After you have registered an Active Directory domain with your Horizon Cloud environment and have integrated the environment with VMware Workspace ONE, you can configure True SSO for it. True SSO is a feature that integrates with Workspace ONE Access to allow users to single sign-on to the virtual Windows desktops and applications served by Horizon Cloud without needing to also enter their Active Directory credentials into the Windows operating system. When True SSO is configured for your environment, the end users authenticate at the Workspace ONE URL that you provide to them for accessing their entitled desktops and applications. After that authentication, the users are able to launch their entitled desktops or applications without a prompt for Active Directory credentials.
Configuring True SSO for use with your environment is a multi-step process. At a high-level, the steps are:
Before configuring True SSO, you must first have at least one Workspace ONE Access configuration on the Identity Management page. See Identity Management Page.
- Set up the infrastructure required for True SSO to operate, which involves:
- Installing and configuring a Microsoft Windows Server Certificate Authority (CA) to be an enterprise CA . The procedures in this section are for Microsoft Windows Server 2012 R2. Very similar steps can be followed on the other Microsoft Windows Server versions that are supported for use with this feature.
- Setting up a certificate template on the CA.
Note: Use only ASCII characters in the names of your True SSO templates. Due to a known issue, if your True SSO template names contain non-ASCII or high-ASCII characters, you cannot successfully configure True SSO with your Horizon Cloud environment.
- Downloading the Horizon Cloud pairing bundle from the Horizon Cloud Administration Console's Active Directory page. The pairing bundle is used when setting up the Enrollment Server.
- Setting up the Enrollment Server.
- Adding the Enrollment Server information to the Horizon Cloud Administration Console's Active Directory page.
When the configuration is complete, the CA will issue certificates on behalf of the users, and those certificates will be used to log the users in to their allocated desktops. Horizon Cloud appliance will ask the ES to issue certificates on behalf of users. The ES will generate the requested certificate on behalf of the requested user via the CA and return it to the Horizon Cloud appliance.
Your environment is now configured with True SSO.