With the True SSO feature, users can log in to VMware Workspace ONE Access using smart card, RADIUS, or RSA SecurID authentication, and they will no longer be prompted for Active Directory credentials, even when they launch a remote desktop or application for the first time.
With earlier releases, SSO (single sign-on) worked by prompting users for their Active Directory credentials the first time they launched a remote desktop or published application if they had not previously authenticated with their Active Directory credentials. The credentials were then cached so that subsequent launches would not require users to re-enter their credentials. With True SSO, short-term certificates are created and used instead of AD credentials.
Although the process for configuring SAML authentication for VMware Workspace ONE Access has not changed, one additional step has been added for True SSO. You must configure VMware Workspace ONE Access so that True SSO is enabled.
Prerequisites
- Verify that single sign-on is enabled as a global setting. In Horizon Console, select Settings > Global Settings, and verify that Single sign-on (SSO) is set to Enabled.
-
Verify that VMware Workspace ONE Access is installed and configured. See the VMware Workspace ONE Access documentation, available at https://docs.vmware.com/en/VMware-Workspace-ONE-Access/index.html.
- Verify that the root certificate for the signing CA for the SAML server certificate is installed on the connection server host. VMware does not recommend that you configure SAML authenticators to use self-signed certificates. See the topic "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store," in the chapter "Configuring SSL Certificates for Horizon Servers," in the Scenarios for Setting Up TLS Certificates for Horizon document.
- Make a note of the FQDN of the VMware Workspace ONE Access server instance.
Procedure
What to do next
- Extend the expiration period of the Connection Server metadata so that remote sessions are not terminated after only 24 hours. See Change the Expiration Period for Service Provider Metadata on Connection Server.
- Use the vdmutil command-line interface to configure True SSO on a connection server. See Configure Horizon Connection Server for True SSO.
For more information about how SAML authentication works, see Using SAML Authentication.