Does anyone love getting prompts? How many of your end-users know what a certificate is? Why is my web browser prompting for a certificate? Which one should I choose? These are all valid questions when an organization deploys certificates to enable Single Sign-on. I’ve been surprised to see how many folks don’t know certificate prompts can be avoided in macOS. What is the secret sauce? Identity preferences!
In the context of this blog post, I’m making a few assumptions to illustrate the functionality:
- An admin has a certificate authority and template configured per Workspace ONE UEM Integration with Microsoft ADCS via DCOM.
- VMware Identity Manager has its “Certificate (Cloud)” authentication method configured to trust certificates issued by the ADCS root certificate authority.
Specific to Safari, the real secret sauce is the Identity Preference Payload described in Apple’s Configuration Profile Reference. This payload binds a certificate payload in the same profile to a specific service: a URL, an email address, a DNS host name, and so on. Within Workspace ONE, admins can use this payload so that Safari selects the certificate automatically, with no prompt, and provides Single Sign-On to VMware Identity Manager.
Google Chrome doesn’t make use of the identity preferences stored in the keychain. To enable Single Sign-On for Google Chrome, admins must instead define a preference in the Google Chrome preferences domain on macOS, which is delivered with the Custom Settings XML payload in Workspace ONE UEM. For Chrome, the preference instructs the browser to search the keychain for a certificate matching a particular Common Name and present it for the matching URL. Because the match is by Common Name, the same identity certificate already delivered in the payload for Safari can be re-used.
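The following is an added example, not code from the original post or from VMware or Google. It covers both the Safari and Chrome paths above: it builds the Chrome `AutoSelectCertificateForUrls` rule (a JSON string selecting a certificate by issuer Common Name for a URL pattern) and wraps it in a managed-preferences plist for the `com.google.Chrome` domain, and it reports which identity the keychain maps to a service URL using the macOS `security get-identity-preference` command, which is what Safari consults. The host name `idm.example.com`, the CA name `Example Issuing CA`, the payload identifier and the UUID placeholder are constructed; whether the full plist or only its inner `<dict>` is pasted into the Workspace ONE Custom Settings field is an assumption to verify against the console.

```shell
#!/bin/sh
# Added example (not part of the original post). Builds the Chrome
# AutoSelectCertificateForUrls policy that a Custom Settings payload carries
# and checks the Safari-side identity preference where the macOS `security`
# tool exists. Host names, CA names and identifiers are constructed.

# Emit one AutoSelectCertificateForUrls rule: a JSON object whose "pattern"
# is the site and whose "filter" selects the client certificate by issuer CN.
# Inputs containing JSON-significant quotes or backslashes are rejected so a
# bad value cannot silently produce a rule Chrome ignores.
chrome_auto_select_rule() {
    url="$1"
    issuer_cn="$2"
    case "$url$issuer_cn" in
        *[\"\\]*) echo "refusing value with quote or backslash" >&2; return 1 ;;
    esac
    printf '{"pattern":"%s","filter":{"ISSUER":{"CN":"%s"}}}' "$url" "$issuer_cn"
}

# Emit a managed-preferences plist for the com.google.Chrome domain holding
# one auto-select rule. The Payload* keys mirror what a configuration
# profile payload carries; PayloadUUID is a placeholder to replace.
chrome_policy_plist() {
    rule=$(chrome_auto_select_rule "$1" "$2") || return 1
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadType</key>
    <string>com.google.Chrome</string>
    <key>PayloadIdentifier</key>
    <string>com.example.chrome.autoselectcert</string>
    <key>PayloadUUID</key>
    <string>PLACEHOLDER-UUID</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>AutoSelectCertificateForUrls</key>
    <array>
        <string>$rule</string>
    </array>
</dict>
</plist>
EOF
}

# Report the identity the keychain maps to a service URL (what Safari uses).
# `security get-identity-preference -s <service>` is the macOS command; on a
# host without it (or with no preference set) the function says so.
safari_identity_preference() {
    if command -v security >/dev/null 2>&1; then
        security get-identity-preference -s "$1" 2>/dev/null \
            || echo "no identity preference set for $1"
    else
        echo "security tool not available on this host"
    fi
}

# Usage: ./this-script.sh https://idm.example.com "Example Issuing CA"
if [ "$#" -eq 2 ]; then
    chrome_policy_plist "$1" "$2"
    safari_identity_preference "$1"
fi
```

The rule matches on the issuer CN rather than the subject CN because every user’s certificate from the same ADCS template shares an issuer, so one policy serves the whole fleet; a subject-CN filter would need a rule per user. After deployment, `defaults read com.google.Chrome AutoSelectCertificateForUrls` on a managed Mac should show the rule, and `security get-identity-preference -s https://idm.example.com` should name the issued identity.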
To learn more about how to set identity preferences for Safari and Chrome on macOS, see Managing Identity Preferences to Streamline Single Sign-On for macOS.