedure

  1. Log in to the AirWatch console with the admin password.
  2. Select Getting Started > Workspace ONE.
  3. In the Mobile Single Sign-on section, click Configure.
  4. In the Fast and Easy Setup! page, click Get Started to have the wizard configure all the mobile single sign-on components for Workspace ONE.

    Click Manual Setup to configure mobile single sign-on manually.

  5. In the Get Started page, click Continue.
  6. In the Auto-Configure page, click Start Configuration.

    As a step is finished, a checkmark appears in front of the step.

  7. When the configuration is complete, click Finish.

    You can click Edit Settings to change or review the component configuration, otherwise click Close.

Results

The mobile single sign-on wizard automatically configures the following components to set up mobile single sign-on for iOS, Android for Work, and Windows 10 devices with Workspace ONE.

Table 1. Components Configured for Mobile Single Sign-on

| Component Configured | Description | Admin Console Settings Page |
| --- | --- | --- |
| Certificate Authority | A connection is set up to the native AirWatch Certificate Authority, which issues the authentication certificates used for mobile SSO on managed iOS devices. | AirWatch console > System > Enterprise Integration > Certificate Authorities |
| Certificate Templates | An AirWatch Certificate Template is pre-configured to issue certificates for mobile single sign-on. | AirWatch console > System > Enterprise Integration > Request Templates |
| VMware Tunnel | VMware Tunnel is configured, and a certificate is configured, to provide local single sign-on services to third-party Android applications connected to VMware Identity Manager. | AirWatch console > System > Enterprise Integration > VMware Tunnel |
| Authentication Methods | The authentication methods required for mobile single sign-on are configured in the VMware Identity Manager service. These authentication methods establish a trust chain between the AirWatch Certificate Authority and the VMware Identity Manager service. The authentication methods that are configured are Mobile SSO for iOS, Mobile SSO for Android, Password (AirWatch Connector), and Certificate (Cloud Deployment). In addition, Device Compliance with AirWatch is enabled. | VMware Identity Manager admin console > Identity & Access Management > Manage > Authentication Methods |
| User Authentication Profiles | AirWatch configuration profiles for iOS and Windows are created. The profiles are used to distribute a certificate and configure devices to authenticate with the VMware Identity Manager service. | AirWatch console > Devices > Profiles & Resources > Profiles |
| Access Policies | The default access policy in the VMware Identity Manager service is configured with access rules for iOS devices, Android devices, and Windows 10 devices. Users authenticate using mobile single sign-on for managed devices. See Managing Access Policies to Apply to Users. | VMware Identity Manager admin console > Identity & Access Management > Manage > Policies |

What to do next

  • For iOS devices, the services must be integrated with Kerberos. This authentication method for iOS devices uses a Key Distribution Center (KDC) without the use of a third-party system. For on-premises deployments, two KDC options are available: KDC as a VMware Identity Manager cloud hosted service and a built-in KDC on the appliance. The KDC is configured from the VMware Identity Manager admin console. See Using a Key Distribution Center for Authentication from iOS Devices.

  • Enable VPN for each Android app that uses the application tunnel functionality from the AirWatch admin console.

  • Publish the iOS profile to enable SSO from the AirWatch admin console. The profile is generated, but not automatically published.

  • For Windows deployments, the certificate for cloud deployment must be configured manually. This is configured from the VMware Identity Manager admin console. See the VMware Identity Manager Administration guide.

  • Create access policies for applications that require restricted access from managed devices. See Managing Access Policies to Apply to Users.