To use True SSO, you must have a certificate authority (CA), or add one, and install an enrollment server (ES). These two servers communicate to issue the short-lived Horizon virtual certificate with which the user is logged on to Windows; no password is sent to the desktop. You can use True SSO in a single domain, in a single forest with multiple domains, and in a multiple-forest, multiple-domain setup.

For high availability, VMware recommends deploying two CAs and two ESs when you use True SSO. The following examples illustrate True SSO in different architectures.

The following figure illustrates a simple True SSO architecture.

A simple True SSO architecture includes a single certificate authority, a single enrollment server, and a single Connection Server. SAML trust is established between the VMware Identity Manager appliance and the Connection Server.

The following figure illustrates True SSO in a single-domain architecture.

A single-domain True SSO architecture for high availability includes redundant instances of certificate authorities, enrollment servers, and Connection Servers. You can optionally host the certificate authority and enrollment server on the same server.

The following figure illustrates True SSO in a single forest with multiple domains architecture.

An example of a single-forest True SSO architecture includes different certificate authorities in different domain trees (root domains) of the same forest. An enrollment server in one domain tree can communicate with the certificate authority in another tree.

The following figure illustrates True SSO in a multiple-forest architecture.

A multiple-forest True SSO architecture consists of multiple forests joined by a two-way, transitive forest trust. A Connection Server in one forest can use the enrollment server in another forest.
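As an added example (this script is not part of the VMware page or of Horizon itself), the following PowerShell check verifies the two prerequisites the multiple-forest layout above depends on: that the forest trust is two-way and transitive as seen from both forests, and that the host you run it on can reach the issuing CA's request interface. The forest names, the CA config string, and the function names are placeholders and assumptions; the cmdlets and tools used (Get-ADTrust from the ActiveDirectory RSAT module, certutil.exe) are standard Windows tooling.

```powershell
# Added example, not VMware documentation or product code.
# Assumptions: ActiveDirectory RSAT module installed; the caller can read
# trust objects in both forests; names below are placeholders to replace.
Import-Module ActiveDirectory

$ConnectionServerForest = 'corp.example'     # forest hosting the Connection Server (assumption)
$EnrollmentForest       = 'partner.example'  # forest hosting the enrollment server and CA (assumption)
$CaConfig               = 'ca01.partner.example\Partner-Issuing-CA'  # "host\CA name" (assumption)

function Test-TrueSsoForestTrust {
    param(
        [Parameter(Mandatory)] [string] $Forest,
        [Parameter(Mandatory)] [string] $PartnerForest
    )
    # Read the trust object stored in $Forest whose Name is the partner forest's DNS name.
    # Forest trust objects live in the forest root domain, so pass the root domain name.
    $trust = Get-ADTrust -Server $Forest -Filter "Name -eq '$PartnerForest'" -ErrorAction SilentlyContinue
    if (-not $trust) {
        return [pscustomobject]@{
            Forest = $Forest; Partner = $PartnerForest; Present = $false
            TwoWay = $false; ForestTransitive = $false; Ok = $false
        }
    }
    $twoWay     = ($trust.Direction -eq 'BiDirectional')   # not Inbound-only or Outbound-only
    $transitive = [bool]$trust.ForestTransitive             # forest trust, not an external trust
    [pscustomobject]@{
        Forest = $Forest; Partner = $PartnerForest; Present = $true
        TwoWay = $twoWay; ForestTransitive = $transitive
        Ok = ($twoWay -and $transitive)
    }
}

function Test-CaReachable {
    param([Parameter(Mandatory)] [string] $Config)
    # 'certutil -ping' contacts the CA's certificate request (DCOM) interface,
    # the same interface an enrollment server uses to request certificates.
    $null = & certutil.exe -config $Config -ping 2>&1
    [pscustomobject]@{ CaConfig = $Config; Reachable = ($LASTEXITCODE -eq 0) }
}

# A forest trust is stored independently in each forest, so check both ends.
$results = @(
    Test-TrueSsoForestTrust -Forest $ConnectionServerForest -PartnerForest $EnrollmentForest
    Test-TrueSsoForestTrust -Forest $EnrollmentForest       -PartnerForest $ConnectionServerForest
)
$results | Format-Table -AutoSize
Test-CaReachable -Config $CaConfig | Format-Table -AutoSize

if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) {
    Write-Warning 'Forest trust is not two-way and transitive in both forests; cross-forest True SSO will not work.'
}
```

Run it from the enrollment server host, since that is the machine that must reach the CA; run it again from a Connection Server if you want to confirm that side sees the same trust. A trust that is present but Inbound-only, Outbound-only, or external (ForestTransitive false) is the usual reason a cross-forest True SSO logon fails even though the single-forest layout works.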