Configure single sign-on for BlackBerry UEM Skip Navigation

Configure single sign-on for
BlackBerry UEM

If you connect
BlackBerry UEM
to
Microsoft Active Directory
, you can configure single sign-on authentication to allow administrators or users to bypass the login webpage and access the management console or
BlackBerry UEM Self-Service
directly. When administrators or users log in to
Windows
, the browser uses their credentials to authenticate them with
UEM
automatically.
Windows
login information can include
Active Directory
credentials or derived credentials (for example, from CAC readers or digital tokens).
This feature is not supported by
UEM Cloud
.
  • Do the following to configure constrained delegation for the
    Active Directory
    account that
    UEM
    uses for the directory connection:
    1. Use the
      Windows Server
      ADSI Edit tool or setspn command-line tool to add the following SPNs for
      UEM
      to the
      Active Directory
      account:
      HTTP/
      <host_FQDN_or_pool_name>
      (for example, HTTP/domain123.example.com)
      BASPLUGIN111/
      <host_FQDN_or_pool_name>
      (for example, BASPLUGIN111/domain123.example.com)
    2. In
      Microsoft Active Directory Users and Computers
      , in the
      Microsoft Active Directory
      account properties, on the
      Delegation
      tab, enable
      Trust this user for delegation to specified services only
      and
      Use Kerberos only
      .
    3. Add the SPNs to the list of services.
  • If you enable single sign-on for multiple
    Active Directory
    connections, verify that there are no trust relationships between the
    Active Directory
    forests.
  1. In the
    UEM
    management console, on the menu bar, click
    Settings > External integration > Company directory
    .
  2. In the
    Configured directory connections
    section, click an
    Active Directory
    connection.
  3. On the
    Authentication
    tab, select the
    Enable Windows single sign-on
    check box.
  4. Click
    Save
    .
  5. Click
    Save
    again.
  6. Click
    Close
    .
  • Restart the
    UEM
    services on each computer that hosts a
    UEM
    instance.
  • Instruct administrators and users to use the following URLs:
    • Management console: https://
      <host_FQDN_or_pool_name>
      :
      <port>
      /admin
    • UEM Self-Service
      : https://
      <host_FQDN_or_pool_name>
      :
      <port>
      /mydevice
    Single sign-on authentication takes precedence over other authentication methods. If your organization's security standards require that administrators or users use another authentication method, the single sign-on method can be circumvented by appending ?sso=n to the end of the URLs above.
  • Instruct administrators and
    UEM Self-Service
    users to configure their browsers to support single sign-on for
    UEM
    :
    • Microsoft Edge
      : The management console and
      UEM Self-Service
      URLs must be assigned to the local intranet zone. Enable Integrated
      Windows
      Authentication.
    • Mozilla Firefox
      : In the about:config list, Add https://,
      <host_FQDN_or_pool_name>
      to the "network.negotiate-auth.trusted-uris" preference.
    • Google Chrome
      : The management console and
      UEM Self-Service
      URLs must be assigned to the local intranet zone.