After you have registered an Active Directory domain with your Horizon Cloud environment and have integrated the environment with VMware Workspace ONE, you can configure True SSO for it. True SSO is a feature that integrates with Workspace ONE Access to allow users to single sign-on to the virtual Windows desktops and applications served by Horizon Cloud without needing to also enter their Active Directory credentials into the Windows operating system. When True SSO is configured for your environment, the end users authenticate at the Workspace ONE URL that you provide to them for accessing their entitled desktops and applications. After that authentication, the users are able to launch their entitled desktops or applications without a prompt for Active Directory credentials.

Important: The True SSO configuration is a tenant-wide type of configuration. The True SSO configuration will apply across all of your pod fleet's Horizon Cloud pods in Microsoft Azure. As a result, after you have successfully configured True SSO in your Horizon Cloud tenant for the first time, and then you later subsequently deploy additional Horizon Cloud pods into your Microsoft Azure subscriptions using the automated pod-deployment wizard, the system will send the same True SSO configuration to all of those pods and attempt to validate the same True SSO configuration against those pods.

Configuring True SSO for use with your environment is a multi-step process. At a high-level, the steps are:

  1. Set up the infrastructure required for True SSO to operate, which involves:
    1. Installing and configuring a Microsoft Windows Server Certificate Authority (CA) to be an enterprise CA . The procedures in this section are for Microsoft Windows Server 2012 R2. Very similar steps can be followed on the other Microsoft Windows Server versions that are supported for use with this feature.
    2. Setting up a certificate template on the CA.
      Important: Use only ASCII characters in the names of your True SSO templates. Due to a known issue, if your True SSO template names contain non-ASCII or high-ASCII characters, you cannot successfully configure True SSO with your Horizon Cloud environment.
    3. Downloading the Horizon Cloud pairing bundle from the Horizon Universal Console's Active Directory page. The pairing bundle is used when setting up the Enrollment Server.
    4. Setting up the Enrollment Server.
      Important: After setting up the Enrollment Server, make sure you meet the port requirements for the Enrollment Server described in First-Gen Tenants - Horizon Cloud on Microsoft Azure Deployments - Host Name Resolution Requirements, DNS Names.
  2. Adding the Enrollment Server information to the Horizon Universal Console's Active Directory page.

When the configuration is complete, the enterprise CA and Enrollment Server work together to issue short-lived certificates that are used to log the users in to their entitled desktops and applications. The Horizon Cloud pod asks the Enrollment Server for a certificate for a specific entitled user. The Enrollment Server contacts the CA to generate the requested certificate and then returns the certificate to the Horizon Cloud pod.


Before configuring True SSO, you must have at least one Workspace ONE Access environment configured with your Horizon Cloud environment. See the documentation topic About Using a Horizon Cloud Environment with VMware Workspace ONE and with the Optional True SSO Feature and follow the integration procedure that is appropriate for your Horizon Cloud environment's configuration.


After completing the steps, your environment is configured with True SSO.