VMware Horizon True SSO eliminates the need to enter credentials a second time when accessing VMware Horizon desktops and published applications.
After installing the Enrollment Servers and configuring the CA accordingly, the next steps are exporting and importing the certificate and configuring SAML.
Blog series
VMware Horizon True SSO configuration - pt.1
VMware Horizon True SSO configuration - pt.2
VMware Horizon True SSO configuration - pt.3
Export the Enrollment Service Client Certificate
From a Connection Server, open the Certificate console by running the certlm.msc command.
Expand VMware Horizon View Certificates and select Certificates. In the list, find the certificate with the Friendly Name vdm.ec (all Connection Servers have the same certificate). Right click the certificate and select All Tasks > Export.
Click Next.
Select No, do not export the private key then click Next.
Select DER encoded binary X.509 (.CER) format and click Next.
Enter a File Name for the certificate to export and click Next.
Click Finish.
Click OK.
Copy the exported certificate to the Enrollment Server.
Import the certificate to the Enrollment Server
On the Enrollment Server, open the Certificates console with certlm.msc.
Right click VMware Horizon View Enrollment Server Trusted Roots and select All Tasks > Import.
Click Next.
Click Browse to select the certificate file previously exported from the Connection Server and click Next.
Select the Place all certificates in the following store option and select VMware Horizon View Enrollment Server Trusted Roots. Click Next.
Click Finish to import the certificate.
The certificate has been imported successfully. Click OK.
The imported certificate.
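The same export and import done from PowerShell, as an added example that is not part of the original post. It assumes the store names shown in certlm.msc ("VMware Horizon View Certificates" and "VMware Horizon View Enrollment Server Trusted Roots") are also the underlying system store names and that both sessions are elevated; it adds a thumbprint comparison so that what the Enrollment Server trusts is verifiably the vdm.ec certificate the Connection Server exported.

```powershell
# Added example; store names and file paths are assumptions, not values from the post.
$friendlyName = 'vdm.ec'

# --- Run on a Connection Server: export the public part of vdm.ec as a DER (.cer) file
function Export-HorizonEcCert {
    param([string]$OutFile = 'C:\Temp\vdm.ec.cer')   # directory must already exist
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        'VMware Horizon View Certificates', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $cert = $store.Certificates | Where-Object { $_.FriendlyName -eq $friendlyName } |
                Select-Object -First 1
        if (-not $cert) { throw "No certificate with friendly name '$friendlyName' found" }
        # X509ContentType 'Cert' writes the DER-encoded certificate only; the private key is never exported
        [IO.File]::WriteAllBytes($OutFile, $cert.Export('Cert'))
        return $cert.Thumbprint    # record this and compare it on the Enrollment Server
    } finally { $store.Close() }
}

# --- Run on the Enrollment Server: import the .cer into the Enrollment Server trusted-roots store
function Import-HorizonEcCert {
    param([string]$InFile = 'C:\Temp\vdm.ec.cer', [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($InFile)
    if ($cert.HasPrivateKey) { throw 'Refusing to import: the file unexpectedly carries a private key' }
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        'VMware Horizon View Enrollment Server Trusted Roots', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $store.Add($cert)
        # Confirm the certificate is now present in the store the Enrollment Server consults
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $present) { throw 'Import did not persist in the trusted-roots store' }
    } finally { $store.Close() }
    return $cert.Thumbprint
}
```

Call Export-HorizonEcCert on the Connection Server, copy the .cer across, then call Import-HorizonEcCert on the Enrollment Server passing the thumbprint the export returned.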
Configure SAML authentication for Horizon True SSO
To take advantage of True SSO, you need to create an application in your Azure environment first.
Follow this procedure to create the appropriate application in Azure for the Unified Access Gateway.
Download the Federation Metadata XML from the Identity Provider
Log in to the Azure portal and go to Azure Active Directory > Enterprise applications.
From the All applications area, click the application link name created for UAG.
Go to the Single sign-on area and find the SAML Signing Certificate section. In the Federation Metadata XML field, click the corresponding Download link.
Save the file anywhere on your computer. Click OK.
Configure the UAG
Access the UAG login page, enter the credentials and click Login.
Click Select.
Under Identity Bridging Settings, select the gear icon next to the Upload Identity Provider Metadata option.
Click the Select link next to IDP Metadata.
Select the previously downloaded Federation Metadata XML file and click Save.
Under General Settings, enable the Edge Service Settings selector and click the gear icon next to Horizon Settings.
At the bottom of the window, click More.
From the Auth Methods drop-down menu, select SAML.
Select the value from the Identity Provider drop-down menu (https://sts.windows.net in the example) and click Save at the bottom to save the configuration.
SAML authentication is now configured in the UAG. Repeat the same procedure for the second UAG.
Part 3 will cover the configuration of True SSO on the Connection Server and the test to check that True SSO works as expected.