The single-sign-on (SSO) feature allows end users to supply Active Directory login credentials only once.

If you do not use the single-sign-on feature, end users must log in twice. They are first prompted for Active Directory credentials to log in to the connection broker and then prompted to log in to their remote desktop. If smart cards are also used, end users must sign in three times because users must also log in when the smart card reader prompts them for a PIN.

For remote desktops, this feature includes a credential provider dynamic-link library.

True SSO

With the True SSO feature, users in Horizon environments are no longer required to supply Active Directory credentials at all. After users log in to VMware Identity Manager using any non-AD method (for example, RSA SecurID or RADIUS authentication), users are not prompted to also enter Active Directory credentials to use a remote desktop or application.

If a user authenticates by using smart cards or Active Directory credentials, the True SSO feature is not necessary, but you can configure True SSO to be used even in this case. Then any AD credentials that the user provides are ignored and True SSO is used.

True SSO works by generating a unique, short-lived certificate for the Windows logon process. You must set up a Certificate Authority, if you do not already have one, and a certificate Enrollment Server to generate short-lived certificates on behalf of the user. For VMware Horizon 8 environments, you install the Enrollment Server by running the Connection Server installer and selecting the Enrollment Server option.

True SSO separates authentication (validating a user's identity) from access (such as to a Windows desktop or application). User credentials are secured by a digital certificate. No passwords are vaulted or transferred within the data center. For more information, see the Horizon 8 Administration document.