Configuring Mobile Single Sign-On for iOS

Introduction

Although we use an iOS device to test the mobile SSO feature, the wizard also configures mobile SSO for Android and Windows 10 devices.

This exercise helps you to configure the Salesforce application with the identity provider metadata and integrate VMware Identity Manager with a trial Salesforce account.

The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

In addition, you need to create a trial Salesforce developer account. To register, you need a valid email address to receive your Salesforce password.

This exercise requires a user to enroll a device in Workspace ONE UEM. Note the user account information in the following table. The details in this table come from a test environment; your user account details will differ.

User Account Information

User name: testuser
Password: VMware1!
Email: testuser@company.com
Group ID: ginad
Server: hol.awmdm.com

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

2. Log In to the Workspace ONE UEM Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Configuring a Profile for iOS

A device profile allows you to manage devices with specific settings and rules. You can enforce corporate rules and procedures when device profiles are combined with compliance policies.

The mobile SSO wizard creates default device profiles. You must update the iOS device profile so that its Single Sign-On payload lists the Salesforce application identifier; only the applications listed there can use the device's SSO credential.

1. Select iOS Device Profile

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Click the iOS device profile.

2. Edit Device Profile Settings

  1. Select Single Sign-On.
  2. Click Add Version.

3. Add Salesforce Application Identifier

  1. Click Add.
  2. In the Applications section, enter com.salesforce.chatter, the bundle identifier of the Salesforce mobile app.
  3. Click Save & Publish.
  4. Click Publish.
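Behind the Single Sign-On payload in the console is Apple's com.apple.sso (Kerberos) configuration profile payload; the Applications list you edited above is its AppIdentifierMatches key. The Python below is an added example of mine, not a profile exported from Workspace ONE UEM: it builds that payload around com.salesforce.chatter, refuses wildcard or malformed identifiers so the SSO credential is not exposed to arbitrary apps, and reads the list back for auditing. The realm, URL prefix, principal name and PayloadIdentifier values are assumptions made for the example.

```python
import plistlib
import re
import uuid

# Bundle identifiers are reverse-DNS names. iOS also accepts a trailing "*"
# wildcard in AppIdentifierMatches; this helper deliberately rejects it so the
# Kerberos SSO credential is only usable by explicitly listed apps.
_BUNDLE_ID = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def build_sso_payload(app_identifiers, realm, url_prefixes,
                      principal="testuser@company.com"):
    """Return a dict in the shape of Apple's com.apple.sso Kerberos payload.

    realm, url_prefixes, principal and PayloadIdentifier are assumed values;
    Workspace ONE UEM fills them from its own mobile SSO configuration.
    """
    bad = [app for app in app_identifiers if not _BUNDLE_ID.match(app)]
    if bad:
        raise ValueError(f"refusing wildcard or malformed app identifiers: {bad}")
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.kerberos",  # assumed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Mobile SSO (Kerberos)",
        "Name": "Mobile SSO",
        "Kerberos": {
            "Realm": realm,
            "PrincipalName": principal,
            "URLPrefixMatches": list(url_prefixes),
            "AppIdentifierMatches": list(app_identifiers),
        },
    }


def wrap_in_profile(payload):
    """Wrap a single payload in a top-level Configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.ios-sso",  # assumed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "iOS Device Profile",
        "PayloadContent": [payload],
    }


def sso_profile_xml(app_identifiers, realm, url_prefixes):
    """Serialise the profile as the XML plist that gets pushed to the device."""
    payload = build_sso_payload(app_identifiers, realm, url_prefixes)
    return plistlib.dumps(wrap_in_profile(payload)).decode()


def apps_in_profile(xml_text):
    """Read back every AppIdentifierMatches entry from profile XML (for auditing)."""
    profile = plistlib.loads(xml_text.encode())
    apps = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.sso":
            apps.extend(payload["Kerberos"]["AppIdentifierMatches"])
    return apps


if __name__ == "__main__":
    xml = sso_profile_xml(
        ["com.salesforce.chatter"],
        realm="MOBILESSO.EXAMPLE.COM",                   # assumed realm
        url_prefixes=["https://login.salesforce.com/"],  # assumed prefix
    )
    print(xml)
    print("apps allowed to use SSO:", apps_in_profile(xml))
```

Run apps_in_profile against an exported profile to confirm that nothing broader than the intended bundle identifiers ended up in the allow list.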

Assigning an iOS Profile

After a device profile has been created and configured, you can assign the profile to a smart group.

This exercise helps you to assign a Workspace ONE UEM device profile to a smart group.

1. Select iOS Device Profile

  1. In Workspace ONE UEM Console, select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Click the iOS device profile.

2. Select Create Assignment Group

  1. Select the General tab.
  2. Click the Assigned Groups text box to open the drop-down menu.
  3. Select Create Assignment Group.

3. Provide Smart Group Details

  1. Name  – Enter a name of your choice for the smart group. This exercise uses iOS Smart Group.
  2. Platform and Operating System  – From the drop-down menus, select the following options: Apple iOS, Greater Than or Equal To, iOS 10.2.0.
  3. Click Save.
  4. Click Save & Publish.
  5. Click Publish.

Now that you have assigned a Workspace ONE UEM device profile to the iOS smart group, you are ready to configure the SAML metadata settings.

Configuring SAML Metadata Settings

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication assertions between an identity provider and service providers. With SAML authentication, a user authenticates once per browser session with the identity provider and then accesses every federated application without signing in again.

This exercise helps you configure the SAML metadata settings. 

1. Export and Save the Metadata File from Workspace ONE UEM

Export the identity provider SAML metadata from Workspace ONE UEM. Salesforce uses this metadata (entity ID, SSO endpoints, and the signing certificate) to trust assertions from the identity provider.

  1. Click Settings.
  2. Select SAML Metadata.
  3. Select Download SAML Metadata.
  4. Right-click Identity Provider (IdP) metadata, and select Save Link As.
  5. Save the metadata file in an accessible location.

2. Import the Metadata File to Salesforce

2.1. Log in to Salesforce

  1. In a web browser, navigate to https://login.salesforce.com.
  2. Enter your Salesforce user name.
  3. Enter your Salesforce password.
  4. Click Login.

2.2. Locate Single Sign-On Settings

  1. In the search box on the left, enter single to locate the SSO settings.
  2. Click Single Sign-On Settings.

2.3. Edit Single Sign-On Settings

Click Edit.

2.4. Enable SAML

  1. Select SAML Enabled to enable SSO using SAML.
  2. Click Save.

2.5. Populate SAML Single Sign-On Settings

  1. Click New from Metadata File.
  2. Click Choose File, and select the identity provider metadata file that you saved from Workspace ONE UEM.
  3. Click Create to populate the SAML SSO settings.

3. Update the SAML Settings in Salesforce

Specify how the identity provider identifies the Salesforce user, and download the Salesforce service provider metadata, which you import into Workspace ONE UEM later in this exercise.

  1. Select Assertion contains the Federation ID from the User object.
  2. Click Save.
  3. Click Download Metadata.
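Before importing the identity provider metadata into Salesforce, it is worth checking what it actually asserts: the entity ID, the SSO endpoints, the signing certificate, and the validUntil date after which it should be re-exported. The Python below is an added example, not code from this page or from VMware or Salesforce. It inspects a constructed metadata document whose host name and certificate bytes are placeholders; the SHA-256 fingerprint it reports is what you would compare against the certificate Salesforce shows after the import.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like IdP metadata. The host name is a placeholder and
# the certificate element holds dummy base64 bytes, not a real X.509 certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idm.example.com/SAAS/API/1.0/GET/metadata/idp.xml"
    validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>AAAAAAAAAAAA</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idm.example.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idm.example.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _sha256_fingerprint(b64_cert):
    """Colon-separated SHA-256 fingerprint of a base64-encoded DER certificate."""
    der = base64.b64decode("".join(b64_cert.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_idp_metadata(xml_text, now=None):
    """Summarise an IdP metadata document and list anything to fix before import."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "sso_endpoints": {},
              "signing_certs": [], "nameid_formats": [], "warnings": []}

    valid_until = root.get("validUntil")
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        report["valid_until"] = expires.isoformat()
        if expires <= now:
            report["warnings"].append("validUntil has passed; re-export the metadata from the IdP")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        report["warnings"].append("no IDPSSODescriptor: this is not identity provider metadata")
        return report
    report["want_authn_requests_signed"] = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    report["nameid_formats"] = [n.text for n in idp.findall("md:NameIDFormat", NS)]

    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]   # e.g. HTTP-POST
        location = svc.get("Location", "")
        report["sso_endpoints"][binding] = location
        if not location.startswith("https://"):
            report["warnings"].append(f"{binding} SSO endpoint is not HTTPS: {location}")

    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # absent 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            report["signing_certs"].append(_sha256_fingerprint(cert.text))
    if not report["signing_certs"]:
        report["warnings"].append("no signing certificate: Salesforce cannot verify assertion signatures")
    return report


if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

Point inspect_idp_metadata at the file you saved in step 1; an empty warnings list and a fingerprint that matches the certificate Salesforce displays after the import are the two things to look for.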

Registering Your Domain in Salesforce

After you have downloaded the SAML metadata file, you need to register your domain in Salesforce.

1. Select My Domain in Salesforce

  1. In the search box on the left, enter my domain
  2. Click My Domain.

2. Register Your Domain Name

  1. Under Choose Your Domain Name, enter a domain name in the text box.
  2. To confirm that your domain name is not being used, click Check Availability.
  3. Click Register Domain.

It can take a few minutes for Salesforce to complete the process. When the domain is registered, you receive an email. After you receive the email, you can edit the authentication configuration in My Domain.

3. Edit Authentication Configuration

Next to Authentication Configuration, click Edit.

4. Enable Authentication Service

  1. In the Authentication Service section, select the SAML single sign-on setting that you created from the VMware Identity Manager metadata, so that it becomes an available login method for your domain.
  2. Click Save.

Updating the Federation ID

The federation ID in Salesforce is a unique identifier for a user that can be shared across multiple applications. It lets administrators choose which user name format their user directory passes to Salesforce for SSO; the format is often an attribute such as the user's email address or UPN.

1. Select Users in Salesforce

  1. In the search box on the left, enter users.
  2. Click Users.

2. Edit User Settings

Next to the user name used for the trial account, select the check box and click Edit.

3. Enter Federation ID

  1. In the Single Sign-On Information section, enter the UPN of the user's Active Directory account as the federation ID, for example testuser@company.com. The value must match the NameID that the identity provider sends exactly; the Federation ID is case-sensitive.
  2. Click Save.
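The matching that Salesforce performs with Assertion contains the Federation ID from the User object is an exact lookup of the assertion's Subject NameID against the Federation ID field, inside the assertion's validity window and only when the Audience is Salesforce's own entity ID. The Python below is an added example of mine, not Salesforce's or VMware's code: it builds a constructed, unsigned SAML response, resolves its subject against a stand-in user table, and reports the case-mismatch, wrong-audience and expired cases that most often show up as a failed SSO attempt. The Salesforce audience value and the user table are assumptions, and signature verification, which a real service provider performs before any of this, is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed values for the example: the Salesforce SP entity ID that must appear as
# the assertion Audience, and a constructed stand-in for the Salesforce User
# table, keyed by Federation ID and holding the Salesforce user name.
SALESFORCE_AUDIENCE = "https://saml.salesforce.com"
USERS = {"testuser@company.com": "testuser@company.com.trial"}


def make_response(name_id, audience=SALESFORCE_AUDIENCE, ttl_seconds=300, now=None):
    """Build a constructed, unsigned SAML Response carrying one assertion.

    Real responses are signed by the IdP and carry more elements; this is only
    enough to exercise the subject mapping below.
    """
    now = now or datetime.now(timezone.utc)
    issued = now.strftime(TIME_FMT)
    not_before = (now - timedelta(seconds=60)).strftime(TIME_FMT)
    not_on_or_after = (now + timedelta(seconds=ttl_seconds)).strftime(TIME_FMT)
    issuer = "https://idm.example.com/SAAS/API/1.0/GET/metadata/idp.xml"  # placeholder IdP
    return f"""<samlp:Response xmlns:samlp="{SAML['samlp']}" xmlns:saml="{SAML['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="{issued}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="{issued}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _utc(stamp):
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def resolve_user(response_xml, users=USERS, expected_audience=SALESFORCE_AUDIENCE, now=None):
    """Map the assertion's Subject NameID to a user record the way Salesforce does
    with 'Assertion contains the Federation ID from the User object'.

    Returns (user_name, None) on success or (None, reason) on failure.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", SAML)
    if assertion is None:
        return None, "no Assertion element in Response"

    conditions = assertion.find("saml:Conditions", SAML)
    if conditions is not None:   # ElementTree elements can be falsy, so test for None
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _utc(not_before):
            return None, "assertion not yet valid"
        if not_on_or_after and now >= _utc(not_on_or_after):
            return None, "assertion expired"
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML)]
    if expected_audience not in audiences:
        return None, f"audience mismatch: assertion is for {audiences}, not {expected_audience}"

    name_id = assertion.find("saml:Subject/saml:NameID", SAML)
    if name_id is None or not name_id.text:
        return None, "no NameID in Subject"
    subject = name_id.text
    if subject in users:                 # exact, case-sensitive comparison
        return users[subject], None
    by_fold = {fid.casefold(): fid for fid in users}
    if subject.casefold() in by_fold:    # diagnose the most common misconfiguration
        return None, (f"Federation ID case mismatch: assertion carries {subject!r}, "
                      f"user record has {by_fold[subject.casefold()]!r}")
    return None, f"no user with Federation ID {subject!r}"


if __name__ == "__main__":
    cases = [
        ("exact match", make_response("testuser@company.com")),
        ("case mismatch", make_response("TestUser@company.com")),
        ("wrong audience", make_response("testuser@company.com", audience="https://other.example")),
        ("expired", make_response("testuser@company.com", ttl_seconds=-120)),
    ]
    for label, xml in cases:
        print(label, "->", resolve_user(xml))
```

The case-mismatch branch exists only to make the diagnosis obvious; the lookup itself stays exact, because relaxing it would let two directory accounts that differ only in case map to the same Salesforce user.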

Configuring the Salesforce Application for SSO

You now add the Salesforce application to the Catalog and configure the application for SSO. To add a web application to Workspace ONE UEM Console, you must be logged in as a domain administrator.

1. Create New SaaS Application

  1. In Workspace ONE UEM Console, select Apps & Books.
  2. Select Applications.
  3. Select Web.
  4. Select SaaS.
  5. Click New.

2. Select the Salesforce Application

  1. In the Search text box, enter Salesforce.
  2. Select Salesforce from the list. The remaining options are auto-filled.
  3. Click Next.

3. Configure Salesforce Application Settings

  1. Select URL/XML.
  2. Using Notepad or TextEdit, open the Salesforce metadata file that you downloaded in Update the SAML Settings in Salesforce.
  3. Copy the file contents, and paste them into the URL/XML text box.
  4. Click Next.

4. Select Default Access Policy Set

Click Next.

5. Confirm Salesforce Configuration and Save

Click Save.

The Salesforce application has been added to the Catalog and configured for SSO.

Logging In to the VMware Identity Manager Console

This exercise helps you to log in to your VMware Identity Manager tenant.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

2. Log In to Your VMware Identity Manager Tenant

  1. Enter the administrator user name.
  2. Enter the administrator password.
  3. Click Sign In.

Adding User Assignment in VMware Identity Manager

You are now ready to assign users to the Salesforce application.

1. Select Salesforce from the Catalog

  1. In the VMware Identity Manager administration console, click the Catalog tab.
  2. Click the Salesforce icon from the application list.

2. Assign Salesforce to a User

Click Assign.

3. Select User Account

  1. Enter a user name in the search field.
  2. Select the user name.

4. Specify User Assignment Details

 

  1. Select Automatic from the drop-down menu.
  2. Click Save to complete the assignment process.

Launching the Workspace ONE User Portal

In this section, open a web browser and log in to the Workspace ONE user portal.

1. Open a Web Browser

From your device, launch Google Chrome by double-clicking the icon.

2. Log In to the Workspace ONE User Portal

Enter the credentials for a user entitled to the Salesforce application.

  1. Enter the user name, for example testuser.
  2. Enter the password, for example VMware1!.
  3. Click Sign In.

Testing the Salesforce SSO Configuration

In this section, access the Salesforce application from the Workspace ONE user portal to confirm that SSO is correctly configured.

In the Workspace ONE user portal, find the Salesforce application and click Open.

If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password.

Enrolling an iOS Device

In this section, enroll your iOS device in Workspace ONE UEM by installing the Workspace ONE Intelligent Hub (formerly the AirWatch Agent).

1. Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

NOTE: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does not have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

2. Launch the Workspace ONE Intelligent Hub

Launch the Hub app on the device.  

NOTE: If you have your own iOS device and would like to test, you must download the Workspace ONE Intelligent Hub app first. 

3. Enter the Server URL

  1. Tap Server Details.
  2. Enter the Server URL for your Workspace ONE UEM environment (hol.awmdm.com in the test environment).
  3. Tap Next.

4. Find Your Group ID From the Workspace ONE UEM Console

Finding your Group ID

Return to the Workspace ONE UEM Console,

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the console.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

Note: The Group ID is required when enrolling your device in the following steps.

5. Enter the Group ID for Workspace ONE Intelligent Hub

Return to the Workspace ONE Intelligent Hub application on your iOS Device,

  1. In the Group ID field, enter the Group ID of your organization group, which you noted in the Finding your Group ID step.
  2. Tap the Next button.

NOTE: On an iPhone, you may have to close the keyboard by tapping Done before you can tap the Next button.

6. Enter User Credentials

You now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter testuser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

7. Redirect to Safari and Enable MDM Enrollment in Settings

The Workspace ONE Intelligent Hub prompts you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

8. Allow Website to Open Settings (IF NEEDED)

If you are prompted to allow the website to open Settings, tap Allow.

NOTE: If you do not see this prompt, ignore this and continue to the next step. This prompt occurs only for iOS devices on iOS 10.3.3 or later.

9. Install the Workspace ONE MDM Profile

Tap Install in the upper-right corner of the Install Profile dialog box.

10. Install and Verify the Workspace ONE MDM Profile

Tap Install when prompted on the Install Profile dialog.

11. iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

12. Trust the Remote Management Profile

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

13. iOS Profile Installation Complete

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper-right corner of the prompt.

14. Workspace ONE UEM Enrollment Success

Your enrollment is now complete. Tap Open to navigate to the Workspace ONE Intelligent Hub.

15. Accept the Workspace ONE Intelligent Hub Notice

Tap Done to confirm the notice and continue.

16. Accept Notifications for Hub (IF NEEDED)

Tap Allow if you get a prompt to allow notifications for the Hub app.

17. Accept the App Installation (IF NEEDED)

You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.

18. Confirm the Privacy Policy

Tap I Understand when shown the Privacy policy.

19. Accept the Data Sharing Policy

Tap I Agree for the Data Sharing policy.

20. Confirm the Device Enrollment in the Hub App

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM. Continue to the next step.

Testing Salesforce SSO on iOS

When you install a Workspace Services profile, Workspace ONE UEM pushes Salesforce to your iOS device. In this exercise, you log in to your enrolled iOS device and start Salesforce. If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password.

1. Launch Salesforce on iOS Device

On your iOS device, tap the Salesforce application.

2. Confirm Redirection to Workspace ONE

Confirm that Salesforce redirects to Workspace ONE for authentication instead of showing its own login form.

3. Validate SSO

Authentication completes through the mobile SSO profile, and the application starts without requiring a user name and password.

Now that you have tested the Salesforce SSO configuration on your mobile device, the Salesforce Mobile Single Sign-On section is complete.