Configure SAML Authentication to Work with True SSO

With the True SSO feature, users can log in to VMware Workspace ONE Access using smart card, RADIUS, or RSA SecurID authentication, and they will no longer be prompted for Active Directory credentials, even when they launch a remote desktop or application for the first time.

With earlier releases, SSO (single sign-on) worked by prompting users for their Active Directory credentials the first time they launched a remote desktop or published application if they had not previously authenticated with their Active Directory credentials. The credentials were then cached so that subsequent launches would not require users to re-enter their credentials. With True SSO, short-term certificates are created and used instead of AD credentials.

Although the process for configuring SAML authentication for VMware Workspace ONE Access has not changed, one additional step has been added for True SSO. You must configure VMware Workspace ONE Access so that True SSO is enabled.

Note: If your deployment includes more than one Connection Server instance, you must associate the SAML authenticator with each instance.

Prerequisites

Verify that single sign-on is enabled as a global setting. In Horizon Console, select Settings > Global Settings, and verify that Single sign-on (SSO) is set to Enabled.
Verify that VMware Workspace ONE Access is installed and configured. See the VMware Workspace ONE Access documentation, available at https://docs.vmware.com/en/VMware-Workspace-ONE-Access/index.html.
Verify that the root certificate for the signing CA for the SAML server certificate is installed on the connection server host. VMware does not recommend that you configure SAML authenticators to use self-signed certificates. See the topic "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store," in the chapter "Configuring SSL Certificates for Horizon Servers," in the Scenarios for Setting Up TLS Certificates for Horizon document.
Make a note of the FQDN of the VMware Workspace ONE Access server instance.

Procedure

In Horizon Console, select Settings > Servers.
On the Connection Servers tab, select a server instance to associate with the SAML authenticator and click Edit.
On the Authentication tab, from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu, select Allowed or Required.
You can configure each Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.
Click Manage SAML Authenticators and click Add.

Configure the SAML authenticator in the Add SAML 2.0 Authenticator dialog box.

Option	Description
Label	You can use the FQDN of the VMware Workspace ONE Access server instance.
Description	(Optional) You can use the FQDN of the VMware Workspace ONE Access server instance.
Metadata URL	URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the Horizon Connection Server instance. In the URL https://<YOUR HORIZON SERVER NAME>/SAAS/API/1.0/GET/metadata/idp.xml, click <YOUR HORIZON SERVER NAME> and replace it with the FQDN of the VMware Workspace ONE Access server instance.
Administration URL	URL for accessing the administration console of the SAML identity provider (VMware Workspace ONE Access instance). This URL has the format `https://<Identity-Manager-FQDN>:8443.`

Click OK to save the SAML authenticator configuration.
If you provided valid information, you must either accept the self-signed certificate (not recommended) or use a trusted certificate for Horizon and VMware Workspace ONE Access.
The SAML 2.0 Authenticator drop-down menu displays the newly created authenticator, which is now set as the selected authenticator.
In the System Health section on the Horizon Console dashboard, click View and select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if the VMware Workspace ONE Access service is unavailable, or if the metadata URL is invalid. If the certificate is untrusted, you might be able to click Verify to validate and accept the certificate.
Log in to the VMware Workspace ONE Access administration console, navigate to the desktop pool from the Catalog > Virtual Apps page, and select the True SSO Enabled check box.

What to do next

Extend the expiration period of the Connection Server metadata so that remote sessions are not terminated after only 24 hours. See Change the Expiration Period for Service Provider Metadata on Connection Server.
Use the vdmutil command-line interface to configure True SSO on a connection server. See Configure Horizon Connection Server for True SSO.

For more information about how SAML authentication works, see Using SAML Authentication.