AirWatch SAML Single Sign-On (SSO)

The following is an overview of the steps required to configure the AirWatch Web application for single sign-on (SSO) via SAML. AirWatch offers SP-initiated SAML SSO (for SSO access directly through the AirWatch web application).

SP-initiated SSO for AirWatch is automatically enabled when the SAML feature is activated.
  1. Prepare AirWatch for single sign-on (see AirWatch requirements for SSO).
  2. In the Admin Portal, add the application and configure application settings.

    Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configuring AirWatch in Admin Portal.

  3. Configure the AirWatch application for single sign-on.

    You will need to copy some settings from Application Settings in the Admin Portal and paste them into fields on the AirWatch website. For details, Configuring Directory Services in the AirWatch Admin Console

    After you have finished configuring the application settings in the Admin Portal and the AirWatch application, users are ready to launch the application from the CyberArk Identity User Portal.

  4. (Optional) Configure the AirWatch application for your mobile device.

    For details, Configuring AirWatch on Android and iOS devices for SSO.

  5. AirWatch requirements for SSO

    Before you configure the AirWatch web application for SSO, you need the following:

    • An active AirWatch account with administrator rights for your organization.
    • AirWatch Idaptive Connector hosted.
    • A signed certificate.

    You can either download one from the Admin Portal or use your organization’s trusted certificate.  

Set up the certificates for SSO

To establish a trusted connection between the web application and the CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.

What you need to know about AirWatch

Each SAML application is different. The following table lists features and functionality specific to AirWatch.



Support details

Web browser client



Mobile client


iOS and Android.

SAML 2.0



SP-initiated SSO



IdP-initiated SSO



Force user login via SSO only



Separate administrator login
after SSO is enabled


Only administrators can log in.

User or Administrator lockout risk


Username/password login is always available

Automatic user provisioning



Multiple User Types


Admin user

End users

Self-service password


Users can reset their own passwords. Resetting another user’s password requires administrator rights.

Access restriction using a corporate IP range


You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.

Configure AirWatch in the Admin Portal

Configure Directory Services in the AirWatch Admin Console

Configure AirWatch on Android and iOS devices for SSO

For Android devices, deploy the regular AirWatch Android application using the Android Google Play application.

For iOS devices, deploy the AirWatch iOS application using the iOS App Store mobile application.

You can download the mobile installation files either from your AirWatch account, or iTunes and Google Play:

Configure the AirWatch MDM agent

AirWatch MDM Agent is an app for enrolling a mobile device to AirWatch.

Contact AirWatch support for more information about configuring AirWatch for SSO.