Authentication Methods for Unified Access Gateway and Third-Party Identity Provider Integration

SAML, SAML and Passthrough, and SAML and Unauthenticated are the supported authentication methods to integrate UAG (Unified Access Gateway) with a third-party identity provider for controlling access to Horizon desktops and applications. The authentication method determines how the Horizon user is authenticated.

While configuring Horizon settings in the UAG, you must select one of the authentication methods.

SAML

In the SAML authentication method, UAG first validates the SAML assertion. If the SAML assertion is valid, UAG passes the SAML assertion to the Horizon Connection Server. For the Horizon Connection Server to accept the assertion, the Connection Server must be configured with the identity provider's metadata. When a user accesses the Horizon Client, the user is presented with entitlements without being prompted to provide the Active Directory credentials.

Note: If the TrueSSO setting is enabled on Horizon Connection Server, SAML authentication method must be used.

SAML and Passthrough

In the SAML and Passthrough authentication method, UAG validates the SAML assertion. If the SAML assertion is valid, the user is prompted to provide the Active Directory authentication credentials when accessing the Horizon Client. In this authentication method, UAG does not pass the SAML assertion to the Horizon Connection Server.

SAML and Unauthenticated

In the SAML and Unauthenticated method, Unified Access Gateway combines SAML user authentication with Horizon's unauthenticated access feature. If the SAML assertion is valid, the user can access RDS hosted applications with no further authentication required. In the Horizon unauthenticated access feature, a role-based user alias is used with Horizon to determine application entitlements. The user alias can be used as the default alias by Horizon. This alias can also be specified as a default in Unified Access Gateway configuration (Default Unauthenticated Username) or this can be the value of a named SAML attribute presented as a claim in the SAML assertion sent by the identity provider.

Unified Access Gateway Admin UI has two text boxes - SAML Unauthenticated Username Attribute and Default Unauthenticated Username - which can be used to specify the user alias. These text boxes are available on the Admin UI when the authentication method is SAML and Unauthenticated.

If the SAML Unauthenticated Username Attribute text box is set in the Admin UI, when Unified Access Gateway validates the SAML assertion and if the name is present in the SAML assertion, Unified Access Gateway uses that value as Horizon's unauthenticated access user alias.

When the SAML Unauthenticated Username Attribute text box is empty or the attribute name specified in this text box is missing in the SAML assertion, Unified Access Gateway uses the default user name configured in the Default Unauthenticated Username text box as Horizon's unauthenticated access user alias.

If SAML Unauthenticated Username Attribute is not used and the Default Unauthenticated Username text box is empty, Unified Access Gateway uses the default user alias configured in Horizon.

For more information about setting up configuration for the unauthenticated access users, see Providing Unauthenticated Access for Published Applications and related information in the Horizon Administration guide at VMware Docs.

For more information about providing entitlements (published applications) to the unauthenticated access users, see Entitle Unauthenticated Access Users to Published Applications and related information in the Horizon Administration guide at VMware Docs.