Certificate picker for SSO on Windows browsers
One of the most underrated feature when it comes to SSO is to be able to automatically select the right certificate based on the domain, while there is mechanism in the SSL protocol to indicate which CA is requested, a device or a user may have multiple certificates depending on the scenario. This may lead to wrong certificate being chosen and other inconvenience for the end user but as well for security.
Luckily browsers offer the possibility to configure so they choose the right certificate for the right domain, and we can deploy this configuration with Workspace ONE UEM which ever browser it is. The deployment in itself will depend of the browsers but 99% of the time an ADMX is available. This is the method we are going to use here.
ADMX Install
For the ADMX be available on the machine we need to use the ADMX Install CSP, which allow to create a bridge between CSP, ADMX configuration and registry keys.
There is multiple articles already describing the CSP and how to install the ADMX, in this article we assume that the ADMX is already installed on the device using ADMX install and ready to be used.
- VMware TechZone: Understanding Windows 10 Group Policies
- Debay.blog: Deep Dive – ADMX Ingestion on Windows 10
- Microsoft Docs: Policy CSP – Windows Client Management
Chromium Based Browsers
Chromium based browsers are using AutoSelectcertificateForUrls setting, the location of the settings differ depending of the browser. The format however is the same across browsers and platforms.
The format is base on JSON so it need to be escaped.
JSON Example
{
"pattern": "https://sso.digitalworkspace.one",
"filter": {
"ISSUER": {
"CN": "certificate issuer name",
"L": "certificate issuer location",
"O": "certificate issuer org",
"OU": "certificate issuer org unit"
},
"SUBJECT": {
"CN": "certificate subject name",
"L": "certificate subject location",
"O": "certificate subject org",
"OU": "certificate subject org unit"
}
}
}Edge
AutoSelectcertificateForUrls documentation: Microsoft Edge Browser Policy Documentation | Microsoft Docs
$URL_PATTERN format: Filter format for Microsoft Edge URL policies | Microsoft Docs
Install Settings
<Replace>
<CmdID>440c3845-6ed3-44f6-8e09-c2a7fe9e3ef9</CmdID>
<Item>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/edge~Policy~microsoft_edge~ContentSettings/AutoSelectCertificateForUrls</LocURI>
</Target>
<Data><![CDATA[<enabled/><data id="AutoSelectCertificateForUrlsDesc" value="1{"pattern":"https://www.1.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}2{"pattern":"https://www.2.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}3{"pattern":"https://www.3.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}" />]]></Data>
</Item>
</Replace>Remove Settings
<Delete>
<CmdID>1cb70b36-54fa-4601-bdd1-181ae1715843</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/edge~Policy~microsoft_edge~ContentSettings/AutoSelectCertificateForUrls</LocURI>
</Target>
</Item>
</Delete>SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls\1 = "{\"pattern\":\"https://digitalworkspace.one\",\"filter\":{\"ISSUER\":{\"CN\":\"certificate issuer name\", \"L\": \"certificate issuer location\", \"O\": \"certificate issuer org\", \"OU\": \"certificate issuer org unit\"}, \"SUBJECT\":{\"CN\":\"certificate subject name\", \"L\": \"certificate subject location\", \"O\": \"certificate subject org\", \"OU\": \"certificate subject org unit\"}}}"Chrome
AutoSelectcertificateForUrls documentation: Chrome Enterprise policy list and management | Documentation
$URL_PATTERN format: Enterprise policy URL pattern format – Chrome Enterprise
Install Settings
<Replace>
<CmdID>440c3845-6ed3-44f6-8e09-c2a7fe9e3ef9</CmdID>
<Item>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/chrome~Policy~googlechrome~ContentSettings/AutoSelectCertificateForUrls</LocURI>
</Target>
<Data><![CDATA[<enabled/><data id="AutoSelectCertificateForUrlsDesc" value="1{"pattern":"https://www.1.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}2{"pattern":"https://www.2.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}3{"pattern":"https://www.3.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}" />]]></Data>
</Item>
</Replace>Remove Settings
<Delete>
<CmdID>1cb70b36-54fa-4601-bdd1-181ae1715843</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/chrome~Policy~googlechrome~ContentSettings/AutoSelectCertificateForUrls</LocURI>
</Target>
</Item>
</Delete>Firefox
Firefox is known for having it’s own certificate store, however since Firefox 75, it is capable of using OS certs if security.osclientcerts.autoload is set at true. It is not possible however to specify which certificate can be used for which website. Firefox have also ADMX available.
JSON Example
{
"security.osclientcerts.autoload": {
"Value": true,
"Status": "locked"
}
}Install Settings
<Replace>
<CmdID>bc26a780-5fa9-4d5f-9128-fe3924d1ffcd</CmdID>
<Item>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/firefox~Policy~firefox/Preferences</LocURI>
</Target>
<Data><![CDATA[<enabled/><data id="JSON" value="{ "security.osclientcerts.autoload": { "Value": true, "Status": "locked" }}" />]]></Data>
</Item>
</Replace>Remove Settings
<Delete>
<CmdID>35c294f8-a6d7-418e-b732-8607dc332da8</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/firefox~Policy~firefox/Preferences</LocURI>
</Target>
</Item>
</Delete>Other browsers
If you are using other browsers let me know in the comment and will try to add them to the article.
vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.