(2) Passwordless with Workspace ONE - Certificate Authentication

Step 1. Federate Office 365 to Workspace ONE


Step 2. Certificate prompt


Passwordless SSO with Workspace ONE Access and Certificate Authentication:

In this blog I will walk you through the configuration of enabling Certificate Authentication with Workspace ONE Access. This will provide a seamless Single Sign On experience without any user interaction needed to enter a username and/or password. Navigating to for example Office365 will be fully automated and no user interaction is required.

The experience is similar to that of the following video where you can see that the user doesn’t need to provide any input to authenticate on Office 365:

In a previous blog post i have described the steps to federate Office 365 to Workspace ONE Access which is a prerequisite for this configuration:


(In this blog I will use the integrated AirWatch Certificate Authority but in production it is also possible to integrate with your own Certificate Authority link


  • Workspace ONE Access integrated with Active Directory

  • Workspace ONE UEM integrated with Active Directory

  • Integration enabled between UEM and Access

  • Federation of Office365 to Access (link)

  • KDC Certificate from AirWatch

  • SCEP profile for authentication


  • Download the KDC certificate from Workspace ONE UEM console under Groups & Settings > All settings > System > Enterprise Integration > Workspace ONE Access > Configuration. 

  • If it is not enabled, enable it and download the certificate.

  • NOTE: This certificate can only be generated at customer type OG

  • Go to Workspace ONE Access console

  • In the administration console Identity & Access Management tab, select Manage > Authentication Methods.

  • In the Authentication Methods section, click the Certificate (Cloud Deployment) icon.

  • Check the box for Enable Certificate Adapter

  • Configure the Certificate Service Auth Adapter page:



Enable certificate adapter

Select the checkbox to enable certificate authentication.

*Root and intermediate CA certificates

Select the certificate files to upload. You can select multiple root CA and intermediate CA certificates that are encoded as DER or PEM.

Uploaded CA certificates

The uploaded certificate files are listed in the Uploaded Ca Certificates section of the form.

Use email if no UPN in the certificate

If the user principal name (UPN) does not exist in the certificate, select this checkbox to use the emailAddress attribute as the Subject Alternative Name extension to validate users' accounts.

Certificate policies accepted

Create a list of object identifiers that are accepted in the certificate policies extensions.

Enter the object ID numbers (OID) for the Certificate Issuing Policy. Click Add another value to add additional OIDs.

Enable cert revocation

Select the checkbox to enable certificate revocation checking. Revocation checking prevents users who have revoked user certificates from authenticating.

Use CRL from certificates

Select the checkbox to use the certificate revocation list (CRL) published by the CA that issued the certificates to validate the status of a certificate, revoked or not revoked.

CRL Location

Enter the server file path or the local file path from which to retrieve the CRL.

Enable OCSP Revocation

Select the checkbox to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.

Use CRL in case of OCSP failure

If you configure both CRL and OCSP, you can check this box to fall back to using CRL if OCSP checking is not available.

Send OCSP Nonce

Select this checkbox if you want the unique identifier of the OCSP request to be sent in the response.


If you enabled OCSP revocation, enter the OCSP server address for revocation checking.

OCSP responder's signing certificate

Enter the path to the OCSP certificate for the responder, /path/to/file.cer.

Enable consent form before authentication

Select this checkbox to include a consent form page to appear before users login to their Workspace ONE portal using certificate authentication.

Consent form content

Type the text that displays in the consent form in this text box.

  • Upload the Root CA certificate that you obtained from the Workspace ONE UEM console.

  • Click Save.

You will see CN=<OGNAME>

  • Click Save.

Now got to UEM console go to Devices > Profiles & Resources > Profiles

  • Create a new Windows profile:

  • Select Windows Desktop

  • Select User Profile

  • Configure the General Page (create an assignment and fill in the name for the profile)

  • Configure SCEP Payload as follows:

    • Credential Source - AirWatch Certificate Authority

    • Certificate Authority - AirWatch Certificate Authority

    • Certificate Template - Certificate (Cloud Deployment)

    • Key Location - TPM If Present