To provide single sign-on from Workspace ONE UEM-managed Android devices, you configure Mobile SSO for Android authentication in the Workspace ONE Access built-in identity provider.

Mobile single sign-on (SSO) for Android is an implementation of the certificate authentication method for VMware Workspace ONE® UEM-managed Android devices. With mobile single sign-on, users can sign in to their device and securely access their VMware Workspace® ONE® apps without reentering a password. See the Android Mobile Single Sign-on to VMware Workspace ONE guide for detailed configuration information.


  • Obtain the root certificate and intermediate certificates from the CA that signed the certificates presented by your users.
  • List of Object Identifier (OID) of valid certificate policies for certificate authentication.
  • For revocation checking, the file location of the CRL and the URL of the OCSP server.
  • (Optional) OCSP Response Signing certificate file location.


  1. In the Identity & Access Management tab, go to Manage > Authentication Methods.
  2. In the Mobile SSO (for Android Configure column, click the pencil icon.
  3. Configure the Mobile SSO for Android page.
    Option Description
    Enable Certificate Adapter Select this check box to enable Mobile SSO for Android.
    Root and Intermediate CA Certificate Select the certificate files to upload. You can select multiple root CA and intermediate CA certificates that are encoded. The file format can be either PEM or DER.
    Uploaded CA Certificates The contents of the uploaded certificate file is displayed here.
    User Identifier Search Order

    Select the search order to locate the user identifier within the certificate.

    • upn. The UserPrincipalName value of the Subject Alternative Name
    • email. The email address from the Subject Alternative Name.
    • subject. The UID value from the Subject.
    • If a AirWatch CA is used for the tunnel client certificate generation, the User Identifier Search Order must be UPN | Subject.
    • If a third-party enterprise CA is used, the User Identifier Search Order must be UPN | Email | Subject and the certificate template must contain the subject name CN={DeviceUid}:{EnrollmentUser}. Make sure to include the colon ( :).

    Validate UPN Format Enable this check box to validate the format of the UserPrincipalName field.
    Certificate Policies Accepted Create a list of object identifiers that are accepted in the certificate policies extensions. Enter the object ID number (OID) for the Certificate Issuing Policy. Click Add another value to add additional OIDs.
    Enable Cert Revocation Select the check box to enable certificate revocation checking. Certificate revocation prevents users who have revoked user certificates from authenticating.
    Use CRL from Certificates Select the check box to use the certificate revocation list (CRL) published by the CA that issued the certificates to validate a certificate's status of revoked or not revoked.
    CRL Location Enter the server file path or the local file path from which to retrieve the CRL.
    Enable OCSP Revocation Select this check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.
    Use CRL in case of OCSP failure If you configure both CRL and OCSP, you can select this box to fall back to using CRL if OCSP checking is not available.
    Send OCSP Nonce Select this check box if you want the unique identifier of the OCSP request to be sent in the response.
    OCSP URL If you enabled OCSP revocation, enter the OCSP server address for revocation checking.
    OSCP URL Source Select the source to use for revocation checking.
    • Configuration Only. Perform certificate revocation check using the OCSP URL provided in the text box to validate the entire certificate chain.
    • Certificate Only (required). Perform certificate revocation check using the OCSP URL that exists in the AIA extension of each certificate in the chain. Every certificate in the chain must have an OCSP URL defined, otherwise the certificate revocation check fails.
    • Certificate Only (Optional). Only perform certificate revocation check using the OCSP URL that exists in the AIA extension of the certificate. Do not check revocation if the OCSP URL does not exist in the certificate AIA extension.
    • Certificate with fallback to configuration. Perform certificate revocation check using the OCSP URL extracted from the AIA extension of each certificate in the chain, when the OCSP URL is available. If the OCSP URL is not in the AIA extension, check revocation using the OCSP URL configured in the OCSP URL text box. The OCSP URL text box must be configured with the OCSP server address.
    OCSP Responder's Signing Certificate Enter the path to the OCSP certificate for the responder. Enter as /path/to/file.cer
    Uploaded OCSP Signing Certificates The uploaded certificate files are listed in this section.
    Enable Cancel Link When authentication is taking too long, if this link is enabled, users can click Cancel to stop the authentication attempt and cancel the sign-in.
    Cancel Message Create a custom message that displays when the authentication is taking too long. If you do not create a custom message, the default message is Attempting to authenticate your credentials.
  4. Click Save.

What to do next

Associate the Mobile SSO (for iOS) authentication method in the built-in identity provider.

Configure the default access policy rule for Mobile SSO for Android.