For iOS device authentication, VMware Workspace ONE Access uses an identity provider that is built into the VMware Workspace ONE Access service to provide access to mobile SSO authentication.

Overview of iOS Mobile SSO

The iOS Mobile SSO authentication method authenticates iOS device users with a certificate that Workspace ONE UEM deploys to the device in a device profile. Combining the iOS Mobile SSO authentication method with a device profile that enforces a PIN or biometric to unlock the device creates a multi-factor authentication method for iOS devices: the user must have the device and know the PIN.

iOS Mobile SSO certificate authentication relies on Kerberos to collect the certificate. The following high-level list corresponds to procedures in this document.

  1. Configure a certificate authority (CA).
  2. Generate the certificate using a CA.
  3. Obtain a template that the CA uses to generate the certificate.
  4. Have a method in place that makes use of the Simple Certificate Enrollment Protocol (SCEP) and the Workspace ONE UEM device profile to transfer the certificate to devices.
  5. Have a method in place to validate the certificate.

Kerberos authentication provides users access to their Workspace ONE Intelligent Hub apps portal without additional credential prompts.

iOS Mobile SSO uses the HTTP Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) and Kerberos protocols to perform validation of the certificate within a Key Distribution Center (KDC) that is part of VMware Workspace ONE Access. The certificate is automatically selected for configured applications, which allows the user to log in to the system without entering additional credentials.

The KDC scans the certificate to obtain the required information, including a SAN (Subject Alternative Name) and the user device UDID (unique device identifier).
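The paragraph above names the two certificate fields the KDC depends on but does not show what they look like inside the certificate. The following Go program is an added example, not code from the page or from VMware: it mints a self-signed stand-in for a SCEP-issued device certificate whose SAN carries the user's UPN as an otherName (Microsoft OID 1.3.6.1.4.1.311.20.2.3) and the device UDID, and then extracts both fields the way a troubleshooting check would before blaming the KDC. The placement of the UDID in a SAN URI of the form `urn:udid:<UDID>`, the self-signed issuer, the `DeviceIdentity` type and the function names are assumptions made for this example; the page does not specify where the UDID is encoded. The sample UPN and UDID values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}                      // id-ce-subjectAltName
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // Microsoft UPN otherName

// DeviceIdentity holds the two values the page says the KDC scans from the device certificate.
type DeviceIdentity struct {
	UPN  string // user principal name, carried as a SAN otherName
	UDID string // device identifier; this example assumes it is carried as a SAN URI "urn:udid:<UDID>"
}

// otherName mirrors OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY } with a UTF8String value.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// sanNames is a fixed two-entry GeneralNames SEQUENCE: otherName [0] IMPLICIT, then uniformResourceIdentifier [6] IMPLICIT IA5String.
type sanNames struct {
	UPN  otherName `asn1:"tag:0"`
	UDID string    `asn1:"tag:6,ia5"`
}

// issueDeviceCert mints a self-signed stand-in for the certificate that SCEP would deliver
// to the device; a real deployment gets it from the CA configured for Workspace ONE UEM.
func issueDeviceCert(id DeviceIdentity) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	san, err := asn1.Marshal(sanNames{UPN: otherName{TypeID: oidUPN, Value: id.UPN}, UDID: "urn:udid:" + id.UDID})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: id.UDID},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSAN, Value: san}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// ExtractIdentity parses a DER certificate and pulls the UPN and UDID out of its SAN. A
// certificate missing either value is rejected: that is the state that breaks Mobile SSO.
func ExtractIdentity(der []byte) (DeviceIdentity, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return DeviceIdentity{}, err
	}
	var id DeviceIdentity
	for _, u := range cert.URIs { // crypto/x509 decodes URI SANs for us
		if u.Scheme == "urn" && strings.HasPrefix(u.Opaque, "udid:") {
			id.UDID = strings.TrimPrefix(u.Opaque, "udid:")
		}
	}
	for _, ext := range cert.Extensions { // otherName SANs are left raw, so decode them here
		if !ext.Id.Equal(oidSAN) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return DeviceIdentity{}, err
		}
		for _, gn := range names {
			var on otherName // entries that are not a [0] otherName with a UTF8String value fail to decode and are skipped
			_, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0")
			if err == nil && on.TypeID.Equal(oidUPN) {
				id.UPN = on.Value
			}
		}
	}
	if id.UPN == "" || id.UDID == "" {
		return id, fmt.Errorf("certificate lacks the UPN SAN or the device UDID: %+v", id)
	}
	return id, nil
}

func main() {
	der, err := issueDeviceCert(DeviceIdentity{UPN: "jdoe@example.com", UDID: "00008030-000A1B2C3D4E5F60"}) // constructed sample values
	if err != nil {
		panic(err)
	}
	fmt.Println(ExtractIdentity(der))
}
```

To check a certificate that SCEP actually delivered, feed its DER bytes to `ExtractIdentity` instead of the minted one; a certificate whose UPN otherName is missing or empty is reported as an error rather than passed through, since a device that presents such a certificate cannot be matched to a user by the KDC.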

Overview of Implementing iOS Mobile SSO

You can use the KDC service with the iOS Mobile SSO authentication adapter to create a cloud-hosted, on-premises, or hybrid deployment. Both the KDC service and the iOS Mobile SSO authentication adapter are either on-premises or cloud hosted. A hybrid deployment consists of an on-premises iOS Mobile SSO authentication adapter and a cloud-hosted KDC.

You can combine the iOS Mobile SSO authentication method with other authentication methods, such as the Device Compliance authentication method. Make sure that you configure all the applicable authentication methods before you configure the built-in identity provider.

Implementing Mobile SSO for iOS requires the following configuration steps.

  • Select a deployment model.
    You can use the KDC service with the iOS Mobile SSO authentication adapter to create a cloud-hosted, on-premises, or hybrid deployment. Both the KDC service and the iOS Mobile SSO authentication adapter can be either on-premises or cloud hosted. A hybrid deployment consists of an on-premises iOS Mobile SSO authentication adapter and a cloud-hosted KDC.
    Component/Factor       | Cloud-Hosted            | Hybrid                  | On-Premises
    -----------------------|-------------------------|-------------------------|-----------------------
    Authentication Adapter | Cloud Hosted            | On-Premises             | On-Premises
    KDC                    | Cloud Hosted            | Cloud Hosted            | On-Premises
    Layer 4 Load Balancer  | Cloud Hosted            | Cloud Hosted            | Provided by Customer
    DNS Setup              | N/A                     | N/A                     | Required Customer Task
    KDC Initialization     | N/A                     | N/A                     | Required Customer Task
    Realm                  | Fixed (based on region) | Fixed (based on region) | Selected by Customer
    OS Support             | N/A                     | SVA (Linux) or Windows  | SVA (Linux)
  • Determine the realm name.
    • For on-premises deployments, create the realm name.
    • For cloud-hosted or hybrid deployments, obtain the realm name.
  • To obtain an issuer certificate, select and configure a certificate authority for Mobile SSO for iOS.

    You can use Active Directory Certificate Services, the Workspace ONE UEM Certificate Authority, or a third-party certificate authority. See #GUID-3FB97195-E5DE-4D29-9531-B5C26E409819.

  • For on-premises deployments only, establish the Key Distribution Center (KDC) to use and configure DNS.

    See Using a Key Distribution Center for Authentication from iOS Devices.

    Skip this step for cloud-hosted and hybrid deployments.

  • Configure the mobile SSO for iOS authentication method.

    See #GUID-6F76A447-F061-4D1A-978A-9BE72FD3B94D.

  • Configure the built-in identity provider, download the KDC CA cert from the built-in identity provider, and associate the Mobile SSO for iOS authentication method in the VMware Workspace ONE Access console.

    See #GUID-6F76A447-F061-4D1A-978A-9BE72FD3B94D.

  • Configure the default policy to add the new authentication method.

    See #GUID-61066072-5A9D-4CDE-A58F-291FEF79C202.

  • Configure the iOS device profile and enable single sign-on from the Workspace ONE UEM console.

    See Assign a Workspace ONE UEM Device Profile to Smart Groups.