VMware Workspace ONE Access SAML integration
Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.
Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.
VMware Horizon enables IT departments to run virtual machine (VM) desktops and applications in the data center or cloud and remotely deliver these desktops and applications to employees as a managed service. VMware Workspace ONE Access (formerly VMware Identity Manager) combines the user's identity with factors such as device and network information to make intelligence-driven, conditional access decisions for applications delivered by Workspace ONE.
Arculix, as a SAML provider, improves the user login experience for Horizon users with convenient MFA. This manual illustrates how to configure both VMware Horizon and VMware Workspace ONE Access with the Arculix single sign-on (SSO) solution. Arculix’s solution for VMware Horizon and Workspace ONE Access eliminates the second logon on the Horizon Agent machine using True SSO, which generates certificates for each user and then uses those certificates to automatically sign into the Horizon Agent machine.
Prerequisites
Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
Configured Certificate Authority server.
Configured VMware Horizon Enrollment server which has a trust relationship with Horizon Connection server.
Configured Horizon Workspace One Access Connector.
User account with administrative privileges for VMware Connection server and WorkSpace ONE Access.
Obtain VMware Workspace ONE Access service provider information
Log in to the VMwareWorkspace ONE Access console as a system administrator.
Select the Identity & Access Management tab, and then select the Identity Providers sub tab.
Click Add Identity Provider and then Create Third Party IDP.
Scroll down to the SAML Signing Certificate section.
Right-click the Service Provider (SP) metadata link and open it in a new tab.
In the SAML metadata file, find the values for the following:
entityID – For example,
https://wso.example.com/SAAS/API/1.0/GET/metadata/sp.xml
AssertionConsumerService Location for HTTP-POST binding – For example,
https://wso.example.com/SAAS/auth/saml/response
Arculix SAML configuration as an Identity Provider (IdP)
In this section, you'll add an application for VMware Workspace ONE Access and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.
Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name
Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, WorkspaceONE.
Type
Set to SAML Service Provider.
Out of Band Methods
Select the allowed methods end users can choose to approve MFA requests.
For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests
Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations:
Issuer or Entity ID
Enter the Issuer/EntityID of your UAG instance.
For example,
https://WSO.example.com/SAAS/API/1.0/GET/metadata/sp.xml
.Log in URL
The URL used to log in to your UAG.
For example,
https://WSO.example.com/SAAS/auth/saml/response
.NameID Format
Set to Unspecified.
Name Identifier
Set to userPrincipalName.
ACS URL
Enter the service provider URL the identity provider will redirect to with its authentication response.
For example,
https://WSO.example.com/SAAS/auth/saml/response
.Response hosts
Enter the FQDN of your Workspace ONE Access.
For example,
https://WSO.example.com
.Save your changes.
Download your SAML metadata file.
Go to
https://sso.arculix.com/[organization identifier]/saml/download/metadata
to download your metadata file.
Workspace ONE Access configuration
In this section, you'll configure Workspace ONE Access as a service provider (SP). To configure Workspace ONE Access, complete the following tasks:
Add Arculix as a new Identity Provider in VMware Workspace ONE Access
Log in to the VMware Identity Manager console as a system administrator.
Select the Identity & Access Management tab, and then select the Identity Providers sub tab.
Click Add Identity Provider and then Create Third Party IDP.
Enter the Identity Provider Name.
Set Binding Protocol to HTTP POST.
In the SAML Metadata field, enter the Arculix metadata URL and click Process IdP Metadata.
Set the following configurations:
Identify User Using
Set this option to NameID Element.
Name ID Format
Click the + icon to add a new format and type
urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
.Name ID Value
Set to userPrincipalName.
Name ID Policy in SAML Request
Set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
Continue with the following configurations: In Users, select the directories you want to authenticate using this identity provider.
Users
Select the directories you want to authenticate using this identity provider.
Network
Select the networks that can access this identity provider.
In Authentication Methods section set the following configurations:
Authentication Methods
Enter an optional name like Arculix auth method.
SAML Context
Set to urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.
Click Save.
Add Arculix authentication method to the default access policy in Workspace ONE Access
In the VMware Workspace ONE Access console, click the Identity & Access Management tab, then click Policies.
Click Edit Default Access Policy.
In the Edit Policy wizard, click Configuration.
Click the policy rule for Web Browser.
Set the authentication method to Arculix auth method.
Click Save.
Enable SAML authentication on VMware Horizon Connection Server
Log in to Horizon Console.
In the left menu, go to Settings > Servers.
On the right, select the Connection Servers tab.
Highlight a Connection Server and click Edit.
Select the Authentication tab.
Set Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.
Click Manage SAML Authenticators.
Click Add.
Set the following configurations:
Label
Set a descriptive name for this SAML authenticator.
For example, WSO.
Metadata URL
Enter the URL of the IdP metadata for your Workspace ONE Access.
For example,
https://<Workspace_FQDN>/SAAS/API/1.0/GET/metadata/idp.xml
.Administration URL
Enter the Workspace ONE URL with 8443.
For example,
https://<Workspace_FQDN>:8443
.Click OK to close the Manage SAML Authenticators window.
In the Authentication tab, set the following configurations: check Enable Workspace ONE mode and enter Workspace ONE URL in the Workspace ONE Server Hostname field.
Enable Workspace ONE mode
Select this check box.
Workspace ONE Server Hostname
Enter the Workspace ONE URL.
For example,
https://<workspace>.acceptto.com
.In Horizon Console, do the following:
Go to Monitor > Dashboard.
In the System Health section, click VIEW.
On the left, select Other Components.
On the right, select the SAML 2.0 tab.
You should see your SAML authenticator name and status.
Enable True SSO on the Horizon Connection Server
On the Connection Server, open an elevated command prompt and run the following commands.
Note
The commands in this section are case sensitive.
To add the Enrollment Server, run the following command.
vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn
To see the available certificate authorities and certificate templates for a particular domain, run the following command.
vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
To enable the Enrollment Servers for a particular domain, run the following command.
vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name1 --mode enabled
To see the SAML authenticators configured in Horizon Console, run the following command.
vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator
To enable True SSO for a particular SAML authenticator, run the following command.
vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}
In Horizon Connection console, do the following:
Go to Monitor > Dashboard.
In the System Health section, click VIEW.
On the left, select Components.
On the right, select the TrueSSO tab.
You should see the status of True SSO in Horizon Console.
Create Virtual Apps Collection for VMWare Horizon in Workspace ONE Access Console
In the Workspace ONE Access Admin Portal, click the Catalog tab, then click Virtual Apps Collection.
Click NEW.
On the source type page, select Horizon.
Enter a Name for the collection, select the Connector for Workspace ONE Access, then click Next.
In Pod and Federation, select ADD A POD.
Enter the Horizon Connection server URL, admin account, and password.
Enable True SSO.
Click ADD.
On the Configuration page, set Sync Frequency to Hourly and Activation Policy to User-Activated.
Check the Summary page then click Finish.
Test your application integration
Go to your Workspace ONE Access URL through a browser.
You will be redirected to the Arculix SSO page.
After successful authentication, select your preferred MFA method to approve access to the Workspace ONE Access application.
Next, approve the verification stage on your Arculix Mobile app.
You will be redirected to your resource page. Click on the Windows icon.
You will be automatically logged in to your Windows machine through an integration between Arculix SSO and VMware TrueSSO, without any additional authentication.
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.