To provide single sign-on from AirWatch managed Android devices, you configure Mobile SSO for Android authentication in the VMware Identity Manager Built-in identity provider.

For information about configuring the Certificate authentication method, see Configuring a Certificate or Smart Card Adapter for Use with VMware Identity Manager.

Obtain the root certificate and intermediate certificates from the CA that was used to enable AirWatch Tunnel. If an Enterprise CA was used to enable AirWatch Tunnel, this certificate is the root and intermediate from the Enterprise CA. If AirWatch Tunnel was set up with the default certificate, this certificate is exported from the Device Root Certificate settings in the AirWatch Tunnel advanced configuration page.

(Optional) List of Object Identifier (OID) of valid certificate policies for certificate authentication.

For revocation checking, the file location of the CRL and the URL of the OCSP server.

(Optional) OCSP Response Signing certificate file location.


In the administration console, Identity & Access Management tab, select Manage > Identity Providers.


Click the identity provider labeled Built-in.


Verify that the Users and Network configuration in the built-in identity provider is correct.

If it is not, edit the Users and Network sections as needed.


In the Authentication Methods section, click the Mobile SSO (for Android devices) gear icon.


In the CertProxyAuthAdapter page, configure the authentication method.



Enable Certificate Adapter

Select this check box to enable Mobile SSO for Android.

Root and Intermediate CA Certificate

Select the certificate files to upload. You can select multiple root CA and intermediate CA certificates that are encoded. The file format can be either PEM or DER.

Uploaded CA Certificate Subject DNs

The contents of the uploaded certificate file is displayed here.

Use email if no UPN in certificate

If the user principal name (UPN) does not exist in the certificate, select this check box. The emailAddress attribute is used as the Subject Alternative Name extension to validate user accounts.

Certificate policies accepted

Create a list of object identifiers that are accepted in the certificate policies extensions. Enter the object ID number (OID) for the Certificate Issuing Policy. Click Add another value to add additional OIDs.

Enable Cert Revocation

Select the check box to enable certificate revocation checking. Enabling this feature prevents users who have revoked user certificates from authenticating.

Use CRL from certificates

Select the check box to use the certificate revocation list (CRL) published by the CA that issued the certificates to validate a certificate's status of revoked or not revoked.

CRL Location

Enter the server file path or the local file path from which to retrieve the CRL.

Enable OCSP Revocation

Select this check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.

Use CRL in case of OCSP failure

If you configure both CRL and OCSP, you can check this box to fall back to using CRL if OCSAP checking is not available.

Send OCSP Nonce

Select this check box if you want the unique identifier of the OCSP request to be sent in the response.


If you enabled OCSP revocation, enter the OCSP server address for revocation checking.

OCSP Responder's Signing Certificate

Enter the path to the OCSP certificate for the responder. Enter as /path/to/file.cer


Click Save.


Click Save on the built-in identity provider page.

Configure the default access policy rule for Mobile SSO for Android. See Managing Authentication Methods to Apply to Users


The network range that you use in the policy rule for Mobile SSO for Android should consist of only the IP addresses used to receive requests coming from the AirWatch Tunnel proxy server.