VMware Horizon and UAG SAML integration

Multi-factor authentication (MFA) is an additional layer of security for logging in to websites or applications: users must complete more than one verification step, each based on something only they know or have access to. Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated applications and organizations to communicate and to trust one another's users.

VMware Horizon enables IT departments to run virtual machine (VM) desktops and applications in the data center or cloud and to deliver these desktops and applications remotely to employees as a managed service. In a typical deployment, the Unified Access Gateway (UAG) is an appliance that ensures incoming traffic comes from a strongly authenticated remote user. UAG directs authenticated users to the appropriate server and only to the desktop and application resources to which they are actually entitled.

Acceptto, as a SAML identity provider, improves the login experience for Horizon users with convenient MFA. This guide describes how to configure both VMware Horizon and UAG with Acceptto's single sign-on solution. Acceptto's solution for VMware Horizon and UAG eliminates the second logon on the Horizon Agent machine by using True SSO, which generates certificates for each user and then uses those certificates to sign in to the Horizon Agent machine automatically.

Prerequisites

To integrate Acceptto SSO with Unified Access Gateway (UAG) and enable single sign-on, you must have the following components and prerequisites in your environment:

  • An Acceptto account with a configured Identity Provider and LDAP Agent.

    For more information, see the LDAP Agent deployment guide.

  • A user with administrative privileges for the Acceptto service.

  • An organization identifier provided by Acceptto (organization slug).

  • A configured Certificate Authority server.

  • A configured VMware Horizon Enrollment server that has a trust relationship with the Horizon Connection server.

  • A user with administrative privileges for VMware Connection server and UAG.

Acceptto SAML Configuration as Identity Provider (IdP)

  1. Log in to the Acceptto Dashboard with an administrative account and go to Applications.

  2. Create a new application by selecting Create New Application.

  3. In the New Application form, enter the following values under the General tab.

    • Name - The application name displayed in the admin panel and application portal and used for push notifications and audit logs. (e.g. UAG)

    • Type - Select "SAML Service Provider" from the options

    • Out of Band Methods - Select the allowed methods for approving MFA requests

    • Message for MFA Requests - Enter the user-facing message for Push, SMS, and e-mail MFA requests (optional)

  4. Under the SAML Service Provider Configuration tab, enter the following values:

    • Issuer or Entity ID - Enter the Issuer/EntityID of your UAG instance (e.g. https://HORIZON_UAG_FQDN/portal).

    • Sign in URL - The URL used to log in to your UAG (e.g. https://HORIZON_UAG_FQDN/portal).

    • NameID Format - Select "Email Address" from the dropdown menu

    • Name Identifier - Select "Email" from the dropdown menu

  5. Click Save to create the Application.

  6. Download your SAML IdP X509 certificate. Go to https://sso.acceptto.com/[organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

  7. Download your SAML metadata file. Go to https://sso.acceptto.com/[organization identifier]/saml/download/metadata to download your metadata file.
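Before the two downloads from steps 6 and 7 are uploaded to UAG, it is worth confirming that they belong together and match the SAML settings chosen in step 4. The Python script below is an added example, not Acceptto's or VMware's own tooling: it parses the IdP metadata, checks that cert.pem is the signing certificate the metadata advertises, and checks that the emailAddress NameID format is present. The embedded sample metadata, its entityID, SSO URL and certificate are constructed placeholders (EXAMPLE_ORG), not real Acceptto values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # the "Email Address" NameID format

def parse_idp_metadata(xml_text):
    """Return the entityID, signing certificates, NameID formats and SSO endpoints of an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # a KeyDescriptor without 'use' covers signing too
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # drop the line wrapping inside the base64 blob
    formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "nameid_formats": formats, "sso_urls": sso}

def pem_body(pem_text):
    """Base64 body of a PEM certificate with header, footer and line wrapping removed."""
    lines = (l.strip() for l in pem_text.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))

def check_idp_files(metadata_xml, cert_pem):
    """Return a list of problems; an empty list means cert.pem and the metadata belong together."""
    info = parse_idp_metadata(metadata_xml)
    problems = []
    if pem_body(cert_pem) not in info["signing_certs"]:
        problems.append("cert.pem does not match any signing certificate in the metadata")
    if EMAIL_NAMEID not in info["nameid_formats"]:
        problems.append("metadata does not advertise the emailAddress NameID format selected in the application")
    if not info["sso_urls"]:
        problems.append("metadata has no SingleSignOnService endpoint")
    return problems

# Constructed sample files, not real Acceptto output: a placeholder certificate body wrapped at 64 columns.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
SAMPLE_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT[:64]}\n{FAKE_CERT[64:]}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://sso.acceptto.com/EXAMPLE_ORG/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_CERT[:64]}
      {FAKE_CERT[64:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.acceptto.com/EXAMPLE_ORG/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

On the real downloads, call check_idp_files with the contents of the metadata file and cert.pem; an empty list means the files are consistent, and the SP metadata later downloaded from UAG is rejected because it has no IDPSSODescriptor.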

Configure UAG as a SAML service provider

  1. Log in to your UAG admin page at https://<HORIZON_UAG_FQDN>:9443/admin with an admin account.

  2. Select Configure Manually.

  3. Scroll down to the section named Identity Bridging Settings and click Upload Identity Provider Metadata.

  4. Click Select in the IDP Metadata row.

  5. Navigate to the XML metadata file you downloaded earlier from the Acceptto admin panel. Click Save.

  6. At the top of the page, next to Edge Service Settings, click SHOW.

  7. Next to Horizon Settings, click the gear icon.

  8. At the bottom of the page, click More.

  9. In the middle of the page, change the drop-down for Auth Methods to SAML.

  10. Change the drop-down for Identity Provider to Acceptto. Then click "Download SAML service provider metadata" to download the file. This file is needed later to configure the Horizon Connection server.

  11. At the bottom of the page, click Save.

Configure Horizon Connection Server

  1. Log in to Horizon Console.

  2. In the left menu, go to Settings > Servers.

  3. On the right, click the tab named Connection Servers.

  4. Highlight a Connection Server that UAG talks to and click Edit.

  5. Switch to the tab named Authentication.

  6. Change the drop-down for Delegation of Authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.

  7. Click the button named Manage SAML Authenticators.

  8. Click Add.

  9. Change the selection for Type to Static. Dynamic appears to be valid only for VMware Access (also known as Identity Manager).

  10. Open the metadata .xml file you just downloaded from UAG with a text editor and copy its contents to your clipboard. Then, go back to the Horizon Console and paste in the SAML Metadata field.

  11. Give your SAML 2.0 Authenticator a name in the Label field and click OK.

  12. In Horizon Console, go to Monitor > Dashboard and then click VIEW in the System Health section. On the left, select Other Components. On the right, go to the tab named SAML 2.0. You should see your SAML Authenticator's name and status.

Enable True SSO on Horizon Connection Server

Open an elevated Command Prompt on the Connection Server and run the following commands. Note that the parameter names in this section are case-sensitive.

  1. Run the following command to add the Enrollment Server. (Replace the placeholder values, such as admin-role-username, with the values for your environment.)

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn
    
  2. Run the following command to see the available certificate authorities and certificate templates for a particular domain.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
    
  3. Run the following command to enable the Enrollment Servers for a particular domain.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name1 --mode enabled
    
  4. Run the following command to see the SAML Authenticators configured in Horizon Console.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator
    
  5. Run the following command to enable True SSO for a particular SAML Authenticator.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}
    
  6. In Horizon Console, go to Monitor > Dashboard and, in the System Health section on the right, click VIEW. With Components selected on the left, go to the TrueSSO tab, which shows the status of True SSO.

Test your application integration

  1. Go to your UAG URL through a browser or the VMware Horizon client.

  2. You will be redirected to the Acceptto SSO page.

  3. After successful authentication, you will see the Acceptto MFA options. Select your preferred method, then complete the verification step in your It'sMe mobile app.

  4. Finally, you will be redirected to your resource page. Click the Windows icon.

  5. You are logged in to your Windows machine automatically, without any additional authentication, through the integration between Acceptto SSO and VMware True SSO.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.