To configure SAML and SAML and Passthrough authentication methods in Horizon, you must upload the identity provider's SAML certificate metadata XML file to UAG ( Unified Access Gateway). The upload allows UAG to trust the identity provider by verifying the signature of an assertion using the public key of the identity provider.


You must have downloaded the SAML metadata XML file from the identity provider and saved this file to a computer you can access.


  1. In the Configure Manually section of the UAG Admin console, click Select.
  2. In the Advanced Settings > Identity Bridging Settings section, select the Upload Identity Provider Metadata gearbox icon.
  3. Enter the entity ID for the identity provider in the Entity ID text box.
    If you do not enter a value in the Entity ID text box, the identity provider name in the metadata file is parsed and used as the entity ID of the identity provider.
  4. In the IDP Metadata section, click Select and browse to the location where you have saved the metadata file.
  5. Select PEM as the certificate format type from the Encryption Certificate Type drop-down menu.
    Note: You must select PEM if you want to use encrypted assertion to validate SAML authentication. Encryption and decryption of the assertion requires a combination of a public and private key. The Identity provider encrypts the assertion with a public key which can be decrypted by UAG only with a public and a private key combination, thus ensuring enhanced security.
  6. For the Private Key, click Select and browse to the location where you have saved the private key for the certificate in PEM format.
  7. For the Certificate Chain, click Select and browse to the location where you have saved the certificate chain in PEM format.
  8. To enable the Allow unencrypted SAML assertions option, turn on the toggle. If the toggle is turned off, unencrypted assertions are not allowed during SAML authentication.
  9. To enable the Always force SAML auth function, turn on the toggle. When the toggle is turned on, it always forces the SAML auth page to be presented to the user when this Identity provider is used, provided the IDP is also configured to force SAML auth.
    Note: When you enable the Always force SAML auth function, SAML ForceAuthn="true" is set as an attribute for the AuthnRequest to the IdP. The IdP is notified to ignore any previous security context while authenticating the user.
  10. Click Save.
    The following message is displayed: Configuration is saved successfully.

What to do next

Configure the Horizon settings on UAG for selecting the authentication method and choosing the required identity provider.