Certificate authentication from AppConnect apps to enterprise services

An AppConnect app can send a certificate to identify and authenticate the app user to an enterprise service. The AppConnect library, which is part of every AppConnect app, makes sure the connection uses the certificate. No additional development is required for the app.

When an AppConnect app uses a certificate to authenticate the app user to an enterprise service using HTTPS:

  • The authentication occurs without interaction from the app user.

    The app user does not need to enter a user name and password to log into enterprise services, resulting in a better user experience.

  • Access to the enterprise service is more secure.

The AppConnect app must use networking methods that this feature supports. Contact the application vendor or developer to find out if the app supports certificate authentication to enterprise services.

Certificate authentication from AppConnect apps to enterprise services:

  • is for HTTPS connections only.
  • does not work if you are using AppTunnel with HTTP/S tunneling for the connection.
  • does work if you are using AppTunnel with TCP tunneling for the connection.
NOTE: Authenticating users to enterprise servers using Kerberos Constrained Delegation (KCD) with AppTunnel has been available for some time. This feature does not use KCD or AppTunnel.

Impact on AppTunnel use

If an AppConnect app uses a certificate to authenticate the app user to an enterprise service:

  • The app can use AppTunnel with TCP tunneling (provided with the Tunnel app) to access an enterprise service.

  • The app cannot use AppTunnel with HTTP/S tunneling for accessing the same URL to which the certificate authenticates.

    The app can use AppTunnel for HTTP/S tunneling for accessing a different URL than the one that the certificate authenticates to.

Set up certificate authentication from an AppConnect app

Setting up certificate authentication from an AppConnect app requires the following two main steps:

  1. Configure MobileIron Cloud with the certificate that the app will use to authenticate to the enterprise service.

    See Configuring a certificate on MobileIron Cloud.

  2. Add two sets of key-value pairs to the AppConnect Custom Configuration.

    See Configuring a certificate on MobileIron Cloud.

Configuring a certificate on MobileIron Cloud

Configure the certificate that the app will use to authenticate to the enterprise service on MobileIron Cloud.

Procedure 

  1. Add a certificate authority in Admin > Certificate Management > Certificate Authority.

    A Connector installation is required if you are using an external certificate authority.

  2. Create an Identity Certificate setting, in Configurations > Add > Identity Certificate.

    For Certificate Distribution, select Dynamically Generated and for Source, select the certificate you configured in Admin > Certificate Management > Certificate Authority. You will reference the Identity Certificate configuration in the key-value pair in the app’s Custom AppConnect configuration.

Related topics 

  • "Certificate Management" in the MobileIron Cloud Administrator Guide.
  • "Identity Certificate" in the MobileIron Cloud Administrator Guide.

Configuring the key-value pairs for the certificate and URL matching rule

To set up certificate authentication from an AppConnect app to an enterprise service, add two sets of key-value pairs to the app's AppConnect Custom Configuration. The two key-value pairs in each set specify:

  • a certificate
  • a URL matching rule

When the app makes a web request to a URL that matches a URL matching rule, the connection uses the certificate.

Procedure 

  1. In MobileIron Cloud, App Catalog, edit the setting for the AppConnect app.

  2. For the AppConnect app, go to App Configurations > AppConnect Custom Configuration.

  3. Edit an existing custom configuration or add a new AppConnect Custom Configuration.

  4. In the AppConnect Certificate Configuration section add the following key value pairs.

    Key

    Value

    MI_AC_CLIENT_CERT_#

    substituting digits of your choice for #

    The key is case-sensitive.

    Example  

    MI_AC_CLIENT_CERT_1

    MI_AC_CLIENT_CERT_2

    MI_AC_CLIENT_CERT_15

    NOTE: You can have many MI_AC_CLIENT_CERT_# keys, each with a different digit substitution.

    Select the Certificate Enrollment setting from the dropdown list.

    MI_AC_CLIENT_CERT_#_RULE

    Substituting the same digits for # that you used in MI_AC_CLIENT_CERT_#.

    The key is case-sensitive.

    Example  

    MI_AC_CLIENT_CERT_15_RULE

    Enter the URL that will use the certificate for authentication.

    Example  

    *.mycompany.com/sales

    myserver.mycompany.com/hr/benefits
  5. Click Save.

Related topics 

Details about MI_AC_CLIENT_CERT_#_RULE

Rule format

The value for the key MI_AC_CLIENT_CERT_#_RULE is a URL matching rule. The rule has one of these formats:

  • <host >
  • <host >/<path>

The <host > component specifies a host within a domain. It can include one or more wildcard characters *.

Example  

  • myserver.mycompany.com
  • anotherserver.mycompany.com
  • *.mycompany.com

The <path > component specifies a path within the host. It cannot include the wildcard character *. It can contain multiple <subpath> components.

Example  

  • sales

  • sales/west

  • sales/west/california

    The <subpath> components are sales, west, and california.

Matching logic

When the app makes a URL request, the AppConnect library within the app compares the URL request with the values of the MI_AC_CLIENT_CERT_#_RULE keys. If the rule matches the URL request, the connection uses the certificate.

A match occurs if all of the following are true:

  • the rule’s <host> matches the URL request’s <host>.

  • Any <subpath> in the rule matches the URL request’s <subpath>, in the same order.

    More <subpath> components can be in the URL request than are in the rule.

NOTE: The matching logic ignores any port number or query parameters in the URL request.

Example  

Table 1. Matching rule example: my.server.mycompany.com

URL Request

Match?

Comments

https://myserver.mycompany.com

Yes

Exact match

https://myserver.mycompany.com/sales

Yes

Matches <host>

https://myserver.mycompany.com:8080

Yes

Matches -- port is ignored

https://myserver.mycompany.com:sales?
range=quarter

Yes

Matches -- query parameters are ignored

https://anotherserver.mycompany.com

No

<host> does not match

http://anotherserver.mycompany.com

No

HTTP, not HTTPS
Table 2. Matching rule example: *.mycompany.com/sales

URL Request

Match?

Comments

https://myserver.mycompany.com/sales

Yes

<host> and <subpath> match.

https://myserver.mycompany.com/sales/west

Yes

<host> and <subpath> match

https://anotherserver.mycompany.com/sales

Yes

<host> and <subpath> match

https://myserver.mycompany.com/salesmeeting

No

Entire <subpath> must match.

https://myserver.mycompany.com

No

Missing required <subpath>

https://myserver.mycompany.com/s

No

Entire <subpath> must match.

If more than one MI_AC_CLIENT_CERT_#_RULE value matches the URL request, the rule with the most number of non-wildcard characters is chosen.

For example, consider four MI_AC_CLIENT_CERT_#_RULE keys with the following values:

Table 3. Example of similar MI_AC_CLIENT_CERT_#_RULE values

Key

Value

MI_AC_CLIENT_CERT_1_RULE

*.mycompany.com

MI_AC_CLIENT_CERT_2_RULE

*.mycompany.com/sales/west

MI_AC_CLIENT_CERT_3_RULE

myserver.mycompany.com/sales

MI_AC_CLIENT_CERT_4_RULE

myserver.mycompany.com/sales/west

If the app requests URL https://myserver.mycompany.com/sales/west, the request matches all the values, but only one match is chosen. The chosen match is myserver.mycompany.com/sales/west, and the connection uses the corresponding certificate in MI_AC_CLIENT_CERT_4.