When the Workspace ONE UEM console and the Workspace ONE Access console are configured for Android mobile SSO authentication, you configure the network traffic rules so that the VMware Tunnel mobile app routes traffic to port 5262. When users launch a SAML app that requires single sign-on from their Android devices, the Tunnel app intercepts the request and, based on the device traffic rules, establishes a proxy tunnel to the Cert Proxy port 5262.

The following diagram shows the authentication approval flow when the cert proxy service is configured with both port 5262 and port 5263.

Figure 1. Authentication Approval Flow for Android Mobile Single Sign-On with Port 5262 and Port 5263 Configured

The authentication flow with both port 5262 and port 5263 configured for the cert proxy proceeds as follows.

  1. User starts a SAML app from an Android mobile device.
  2. The SAML app requests authentication.
  3. Identity Manager authentication on Port 443 is required to sign in to the app.
  4. The network traffic rules are configured so that the VMware Tunnel app routes traffic to port 5262. The Tunnel app intercepts the request and, based on the device traffic rules, establishes a proxy tunnel to the Cert Proxy port 5262.
  5. The load balancer is configured with SSL passthrough on port 5262 and the load balancer passes through the request to the cert proxy port 5262 on one of the nodes in the cluster.
  6. The cert proxy service receives the request, extracts the user certificate, and stores it as a local file using the request's source port number, for example port 55563, as a reference key.
  7. The cert proxy service forwards the request to Workspace ONE Access for authentication on port 443 on the load balancer. The IP address of the sending node, Node 2 in this example, is included in the X-Forwarded-For header, and the original request source port number (port 55563) is included in the RemotePort header.
  8. The load balancer sends a request to port 443 on one of the nodes based on load balancer rules, Node 1 in this example. This request includes the X-Forwarded-For and the RemotePort headers.
  9. The horizon service port 443 on Node 1 talks to the cert proxy service on Node 2 port 5263, which directs the service to /some/path/55563 to retrieve the user certificate and perform authentication.
  10. The certificate is retrieved and the user is authenticated.
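
The following Python sketch models steps 6 through 10 to show why the authenticating node needs both headers to find the certificate. It is an added example, not VMware code. The class and function names, the node IP addresses, and the allowlist check on X-Forwarded-For are assumptions made for illustration.

```python
# Simplified in-memory model of steps 6-10; names and IPs are hypothetical.
import ipaddress


class CertProxyNode:
    """Models the cert proxy on one cluster node (ports 5262 and 5263)."""

    def __init__(self, ip):
        self.ip = ip
        self._certs = {}  # source port -> certificate (stands in for the local file)

    def accept_tunnel(self, source_port, user_cert):
        # Step 6: store the certificate keyed by the request's source port.
        self._certs[source_port] = user_cert
        # Step 7: headers added to the request forwarded to port 443.
        return {"X-Forwarded-For": self.ip, "RemotePort": str(source_port)}

    def fetch_cert(self, source_port):
        # Step 9: lookup served on port 5263 to the authenticating node.
        return self._certs.get(source_port)


def authenticate(headers, cluster):
    """Steps 8-10 on the node that received the port 443 request.

    cluster maps node IP -> CertProxyNode (stands in for the port 5263 call).
    Returns the user certificate, or None if it cannot be resolved.
    """
    try:
        node_ip = str(ipaddress.ip_address(headers["X-Forwarded-For"].strip()))
        port = int(headers["RemotePort"])
    except (KeyError, ValueError):
        return None
    # Assumed check: only query known cluster nodes, never an arbitrary header value.
    if node_ip not in cluster or not 1 <= port <= 65535:
        return None
    return cluster[node_ip].fetch_cert(port)


def demo():
    # Constructed sample: two nodes, source port 55563 as in the text.
    node1, node2 = CertProxyNode("10.0.0.1"), CertProxyNode("10.0.0.2")
    cluster = {n.ip: n for n in (node1, node2)}
    headers = node2.accept_tunnel(55563, "CN=alice (constructed)")
    return authenticate(headers, cluster), cluster, headers
```

The certificate exists only on the node that terminated the tunnel, so a lookup against any other node returns nothing, which is why port 5263 must be reachable between cluster nodes.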