Certificate-based authentication for Single Sign-On on mobile devices

Certificate-Based Authentication (CBA) is a secure authentication method for mobile devices that strengthens Single Sign-On (SSO) by authenticating with digital certificates instead of, or in addition to, passwords. This article details how to integrate CBA with your SSO setup, ensuring a secure and streamlined sign-in process for users of Axon mobile applications.

Prerequisites

  • A Mobile Device Manager (MDM). iOS requires that any certificates used as part of the SSO flow are managed by an MDM. An MDM helps integrate the identity provider and ensures secure delivery of certificates from the identity provider to the device.
  • Axon apps that support CBA.
  • SSO configured with an identity provider. To use CBA, you must use a third-party identity provider.

Integrate your identity provider with an MDM

Active Directory Federation Services (AD FS), Microsoft Entra ID, and Okta all have methods of providing certificates using Active Directory Certificate Services. Refer to the following resources for more information on integrating these with an MDM, such as Airwatch.

Troubleshooting

Enabling support for certificates generally involves two pieces of customer software (the MDM and the identity provider) that are not provided by Axon. The following tips help when working with CBA.

  • Ensure the port configuration for the IDP is correct. Certificate-based authentication often uses a different subdomain or port than username/password logins. Check with your identity provider, and ensure your organization has allowed those domains or made those ports reachable from the devices.
  • Ensure the certificate request from the MDM is correct. The most common configuration for automatic certificate generation on mobile devices has the MDM request a certificate from the Certificate Authority, supplying the Subject Name and Subject Alternative Name in the request. The IDP might have specific requirements for the SN/SAN in that request (for example, AD FS requires the SAN to contain the User Principal Name).
  • Ensure the Certificate Authority is trusted by iOS/Android or included in the MDM profile. Issues arise with mobile devices, and with SSO in general, when the Certificate Authority used by the IDP is not trusted by the devices. Ensure that the Certificate Authority is one of the platform's default trusted CAs or is included in the MDM profile delivered to the device.
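The second and third checks above can be scripted against a device certificate exported from the MDM. The following is an added example, not Axon's code or any vendor's tooling; it assumes the `cryptography` package is installed, constructs a throwaway CA and client certificate in place of the real MDM-issued pair, and then checks that the SAN carries a UPN and that the certificate was actually signed by the expected CA (a matching issuer name alone is not enough).

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
# Microsoft's otherName OID for a User Principal Name inside the SAN (a real OID).
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")

def san_upns(cert: x509.Certificate) -> list[str]:
    """Every UPN carried in the certificate's SAN; empty if the SAN or UPN is missing."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    upns = []
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            raw = other.value  # DER UTF8String: tag 0x0C, length, then the text
            hdr = 2 + ((raw[1] & 0x7F) if raw[1] & 0x80 else 0)
            upns.append(raw[hdr:].decode("utf-8"))
    return upns

def issued_by(cert: x509.Certificate, ca: x509.Certificate) -> bool:
    """True only if the issuer name matches the CA and the CA key verifies the signature."""
    if cert.issuer != ca.subject:
        return False
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:  # InvalidSignature, or a CA using a different key type
        return False

def make_sample(upn: str, with_upn: bool = True):
    """Constructed throwaway CA and client cert, standing in for the MDM-issued pair."""
    now = datetime.now(timezone.utc)
    ca_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    def builder(subject, key):
        return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    ca = builder(ca_name, ca_key).add_extension(
        x509.BasicConstraints(ca=True, path_length=None), critical=True).sign(ca_key, hashes.SHA256())
    user = builder(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Jane Doe")]), user_key)
    if with_upn:  # MDM request carrying the UPN that AD FS expects to find in the SAN
        enc = upn.encode("utf-8")
        user = user.add_extension(x509.SubjectAlternativeName(
            [x509.OtherName(UPN_OID, b"\x0c" + bytes([len(enc)]) + enc)]), critical=False)
    return ca, user.sign(ca_key, hashes.SHA256())
```

To check a real device certificate, load it with `x509.load_pem_x509_certificate` and pass it to `san_upns` and `issued_by` together with the CA certificate from the MDM profile.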

Additional Resources

For further guidance and detailed information on configuring SSO with Axon, refer to the following resources: