Skip to main content

VMware Workspace ONE Access SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

VMware Horizon enables IT departments to run virtual machine (VM) desktops and applications in the data center or cloud and remotely deliver these desktops and applications to employees as a managed service. VMware Workspace ONE Access (formerly VMware Identity Manager) combines the user's identity with factors such as device and network information to make intelligence-driven, conditional access decisions for applications delivered by Workspace ONE.

Arculix, as a SAML provider, improves the user login experience for Horizon users with convenient MFA. This manual illustrates how to configure both VMware Horizon and VMware Workspace ONE Access with the Arculix single sign-on (SSO) solution. Arculix’s solution for VMware Horizon and Workspace ONE Access eliminates the second logon on the Horizon Agent machine using True SSO, which generates certificates for each user and then uses those certificates to automatically sign into the Horizon Agent machine.

Prerequisites

  • Arculix account with a configured Identity Provider and LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for Arculix.

  • An organization identifier provided by Arculix (organization slug).

  • Configured Certificate Authority server.

  • Configured VMware Horizon Enrollment server which has a trust relationship with Horizon Connection server.

  • Configured Horizon Workspace One Access Connector.

  • User account with administrative privileges for VMware Connection server and WorkSpace ONE Access.

Obtain VMware Workspace ONE Access service provider information

  1. Log in to the VMwareWorkspace ONE Access console as a system administrator.

  2. Select the Identity & Access Management tab, and then select the Identity Providers sub tab.

  3. Click Add Identity Provider and then Create Third Party IDP.

    vm-ws_create_idp.png
  4. Scroll down to the SAML Signing Certificate section.

  5. Right-click the Service Provider (SP) metadata link and open it in a new tab.

  6. In the SAML metadata file, find the values for the following:

    entityID – For example, https://wso.example.com/SAAS/API/1.0/GET/metadata/sp.xml

    AssertionConsumerService Location for HTTP-POST binding – For example, https://wso.example.com/SAAS/auth/saml/response

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for VMware Workspace ONE Access and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:

    Name

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, WorkspaceONE.

    Type

    Set to SAML Service Provider.

    Out of Band Methods

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests

    (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

    arculix_new_app_workspaceone.png
  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID

    Enter the Issuer/EntityID of your UAG instance.

    For example, https://WSO.example.com/SAAS/API/1.0/GET/metadata/sp.xml.

    Log in URL

    The URL used to log in to your UAG.

    For example, https://WSO.example.com/SAAS/auth/saml/response.

    NameID Format

    Set to Unspecified.

    Name Identifier

    Set to userPrincipalName.

    ACS URL

    Enter the service provider URL the identity provider will redirect to with its authentication response.

    For example, https://WSO.example.com/SAAS/auth/saml/response.

    Response hosts

    Enter the FQDN of your Workspace ONE Access.

    For example, https://WSO.example.com.

    arculix_new_app_workspaceone_saml.png
  5. Save your changes.

  6. Download your SAML metadata file.

    Go to https://sso.arculix.com/[organization identifier]/saml/download/metadata to download your metadata file.

Workspace ONE Access configuration

In this section, you'll configure Workspace ONE Access as a service provider (SP). To configure Workspace ONE Access, complete the following tasks:

Add Arculix as a new Identity Provider in VMware Workspace ONE Access

  1. Log in to the VMware Identity Manager console as a system administrator.

  2. Select the Identity & Access Management tab, and then select the Identity Providers sub tab.

  3. Click Add Identity Provider and then Create Third Party IDP.

    vm-ws_create_idp.png
  4. Enter the Identity Provider Name.

  5. Set Binding Protocol to HTTP POST.

  6. In the SAML Metadata field, enter the Arculix metadata URL and click Process IdP Metadata.

    vm-ws_process_meta.png
  7. Set the following configurations:

    Identify User Using

    Set this option to NameID Element.

    Name ID Format

    Click the + icon to add a new format and type urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.

    Name ID Value

    Set to userPrincipalName.

    Name ID Policy in SAML Request

    Set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

    vm-ws_name_id.png
  8. Continue with the following configurations: In Users, select the directories you want to authenticate using this identity provider.

    Users

    Select the directories you want to authenticate using this identity provider.

    Network

    Select the networks that can access this identity provider.

    vm-ws_network.png
  9. In Authentication Methods section set the following configurations:

    Authentication Methods

    Enter an optional name like Arculix auth method.

    SAML Context

    Set to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.

    vm-ws_auth_methods.png
  10. Click Save.

Add Arculix authentication method to the default access policy in Workspace ONE Access

  1. In the VMware Workspace ONE Access console, click the Identity & Access Management tab, then click Policies.

  2. Click Edit Default Access Policy.

  3. In the Edit Policy wizard, click Configuration.

  4. Click the policy rule for Web Browser.

  5. Set the authentication method to Arculix auth method.

    vm-ws_set_acceptto.png
  6. Click Save.

    vm-ws_policy_rule.png

Enable SAML authentication on VMware Horizon Connection Server

  1. Log in to Horizon Console.

  2. In the left menu, go to Settings > Servers.

  3. On the right, select the Connection Servers tab.

  4. Highlight a Connection Server and click Edit.

  5. Select the Authentication tab.

    vm_auth_tab.png
  6. Set Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.

    vm_delegate_auth.png
  7. Click Manage SAML Authenticators.

    vm_manage_saml.png
  8. Click Add.

    vm_add_saml.png
  9. Set the following configurations:

    Label

    Set a descriptive name for this SAML authenticator.

    For example, WSO.

    Metadata URL

    Enter the URL of the IdP metadata for your Workspace ONE Access.

    For example, https://<Workspace_FQDN>/SAAS/API/1.0/GET/metadata/idp.xml.

    Administration URL

    Enter the Workspace ONE URL with 8443.

    For example, https://<Workspace_FQDN>:8443.

    vm-ws_edit_saml.png
  10. Click OK to close the Manage SAML Authenticators window.

  11. In the Authentication tab, set the following configurations: check Enable Workspace ONE mode and enter Workspace ONE URL in the Workspace ONE Server Hostname field.

    Enable Workspace ONE mode

    Select this check box.

    Workspace ONE Server Hostname

    Enter the Workspace ONE URL.

    For example, https://<workspace>.acceptto.com.

    vm-ws_edit_connection_server.png
  12. In Horizon Console, do the following:

    1. Go to Monitor > Dashboard.

    2. In the System Health section, click VIEW.

    3. On the left, select Other Components.

    4. On the right, select the SAML 2.0 tab.

      You should see your SAML authenticator name and status.

      vm-uag_saml_tab.png

Enable True SSO on the Horizon Connection Server

On the Connection Server, open an elevated command prompt and run the following commands.

Note

The commands in this section are case sensitive.

  1. To add the Enrollment Server, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn
    
    vm_add_enrollment_cmd.png
  2. To see the available certificate authorities and certificate templates for a particular domain, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
    
    vm_cert_cmd.png
  3. To enable the Enrollment Servers for a particular domain, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name1 --mode enabled
    
    vm_enable_enrollment_cmd.png
  4. To see the SAML authenticators configured in Horizon Console, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator
    
    vm_see_saml_cmd.png
  5. To enable True SSO for a particular SAML authenticator, run the following command.

    vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}
    
    vm_true_sso_cmd.png
  6. In Horizon Connection console, do the following:

    1. Go to Monitor > Dashboard.

    2. In the System Health section, click VIEW.

    3. On the left, select Components.

    4. On the right, select the TrueSSO tab.

      You should see the status of True SSO in Horizon Console.

      vm_true_sso_tab.png

Create Virtual Apps Collection for VMWare Horizon in Workspace ONE Access Console

  1. In the Workspace ONE Access Admin Portal, click the Catalog tab, then click Virtual Apps Collection.

    vm-ws_virtual_apps.png
  2. Click NEW.

  3. On the source type page, select Horizon.

    vm-ws_source_type.png
  4. Enter a Name for the collection, select the Connector for Workspace ONE Access, then click Next.

    vm-ws_new_collection.png
  5. In Pod and Federation, select ADD A POD.

  6. Enter the Horizon Connection server URL, admin account, and password.

  7. Enable True SSO.

    vm-ws_enable_true_sso.png
  8. Click ADD.

  9. On the Configuration page, set Sync Frequency to Hourly and Activation Policy to User-Activated.

  10. Check the Summary page then click Finish.

Test your application integration

  1. Go to your Workspace ONE Access URL through a browser.

    vm-ws_launch.png
  2. You will be redirected to the Arculix SSO page.

    Application login page with email
  3. After successful authentication, select your preferred MFA method to approve access to the Workspace ONE Access application.

    Select MFA method
  4. Next, approve the verification stage on your Arculix Mobile app.

    vm-ws_itsme.png
  5. You will be redirected to your resource page. Click on the Windows icon.

    vm-ws_resource.png
  6. You will be automatically logged in to your Windows machine through an integration between Arculix SSO and VMware TrueSSO, without any additional authentication.

    vm-ws_windows.png

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.