Testing the adapter
Test the X.509 Adapter and MobileIron Adapter’s connection to MobileIron.
Before you begin
-
Install the MobileIron agent on your device and configure it with your MobileIron instance.
An X.509 certificate will be provisioned to your device for authentication with the X.509 Adapter.
-
Import the certificate authority (CA) root certificate into the PingFederate trusted store.
You can find more information in Manage trusted certificate authorities in the PingFederate documentation.
-
Configure PingFederate to run the SP Application according to instructions in SP application integration settings in the PingFederate documentation.
Steps
-
Go to your MobileIron instance, sign on, and go to Configurations > Add > Identity Certificate.
-
Enter a name for the certificate.
-
In the Certificate Distribution list, select Dynamically Generated.
-
In the Source list, select your certificate authority.
-
In the Subject field, enter the desired subject name.
For example, CN=${userCN}.
-
In the Subject Alternative Name Type, click Add, select a key, and then enter ${deviceMdmDeviceIdentifier} as the value.
The X.509 Adapter 1.3 and later support parsing the URI, RFC 822 name, and user principal name out-of-the-box.
If you enter a different key in this field, you must use an OGNL script to extract the value.
-
Click Test Configuration, then click Continue.
-
Select your inclusion and exclusion criteria for provisioning the certificate to the devices enrolled in MobileIron. Click Done.
Ping Identity recommends selecting Custom and choosing your test device selectively.
-
On your test device, open the MobileIron Go app and sync your device.
The certificate can take some time to provision. You might need to open the agent app and force a check-in between the device and the MobileIron instance.
-
After the profile is installed on the device, verify that a certificate from your credential source is available:
-
Go to Devices > Select your device > Certificates.
-
Review the list of installed certificates and confirm that a certificate from your configuration was provisioned to the device.
-
Using the device with the installed configuration, open a browser on the device and go to a resource protected by the adapter.
-
When prompted for X.509 authentication, select the certificate installed by the profile.
Depending on the device, the certificate might not be readily available in the browser for authentication. You might need to import the certificate into the browser’s certificate store before you can use the certificate to authenticate a user.
Result:
The browser redirects to PingFederate for X.509 validation. The device should be redirected to the protected resource.
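If the test fails, one thing to check is whether the device identifier landed in a Subject Alternative Name type that the X.509 Adapter parses out-of-the-box, as described in the Subject Alternative Name Type step. The following is an added example, not Ping Identity or MobileIron code: it reads the text printed by `openssl x509 -noout -ext subjectAltName` for an exported copy of the provisioned certificate and reports which SAN type holds the identifier. The function names and sample values are constructed for illustration, and the `othername: UPN::` label is assumed to be what OpenSSL 3.x prints.

```python
# SAN types the page lists as parsed out-of-the-box by X.509 Adapter 1.3+,
# keyed by the label OpenSSL prints for each GeneralName.
SUPPORTED = {"URI": "URI", "email": "RFC 822 name", "UPN": "user principal name"}

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output.
SAMPLE = """X509v3 Subject Alternative Name:
    URI:urn:example:device:0001, email:jdoe@example.com, othername: UPN::jdoe@example.com, DNS:phone01.example.com
"""


def parse_san(text):
    """Return a list of (label, value) pairs from OpenSSL's SAN text output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3"):
            continue  # skip blank lines and the extension header
        for item in line.split(", "):
            item = item.strip()
            if item.startswith("othername:"):
                # Assumed formats: OpenSSL 3.x prints "othername: UPN::value";
                # older builds print "othername:<unsupported>".
                rest = item[len("othername:"):].strip()
                label, sep, value = rest.partition("::")
                entries.append((label if sep else "othername", value))
            else:
                # Split on the first colon only, so URI values keep theirs.
                label, _, value = item.partition(":")
                entries.append((label, value))
    return entries


def check_device_id(text, device_id):
    """Locate device_id in the SAN; return (san_type, needs_ognl) or None."""
    for label, value in parse_san(text):
        if value == device_id:
            return SUPPORTED.get(label, label), label not in SUPPORTED
    return None


if __name__ == "__main__":
    # The identifier sits in a URI entry, so no OGNL script is needed.
    print(check_device_id(SAMPLE, "urn:example:device:0001"))
    # A DNS entry is outside the out-of-the-box types and needs OGNL.
    print(check_device_id(SAMPLE, "phone01.example.com"))
```

A result of None means the identifier is not in the SAN at all, which points back to the Identity Certificate configuration rather than to the adapter.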