Note: You need a device with the MobileIron agent installed and configured with your MobileIron instance. An X.509 certificate will be provisioned to the device for authentication with the X.509 adapter. The CA root certificate must be imported into the PingFederate trusted store (see Trusted Certificate Authorities in the PingFederate Administrator’s Manual).).

Follow this procedure to test your adapter configuration:

  1. Set up PingFederate to run the SP Application according to instructions in the Quick-Start Guide.
  2. Navigate to your MobileIron instance, login and go to Configurations > Add > Identity Certificate.
  3. Name the configuration and select Dynamically Generated from the Certificate Distribution dropdown. Select your Certificate Authority from the Source dropdown and enter the desired subject name for the Subject field (for example, CN=${userCN}).
  4. Click Add under Subject Alternative Name Type and select a key and enter ${deviceMdmDeviceIdentifier} as the value.
    Note: Version 1.3 of the X.509 adapter supports parsing URI, user principal name and RFC 822 name out-of-the-box without requiring OGNL to extract the values. Using a different key will require an OGNL script to extract the value.
  5. Click Test Configuration and click Continue.
  6. Select your inclusion/exclusion criteria for provisioning the certificate to the devices enrolled in MobileIron. Ping Identity recommends selecting Custom and selectively choosing your test device. Click Done.
  7. On your test device, navigate to the MobileIron Go app and sync your device. It might take some time for the certificate to provision.
    Note: You may need to open the agent app and force a check-in between the device and the MobileIron instance.
  8. After the profile is installed on the device, verify a certificate from your credential source is available on the device by navigating to Devices > Select your device > Certificates. Inspect the list of certificates installed on the device and verify a certificate from your configuration has been provisioned to the device.
  9. Using the device with the installed configuration, open a browser on the device and navigate to a resource protected by the adapter.
  10. When challenged for X.509 authentication, select the certificate installed by the profile. The browser will be redirected to PingFederate for X.509 validation and the device should be redirected to the protected resource.
    Note: Depending on the device, the certificate isn’t readily available in the browser for authentication. The certificate might require importing into the browser’s certificate store before it can be used to authenticate a user.