If you are using a SAML 2.0 identity provider, you can directly integrate the identity provider with Unified Access Gateway to support Horizon Client user authentication. To use SAML third-party integration with UAG, you must use Horizon Connection Server 7.11 or later versions.

The authentication sequence can be either SAML and Passthrough, which combines SAML authentication with AD password authentication, or SAML only, when used with Horizon True SSO.

Unified Access Gateway supports unauthenticated access for a Horizon Client user logging in to Unified Access Gateway when it is integrated with a SAML identity provider. After the initial authentication with Unified Access Gateway, the user can receive entitlements for published applications with no additional authentication. The SAML and Unauthenticated method supports this feature.

With the Unified Access Gateway and third-party SAML identity provider integration support, a Workspace ONE Access installation is not used.

Note: When Horizon SAML 2.0 is used with Horizon True SSO to avoid the initial AD password prompt, and if the session is manually locked or locks due to inactivity, the user must either enter their AD password to unlock the session or close the client and reconnect. The Horizon True SSO unlock mechanism currently depends on Workspace ONE Access.

To integrate Unified Access Gateway with the identity provider, you must configure the identity provider with the service provider (Unified Access Gateway) information, upload the identity provider's metadata file to Unified Access Gateway, and configure Horizon settings on the Unified Access Gateway Admin UI console.

For information about authenticating users to Horizon Client without being prompted for Active Directory credentials, see Authenticating Users Without Requiring Credentials and related information in the Horizon Administration guide at VMware Docs.