Configure SAML Authentication to Work with True SSO

With the True SSO feature introduced in Horizon 7, users can log in to VMware Identity Manager 2.6 and later releases using smart card, RADIUS, or RSA SecurID authentication, and they will no longer be prompted for Active Directory credentials, even when they launch a remote desktop or application for the first time.

With earlier releases, SSO (single sign-on) worked by prompting users for their Active Directory credentials the first time they launched a remote desktop or published application if they had not previously authenticated with their Active Directory credentials. The credentials were then cached so that subsequent launches would not require users to re-enter their credentials. With True SSO, short-term certificates are created and used instead of AD credentials.

Although the process for configuring SAML authentication for VMware Identity Manager has not changed, one additional step has been added for True SSO. You must configure VMware Identity Manager so that True SSO is enabled.

Note: If your deployment includes more than one Connection Server instance, you must associate the SAML authenticator with each instance.

Prerequisites

Verify that single sign-on is enabled as a global setting. In Horizon Administrator, select Configuration > Global Settings, and verify that Single sign-on (SSO) is set to Enabled.
Verify that VMware Identity Manager is installed and configured. See the VMware Identity Manager documentation, available at https://docs.vmware.com/en/VMware-Identity-Manager/index.html
Verify that the root certificate for the signing CA for the SAML server certificate is installed on the connection server host. VMware does not recommend that you configure SAML authenticators to use self-signed certificates. See the topic "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store," in the chapter "Configuring SSL Certificates for Horizon 7 Servers," in the Horizon 7 Installation document.
Make a note of the FQDN of the VMware Identity Manager server instance.

Procedure

In Horizon Administrator, select Configuration > Servers.
On the Connection Servers tab, select a server instance to associate with the SAML authenticator and click Edit.
On the Authentication tab, from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu, select Allowed or Required.
You can configure each Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.
Click Manage SAML Authenticators and click Add.

Configure the SAML authenticator in the Add SAML 2.0 Authenticator dialog box.

Option	Description
Label	You can use the FQDN of the VMware Identity Manager server instance.
Description	(Optional) You can use the FQDN of the VMware Identity Manager server instance.
Metadata URL	URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the Horizon Connection Server instance. In the URL https://<YOUR HORIZON SERVER NAME>/SAAS/API/1.0/GET/metadata/idp.xml, click <YOUR HORIZON SERVER NAME> and replace it with the FQDN of the VMware Identity Manager server instance.
Administration URL	URL for accessing the administration console of the SAML identity provider (VMware Identity Manager instance). This URL has the format `https://<Identity-Manager-FQDN>:8443.`

Click OK to save the SAML authenticator configuration.
If you provided valid information, you must either accept the self-signed certificate (not recommended) or use a trusted certificate for Horizon 7 and VMware Identity Manager.
The SAML 2.0 Authenticator drop-down menu displays the newly created authenticator, which is now set as the selected authenticator.
In the System Health section on the Horizon Administrator dashboard, select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if the VMware Identity Manager service is unavailable, or if the metadata URL is invalid. If the certificate is untrusted, you might be able to click Verify to validate and accept the certificate.
Log in to the VMware Identity Manager administration console, navigate to the desktop pool from the Catalog > Virtual Apps page, and select the True SSO Enabled check box.

What to do next

Extend the expiration period of the Connection Server metadata so that remote sessions are not terminated after only 24 hours. See Change the Expiration Period for Service Provider Metadata on Connection Server.
Use the vdmutil command-line interface to configure True SSO on a connection server. See Configure Horizon Connection Server for True SSO.

For more information about how SAML authentication works, see Using SAML Authentication.