This week Hans Jaspers and I had some fun getting Certificate (Cloud Deployment) working in a SaaS environment of Workspace ONE Access, formerly known as Identity Manager.
All the VMware documentation points to On-Premises deployments, is kind of incomplete and differs from how the SaaS setup works. I did ask around within the VMware circles but got no real answer there yet… It's just too new! Eventually one of the WS1 gurus in the Netherlands, Jan Bushoff, pointed me in the right direction and clarified the SaaS route! Thanks again! He was facing this same predicament and had done this just a few days ago. The vCommunity is strong!
The use case
So why do we want Certificate (Cloud Deployment)? Well, Workspace ONE Access is filled with applications for the users. The users log in to a VDI first and are then allowed to consume these apps, just as if they were at home. But you do not want them to log in a second time: they already logged in to the VDI and are trusted. Previously you could use Kerberos for this as well, but that is a pain to configure. With Certificate (Cloud Deployment) we can start a browser session to the portal directly after logon in the VDI and the user is already logged in, a.k.a. happy users. This is also nice for domain-joined laptops or other devices to which we can push the user certificate.
If you run Workspace ONE Access On-Premises you can "simply" follow this YouTube guide from Peter Bjork. It will point you in the right direction, but it is still missing some information about the user certificate structure and the options needed in Workspace ONE Access. It will get the job done though!
So where does SaaS differ? An On-Premises deployment needs a redirect to a separate DNS name on port 7443, and as seen in the video you need SSH access to the appliance to set that up. With SaaS you cannot do this, and you do not have to: it is already built in. The tenant redirects you to https://cas-aws.vmwareidentity.eu, which authenticates your certificate against the CA you uploaded. This is done in pass-through mode on the SaaS load balancer, so the TLS client certificate reaches the certificate service untouched. No documentation talks about this at all. The practical consequence is that the VDI must be able to reach that host as well as your tenant URL, and any proxy in between must pass the TLS session through rather than intercept it, or the client certificate never arrives.
So how to set up Certificate (Cloud Deployment) in SaaS?
Go to Identity & Access Management, then Authentication Methods, and enable Certificate (Cloud Deployment).
Click the configure button to enable the certificate adapter. Here you will need to:
- Check the box to Enable Certificate Adapter.
- Upload your root and intermediate CA certificates, so the adapter can validate the user certificates you want to log in with. The whole chain that signs the user certificates has to be there, not just the root.
- In our case, change the User Identifier Search Order to UPN|Subject, so the adapter looks up the user by the UPN in the certificate's Subject Alternative Name first and falls back to the Subject.
- Uncheck Validate UPN Format.
- Click Save.
The rest of the settings are not needed or are your own choice. Revocation checking is among them; in production, do turn it on, otherwise a revoked user certificate keeps logging in until it expires.
Now that this is configured, you need to enable it on your Identity Provider. In our case we use the Built-in identity provider. Go to Identity & Access Management, then Identity Providers, open the provider and enable Certificate (Cloud Deployment) as an authentication method on it.
When this is done, you need to create a policy that uses Certificate (Cloud Deployment). Go to Identity & Access Management, then Policies. In our case we want the certificate to be the first authentication method, with the user's password as fallback. Keep in mind what that fallback means: a user whose certificate is missing or rejected does not see an error, they simply get the password prompt, so check the adapter logs when testing rather than waiting for users to report it.
So Workspace ONE Access is configured, now what?
You still need to create and push a user certificate to the users. This is a basic user certificate (client authentication), but the certificate template must put the user's UPN in the Subject Alternative Name, because that is what the UPN|Subject search order above matches the user on.
There are many guides online for this, so I will not describe it here. You will need to publish a user certificate template on your CA and enroll the users. Ask your in-house CA wizard to help you with this if you are not that capable 🙂 I will add screenshots of the template later on.
Things to do afterward
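Before blaming Workspace ONE Access, check what actually landed in the user's certificate store on the VDI. The script below is an added example and not from the original post; it inspects every certificate with a private key in the current user's personal store and reports whether it has a UPN in the SAN, the Client Authentication EKU, a valid date range and a chain that builds. The expected UPN is an assumed value you replace with the test user's own.

```powershell
# Added example, not from the original post. Run as the test user on the VDI.
$expectedUpn   = 'jdoe@corp.example'   # assumed: the test user's AD UPN
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-WS1UserCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$ExpectedUpn
    )
    $now = Get-Date
    $result = [ordered]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        # The UPN lives in the SAN as otherName (OID 1.3.6.1.4.1.311.20.2.3); .NET extracts it for us.
        SanUpn        = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
        ClientAuthEku = [bool]($Cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        InDateRange   = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
    }
    # Build the chain so you can compare the issuers with the CA certificates you uploaded to the adapter.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the path matters here, not CRL reachability
    $null = $chain.Build($Cert)
    $result.ChainIssuers = ($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    $result.ChainOk      = ($chain.ChainStatus.Count -eq 0)
    $result.UpnMatches   = ($result.SanUpn -eq $ExpectedUpn)
    $result.Usable       = $result.HasPrivateKey -and $result.ClientAuthEku -and $result.InDateRange -and $result.ChainOk -and $result.UpnMatches
    [pscustomobject]$result
}

# Auto-enrollment puts the user certificate in Cert:\CurrentUser\My.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-WS1UserCertificate -Cert $_ -ExpectedUpn $expectedUpn }

$candidates | Format-List

# Browsers only pick a certificate silently when exactly one qualifies; a second one brings the prompt back.
$usable = @($candidates | Where-Object Usable)
if ($usable.Count -eq 1)     { "OK: one usable certificate ($($usable[0].Thumbprint))" }
elseif ($usable.Count -eq 0) { "No usable certificate: check the template's SAN (UPN) and the uploaded CA chain" }
else                         { "$($usable.Count) usable certificates: users will get a selection prompt" }
```

If SanUpn comes back empty, the template did not add the UPN to the Subject Alternative Name and the UPN|Subject search order will only ever see the Subject. If ChainIssuers lists an intermediate you did not upload to the adapter, that is the certificate the tenant will refuse.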
Chrome works out of the box with Certificate (Cloud Deployment). Internet Explorer, however, needs a GPO that puts your SaaS tenant URL in a trusted zone. Otherwise you get a popup asking to choose the certificate to authenticate with. It still works, but this is not user-friendly at all!
The setting you are looking for: open IE, click Tools, Internet Options, and select the Security tab. Select the zone your tenant URL falls into and click Custom level. Find Don't prompt for client certificate selection when no certificates or only one certificate exists and set it to Enable. Users are then no longer prompted, because IE automatically selects their client certificate and uses it to access the site. As the name says, this only works when the user has exactly one matching client certificate; if a second one (an old, renewed or test certificate) sits in the store, the prompt comes back.
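What the GPO ends up writing is a handful of registry values, and it is handy to set those for one user on one VDI before rolling out the policy. The script below is an added example, not from the original post: it registers the tenant host and the cas-aws host the tenant redirects to in the Trusted sites zone and enables the no-prompt setting (value 1A04) in that zone. The tenant hostname is assumed; the zone number and value names are the ones IE has used for years.

```powershell
# Added example, not from the original post. Writes the current user's IE settings; a GPO does the same fleet-wide.
$tenantHost  = 'myco.vmwareidentity.eu'      # assumed: your tenant URL
$casHost     = 'cas-aws.vmwareidentity.eu'   # the certificate endpoint the SaaS tenant redirects to
$trustedZone = 2                             # IE zones: 1 = Local intranet, 2 = Trusted sites, 3 = Internet
$zoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Add-IeZoneSite {
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][int]$Zone)
    # ZoneMap stores host.example.com as Domains\example.com\host, with one DWORD per scheme.
    $labels = $HostName.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $sub    = ($labels | Select-Object -SkipLast 2) -join '.'
    $key    = Join-Path $zoneMapRoot $domain
    if ($sub) { $key = Join-Path $key $sub }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -Value $Zone -PropertyType DWord -Force | Out-Null
    $key
}

# The certificate prompt is raised by whichever host performs the TLS client-certificate handshake,
# so both the tenant and the cas-aws host it redirects to go into the zone.
Add-IeZoneSite -HostName $tenantHost -Zone $trustedZone
Add-IeZoneSite -HostName $casHost    -Zone $trustedZone

# 1A04 = "Don't prompt for client certificate selection when no certificates or only one certificate exists"
# 0 = Enable (no prompt), 3 = Disable. Set it explicitly instead of relying on the zone's default.
$zoneKey = Join-Path $zonesRoot $trustedZone
New-ItemProperty -Path $zoneKey -Name '1A04' -Value 0 -PropertyType DWord -Force | Out-Null

# Read back what IE will use.
Get-ItemProperty -Path $zoneKey -Name '1A04' | Select-Object -ExpandProperty 1A04
```

For the real rollout use the corresponding Group Policy settings under Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page: Site to Zone Assignment List for the hosts, and the Trusted Sites Zone setting of the same name for the prompt. Keep the list of hosts tight; every site in that zone gets silent client-certificate selection.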
Hi Laurens, so I've tried Certificate (Cloud Deployment) in my test lab, which is on premises, but when I try to upload the SSL certificate for passthrough SSL it says "SSL Certificate chain format is not valid". I'm aware I only have the root certificate from my AD CS, but is there any other way to make it work? Thanks in advance.
Unsure… I'd have to test it myself and look at the logs.
Is there mTLS here? Can the client verify the server is who it says it is?
What kind of certificate extensions are required?
By cert extension, I meant X.509 extension.