To launch remote desktops and applications from VMware Workspace ONE Access or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in Horizon Console. A SAML authenticator contains the trust and metadata exchange between VMware Horizon and the device to which clients connect.
You associate a SAML authenticator with a Connection Server instance. If your deployment includes more than one Connection Server instance, you must associate the SAML authenticator with each instance.
You can allow one static authenticator and multiple dynamic authenticators to go live at a time. You can configure vIDM (Dynamic) and Unified Access Gateway (Static) authenticators and retain them in active state. You can make connections through either of these authenticators.
You can configure more than one SAML authenticator to a Connection Server and all the authenticators can be active simultaneously. However, the entity-ID of each of these SAML authenticators configured on the Connection Server must be different.
The status of the SAML authenticator in dashboard is always green as it is predefined metadata that is static in nature. The red and green toggling is only applicable for dynamic authenticators.
For information about configuring a SAML authenticator for VMware Unified Access Gateway appliances, see the Unified Access Gateway documentation.
Prerequisites
-
Verify that Workspace ONE, VMware Workspace ONE Access, or a third-party gateway or load balancer is installed and configured. See the installation documentation for that product.
- Verify that the root certificate for the signing CA for the SAML server certificate is installed on the Connection Server host. VMware does not recommend that you configure SAML authenticators to use self-signed certificates. For information about certificate authentication, see the Horizon Installation and Upgrade document.
- Make a note of the FQDN or IP address of the Workspace ONE server, VMware Workspace ONE Access server, or external-facing load balancer.
- (Optional) If you are using Workspace ONE or VMware Workspace ONE Access, make a note of the URL of the connector Web interface.
- If you are creating an authenticator for a Unified Access Gateway appliance or a third-party appliance that requires you to generate SAML metadata and create a static authenticator, perform the procedure on the device to generate the SAML metadata, and then copy the metadata.
Procedure
What to do next
Extend the expiration period of the Connection Server metadata so that remote sessions are not terminated after only 24 hours. See Change the Expiration Period for Service Provider Metadata on Connection Server.