Prerequisites
- Workspace ONE Identity Manager
- Enable the Certificate (Cloud) Auth method, covered here on the EUCSE Blog
- Docs Here
- Workspace ONE UEM Console
- A Certificate Authority configured within Workspace ONE UEM to issue user certificates
macOS – Chrome
To enable the selection of the User certificate within Chrome, we need to configure the AutoSelectCertificateForUrls policy. This can be achieved with the below Custom XML.
Points to change:
- pattern: the CAS URL for your Identity Manager tenant. In this example, it's https://cas.vidmpreview.com/
- filter: the ISSUER CN should be the issuer name of your CA, something like "Company Issuing CA".
Leave everything else default.
<dict>
<key>AutoSelectCertificateForUrls</key>
<array>
<!-- One JSON string per entry: pattern is the CAS URL, filter selects the certificate by issuer CN -->
<string>{"pattern":"https://cas.vidmpreview.com/","filter":{"ISSUER":{"CN":"your-domain-AD01-CA"}}}</string>
</array>
<key>PayloadDisplayName</key>
<string>Google Chrome Settings</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.google.Chrome.4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
<key>PayloadType</key>
<string>com.google.Chrome</string>
<key>PayloadUUID</key>
<string>4F720473-6832-4CE0-A895-E9C3FC6F8CBD</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
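A quick pre-deployment check for the policy above, written as an added example (not code from the post or from VMware): it builds the AutoSelectCertificateForUrls entry, validates it (bad JSON from smart quotes, non-https pattern, unsupported filter attributes), applies Chrome's matching rule (every attribute in the filter must equal the certificate's) to a sample issuer/subject, and serialises the same payload as an XML plist. The CAS URL and issuer CN are the post's placeholders.

```python
import json
import plistlib

# Values from the post (the issuer CN is the post's placeholder; substitute your own CA).
CAS_URL = "https://cas.vidmpreview.com/"
ISSUER_CN = "your-domain-AD01-CA"


def build_policy_entry(pattern, issuer_cn):
    """Return one AutoSelectCertificateForUrls entry as the JSON string Chrome expects."""
    return json.dumps({"pattern": pattern, "filter": {"ISSUER": {"CN": issuer_cn}}})


def validate_entry(entry):
    """Return a list of problems with one policy entry; an empty list means it looks right."""
    try:
        data = json.loads(entry)
    except json.JSONDecodeError as exc:
        return ["not valid JSON (check for smart quotes): " + exc.msg]
    problems = []
    pattern = data.get("pattern", "")
    if not pattern.startswith("https://") or len(pattern) <= len("https://"):
        problems.append("pattern must be an https:// URL with a host")
    flt = data.get("filter")
    if not isinstance(flt, dict) or not (flt.get("ISSUER") or flt.get("SUBJECT")):
        return problems + ["filter must name an ISSUER and/or SUBJECT"]
    for part in ("ISSUER", "SUBJECT"):
        for attr in flt.get(part, {}):
            if attr not in ("CN", "L", "O", "OU"):  # attributes Chrome accepts in a filter
                problems.append(part + "." + attr + " is not a supported filter attribute")
    return problems


def cert_matches_filter(issuer, subject, entry):
    """Apply Chrome's rule: every attribute named in the filter must equal the certificate's."""
    flt = json.loads(entry)["filter"]
    names = {"ISSUER": issuer, "SUBJECT": subject}
    return all(names[part].get(attr) == value
               for part, attrs in flt.items() for attr, value in attrs.items())


def build_profile(entries, uuid):
    """Serialise the Chrome payload as an XML plist, mirroring the post's Custom XML."""
    payload = {
        "AutoSelectCertificateForUrls": entries,
        "PayloadDisplayName": "Google Chrome Settings",
        "PayloadEnabled": True,
        "PayloadIdentifier": "com.google.Chrome." + uuid,
        "PayloadType": "com.google.Chrome",
        "PayloadUUID": uuid,
        "PayloadVersion": 1,
    }
    return plistlib.dumps(payload)
```

Run validate_entry on each string you paste into the profile; a stray curly quote like the one in the original post fails the JSON check immediately instead of silently leaving the certificate prompt in place.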
Extra! Windows 10 – Chrome
Details provided by the Legendary Charlie Hodge EUCSE Blog. https://blog.eucse.com/windows-10-true-sso-using-chrome/
Further Resources
WorkspaceONE UEM Integration with Microsoft ADCS via DCOM
Chrome troubleshooting: chrome://policy
IDM – Activity Reports
Hi,
Is it possible to use a *.domain.com instead of a single URL to provide an SSO experience for many URLs?
Thanks
Hi Ben. The way this works is whenever a service is integrated with Workspace ONE Access as its IDP or 3rd party IDP, for SSO it will go to a certificate server (the CAS URL). If we then present the certificate to the CAS URL automatically it will sign you in seamlessly.
This would work if you have a service which uses a certificate to authenticate that's installed on your devices; you can just put yourdomain.com in and it will work.