You can add an SSO configuration for a VMware CA to deploy on the Horizon Edge Gateway.

Add an SSO configuration for each domain forest from which users will launch desktops that use SSO.


Decide which the Certificate Authority mode to use for your VMware CA, root CA or intermediate CA. See About Using a VMware CA for SSO with Horizon Cloud Service - next-gen.


  1. Click Integrations in the navigation bar.
  2. Click Manage on the Identity and Access tile.
  3. Click SSO Configurations, then select Add > VMware CA to navigate to the Add SSO Configuration page.
    The Add SSO Configuration dialog box with the VMware CA type selected
  4. Add a unique Name for your SSO configuration.
  5. Select a Certificate Authority mode between Root and Intermediate to determine the type of Certificate Authority (CA) bundle to download and install on the AD server.

    Root mode creates a CA bundle with a self-signed root certificate. Intermediate mode creates a CA bundle with a certificate signing request (CSR) file. The PowerShell script displays a UI allowing the administrator to choose the Enterprise CA to which the CSR will be sent to obtain a certificate.

  6. Add a Configuration domain name to determine the configuration naming context of the AD forest for your SSO configuration.

    The Configuration domain name usually consists of CN=Configuration and forest root domain Relative Distinguished Names (CN=Configuration,DC=company,DC=com). To identify the configuration naming context, connect to a domain-joined machine and run the PowerShell command "C:> Get-ADRootDSE -Server ".

  7. Select the Domains for your SSO configuration and click Add.
    You can add multiple domains for your SSO configuration. Domains must belong to the same AD forest. Each domain can be in only one SSO configuration.
  8. After adding the SSO configuration, click its menu (three vertical dots) and download the certificate authority (CA) bundle to install on the AD.

What to do next

  • Publish the downloaded bundle. See Publish the VMware SSO CA Bundle to the Active Directory Forest.
  • Before a VMware SSO CA certificate expires, request a new CA Bundle.
    Note: Notifications appear in the Horizon Universal Console to inform you that the expiration of your CA certificates is approaching.
    • You can check the expiration date of your CA certificates on the SSO Configurations page, specifically in the Certificate Expiry Time column.
    • Request the CA Bundle on the SSO Configuration page at any time by clicking that SSO configuration’s menu (three vertical dots) and selecting Generate new CA bundle. This action generates the CA bundle and downloads it to your system. See Publish the VMware SSO CA Bundle to the Active Directory Forest.
  • Now that your SSO configuration is complete, you can associate that SSO configuration with a specific Horizon Edge. Select Capacity > Horizon Edges, select a Horizon Edge with which to associate your newly added SSO configuration, and click Edit. In the Edit Horizon Edge wizard, click Next for each step of the wizard until you reach the Horizon Edge Gateway section and select the Use SSO toggle to activate it. Select the name of your newly added SSO configuration and click Next as required to complete the wizard.