Workspace ONE Access – Certificate authentication

In this next post about Workspace ONE Access I want to finally move away from passwords and change the login to something more secure and far more convenient for employees: certificate-based authentication.

I think I will continue the trend I started in the last post (about Windows 10 OOBE) and show you a short video about the look and feel of the result.

It is not a rocket-science video, but it is pretty cool that we have just eliminated passwords from the login process. The employee is prompted for a certificate, which in this case was requested for them automatically during enrollment by our device management solution, Workspace ONE UEM.

Prerequisites

My assumption here is that you have a PKI you can use and that you have Workspace ONE Access deployed somewhere (on-prem or in the cloud; the cloud deployment is what I will be using in this post).

Requesting and delivering the certificate through Workspace ONE UEM is optional. If you do not have that set up, you will need to install the certificate on the device manually, but I believe the real strength of this solution shows when the UEM integration is in place. I will cover how to integrate Workspace ONE UEM with your PKI in a future post.

Configuration

As a first step, get your CA certificate chain (the root CA certificate plus any intermediate CA certificates) and keep it at hand. Then log in to the Workspace ONE Access administrative console and navigate to "Identity & Access Management > Authentication Methods".

The very last row is the one we are interested in, called "Certificate (Cloud Deployment)". Click the pencil icon in the middle to enable and configure it.

The minimal configuration you need to get it up and running is to check the "Enable Certificate Adapter" box and upload your CA root certificate (plus the intermediate certificates, if you have any). Everything else is optional and up to you; the remaining settings, such as revocation checking, add further security. For production I would at least turn on revocation checking, because without it a certificate you revoke in your PKI will keep logging the user in until it expires.

Now, as always, you need to make two additional steps to bring this new authentication adapter to life. First you must enable the method in the identity provider: go to the "Identity Providers" section and click on the Built-in provider.

Check the “Certificate (Cloud Deployment)” box in the authentication methods section and save it.

The last thing is to tell Workspace ONE Access when to use it by modifying the access policies. To keep it simple, let's require the certificate whenever a user accesses the web portal. Go to the "Policies" section and edit the default policy. Add "Certificate (Cloud Deployment)" as the first method. I would recommend keeping Password as the fallback method, so that a user without a valid certificate (or you, while testing) is not locked out.

I will test it from a Windows virtual machine. Double-check that the certificate is present in the user's personal certificate store, and you are good to go.
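Before testing, it is worth verifying the certificate on the client the way the adapter will: it must chain to the root you uploaded, carry the Client Authentication EKU, contain an identifier the adapter can map to a directory user (by default the UPN in the subject alternative name), and still be valid, with the private key on the device. The PowerShell check below is an added example written for this post, not part of the original article and not a VMware tool. The root thumbprint is a placeholder you must replace with the thumbprint of the root CA you uploaded into the adapter.

```powershell
# Added example (not from the original post). Assumes the user certificate was
# placed in CurrentUser\My (for example by Workspace ONE UEM) and that
# $ExpectedRootThumbprint is the SHA-1 thumbprint of the root CA uploaded
# into the "Certificate (Cloud Deployment)" adapter. Placeholder value below.
$ExpectedRootThumbprint = 'REPLACE-WITH-YOUR-ROOT-CA-THUMBPRINT'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$EkuExtensionOid = '2.5.29.37'         # Extended Key Usage extension

function Test-ClientAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Build the chain offline; Workspace ONE Access performs its own revocation
    # checks, this script only verifies the chain terminates at the expected root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    $hasClientAuth = $false
    if ($ekuExt) {
        $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    $result = [pscustomobject]@{
        Subject       = $Cert.Subject
        UPN           = $Cert.GetNameInfo('UpnName', $false)   # SAN UPN, what the adapter maps to the user
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        ChainsToRoot  = ($root.Thumbprint -eq $ExpectedRootThumbprint)
        ClientAuthEKU = $hasClientAuth
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
    $chain.Dispose()
    return $result
}

# Only certificates with a private key that are still valid can be used for logon.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.NotBefore -le (Get-Date) } |
    ForEach-Object { Test-ClientAuthCertificate -Cert $_ } |
    Format-Table -AutoSize
```

A certificate is usable for this login only if every column reads as expected: ChainsToRoot and ClientAuthEKU are True, UPN is populated and matches the user's directory UPN, and ChainStatus is empty (no chain errors). If the browser never prompts for a certificate, an empty or wrong UPN and a missing Client Authentication EKU are the two most common causes.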

It works as on the video at the beginning…

Conclusion

You can very easily step up both your security and your user experience by moving away from usernames and passwords. Now every application you integrate into the Workspace ONE Access catalog (web applications, Horizon virtual desktops and apps) can leverage this. If you manage the device with a UEM solution, deployment of the certificate can be fully automated and the user experience is seamless access to any app.

One small catch…

You are enjoying this new certificate access, but then you click on the Horizon virtual desktop icon and oops, there is a password prompt.

“Why is that? Can we get rid of it?”

The reason for this is that Horizon needs your username and password in order to log you into the Windows OS. Workspace ONE Access and Horizon talk SAML to each other, but Windows does not accept a SAML assertion as a logon credential; it only accepts a password or a certificate.

“I just used a certificate to get into Workspace ONE Access, so what the heck?”

We cannot simply forward your certificate from one server to another, since the private key never leaves your device. But we can use our technology called TrueSSO, which eliminates that password prompt by issuing a different, short-lived certificate to log you into the Windows OS. More about that in a future post.