True SSO Overview
True SSO provides a way to authenticate to Microsoft Windows, retaining all of the user's normal domain privileges, without requiring them to provide AD credentials. True SSO is a VMware Horizon technology that integrates VMware Identity Manager with Horizon 7. With the True SSO (single sign-on) feature, after users log in to VMware Identity Manager using a smart card or RSA SecurID or RADIUS authentication, they are not required to also enter Active Directory credentials in order to use a virtual desktop or a published desktop or application.
True SSO uses SAML (Security Assertion Markup Language) to send the User Principal Name (for example, user@example.com) to the identity provider's authentication system to access AD credentials. Horizon 7 then generates a unique, short-lived certificate for the Windows login process.
Benefits of True SSO
- Separates authentication (validating a user's identity) from access (such as to a specific Windows desktop or application).
- Provides enhanced security. User credentials are secured by a digital certificate. No passwords are vaulted or transferred within the data center.
- Supports a wide range of authentication methods. Selecting or changing authentication protocols has a limited impact on the infrastructure of the enterprise.
How True SSO Works
- The user authenticates to VMware Identity Manager using one of an extensive set of authentication methods (RSA SecurID, RADIUS, biometric, etc.). After authentication the user selects a desktop or application to launch.
- Horizon Client is launched with the user's identity, and the credentials are directed to the Connection Server.
- The Connection Server validates the user's identity with Identity Manager by sending a SAML assertion.
- Using the certificate enrollment service, Horizon 7 requests that the Microsoft Certificate Authority (CA) generate a temporary, short-lived certificate on behalf of that user.
- Horizon 7 presents the certificate to the Windows operating system.
- Windows validates the authenticity of the certificate with Active Directory.
- The user is logged in to the Windows desktop or application, and a remote session is initiated on the Horizon Client.
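The certificate steps of the flow above (the CA issuing a short-lived certificate bound to the user's UPN, and the relying party checking that certificate before logon) as an added Go example; this is not VMware's or Horizon's code, and it collapses the enrollment server and the Microsoft CA into a single signing function rather than exchanging a CSR between them. It uses only the Go standard library. The Microsoft UPN otherName OID (1.3.6.1.4.1.311.20.2.3) is a known value; the CA name, the sample UPN, the 15-minute policy maximum and all function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // szOID_NT_PRINCIPAL_NAME
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// otherName is the SAN GeneralName carrying a UPN: SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"utf8,tag:0,explicit"`
}

// upnSAN encodes a SubjectAltName extension holding one otherName UPN.
func upnSAN(upn string) ([]byte, error) {
	inner, err := asn1.Marshal(otherName{TypeID: oidUPN, Value: upn})
	if err != nil { return nil, err }
	inner[0] = 0xA0 // retag the SEQUENCE as GeneralName.otherName ([0] IMPLICIT, constructed)
	return asn1.Marshal([]asn1.RawValue{{FullBytes: inner}})
}

// UPNFromCert returns the UPN otherName from the certificate's SAN extension.
func UPNFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) { continue }
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil { return "", err }
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 { continue } // not an otherName
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil { return "", err }
			if on.TypeID.Equal(oidUPN) { return on.Value, nil }
		}
	}
	return "", fmt.Errorf("no UPN otherName in SubjectAltName")
}

// NewTestCA is a throwaway stand-in for the enterprise CA (constructed for this example).
func NewTestCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Enterprise CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLogonCert models the enrollment step: the CA signs a certificate for upn that is valid only for lifetime.
func IssueLogonCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, upn string, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	san, err := upnSAN(upn)
	if err != nil { return nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: upn},
		NotBefore: now, NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: san}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// ValidateLogonCert is the relying-party check: chain to the CA, UPN equal to the authenticated user, lifetime within policy.
func ValidateLogonCert(cert, ca *x509.Certificate, expectedUPN string, now time.Time, maxLifetime time.Duration) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return fmt.Errorf("chain: %w", err) }
	upn, err := UPNFromCert(cert)
	if err != nil { return err }
	if upn != expectedUPN { return fmt.Errorf("UPN mismatch: certificate %q, session %q", upn, expectedUPN) }
	if life := cert.NotAfter.Sub(cert.NotBefore); life > maxLifetime {
		return fmt.Errorf("lifetime %v exceeds policy maximum %v", life, maxLifetime)
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	ca, caKey, _ := NewTestCA(now)
	cert, _ := IssueLogonCert(ca, caKey, "user@example.com", now, 5*time.Minute)
	fmt.Println("check:", ValidateLogonCert(cert, ca, "user@example.com", now, 15*time.Minute)) // <nil>
}
```

ValidateLogonCert rejects a certificate that does not chain to the enterprise CA, whose UPN differs from the user the SAML assertion authenticated, or whose validity window is longer than the policy maximum; the last check is what makes "short-lived" an enforced property rather than an assumption about the CA template.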
For True SSO to function, several components must be installed and configured within the environment. The enrollment server is responsible for receiving certificate signing requests (CSRs) from the Connection Server. The enrollment server then passes the CSRs to the Microsoft Certificate Authority to sign using the relevant certificate template. The enrollment server is a lightweight service that can be installed on a dedicated Windows Server 2016 instance, or it can co-exist with the Microsoft Certificate Authority service. It cannot be co-located on a Connection Server.