You configure the Certificate (Cloud Deployment) authentication method from the Authentication Methods page in the Workspace ONE Access console, and then you select the authentication method to use in the built-in identity provider.

Prerequisites

  • Obtain the root certificate and intermediate certificates from the CA that signed the certificates presented by your users.
  • (Optional) A list of the object identifiers (OIDs) of the certificate policies that are valid for certificate authentication.
  • (Optional) Set up a CRL for revocation checking.
  • (Optional) Set up an OCSP server for revocation checking and note the OCSP responder URL. If you use an OCSP server for revocation checking, verify that it is working correctly before you enable OCSP revocation checking.
  • (Optional) The location of the OCSP response signing certificate file.
  • Consent form content, if a consent form is displayed to users before authentication.

Procedure

  1. In the Workspace ONE Access console Integrations > Authentication Methods page, select Certificate (Cloud Deployment).
  2. Click CONFIGURE and configure the certificate authentication settings.
    1. Upload the certificate.
      • Enable Certificate Adapter. To enable certificate authentication, activate the Enable Certificate Adapter toggle.
      • Root and intermediate CA certificates. Select the certificate files to upload. You can select multiple root CA and intermediate CA certificates encoded as DER or PEM.
      • Uploaded CA Certificates. The uploaded certificate files are listed in the Uploaded CA Certificates section of the form.
    2. Select the User Identifier Search Order to locate the user identifier within the certificate.
      • User Identifier Search Order. Select the search order to locate the user identifier within the certificate.
        • upn. The UserPrincipalName value of the Subject Alternative Name.
        • email. The email address from the Subject Alternative Name.
        • subject. The UID value from the Subject. If the UID is not found in the subject DN, the UID value in the CN text box is used, if that text box is configured.
      • Validate UPN Format. Toggle this setting to Yes to validate the format of the UserPrincipalName.
    3. Request Timeout. Enter the time in seconds to wait for a response. A value of zero (0) means that the wait for the response is indefinite.
    4. Certificate Policies Accepted. Create a list of object identifiers (OIDs) that are accepted in the certificate policies extension. Enter the object identifier of the certificate issuing policy. Click Add to add additional OIDs.
    5. To configure certificate revocation checking, activate the Enable Cert Revocation toggle. Revocation checking prevents users whose certificates have been revoked from authenticating.

      Both Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) revocation checking are supported.

      See Using Certificate Revocation Checking for Certificate Authentication in Workspace ONE Access.

      Configure Only CRL for Revocation Checking

      A CRL is a list of revoked certificates published by the CA that issued the certificates. When you enable Use CRL from Certificates for revocation, the Workspace ONE Access server reads a CRL to determine the revocation status of a user certificate. If a certificate is revoked, authentication through the certificate fails.

      You configure which CRL URL to use for revocation checking: either activate the Use CRL from Certificates toggle, so that the URL is taken from the CRL field of the certificate itself, or enter the CRL URL in the CRL Location text box.

      • Activate the Use CRL from Certificates toggle and leave the CRL Location setting empty. When the Use CRL from Certificates toggle is activated, the certificate revocation list (CRL) is obtained from the CRL field in the certificate.
        Note: If there is a value in the CRL Location setting, it is ignored in this configuration.
      • Set the CRL location and do not activate the Use CRL from Certificates toggle. Enter the CRL URL from which to retrieve the CRL that is used to validate the status of a certificate.
        Note: The Use CRL from Certificates toggle is not activated in this configuration.

      Configure Only OCSP for Revocation Checking

      To use only OCSP for revocation checking, configure the following settings.

      Note: If you are using AirWatch Certificate Authority with Workspace ONE Access, enable OCSP for revocation checking. Do not enable the Use CRL from Certificates setting or enter a URL value in the CRL Location text box.

      • Enable OCSP Revocation. To use the Online Certificate Status Protocol (OCSP) to get the revocation status of a certificate, activate the Enable OCSP Revocation toggle.
      • Send OCSP Nonce. An OCSP nonce is a unique identifier that cryptographically binds an OCSP response message to a particular OCSP request message, to prevent replay attacks. If you want the response validated against the unique identifier of the OCSP request, activate the Send OCSP Nonce toggle.
      • OCSP URL. The OCSP URL can either be configured manually in the OCSP URL text box or extracted from the Authority Information Access (AIA) extension of the certificate that is being validated. To set the OCSP URL manually, enter the URL of the OCSP revocation checking server in the OCSP URL text box.
      • OCSP URL Source. The OCSP URL Source that you select when you configure certificate authentication determines how Workspace ONE Access obtains the OCSP URL. From the drop-down menu, select the source to use for revocation checking.
        • Configuration Only. Perform the certificate revocation check using the OCSP URL provided in the OCSP URL text box to validate the entire certificate chain. The OCSP URL text box must be configured with the OCSP server address.
        • Certificate Only (required). Perform the certificate revocation check using the OCSP URL that exists in the AIA extension of each certificate in the chain. Every certificate in the chain must have an OCSP URL defined, otherwise the certificate revocation check fails.
          Note: If you are using an AirWatch CA, select Certificate Only (required) as the source.
        • Certificate Only (Optional). Perform the certificate revocation check only using the OCSP URL that exists in the AIA extension of the certificate. Do not check revocation if the OCSP URL does not exist in the certificate AIA extension. The setting in the OCSP URL text box is ignored.
        • Certificate with fallback to configuration. Perform the certificate revocation check using the OCSP URL extracted from the AIA extension of each certificate in the chain, when the OCSP URL is available. If the OCSP URL is not in the AIA extension, check revocation using the OCSP URL configured in the OCSP URL text box. The OCSP URL text box must be configured with the OCSP server address.
      • OCSP Responder's Signing Certificate. Search for and select the OCSP signing certificate file for the responder.
      • Upload OCSP Signing Certificates. The uploaded OCSP signing certificate files are listed in this section.

      Configure Both CRL and OCSP for Revocation Checking

      To use both CRL and OCSP for revocation checking, configure the settings for both CRL and OCSP revocation checking and activate the Use CRL in case of OCSP failure toggle.

      When this setting is activated, OCSP is checked first and, if OCSP fails, revocation checking falls back to CRL. Revocation checking does not fall back to OCSP if CRL fails.
    6. Enable Consent Form before Authentication. Select this check box to display a consent form page before users log in to their Workspace ONE portal with certificate authentication. In the Consent Form Content text box, enter the text to display in the consent form.
  3. Click SAVE.
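
The following added example (not VMware code) models how the four OCSP URL Source options in step 5 resolve the OCSP URL for each certificate in the chain, and how the Use CRL in case of OCSP failure toggle orders the checks: OCSP first, CRL only when the OCSP responder fails. The Cert class, the sample leaf and issuing CA certificates, and the example.com URLs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Cert:
    subject: str
    aia_ocsp_url: Optional[str] = None  # OCSP URL from the AIA extension, if present

def resolve_ocsp_url(cert: Cert, source: str, configured_url: Optional[str]) -> Optional[str]:
    """URL queried for this certificate under the selected OCSP URL Source.
    None means the check is skipped; ValueError means the check fails."""
    if source == "Configuration Only":
        if not configured_url:
            raise ValueError("OCSP URL text box must be set for Configuration Only")
        return configured_url
    if source == "Certificate Only (required)":
        if not cert.aia_ocsp_url:
            raise ValueError(f"{cert.subject}: no OCSP URL in AIA extension")
        return cert.aia_ocsp_url
    if source == "Certificate Only (Optional)":
        return cert.aia_ocsp_url  # no AIA URL: skip this cert; the text box is ignored
    if source == "Certificate with fallback to configuration":
        if cert.aia_ocsp_url:
            return cert.aia_ocsp_url
        if not configured_url:
            raise ValueError("OCSP URL text box must be set for fallback")
        return configured_url
    raise ValueError(f"unknown OCSP URL Source: {source}")

def check_chain(chain, source, configured_url, ocsp_status, crl_status=None) -> str:
    """OCSP is checked first; CRL (crl_status, passed only when 'Use CRL in case of
    OCSP failure' is on) is consulted only if the responder fails, never the reverse.
    ocsp_status(url, cert) and crl_status(cert) return 'good' or 'revoked'."""
    for cert in chain:
        url = resolve_ocsp_url(cert, source, configured_url)
        if url is None:
            continue
        try:
            status = ocsp_status(url, cert)
        except ConnectionError:
            if crl_status is None:
                return "failed"  # OCSP failed and no CRL fallback: authentication fails
            status = crl_status(cert)
        if status != "good":
            return "revoked"
    return "good"

# Constructed sample chain: the issuing CA certificate carries no OCSP URL in its AIA.
LEAF = Cert("CN=jdoe", "http://ocsp.example.com/users")
ISSUER = Cert("CN=Example Issuing CA")
CONFIGURED = "http://ocsp.example.com/ca"  # value entered in the OCSP URL text box
```

With this chain, Certificate Only (required) fails on the issuing CA certificate, Certificate Only (Optional) silently skips it, and Certificate with fallback to configuration queries the configured URL for it.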

What to do next