You configure the Mobile SSO for iOS authentication method from the Authentication Methods page in the Workspace ONE Access console. Select the Mobile SSO (for iOS) authentication method in the built-in identity provider.


  • Certificate authority PEM or DER file used to issue certificates to users in the Workspace ONE UEM tenant.
  • For revocation checking, the OCSP responder's signing certificate.
  • For the KDC service, select the realm name of the KDC service. If using the built-in KDC service, the KDC must be initialized. See the Installing and Configuring Workspace ONE Access for the built-in KDC details.


  1. In the Workspace ONE Access console Integrations > Authentication Methods page, select Mobile SSO (for iOS).
  2. Click CONFIGURE and configure the Mobile SSO (iOS) authentication settings.
    Option Description
    Enable KDC Authentication To enable users to sign in using iOS devices that support Kerberos authentication, select this check box.

    For tenant deployments in the cloud , the realm value is read-only. The realm name displayed is the identity manager realm name for your tenant.

    For on-premises deployments, if you are using the cloud hosted KDC, enter the pre-defined supported realm name that is supplied to you. Kerberos realm names are case sensitive. The text in this parameter must be entered in all caps. For example, OP.WORKSPACEONEACCESS.COM.

    If you are using the built-in KDC, the realm name that you configured when you initialized the KDC displays.

    Root and Intermediate CA Certificate Upload the certificate authority issuer certificate file. The file format can be either PEM or DER.
    Uploaded CA Certificate Subject DNs The content of the uploaded certificate file is displayed here. More than one file can be uploaded and certificates that are included are added to the list.
    Enable OCSP To use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate, select the check box.
    Send OCSP Nonce If you want the unique identifier of the OCSP request to be sent in the response, select this check box.
    OCSP Responder’s Signing Certificate Upload the OCSP certificate for the responder.

    When you are using the Workspace ONE UEM Certificate Authority, the issuer certificate is used as the OCSP certificate. Upload the Workspace ONE UEM certificate here as well.

    OCSP Responder’s Signing Certificate Subject DN The uploaded OCSP certificate file is listed here.
    Cancel Message Create a custom sign-in message that displays when authentication is taking too long. If you do not create a custom message, the default message is Attempting to authenticate your credentials.
    Enable Cancel Link When authentication is taking too long, give users the ability to click Cancel to stop the authentication attempt and cancel the sign-in.

    When the Cancel link is enabled, the word Cancel appears at the end of the authentication error message that displays.

    Enterprise Device Management Server URL Enter the Mobile Device Management (MDM) server URL to redirect users when access is denied because the device is not enrolled into Workspace ONE UEM for MDM management. This URL displays in the authentication failure error message. If you do not enter a URL here, the generic Access Denied message displays.
  3. Click SAVE.

What to do next

Associate the Mobile SSO (for iOS) authentication method in the built-in identity provider.

Configure the default access policy rule for Mobile SSO for iOS.