Access Architecture

MobileIron Access requires: 1. Existing SAML identity providers and service providers already configured for federated authentication. 2. Minimum versions of Core/Cloud (9.0/R33), Sentry (8.0.1), and Tunnel (2.1) be deployed. 3. Specific browser versions supported for Access admin interface on Windows and MacOS. 4. Opening of ports 443 and 9090 between Core and Sentry, 443 from devices to Sentry and Access Cloud tenant, and 443 from devices to Sentry when using MobileIron Tunnel.


Access Architecture

Course: SAML and MobileIron Access Overview


MobileIron Confidential

Welcome to the SAML and Access Architecture Overview lesson of the MobileIron
Access course.

Control Flows with MobileIron Access

[Slide diagram: Federated Identity 3-way Trust. The Identity Provider (IDP) and the Service Provider (SP) are each linked to MobileIron Access in the middle, with an employee login (username, password) from the device. Labels: "Download SP metadata, sign and upload to SP"; "Download IDP metadata, sign and upload to IDP"; "Access as an SP"; "Admin Portal"; "Access as an IDP".]


While SAML authentication is still being used, MobileIron Access is injected into the
authentication workflow between the devices, the Service Providers and the Identity
Providers.

MobileIron Access acts both as a service provider and as an identity provider. A
three-way trust is established, with the identity provider interfacing with
MobileIron Access, and the service provider doing the same.

As with a typical federated pair, metadata must be exchanged, only this time
between three entities instead of two. This 3-way trust is what then allows
MobileIron Access to enforce block and allow policies.
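The three-way trust described above, as an added example that is not part of the course or MobileIron's own code: a Python check that parses minimal SAML 2.0 metadata and verifies that the IdP trusts Access as its SP, the SP trusts Access as its IdP, and Access holds both original parties' metadata. The entity IDs and the `uploads` structure (which party has uploaded which metadata) are constructed for illustration.

```python
# Added example (not MobileIron code): models the three-way SAML trust that
# MobileIron Access is inserted into. Each party keeps the peer metadata it
# has uploaded; Access must appear as the IdP's trusted SP and as the SP's
# trusted IdP, while Access itself trusts the original IdP and SP.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

def metadata(entity_id, role):
    """Build a minimal constructed SAML 2.0 EntityDescriptor (role: 'IDP' or 'SP')."""
    return (f'<EntityDescriptor xmlns="{MD}" entityID="{entity_id}">'
            f'<{role}SSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol"/></EntityDescriptor>')

def describe(xml_text):
    """Return (entityID, set of roles) declared by a metadata document."""
    root = ET.fromstring(xml_text)
    roles = {r for r in ("IDP", "SP")
             if root.find(f"{{{MD}}}{r}SSODescriptor") is not None}
    return root.attrib["entityID"], roles

def check_three_way_trust(idp_xml, sp_xml, access_sp_xml, access_idp_xml, uploads):
    """uploads maps 'idp', 'sp' and 'access' to the metadata each has uploaded.
    Returns a list of problems; an empty list means the 3-way trust is complete."""
    idp_id, _ = describe(idp_xml)
    sp_id, _ = describe(sp_xml)
    acc_sp_id, acc_sp_roles = describe(access_sp_xml)
    acc_idp_id, acc_idp_roles = describe(access_idp_xml)
    trusted = {p: {describe(m)[0] for m in docs} for p, docs in uploads.items()}
    problems = []
    if "SP" not in acc_sp_roles or "IDP" not in acc_idp_roles:
        problems.append("Access must publish both an SP and an IdP descriptor")
    if acc_sp_id not in trusted.get("idp", set()):
        problems.append("IdP does not trust Access as an SP")
    if acc_idp_id not in trusted.get("sp", set()):
        problems.append("SP does not trust Access as its IdP")
    if not {idp_id, sp_id} <= trusted.get("access", set()):
        problems.append("Access is missing the IdP or SP metadata")
    # Leftover direct trust from before Access was inserted is flagged so that
    # every login passes through Access, where block and allow policies apply.
    if sp_id in trusted.get("idp", set()) or idp_id in trusted.get("sp", set()):
        problems.append("Stale direct IdP<->SP trust remains alongside Access")
    return problems

# Constructed entity IDs for illustration
IDP = metadata("https://idp.example.com/saml", "IDP")
SP = metadata("https://sp.example.com/saml", "SP")
ACCESS_SP = metadata("https://access.domain.com/sp", "SP")
ACCESS_IDP = metadata("https://access.domain.com/idp", "IDP")
COMPLETE = {"idp": [ACCESS_SP], "sp": [ACCESS_IDP], "access": [IDP, SP]}
```

Real metadata is signed and much larger; the check only inspects entity IDs and role descriptors, which is enough to confirm who has been configured to trust whom.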

Now let us take a look at the requirements involved in using MobileIron Access.

Access Architecture Requirements

[Slide diagram: service providers (Salesforce, Office365, Workday, SAP, Oracle, Concur, Google Drive, Box, Dropbox) and an Identity/SAML provider (Azure Active Directory), marked "Must already be configured and functioning". MobileIron Minimum Requirements: Core 9.0.x; Cloud R33; Sentry 8.0.1 minimum, 8.5 for split tunnel with domains; Tunnel 2.1.]

In order to use MobileIron Access, there are some requirements that need to first be
considered.

The first requirement involves the Service Providers and Identity Providers. Prior
to using MobileIron Access, these providers must already be configured for federated
authentication using SAML. This must be an existing, functioning setup. Note that
the service providers and identity providers listed are only some of the ones
supported with Access.

Next, there are some additional requirements around the deployed MobileIron
components in your environment.

To use Access, first you need to ensure that your Core or MobileIron Cloud
version meets the minimum version required. For Core, you need
to be on version 9.0 or later. For MobileIron Cloud, the minimum version is R33.

Sentry is used to host the Access services and so is also a required piece of the
architecture. Version 8.0.1 is the minimum Sentry version that can be used with
Access. If you are on version 8.0.1, it is a good idea to check the MobileIron Support
Community to make sure there are no known issues with it. However, MobileIron
recommends upgrading your Sentry to the latest available version. Note that to use
split tunneling with domains, a minimum Sentry version of 8.5 is required.

The final piece of MobileIron architecture required is MobileIron Tunnel. Version
2.1 or later of MobileIron Tunnel needs to be deployed to ensure compatibility with
Access.

All of the requirements on this slide are the minimum requirements that are current
as of now. Refer to the latest MobileIron Access release guide for the current
requirements for MobileIron Access. This documentation can be found in the
MobileIron Community. There are links to these resources included at the end of this
lesson.

Access Browser Requirements


There are also some requirements around browsers that can be used to manage
Access through its administration web interface.

For Windows, the three supported browsers are Firefox, Chrome and Internet
Explorer. The specific versions of these browsers that are supported are found in the
Access documentation.

For OSX, Firefox, Chrome and Safari are the supported browsers. The specific
versions supported for OSX are also found in the Access documentation.

MobileIron Access Port Requirements

[Slide diagram with Internal, DMZ and Internet zones: Core to Sentry on 443/9090; devices to Sentry on 443; Sentry to the cloud-hosted Access Admin tenant on 443; the service providers (Salesforce, Office365, Workday, SAP, Oracle, Concur, Google Drive, Box, Dropbox) and the Identity/SAML provider (Azure Active Directory) on the Internet.]

Using Access requires that you ensure that certain ports are opened up to allow
traffic to flow properly.

First, you want to ensure that ports are opened to allow Core to communicate with
Sentry. This is especially important if Core is located on your internal network and
Sentry in the DMZ. Ports 443 and 9090 need to be opened between Core and
Sentry to accommodate the necessary communication.

The Sentry server, being the main component in the Access architecture, has the most
requirements when it comes to ports. Though Access is housed on Sentry, there is
also the Access Admin Cloud tenant. This is housed in the cloud, not within the
corporate network.

As Sentry needs to be able to communicate with the Access Cloud Admin tenant,
you need to make sure that it can talk to it over port 443. While that likely does not
mean any firewall changes need to be made, you need to ensure that there are no
ACLs on Sentry that prevent that communication.

Your devices also need to be able to communicate with Access. This
requires that you open port 443 to allow inbound connections from your users'
devices. This communication between the devices and Access occurs when the IdP
and the SP redirect the device to Access. Access itself does not need to
communicate with the IdP or SP. Access sends all communication to the device, after
which the device connects to those resources.

MobileIron Tunnel Port Requirements

[Slide diagram with Internal, DMZ and Internet zones: devices to Sentry on 443; Sentry to the service providers (Salesforce, Office365, Workday, SAP, Oracle, Concur, Google Drive, Box, Dropbox) and to the Identity/SAML provider (Azure Active Directory) on 443.]

When using managed devices with MobileIron Tunnel, there are some other port
requirements to take into consideration.

First, devices using MobileIron Tunnel must be able to communicate with Sentry.
This means that port 443 needs to be opened to allow communications from
users' devices.

Additionally, you need to allow Sentry to communicate with the IdP and SPs
being used. These connections from Sentry to the IdP and SPs are vital.
This communication occurs on port 443. This means that you need to open port 443
to allow Sentry to communicate with these, wherever they may be located.

Again, Access does not communicate with the IdP or the SPs. All of this
communication is performed by the device, through its MobileIron Tunnel
connection.

Access and Sentry

[Slide diagram: one Sentry server with two externally resolvable hostnames, access.domain.com for Access and apptunnel.domain.com for Sentry, in front of the service providers (Salesforce, Office365, Workday, SAP, Oracle, Concur, Google Drive, Box) and the Identity/IDP (SAML) provider. Label: "Separate external hostnames required for Sentry and Access".]

Though Access runs on Sentry, it is a completely separate service. Any Sentry with
Access running has both the Sentry and the Access services running on the same
server. This being the case, it adds an additional requirement that must be
considered.

Sentry, as per its normal functionality, needs to have an external hostname assigned
to it in order for device traffic to connect to email using ActiveSync, or to other
backend resources using AppTunnel or MobileIron Tunnel.

When Access is involved, however, a second externally resolvable hostname
needs to be created for the Sentry server. Though Access is hosted on Sentry, it is a
completely separate service. Devices cannot connect to Access using the ActiveSync
or AppTunnel external hostname. A new external hostname is used for Access. This
means that if Sentry is being used to host normal Sentry services and is also being
used to host Access, two externally resolvable names must be created for it: one for
Access and one for normal Sentry services.
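The Access and Tunnel port requirements from the two port slides, together with the separate-hostname rule above, as an added example that is not part of the course or MobileIron's own tooling: a Python script that lists the flows a given role (Core, Sentry or a device) must be able to open and probes them over TCP. The hostnames access.domain.com and apptunnel.domain.com come from the slide; the other hostnames and the cloud tenant name are constructed placeholders, and the probe function is injectable so the flow logic can be exercised without a network.

```python
# Added example (not MobileIron code): checks the Access port requirements and
# the separate-hostname requirement from the host whose role you pass in.
# Hostnames other than the two from the slide are constructed placeholders.
import socket

HOSTS = {
    "core": "core.domain.com",          # MobileIron Core, internal network
    "sentry": "apptunnel.domain.com",   # Sentry's normal external hostname (slide)
    "access": "access.domain.com",      # second external hostname for Access (slide)
    "access_cloud": "ACCESS-ADMIN-TENANT-PLACEHOLDER",  # cloud-hosted Access Admin tenant
    "idp": "idp.domain.com",            # SAML identity provider
    "sp": "sp.domain.com",              # a SAML service provider
}

def required_flows(tunnel=False):
    """(source role, destination key, TCP port) from the two port slides;
    tunnel=True adds the flows needed when devices use MobileIron Tunnel."""
    flows = {("core", "sentry", 443), ("core", "sentry", 9090),
             ("device", "access", 443), ("sentry", "access_cloud", 443)}
    if tunnel:
        flows |= {("device", "sentry", 443), ("sentry", "idp", 443), ("sentry", "sp", 443)}
    return flows

def hostname_problems(hosts=HOSTS):
    """Access must not reuse the ActiveSync/AppTunnel hostname of Sentry."""
    if hosts["access"] == hosts["sentry"]:
        return ["Access and Sentry share one external hostname; Access needs its own"]
    return []

def tcp_open(host, port, timeout=5.0):
    """Live probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_role(role, tunnel=False, probe=tcp_open, hosts=HOSTS):
    """Probe every flow that `role` originates; returns {(host, port): reachable}.
    `probe` is injectable so the logic can run without a network."""
    return {(hosts[dst], port): probe(hosts[dst], port)
            for src, dst, port in sorted(required_flows(tunnel)) if src == role}

def failures(results):
    """Flows still needing a firewall or ACL change, as 'host:port' strings."""
    return sorted(f"{h}:{p}" for (h, p), ok in results.items() if not ok)
```

Run `failures(check_role("sentry", tunnel=True))` on the Sentry host to see which of its outbound flows are blocked; a TCP connect only proves the port is open, not that the service behind it is healthy.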


Thank you for attending this MobileIron University training.
