• Separates authentication (validating a users identity) from access (such as to a specific Windows desktop or application).
• Provides enhanced security. User credentials are secured by a digital certificate. No passwords are vaulted or transferred within the data center.
• Supports a wide range of authentication methods. Selecting or changing authentication protocols has a limited impact on the infrastructure of the enterprise.

1. User authenticates to VMware Identity Manager using an extensive set of authentication methods (RSA SecurID, RADIUS, Biometric, etc). After authentication the user selects a desktop or application to launch.
2. Horizon Client is launched with the user's identity and credentials are directed to the Connection Server.
3. The connection server validates the user's identity with Identity Manager by sending a SAML assertion.
4. Using the certificate enrollment service, Horizon 7 requests the Microsoft Certificate Authority (CA) generate a temporary, short-lived certificate on behalf of that user.
5. Horizon 7 presents the certificate to the Windows operating system.
6. Windows validates the authenticity of the certificate with Active Directory.
7. The user is logged in to the Windows desktop or application, and a remote session is initiated on the Horizon Client.

For True SSO to function, several components must be installed and configured within the environment.  The enrollment server is responsible for receiving certificate signing requests (CSR) from the Connection Server. The enrollment server then passes the CSRs to the Microsoft Certificate Authority to sign using the relevant certificate template. The Enrollment Server is a lightweight service that can be installed on a dedicated Windows Server 2016 instance, or it can co-exist with the MS Certificate Authority service. It cannot be co-located on a Connection Server.