Workspace ONE AD CS Integration for SSO

macOS

macOS Certificate Authentication

Export the Root CA Certificate from AD CS

1. Open Microsoft Management Console (mmc.exe)
2. Under “Files”, select “Add/Remove Snap-ins”
3. Under the “Available snap-ins” column, select “Certificate”, and click “Add >”
4. In the “Certificate snap-in” window that appears, select the “Computer account” radio button, and select for “Local computer” radio button in the next screen. “Finish” and click “Ok” to view the “Certificates” console
5. To export the Root CA certificate, navigate to Trusted Root Certificates > Certificates.
6. Look for the certificate with a common name of your configured CA. Right-click it and “Open”
7. In the “Certificate” window that appears, under the “Details” tab, click “Copy to File…”
8. Follow the wizard to export the certificate as a “Base-64 encoded X5.09 (.CER)
9. Ensure that a prompt showing you “The export was successful.” appears once you are done with the export wizard

Importing Root CA Certificate into Workspace ONE Access

10. To be able to perform Certificate Authentication, in Workspace ONE Access you will have to enable the authentication method. As such, login into the Workspace ONE Access tenant as a Tenant Admin.
11. Navigate to “Identity & Access Management > Authentication Methods”, and click the pencil next to “Certificate (Cloud Deployment)” to configure it
12. Check the “Enable Certificate Adapter” checkbox
13. Upload the Root CA Certificate we exported in Step 8 by clicking the “Select File” button under “Root and Intermediate CA certificates”
14. Save the configuration. Check that the status of “Certificate (Cloud Deployment)” is now showing “Enabled”.

Allowing Authentication through Certificates

15. To allow incoming Authentication requests using Certification Authentication, under “Identity & Access Management > Identity Providers > Built-in”, select the “Certificate (Cloud Deployment)” checkbox.

Configuring Access Policies

16. The last step to perform in the Workspace ONE Access console would be to configure the Access Policies. Under “Identity & Access Management > Policies”, click the “Edit Default Policy” button.
17. Under the “Configuration” section of the window that appears, create a new policy rule for users accessing content from macOS devices. Explicitly configure that they will authenticate using “Certificate (Cloud Deployment)”. Configure the fallback method as required.
18. Save the configuration and return to the Workspace ONE UEM console

Create a macOS User Profile

19. In the Workspace ONE UEM console, create a new macOS User Profile with a “Credentials” payload.
20. In the “Credentials” payload, you will specify the Credential Source, the Certificate Authority, the Certificate Template, whether you want to allow access of the certificate to all applications, and if you want to allow the export of the private key from Keychain.
21. Assign the policy to your group of macOS users which you want to authenticate via Certificate Authentication.

Test macOS Certificate Authentication SSO

22. To test out if your configuration is working as intended. You will need to first enroll your macOS devices. After enrollment, you should see the certificates assigned as listed under “Devices > Certificates > List View”

23. Using the Workspace ONE App Catalog as an example, if you were to attempt to access it, it will prompt you to confirm the use of your certificate.

24. If all is configured correctly, you should be able to access all your apps assigned once you confirm the use of your certificate for authentication.

With these 24 steps, you have configured macOS SSO using Certificate Authentication! Continue viewing the configuration steps for the various platforms supported by Workspace ONE UEM!