
VMware Workspace ONE Access SAML integration

Multi-factor authentication (MFA) is an extra layer of security used when logging into websites or apps: users must authenticate through more than one verification step, using factors that only they know or have access to. Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

VMware Horizon enables IT departments to run virtual machine (VM) desktops and applications in the data center or cloud and remotely deliver these desktops and applications to employees as a managed service. VMware Workspace ONE Access (formerly VMware Identity Manager) combines the user's identity with factors such as device and network information to make intelligence-driven, conditional access decisions for applications delivered by Workspace ONE.

Acceptto, as a SAML provider, improves the user login experience for Horizon users with convenient MFA. This manual illustrates how to configure both VMware Horizon and VMware Workspace ONE Access with the Acceptto single sign-on solution. Acceptto’s solution for VMware Horizon and Workspace ONE Access eliminates the second logon on the Horizon Agent machine using True SSO, which generates certificates for each user and then uses those certificates to automatically sign into the Horizon Agent machine.

Prerequisites

To integrate Acceptto SSO with VMware Workspace ONE Access and enable single sign-on, you must have the following components and prerequisites in your environment:

  • An Acceptto account with a configured Identity Provider and LDAP Agent.

    For more information, see the LDAP Agent deployment guide.

  • A user with administrative privileges for the Acceptto service.

  • An organization identifier provided by Acceptto (organization slug).

  • A configured Certificate Authority server.

  • A configured VMware Horizon Enrollment server which has a trust relationship with Horizon Connection server.

  • A Configured Horizon Workspace One Access Connector.

  • A user with administrative privileges for VMware Connection server and WorkSpace ONE Access.

Obtain VMware Workspace ONE Access Service Provider Information

  1. Log into the VMware Workspace ONE Access console as the System administrator.

  2. Click the Identity & Access Management tab, and then click Identity Providers.

  3. Click Add Identity Provider. Select Create Third Party IDP.

    vm-ws_create_idp.png
  4. Scroll to the bottom of the page to the SAML Signing Certificate section.

  5. Right click the Service Provider (SP) Metadata link and open it in a new tab.

  6. In the SAML metadata file, find the values for the following:

    entityID – For example, https://wso.example.com/SAAS/API/1.0/GET/metadata/sp.xml

    AssertionConsumerService Location for HTTP-POST binding – For example, https://wso.example.com/SAAS/auth/saml/response
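The two values above are the only ones you need to carry over to the Acceptto application form. The following script is an added example, not part of this guide or of VMware's or Acceptto's software: it parses an SP metadata file, picks the AssertionConsumerService with the HTTP-POST binding (ignoring any HTTP-Artifact endpoint that may be listed first), and derives the form values used in the next section. The metadata document is a constructed sample; a real sp.xml also contains the SP's certificates and additional endpoints.

```python
"""Added example: parse Workspace ONE Access SP metadata and derive the Acceptto form values."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like sp.xml (not a real Workspace ONE Access file).
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://wso.example.com/SAAS/API/1.0/GET/metadata/sp.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://wso.example.com/SAAS/auth/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://wso.example.com/SAAS/auth/saml/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".strip()


def extract_sp_info(metadata_xml):
    """Return entityID, the HTTP-POST ACS location and a few SP flags from SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if entity_id is None or sp is None:
        raise ValueError("metadata lacks entityID or SPSSODescriptor")
    # Only the HTTP-POST binding is relevant: that is the endpoint the IdP posts the
    # SAML Response to, and the one the Acceptto ACS URL field must contain.
    post_acs = [
        acs.get("Location")
        for acs in sp.findall("md:AssertionConsumerService", MD_NS)
        if acs.get("Binding") == HTTP_POST
    ]
    if not post_acs:
        raise ValueError("no AssertionConsumerService with HTTP-POST binding")
    return {
        "entity_id": entity_id,
        "acs_post_url": post_acs[0],
        "name_id_formats": [f.text for f in sp.findall("md:NameIDFormat", MD_NS)],
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


def acceptto_sp_settings(info):
    """Map the metadata values onto the fields of the SAML Service Provider Configuration tab."""
    parts = urlsplit(info["acs_post_url"])
    if parts.scheme != "https":
        raise ValueError("ACS URL must use https")
    return {
        "Issuer or Entity ID": info["entity_id"],
        "Sign in URL": info["acs_post_url"],
        "NameID Format": "Unspecified",
        "Name Identifier": "userPrincipleName",  # dropdown value as spelled in the Acceptto UI
        "Assertion Consumer Service (ACS) URL": info["acs_post_url"],
        "Response hosts": f"{parts.scheme}://{parts.netloc}",
    }


if __name__ == "__main__":
    for field, value in acceptto_sp_settings(extract_sp_info(SAMPLE_SP_METADATA)).items():
        print(f"{field}: {value}")
```

To use it against your own deployment, replace SAMPLE_SP_METADATA with the contents of the sp.xml you opened in step 5.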

Acceptto SAML Configuration as Identity Provider (IdP)

  1. Login to the Acceptto Dashboard with an administrative account and go to Applications.

  2. Create a new application by selecting Create New Application.

    Create new application
  3. In the New Application form, enter the following values under the General tab.

    • Name - The application name displayed in the admin panel and application portal and used for push notifications and audit logs. (e.g. WorkspaceONE)

    • Type - Select "SAML Service Provider" from the options

    • Out of Band Methods - Select the allowed methods for approving MFA requests

    • Message for MFA Requests - Enter the user-facing message for Push, SMS, and e-mail MFA requests (optional)

    vm-ws_add_app.png
  4. Under the SAML Service Provider Configuration tab, enter the following values:

    • Issuer or Entity ID – Enter the Issuer/EntityID of your UAG instance (e.g. https://WSO.example.com/SAAS/API/1.0/GET/metadata/sp.xml).

    • Sign in URL - The URL used to login to your UAG (e.g. https://WSO.example.com/SAAS/auth/saml/response).

    • NameID Format - Select "Unspecified" from the dropdown menu

    • Name Identifier - Select "userPrincipleName" from the dropdown menu

    • Assertion Consumer Service (ACS) URL - Enter the URL on the service provider where the identity provider will redirect to with its authentication response (e.g. https://WSO.example.com/SAAS/auth/saml/response).

    • Response hosts – FQDN of your Workspace ONE Access (e.g. https://WSO.example.com).

    vm-ws_sp_settings.png
  5. Click Save to create the Application.

  6. Download your SAML IdP X509 certificate. Go to https://sso.acceptto.com/[organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

  7. Download your SAML metadata file. Go to https://sso.acceptto.com/[organization identifier]/saml/download/metadata to download your metadata file.
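Before handing the metadata URL to Workspace ONE Access (next section), it is worth confirming that the signing certificate inside the metadata file is the same one you downloaded as cert.pem, and recording its fingerprint. The script below is an added example, not part of this guide or of Acceptto's software. Acceptto's actual IdP entity ID, endpoint paths and certificate are not given on this page, so the metadata document, the entity ID and the certificate body are constructed placeholders; the comparison logic works unchanged on the real files.

```python
"""Added example: check that cert.pem matches the signing certificate in the IdP metadata."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def make_pem(der_bytes):
    """Wrap raw bytes as a PEM CERTIFICATE block (used here only to build samples)."""
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    """Strip the PEM armour and return the base64-decoded body."""
    lines = [ln.strip() for ln in pem_text.splitlines()
             if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, the form most tools display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed placeholder: a real cert.pem holds a DER-encoded X.509 certificate.
FAKE_CERT_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_CERT_PEM = make_pem(FAKE_CERT_DER)

# Constructed placeholder metadata; entity ID and paths are not Acceptto's real values.
SAMPLE_IDP_METADATA = f"""
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.acceptto.com/ORG-SLUG-PLACEHOLDER/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.acceptto.com/ORG-SLUG-PLACEHOLDER/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.acceptto.com/ORG-SLUG-PLACEHOLDER/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".strip()


def extract_idp_info(metadata_xml):
    """Return the IdP entity ID, HTTP-POST SSO URL and fingerprints of its signing certs."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_POST]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join(cert.text.split())))
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso[0] if sso else None,
        "signing_cert_fingerprints": [sha256_fingerprint(c) for c in certs],
    }


def cert_pem_matches_metadata(cert_pem, metadata_xml):
    """True when cert.pem is one of the signing certificates published in the metadata."""
    fp = sha256_fingerprint(pem_to_der(cert_pem))
    return fp in extract_idp_info(metadata_xml)["signing_cert_fingerprints"]


if __name__ == "__main__":
    print(extract_idp_info(SAMPLE_IDP_METADATA))
    print("cert.pem matches metadata:", cert_pem_matches_metadata(SAMPLE_CERT_PEM, SAMPLE_IDP_METADATA))
```

Run it with the two downloaded files read from disk in place of the samples; a mismatch means the metadata URL and the certificate file do not describe the same identity provider and should be investigated before continuing.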

Configure Workspace ONE Access

Add Acceptto as a new Identity Provider in VMware Workspace ONE Access

  1. Log into the VMware Identity Manager console as the System administrator.

  2. Click the Identity & Access Management tab, and then click Identity Providers.

  3. Click Add Identity Provider and then select Create Third Party IDP.

    vm-ws_create_idp.png
  4. Enter Identity Provider Name.

  5. Set Binding Protocol to HTTP POST.

  6. In the SAML Metadata field, enter the Acceptto Metadata URL and click Process IdP Metadata.

    vm-ws_process_meta.png
  7. Set the Identify User Using option to NameID Element. In the Name ID format mapping from SAML Response section, click the + icon. In the Name ID format mapping, select Add a new format and type urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified. Then, select userPrincipleName in Name ID Value.

  8. In the Name ID Policy in SAML Request section, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

    vm-ws_name_id.png
  9. In Users, select the directories you want to authenticate using this identity provider.

  10. In Network, select the networks that can access this identity provider.

    vm-ws_network.png
  11. In the Authentication Methods section, enter the following:

    • Authentication Methods: Enter an optional name like Acceptto Auth Method

    • SAML Context: select urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

    vm-ws_auth_methods.png
  12. Click Save.
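Steps 7, 8 and 11 above tell Workspace ONE Access what to expect in the SAML Response from Acceptto: the user identified by the NameID element in the unspecified format, and the unspecified authentication context class. The script below is an added example, not part of this guide or of VMware's or Acceptto's software, that applies those same expectations to a SAML Response and reports every mismatch, together with the audience, recipient and validity-window checks any SP performs. The response is a constructed sample, the IdP entity ID is a placeholder to be read from the Acceptto metadata file, and XML signature verification (which a real SP performs before trusting any of these values) is deliberately left out.

```python
"""Added example: check a SAML Response against the settings configured in this section."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Expected values from this guide; the IdP entity ID is a placeholder, take the real
# one from the Acceptto metadata file you downloaded.
EXPECTED = {
    "idp_entity_id": "https://sso.acceptto.com/ORG-SLUG-PLACEHOLDER/saml",
    "sp_entity_id": "https://wso.example.com/SAAS/API/1.0/GET/metadata/sp.xml",
    "acs_url": "https://wso.example.com/SAAS/auth/saml/response",
    "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
    "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
}

# Constructed, unsigned sample response (a real one carries ds:Signature elements).
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-15T10:00:00Z" Destination="https://wso.example.com/SAAS/auth/saml/response">
  <saml:Issuer>https://sso.acceptto.com/ORG-SLUG-PLACEHOLDER/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://sso.acceptto.com/ORG-SLUG-PLACEHOLDER/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:05:00Z"
            Recipient="https://wso.example.com/SAAS/auth/saml/response"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://wso.example.com/SAAS/API/1.0/GET/metadata/sp.xml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-15T10:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
""".strip()


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-15T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected, now_iso):
    """Return a list of problems; an empty list means the response matches the configuration."""
    now = _ts(now_iso)
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return problems
    for issuer in (resp.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != expected["idp_entity_id"]:
            problems.append("Issuer does not match the IdP entity ID")
            break
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID element")
    else:
        if name_id.get("Format") != expected["name_id_format"]:
            problems.append("NameID Format is not the configured unspecified format")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not a userPrincipalName-style value")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("SubjectConfirmationData Recipient does not match the ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (not_before and now < _ts(not_before)) or (not_after and now >= _ts(not_after)):
            problems.append("assertion is outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected["sp_entity_id"] not in audiences:
            problems.append("Audience does not include the SP entity ID")
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or ctx.text != expected["authn_context"]:
        problems.append("AuthnContextClassRef does not match the configured SAML Context")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, EXPECTED, "2024-01-15T10:01:00Z") or "response matches configuration")
```

When a login fails after the IdP redirect, decoding the posted SAMLResponse (base64) and running it through this check usually points at the field that disagrees with what was entered in steps 7, 8 and 11.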

Add Acceptto Authentication Method to the Default Access Policies in Workspace ONE Access

  1. In the VMware Workspace ONE Access console, click the Identity & Access Management tab, and then click Policies.

  2. Click Edit Default Access Policy.

  3. In the Edit Policy wizard, click Configuration.

  4. Click the policy rule for Web browsers.

  5. Set “Acceptto auth method” as the authentication method.

    vm-ws_set_acceptto.png
  6. Click Save.

    vm-ws_policy_rule.png

Enable SAML Authentication on VMware Horizon Connection

  1. Log into your VMware Horizon Console.

  2. In the left menu, go to the Settings > Servers.

  3. On the right, click the tab named Connection Servers.

  4. Highlight a Connection Server and click Edit.

  5. Switch to the tab named Authentication.

    vm_auth_tab.png
  6. Change the drop-down for Delegation of Authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.

    vm_delegate_auth.png
  7. Click the button named Manage SAML Authenticators.

    vm_manage_saml.png
  8. Click Add.

    vm_add_saml.png
  9. In the Label field, enter a descriptive label.

  10. In the Metadata URL field, enter the URL of IdP metadata of your Workspace ONE Access e.g. https://<Workspace_FQDN>/SAAS/API/1.0/GET/metadata/idp.xml

  11. In the Administration URL field, enter the Workspace ONE URL with port 8443.

    vm-ws_edit_saml.png
  12. Click OK to close the Manage SAML Authenticators window.

  13. In the Authentication tab, check Enable Workspace ONE mode and enter Workspace ONE URL in the Workspace ONE Server Hostname field.

    vm-ws_edit_connection_server.png
  14. In Horizon Console, go to Monitor > Dashboard and then click VIEW in the System Health section.

  15. Navigate to Other Components, located on the left side of the window. Then, click on the SAML 2.0 tab. You should see your SAML Authenticator.

    vm-ws_saml_tab.png

Enable True SSO on VMware Horizon Connection

Open an elevated Command Prompt on the Connection Server and run the following commands. Note that the parameter names of the commands in this section are case sensitive.

  1. Run the following command to add the Enrollment Server (replace the placeholder values, such as admin-role-username and enroll-server1-fqdn, with the values for your environment).

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn
    
    vm_add_enrollment_cmd.png
  2. Run the following command to see the available certificate authorities and certificate templates for a particular domain.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
    
    vm_cert_cmd.png
  3. Run the following command to enable the Enrollment Servers for a particular domain.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name1 --mode enabled
    
    vm_enable_enrollment_cmd.png
  4. Run the following command to see the SAML Authenticators configured in Horizon Console.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator
    
    vm_see_saml_cmd.png
  5. Run the following command to enable True SSO for a particular SAML Authenticator.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}
    
    vm_true_sso_cmd.png
  6. In Horizon Connection Console, go to Monitor > Dashboard and on the right, in the System Health section, click VIEW. With Components selected on the left, go to the TrueSSO tab. Here, you can view the status of True SSO in the Horizon Console.

    vm_true_sso_tab.png

Create Virtual Apps Collection for VMware Horizon in Workspace ONE Access Console

  1. In the Workspace ONE Access Admin Portal, click the Catalog tab, and then click Virtual Apps Collection.

    vm-ws_virtual_apps.png
  2. Click on NEW.

  3. In the source type page, select Horizon.

    vm-ws_source_type.png
  4. Enter a name for the collection, select the Workspace ONE Access Connector, and click Next.

    vm-ws_new_collection.png
  5. In Pod and Federation, select ADD A POD.

  6. Enter the Horizon Connection server URL, admin account and its password.

  7. Enable True SSO.

    vm-ws_enable_true_sso.png
  8. Click ADD.

  9. In the Configuration page, set Sync Frequency to Hourly and Activation Policy to User-Activated.

  10. Check Summary and click Finish.

Test your application integration

  1. Go to your Workspace ONE Access URL through a browser.

    vm-ws_launch.png
  2. You will be redirected to the Acceptto SSO page.

    SSO login
  3. After successful authentication, you’ll see the Acceptto MFA options. Select your desired authentication method. Next, pass the verification stage on your It'sMe mobile app.

    Select MFA method
    vm-ws_itsme.png
  4. Finally, you will be redirected to your resource page. Click on the Windows icon.

    vm-ws_resource.png
  5. You will be automatically logged in to your Windows machine through the integration between Acceptto SSO and VMware True SSO, without any additional authentication prompt.

    vm-ws_windows.png

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.