Unlock a Desktop With True SSO

After users use True SSO to login to the desktop, they can unlock the desktop after reauthentication from the Workspace ONE portal using the same logon credentials. The Horizon True SSO unlock mechanism currently depends on Workspace ONE Access.

Prerequisites

Note: TrueSSO unlock is currently ONLY supported with Workspace ONE Access. It is NOT supported with third-party Identity Providers.

Verify that you have VMware Horizon version 7.8 or later.
Verify that you have Workspace ONE version 19.03 or later.
This feature is supported on the following Horizon Clients:
- Horizon Client for Windows version 5.0 or later
- Horizon Client for Mac 2306 or later
- Horizon Client for Linux version 2306 or later

Procedure

Enable Workspace ONE and configure it for use with Connection Server.
See the Workspace ONE documentation at the Workspace ONE documentation Web page.
Configure Horizon Connection Server for True SSO.
See Configure Horizon Connection Server for True SSO.
To start virtual or published desktops, connect to a Connection Server in Workspace ONE mode that has True SSO configured. See, the Horizon Client documentation at the VMware Horizon Clients documentation Web page.
Start virtual or published desktops from the Workspace ONE portal so that the user can use single sign on with True SSO.
Lock the desktop.
To unlock the desktop, select VMware True SSO User and click Submit.
You are redirected to the browser to re-authenticate with Workspace ONE.
Enter the credentials and passcode of the locked desktop.

What to do next

You can disable this feature by setting a registry key on the machine where Horizon Agent is installed, in the following location:

HKLM\Software\VMware, Inc.\VMware VDM\Agent\CertSSO[DisableCertSSOUnlock=true]

You can also disable this feature on the Horizon Client you are using.

Horizon Client Steps to disable feature

Horizon Windows Client

Horizon Client	Steps to disable feature
Horizon Windows Client	Set the registry key `DisabledFeatures=TrueSSOUnlock` in the following locations: On a Windows 32-bit operating system: [HKEY_CURRENT_USER\Software\VMware, Inc.\VMware VDM\Client] or [HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client]. On a Windows, 64-bit operating system: [HKEY_CURRENT_USER\Software\VMware, Inc.\VMware VDM\Client] or [HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client]. If the registry key is set, the VMware True SSO User option does not appear when the user unlocks the desktop.
Horizon Linux Client	Set view.enableTrueSSOUnlock=‘FALSE'
Horizon Mac Client	EnableTrueSSOUnlock = ‘0’ in plist

Set the registry key DisabledFeatures=TrueSSOUnlock in the following locations:

On a Windows 32-bit operating system: [HKEY_CURRENT_USER\Software\VMware, Inc.\VMware VDM\Client] or [HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client].
On a Windows, 64-bit operating system: [HKEY_CURRENT_USER\Software\VMware, Inc.\VMware VDM\Client] or [HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client].

If the registry key is set, the VMware True SSO User option does not appear when the user unlocks the desktop.

Horizon Linux Client Set view.enableTrueSSOUnlock=‘FALSE'

Horizon Mac Client EnableTrueSSOUnlock = ‘0’ in plist