True Single Sign-On (SSO) with VMware Horizon Cloud Universal Broker

A Horizon Cloud environment integrated with VMware Workspace ONE is a prerequisite for the True SSO feature. When True SSO is configured in the Horizon Cloud environment, end users who have authenticated to the Workspace ONE user portal can launch their entitled desktops or applications without being prompted for Active Directory credentials. See the video below to understand how the user experience differs with and without True SSO.

As of November 2020, Horizon Cloud on Azure provides two distinct brokering methods for delivering remote resources from your HCS Azure pods to end users: 1) Universal Broker and 2) Single-POD Broker. The True SSO integration method differs slightly depending on the brokering method you have chosen.

  • True SSO with Universal Broker
    • Workspace ONE Intelligent Hub integration with Horizon Cloud Environment.
    • Install and configure Workspace ONE Access Connector.
    • Configure True SSO in Horizon Cloud admin console.
    • The TrueSSO feature is enabled by default in the Workspace ONE Hub service.

  • True SSO Single-POD Broker
    • Workspace ONE Access integration with Horizon Cloud Environment.
    • Install and configure Workspace ONE Access Connector.
    • Create a Virtual App Collection in Workspace ONE Access admin console and turn the TrueSSO toggle on.
    • Configure True SSO in Horizon Cloud admin console.

Note: Information about the supported Workspace ONE Access connector versions can be found here.

In this post, I will provide step-by-step guidance on True SSO configuration for a Universal Broker enabled Horizon Cloud tenant.

Prerequisites for True SSO with Universal Broker

– Certificate Authority

– Enrollment Server

– Workspace One Access cloud tenant and connector software 20.10.0

– Universal Broker enabled Horizon Cloud tenant

Note: The Certificate Authority and Enrollment Server configuration steps are the same for the Single-POD broker as well.

Integration of Workspace ONE Intelligent Hub with Universal Broker

See my previous blog post for the steps to integrate Workspace ONE Intelligent Hub with a Universal Broker enabled Horizon Cloud POD.

Configuration of Certificate Authority

1. The Certificate Authority role can be installed on the same Active Directory server or on a separate Windows Server machine, as your requirements dictate.

Open Server Manager > navigate to [Manage] > [Add Roles and Features] and follow the on-screen instructions.

2. Perform the steps below on the Certificate Authority machine.

  • Configure the CA for non-persistent (volatile) certificate processing
    • certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
  • Configure the CA to ignore offline CRL errors
    • certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  • Restart the CA service so the new registry flags take effect
    • net stop certsvc
    • net start certsvc

Installation of True SSO Enrollment Server

3. The Enrollment Server software can be downloaded from Myvmware.com.

Configure a Group for True SSO

4. Create a Security Group for True SSO in Active Directory and add the Enrollment Server machine account as a member of that Security Group.

Configure certificate templates for True SSO

5. Configure the certificate templates for True SSO on the Certificate Authority.

Both the Smartcard Logon and the Enrollment Agent (Computer) templates need to be configured.

Horizon Cloud True SSO Pairing Token

6. Download True SSO pairing token from Horizon Cloud admin console.

Log into the Horizon Cloud admin console > navigate to [Settings] > [Active Directory] > select [Download Pairing Token] in the True SSO Configuration section. A zip file will be downloaded.

Extract the zip file and copy the certificate files to the Enrollment Server.

Import certificates on Enrollment Server

7. Import the necessary certificates.

On the Enrollment Server machine, select [Start] > [Run] > MMC

Navigate to [File] > [Add/Remove Snap-in…]

Select [Certificates] > [Add]

Select [Computer account]

Select [Local computer: ( the computer this console is running on)] > [Finish] > [OK]

Expand [Certificate (Local Computer)] > [Personal] > [All Tasks] > [Request New Certificate] > [Next]

Select [Active Directory Enrollment Policy] > [Next] > select [Enrollment Agent (Computer)] > [Enroll]

Confirm Enrollment Agent (computer) status as [Succeeded] > [Finish]

Confirm the certificate has been imported under [Personal] > [Certificates]

In the same window, right-click [VMware Horizon View Enrollment Server Trusted Roots] > [All Tasks] > [Import] > [Next] and follow the on-screen instructions to import the Horizon Cloud True SSO token (certificate) downloaded in step 6.

Follow the same steps to import the second certificate and confirm that the certificates exist under the [Certificates] folder. There should be 2 certificates if Horizon Cloud is deployed in HA mode.
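The following PowerShell script is an added verification example, not part of the original post or of VMware's tooling: Test-TrueSsoCaFlags confirms on the CA that the two certutil flags from step 2 are set and certsvc is running, and Test-TrueSsoEnrollmentServer confirms on the Enrollment Server that an Enrollment Agent (Computer) certificate with a private key exists and that the expected number of pairing certificates from step 7 are present. It assumes certutil is on the PATH and that the logical store name equals the MMC display name shown above.

```powershell
# Added example (not from the original post). Run Test-TrueSsoCaFlags on the CA host and
# Test-TrueSsoEnrollmentServer on the Enrollment Server host, both in an elevated session.

function Test-TrueSsoCaFlags {
    # certutil -getreg decodes the DWORD bitmask and prints the symbolic name of every set flag,
    # so a substring match on the flag name is enough to confirm step 2 took effect.
    $dbFlags  = (certutil -getreg DBFlags)     -join "`n"
    $crlFlags = (certutil -getreg ca\CRLFlags) -join "`n"
    [pscustomobject]@{
        VolatileRequestsEnabled = [bool]($dbFlags  -match 'DBFLAGS_ENABLEVOLATILEREQUESTS')
        IgnoreOfflineCrlEnabled = [bool]($crlFlags -match 'CRLF_REVCHECK_IGNORE_OFFLINE')
        CertSvcRunning          = (Get-Service certsvc).Status -eq 'Running'
    }
}

function Test-TrueSsoEnrollmentServer {
    param(
        # Assumption: the logical store name matches the display name seen in the MMC snap-in.
        [string]$TrustedRootsStore = 'VMware Horizon View Enrollment Server Trusted Roots',
        # 2 when Horizon Cloud is deployed in HA mode (step 7), otherwise 1.
        [int]$ExpectedPairingCerts = 2
    )
    # Certificate Request Agent EKU, the usage carried by the Enrollment Agent (Computer) template.
    $certRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'
    $now = Get-Date

    $agentCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $certRequestAgentOid)
    }
    # Custom stores created by the Enrollment Server are exposed under Cert:\LocalMachine like any other.
    $pairing = @(Get-ChildItem "Cert:\LocalMachine\$TrustedRootsStore" -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        EnrollmentAgentCertPresent = [bool]$agentCerts
        PairingCertsPresent        = $pairing.Count
        PairingCertsExpected       = $ExpectedPairingCerts
        PairingOk                  = $pairing.Count -ge $ExpectedPairingCerts
        # Expiring pairing certificates are a common cause of True SSO silently stopping.
        PairingCertsExpiringIn30d  = @($pairing | Where-Object { $_.NotAfter -lt $now.AddDays(30) }).Count
    }
}
```

If PairingOk is false or EnrollmentAgentCertPresent is false, the [TEST PAIRING] step in the Horizon Cloud admin console will fail; recheck steps 6 and 7 before proceeding.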

Configure True SSO on Horizon Cloud

8. Configure True SSO on Horizon Cloud admin console.

Log into the Horizon Cloud admin console, navigate to [Active Directory] and select [Add] under the True SSO Configuration section.

Enter the Enrollment Server FQDN and select [TEST PAIRING].

Confirm that the True SSO template appears in the [Template] section and the CA certificate in the [Certificate Authorities] section > [Save].

Confirm that the True SSO configuration has been saved successfully.

Note: There is no option in the Workspace ONE Intelligent Hub admin console to disable True SSO. If you need to disable True SSO, delete the configuration from the Horizon Cloud admin console.

Connectivity test

9. If everything is configured properly, you should be able to launch the desktop from the Workspace ONE Access user portal without being prompted for Active Directory credentials, as seen in the video clip below.
