VMware Horizon True SSO configuration - pt.2

VMware Horizon True SSO removes the need to enter credentials twice when accessing VMware Horizon desktops and published applications.

After installing the Enrollment Servers and configuring the CA accordingly, the next steps are to export and import the certificate and to configure SAML.

Blog series

VMware Horizon True SSO configuration - pt.1
VMware Horizon True SSO configuration - pt.2
VMware Horizon True SSO configuration - pt.3

 

Export the Enrollment Service Client Certificate

From a Connection Server, open the Certificate console by running the certlm.msc command.

Expand VMware Horizon View Certificates and select Certificates. In the list, find the certificate with the Friendly Name vdm.ec (all Connection Servers have the same certificate). Right-click the certificate and select All Tasks > Export.

Click Next.

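Select No, do not export the private key, then click Next. The Enrollment Server only needs the public certificate to trust the Connection Servers, so the private key stays on the Connection Server.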

Select the DER encoded binary X.509 (.CER) format and click Next.

Enter a File Name for the certificate to export and click Next.

Click Finish.

Click OK.

Copy the exported certificate to the Enrollment Server.

 

Import the certificate to the Enrollment Server

On the Enrollment Server, open the Certificates console with certlm.msc.

Right-click VMware Horizon View Enrollment Server Trusted Roots and select All Tasks > Import.

Click Next.

Click Browse to select the certificate file previously exported from the Connection Server and click Next.

Select the Place all certificates in the following store option and select VMware Horizon View Enrollment Server Trusted Roots. Click Next.

Click Finish to import the certificate.

The certificate has been imported successfully. Click OK.

The imported certificate is now listed in the VMware Horizon View Enrollment Server Trusted Roots store.

Configure SAML authentication for Horizon True SSO

To take advantage of True SSO, you need to create an application in your Azure environment first.

Follow this procedure to create the appropriate application for the Unified Access Gateway in Azure.

Download the Federation Metadata XML from the Identity Provider

Log in to the Azure portal and go to Azure Active Directory > Enterprise applications.

In the All applications area, click the name of the application created for UAG.

Go to the Single sign-on area and find the SAML Signing Certificate section. Next to the Federation Metadata XML field, click the corresponding Download link.

Save the file anywhere on your computer. Click OK.

Configure the UAG

Access the UAG login page, enter the credentials and click Login.

Click Select.

Under Identity Bridging Settings, click the gear icon next to the Upload Identity Provider Metadata option.

Click the Select link next to IDP Metadata.

Select the previously downloaded Federation Metadata XML file and click Save.

Under General Settings, enable the Edge Service Settings selector and click the gear icon next to Horizon Settings.

At the bottom of the window, click More.

From the Auth Methods drop-down menu, select SAML.

Select the value from the Identity Provider drop-down menu (https://sts.windows.net in the example) and click Save at the bottom to save the configuration.

SAML authentication is now configured in the UAG. Repeat the same procedure for the second UAG.

Part 3 will cover the configuration of True SSO on the Connection Server and a test to check that True SSO works as expected.
