
VMware Horizon and UAG SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging in to websites or apps. Users are authenticated through more than one security and validation step, each based on something only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

VMware Horizon enables IT departments to run virtual machine (VM) desktops and applications in the data center or cloud and remotely deliver these desktops and applications to employees as a managed service. In a typical deployment, the Unified Access Gateway (UAG) is an appliance that ensures incoming traffic comes from a strongly authenticated remote user. UAG directs authenticated users to the appropriate server and only to the desktop and application resources to which they are actually entitled.

Arculix, as a SAML provider, improves the user login experience for Horizon users with convenient MFA. This manual illustrates how to configure both VMware Horizon and UAG with Arculix’s single sign-on solution. Arculix’s solution for VMware Horizon and UAG eliminates the second logon on the Horizon Agent machine using True SSO, which generates certificates for each user and then uses those certificates to automatically sign into the Horizon Agent machine.

Prerequisites

  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • Configured VMware Horizon Enrollment server which has a trust relationship with Horizon Connection server.

  • Configured Certificate Authority server.

  • User account with administrative privileges for VMware Connection server and UAG.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for VMware Horizon and UAG and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

  3. In the New Application form, on the General tab, set the following configurations:

    Name 

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, UAG.

    Type 

    Set to SAML Service Provider.

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID 

    Enter the Issuer/EntityID of your UAG instance.

    For example, https://<HORIZON_UAG_FQDN>/portal.

    Log in URL 

    The login URL for UAG.

    For example, https://<HORIZON_UAG_FQDN>/portal.

    NameID Format 

    Set to Email Address.

    Name Identifier 

    Set to Email.

  5. Save your changes.

UAG configuration

In this section, you'll configure UAG as a service provider (SP).

  1. Download the SAML metadata and certificate for your organization from Arculix.

    Metadata download: https://sso.acceptto.com/<myorganization>/saml/download/metadata

    View metadata: https://sso.acceptto.com/<myorganization>/saml/metadata

    Certificate download: https://sso.acceptto.com/<myorganization>/saml/download/cert

  2. Log in to your UAG admin page with an admin account.

    For example, your login URL might be https://<HORIZON_UAG_FQDN>:9443/admin.

  3. Select Configure Manually.

  4. Scroll down to the Identity Bridging Settings section and click the gear icon for Upload Identity Provider Metadata.

  5. Next to IDP Metadata, click the Select link.

  6. Select the XML metadata file you downloaded earlier from Arculix, and then click Save.

  7. At the top of the page, next to Edge Service Settings, click SHOW.

  8. Next to Horizon Settings, click the gear icon.

  9. At the bottom of the page, click the More link.

  10. In the middle of the page, change the Auth Methods setting to SAML.

  11. Change the Identity Provider setting to the one for Arculix (formerly Acceptto). Then, click Download SAML service provider metadata to download the file. We will need this file to configure the Horizon Connection server.

  12. At the bottom of the page, click Save.

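A pre-upload check for the two files downloaded in step 1, added here as an example and not taken from the Arculix or VMware documentation: it confirms that the signing certificate embedded in the IdP metadata matches the separately downloaded certificate and that every single sign-on endpoint uses HTTPS. It assumes the certificate download is PEM-encoded and is the IdP signing certificate; the function names, the idp.example.test URLs, and the placeholder certificate bytes are constructed for illustration.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def der_fingerprint(b64_body):
    """SHA-256 over the DER bytes encoded in a base64 certificate body."""
    return hashlib.sha256(base64.b64decode("".join(b64_body.split()))).hexdigest()

def pem_fingerprint(pem_text):
    """Fingerprint of the first certificate in the downloaded PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return der_fingerprint(m.group(1))

def check_idp_metadata(xml_text, pem_text):
    """Return a list of problems; an empty list means every check passed."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("SAML metadata must not carry DTD or entity declarations")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        return ["file is not IdP metadata (no EntityDescriptor/IDPSSODescriptor)"]
    problems = []
    certs = [der_fingerprint(c.text or "") for c in idp.iterfind(".//ds:X509Certificate", NS)]
    if pem_fingerprint(pem_text) not in certs:
        problems.append("metadata certificate differs from the downloaded certificate")
    urls = [e.get("Location", "") for e in idp.iterfind("md:SingleSignOnService", NS)]
    if not urls:
        problems.append("no SSO endpoint listed")
    problems += ["endpoint is not HTTPS: " + u for u in urls if not u.lower().startswith("https://")]
    return problems

# Constructed sample input: placeholder bytes stand in for a real X.509 certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-placeholder-certificate").decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % SAMPLE_CERT_B64
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % SAMPLE_CERT_B64

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA, SAMPLE_PEM) or "all checks passed")
```

To check real files, pass the text of the downloaded metadata and certificate files to `check_idp_metadata`. A certificate mismatch means the metadata and the certificate download do not describe the same IdP signing key and should be resolved before the metadata is uploaded to UAG.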

Horizon Connection Server configuration

To integrate the VMware Horizon connection server with Arculix and enable SAML authentication, follow these steps.

  1. Log in to Horizon Console.

  2. In the left menu, go to Settings > Servers.

  3. On the right, select the Connection Servers tab.

  4. Select the Connection Server that UAG communicates with and click Edit.

  5. Select the Authentication tab.

  6. Set Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.

  7. Click Manage SAML Authenticators.

  8. Click Add.

  9. Set the authenticator Type to Static.

    Dynamic is valid only for VMware Access (aka Identity Manager).

  10. With a text editor, open the metadata.xml file you just downloaded from UAG, and copy its contents to your clipboard. Then, go back to the Horizon Console and paste the contents into the SAML Metadata field.

  11. Give your SAML 2.0 Authenticator a name in the Label field and click OK.

  12. In Horizon Console, do the following:

    1. Go to Monitor > Dashboard.

    2. In the System Health section, click VIEW.

    3. On the left, select Other Components.

    4. On the right, select the SAML 2.0 tab.

      You should see the SAML authenticator name and status for Arculix.


Enable True SSO on the Horizon Connection Server

On the Connection Server, open an elevated command prompt and run the following commands.

Note

The commands in this section are case sensitive.

  1. To add the Enrollment Server, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn
    
  2. To see the available certificate authorities and certificate templates for a particular domain, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
    
  3. To enable the Enrollment Servers for a particular domain, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name1 --mode enabled
    
  4. To see the SAML authenticators configured in Horizon Console, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator
    
  5. To enable True SSO for a particular SAML authenticator, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}
    
  6. In Horizon Connection console, do the following:

    1. Go to Monitor > Dashboard.

    2. In the System Health section, click VIEW.

    3. On the left, select Components.

    4. On the right, select the TrueSSO tab.

      You should see the status of True SSO in Horizon Console.


Test your application integration

  1. Go to your UAG URL through a browser or VMware Horizon client.

  2. You will be redirected to the Arculix SSO page.

  3. After successful authentication, select your preferred MFA method to approve access to the VMware Horizon application.

  4. You will be redirected to your resource page. Click the Windows icon.

  5. You will be automatically logged in to your Windows machine without any additional authentication, through the integration between Arculix SSO and VMware True SSO.


Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.