In the built-in identity provider, configure the users, network ranges, and authentication methods that users use for single sign-on to their apps portal.

A built-in identity provider is automatically created when you set up a directory in the Directory Sync service and select to set up the password authentication method for the directory. If you did not select to set up password authentication, you can create the built-in identity provider.


Before you configure the built-in identity provider, make sure that the following tasks are complete.

  • Users and groups located in your enterprise directory are synced to the Workspace ONE Access directories.
  • Network ranges are created in the Resources > Policies > Network Ranges page.
  • The authentication methods to be used in the built-in identity provider are configured.


  1. In the Workspace ONE Access console, on the Integrations > Identity Providers page, click ADD, select the identity provider labeled Built-in IDP, and configure the identity provider settings.

    Options and their descriptions:

    • Identity Provider Name: Enter the name for this built-in identity provider instance.
    • Users: Select which users to authenticate. The directories that you configured are listed.
    • Add a Connector and Connector Authentication Methods: When the directories you select are associated with a connector authentication method, the authentication method is listed. Select the authentication method to associate with the directories.

      If you select a combination of supported directories and directories that are not supported with connector authentication methods, no connector authentication methods are listed.
    • Authentication Methods: The authentication methods that are configured in the Integrations > Authentication Methods page are displayed. Select the authentication methods to associate with the identity provider.

      For Device Compliance (with Workspace ONE UEM) and Password (AirWatch Connector), make sure that the option is enabled in the Workspace ONE UEM configuration page.
    • Network: The existing network ranges configured in the service are listed. Select the network ranges for the users based on the IP addresses that you want to direct to this identity provider instance for authentication.
    • KDC Certificate Export: When the Mobile SSO (iOS) authentication method is associated with the built-in identity provider, you download the KDC certificate.
    [Figure: Built-in Identity Provider page in the Workspace ONE Access console]
  2. Click SAVE.

What to do next

Make sure that all authentication methods that you configure are associated with an access policy rule. See Managing Access Policies in the Workspace ONE Access Service.