How to configure Certificate (Cloud Deployment) authentication in Workspace ONE Access

This blog post is a step-by-step guide to configuring Cloud Certificate authentication in Workspace ONE Access.

This configuration provides a seamless logon experience for end-users: with this authentication method, they do not have to provide a userid and password to authenticate to the Workspace ONE Access user portal.

This article assumes you already have an Active Directory with Certificate Services configured. If you haven’t done this yet, please follow this article from the official Microsoft documentation.

Active Directory Certificate Services

As a first step, we will download the Active Directory Certificate Services (ADCS) root certificate. Open the Certificate Authority console, right-click the Certificate Authority and choose Properties.

In the General tab, click View Certificate.

In the certificate details, choose Copy to File and select Base-64 encoded X.509 (.CER).

Save the file. You will need it later in the Workspace ONE Access Admin Console configuration.
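The exported file becomes the trust anchor for every certificate logon, so it is worth checking before you upload it. The following PowerShell is an added example, not part of the original procedure; the file path is a placeholder you need to change.

```powershell
# Added example. $Path is a placeholder for wherever you saved the exported file.
$Path = 'C:\Temp\adcs-root.cer'
$full = (Resolve-Path -LiteralPath $Path).Path

# "Base-64 encoded X.509 (.CER)" is PEM text; a DER export would be binary.
$text = Get-Content -LiteralPath $full -Raw
if ($text -notmatch '-----BEGIN CERTIFICATE-----') {
    throw "$full is not Base-64 encoded. Re-export it as Base-64 encoded X.509 (.CER)."
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

# A root certificate is self-issued: subject and issuer are the same name.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: it was issued by '$($cert.Issuer)'."
}

# It must be marked as a CA in Basic Constraints (OID 2.5.29.19).
$bc = $cert.Extensions['2.5.29.19']
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Basic Constraints does not mark this certificate as a CA.'
}

# It must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# The export should carry the public certificate only.
if ($cert.HasPrivateKey) {
    throw 'The file contains a private key. Export the certificate only.'
}

# Compare the thumbprint with the one shown under View Certificate > Details.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
} | Format-List
```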

Workspace ONE Access

In the Workspace ONE Access Admin Console, go to Identity & Access Management, choose Manage on the right side and select Authentication Methods.

Edit the Certificate (cloud deployment) configuration.

Enable the Authentication Method. Click the Select File button and browse to the earlier saved root certificate.

Click OK to upload the file.

The file is now correctly uploaded.

In our case, we are matching the User Identifier Search Order with the Certificate Template settings we created earlier in Workspace ONE UEM. Be sure to follow my previous blog post on how to do this.

Next, make sure Validate UPN format is de-selected.
We have left the rest of the settings default. Make sure you verify these settings with your Security Officer.

Click Save. The Auth Adapter is now successfully updated.

As a next step, we need to enable this Auth Method in the built-in Identity Provider. Go to the Identity Provider menu and click the Built-in IDP hyperlink.

Enable the Certificate (cloud deployment) checkbox.

Click Save. The Built-in IDP is successfully updated.

As a last step, we will enable this Auth Method in an Authentication Policy. In our case, we will edit the default authentication policy.

Edit all the Network Ranges/Device Types for which you want to enable this policy.

Select the Certificate (cloud deployment) Auth Method from the drop-down menu.

In our case, we are going to configure this Auth Method as a primary authentication method. Decide for yourself whether you want to use it as the primary or a preceding method.

Click Save.

The policy is saved successfully.

Deploying the User Certificate

The next step is deploying the user certificate, which will be used for authentication, to the endpoints. There are multiple ways to do this. For example, one method is deploying the user certificate with Active Directory Group Policy. In my case, I have done this with Workspace ONE UEM; please read my previous blog post on how to do this!

The User Experience

Once the infrastructure is fully configured, the authentication policy is set and the user certificates are deployed to the endpoints, it’s time to check the end-user experience in the Workspace ONE Access user portal.

As mentioned earlier, I have configured Certificate (Cloud Deployment) as the primary method. When end-users access the Workspace ONE Access portal, they are prompted with the user certificate.

By clicking OK, the end-user is automatically logged on to the Workspace ONE Access portal. At this point, please make sure you have configured VMware True SSO to be able to launch your Horizon 7, 8 or Cloud Resources without supplying the userid and password.

Hiding the certificate pop-up screen

To make the user experience even better, you can hide the certificate pop-up screen you see in the above screenshot! Please follow the instructions below on how to do this.

Google Chrome

For Google Chrome, you can do this via Active Directory Group Policy (GPO). Copy/Import the Google ADMX templates in the SYSVOL folder, create a new GPO, go to Administrative Templates -> Google -> Google Chrome -> Content Settings -> Enable “Automatically select client certificates for these sites”. This setting can be Computer or User.

Next, you will have to create a value for this GPO setting. The correct configuration would be:

  • {"pattern":"https://[*.]identitymanager.","filter":{"ISSUER":{"CN":""}}}

If the endpoint is not domain joined, you can optionally also do this via the registry. Go to HKCU or HKLM, Software\Policies\Google\Chrome\

Create the key “AutoSelectCertificateForUrls” and create the following String Value in it:

  • Name = 1
  • Type = REG_SZ
  • Data = {"pattern":"https://[*.]identitymanager.","filter":{"ISSUER":{"CN":""}}}

Microsoft Edge

For Microsoft Edge, I could not find any GPO settings. Fortunately, there is a similar Registry key which can also be used! Go to HKCU or HKLM, Software\Policies\Microsoft\Edge\AutoSelectCertificateForUrls and configure the exact same String Value as for Google Chrome.
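One way to write the same value for both browsers is to build the JSON from an object, so the quoting is always valid, and then read it back. This PowerShell is an added example, not from the original post; the URL pattern and issuer CN are placeholders for your own Workspace ONE Access host and issuing CA. Keeping the pattern limited to that host and filtering on the issuer means the browser only auto-presents certificates from your CA to that one site.

```powershell
# Added example. Both values are placeholders: replace them with your own.
$UrlPattern = 'https://[*.]access.example.com'   # your Workspace ONE Access host
$IssuerCN   = 'Example Issuing CA'               # CN of the CA that issued the user certificates

if ([string]::IsNullOrWhiteSpace($UrlPattern) -or [string]::IsNullOrWhiteSpace($IssuerCN)) {
    throw 'Set both the URL pattern and the issuer CN before writing the policy.'
}

# Serialize from an object instead of hand-typing quotes and braces.
$policy = [ordered]@{
    pattern = $UrlPattern
    filter  = @{ ISSUER = @{ CN = $IssuerCN } }
}
$json = $policy | ConvertTo-Json -Depth 5 -Compress

# HKLM applies to every user of the machine and needs an elevated session.
# Use 'HKCU:' instead for a per-user setting.
$hive = 'HKLM:'
$keys = @(
    "${hive}\Software\Policies\Google\Chrome\AutoSelectCertificateForUrls",
    "${hive}\Software\Policies\Microsoft\Edge\AutoSelectCertificateForUrls"
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Name = 1, Type = REG_SZ, Data = the JSON string.
    New-ItemProperty -Path $key -Name '1' -Value $json -PropertyType String -Force | Out-Null

    # Read the value back and parse it to confirm it is still valid JSON.
    $stored = Get-ItemPropertyValue -Path $key -Name '1'
    $parsed = $stored | ConvertFrom-Json
    if ($parsed.pattern -ne $UrlPattern -or $parsed.filter.ISSUER.CN -ne $IssuerCN) {
        throw "Stored value under $key does not match what was written."
    }
    Write-Output "$key -> $stored"
}
```

After a browser restart, the applied value can be checked on the chrome://policy or edge://policy page.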

Please see the following URL for more information:

Mozilla Firefox

Firefox doesn’t use the local certificate store, but uses its own built-in store. At this moment, I couldn’t find a way to automatically install the user certificate for Firefox.