VMware Horizon True SSO configuration - pt.3


Before True SSO can be used in VMware Horizon, three steps are required: deploying the Enrollment Server, configuring the CA, and configuring SAML in the UAG. Only then can the True SSO authenticator be set in the Connection Server.

Once True SSO is enabled in the Connection Server, the login to the VDI machine no longer prompts for the credentials a second time, which makes the procedure faster.

 

Blog series

VMware Horizon True SSO configuration - pt.1
VMware Horizon True SSO configuration - pt.2
VMware Horizon True SSO configuration - pt.3

 

Configure SAML Authenticator

To configure the SAML Authenticator, access the Connection Server admin login page, enter the credentials, then click Login.

From the dashboard, go to the Settings > Servers area.


From the Connection Servers tab, select the first Connection Server and click Edit.

Go to the Authentication tab and, from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu, select Allowed.


Click Manage SAML Authenticators.


Click Add.

Select the Static option as Type.

Open the .xml file previously downloaded from Azure, then select and copy its content.

In the Connection Server, enter a Label name for the SAML 2.0 Authenticator (Azure_SSO in the example) and paste the .xml content into the SAML Metadata box. Make sure that the Enabled for Connection Server option is checked. Click OK.


The new SAML Authenticator has been configured. Click OK to save.

The newly created authenticator is now configured as SAML Authenticator. Click OK.


 

Configure second Connection Server

If your Horizon infrastructure has multiple Connection Servers, the following procedure must be applied to all Connection Servers installed.

Select the second Connection Server and click Edit.


In the Authentication tab, select Allowed from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu. Click Manage SAML Authenticators.


Select the authenticator configured in the first Connection Server (Azure_SSO in the example) and click Edit.


Check the Enabled for Connection Server option and click OK.


The SAML authenticator is now enabled. Click OK.


The configured authenticator is now set under SAML Authenticator. Click OK to save.


 

Check the SAML Authenticator status

From the Connection Server, go to the Monitor > Dashboard area and click View.

Access the Other Components section and go to the SAML 2.0 tab. The authenticator Status is reported as healthy.


 

Enable Horizon True SSO

From the Connection Server, open a Command Prompt as Administrator.

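Run the following command to add the Enrollment Server. Repeat the same command if you have multiple Enrollment Servers. A password typed after --authPassword stays in the command history; entering "*" instead makes vdmUtil prompt for it.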

vdmUtil --authAs <administrator> --authDomain <domain> --authPassword <password> --truesso --environment --add --enrollmentServer <enroll-server01, enroll-server02>

C:\> vdmUtil --authAs Administrator --authDomain nolabnoparty.local --authPassword Password --truesso --environment --add --enrollmentServer w16-enroll01.nolabnoparty.local


Check available CAs and certificate templates for the domain.

vdmUtil --authAs <administrator> --authDomain <domain> --authPassword <password> --truesso --environment --list --enrollmentServer <enroll-server> --domain <domain>

C:\> vdmUtil --authAs Administrator --authDomain nolabnoparty.local --authPassword Password --truesso --environment --list --enrollmentServer w16-enroll01.nolabnoparty.local --domain nolabnoparty.local

Create the True SSO connector for the domain. If you have multiple Enrollment Servers, by default they are configured as active/passive.

vdmUtil --authAs <administrator> --authDomain <domain> --authPassword <password> --truesso --create --connector --domain <domain> --template <truesso template> --primaryEnrollmentServer <enroll-server01> --secondaryEnrollmentServer <enroll-server02> --certificateServer <ca-common-name01, ca-common-name02> --mode enabled

C:\> vdmUtil --authAs Administrator --authDomain nolabnoparty.local --authPassword Password --truesso --create --connector --domain nolabnoparty.local --template TrueSSO --primaryEnrollmentServer w16-enroll01.nolabnoparty.local --certificateServer lab-ca --mode enabled

Check the SAML Authenticators configured in Horizon.

vdmUtil --authAs <administrator> --authDomain <domain> --authPassword <password> --truesso --list --authenticator

C:\> vdmUtil --authAs Administrator --authDomain nolabnoparty.local --authPassword Password --truesso --list --authenticator


Enable True SSO for the created SAML Authenticator.

vdmUtil --authAs <administrator> --authDomain <domain> --authPassword <password> --truesso --authenticator --edit --name <authenticator> --truessoMode enabled

C:\> vdmUtil --authAs Administrator --authDomain nolabnoparty.local --authPassword Password --truesso --authenticator --edit --name Azure_SSO --truessoMode enabled


 

Check True SSO status

Now go back to the Monitor > Dashboard area and click View.

Access the Components section and go to the TrueSSO tab. The TrueSSO Status is reported as healthy.


 

Test True SSO

Now that the Horizon infrastructure has been configured for True SSO, let's test the login procedure.

Access your Horizon infrastructure, enter the username and click Next. Note that the login request comes from login.microsoftonline.com.


Enter the password and click Sign in.

Click Accept if you have configured a welcome screen. Note that the URL now comes from the Horizon public DNS name (vdi.nolabnoparty.com in the example).

The screen shows the Desktop Pool the user is entitled to. Click on the icon to access the VDI.

The login process takes place without prompting for the Active Directory credentials.

The user logged in to the machine successfully, so True SSO is working as expected. If the user has logged in at least once, he/she won't be prompted for credentials at the next login.

True SSO is now configured and running, and users can take advantage of an easier login procedure.

VMware Horizon is available to download as a 60-day trial.
