In the built-in identity provider, configure the users, network ranges, and authentication methods that users use for single sign-on to their apps portal.

A built-in identity provider is automatically created when you set up a directory in the Directory Sync service and selected to set up the password authentication method for the directory. If you did not select to set up password authentication, you can create the built-in identity provider.


To configure the built-in identity provider, make sure that the following are set up.

  • Users and groups located in your enterprise directory synced to the Workspace ONE Access directories.
  • Network ranges created in the Resources > Policies > Network Ranges page.
  • The authentication methods to be used in the built-in identity provider configured.


  1. In the Workspace ONE Access console Integrations > Identity Provider page, select the identity provider labeled Built-in and configure the identity provider settings.
    Option Description
    Identity Provider Name Enter the name for this built-in identity provider instance.
    Users Select which users to authenticate. The directories that you configured are listed.
    Connector Authentication Methods When directories you select are associated with a connector authentication method, the authentication method is listed. Select the authentication method to associate with the directories.

    If you select a combination of supported directories and directories that are not supported with a connector authentication methods, no connectors authentication methods are listed.

    Authentication Methods The authentication methods that are configured in the Integrations > Authentication Methods page are displayed. Select the authentication methods to associate to the identity provider.

    For Device Compliance (with Workspace ONE UEM) and Password (AirWatch Connector), make sure that the option is enabled in the Workspace ONE UEM configuration page.

    Network The existing network ranges configured in the service are listed. Select the network ranges for the users based on the IP addresses that you want to direct to this identity provider instance for authentication.
    KDC Certificate Export When the Mobile SSO (iOS) authentication method associated with the built-in identity provider, you download the KDC certificate.
  2. Click Add.

What to do next

Make sure that all authentication methods that you configure are associated with an access policy rule. See Managing Access Policies in the Workspace ONE Access Service.