Configure SAML Authentication
Workspace ONE provides users with the ability to run Horizon applications and desktops from a user portal. Identity Manager provides single sign-on to these applications and desktops by sending SAML assertions to VMware Horizon.
In this section, you will configure SAML authentication in Horizon.
Note - This process must be completed using Horizon View Administrator.
Authenticate to the Horizon View Administrator Console
- From the Desktop of the Main Console, double-click Google Chrome
Note - If you still have Chrome running, simply open a new tab
Navigate to Horizon Console
- Select Horizon from the bookmarks bar
- Select Horizon-02-NewAdminConsole
Modify URL for Horizon Administrator
- Highlight and delete the portion of the URL: newadmin/#/login
- Replace the text with: admin and press Enter
Configuring SAML authentication is one of just a few tasks where using the legacy, Flex-based Horizon Administrator is recommended.
Log In to Horizon View Administrator
- User name: administrator
- Password: VMware1!
- Verify Domain: CORP
- Select Log In
Configure SAML Authentication on Horizon Connection Server
To launch remote desktops and applications from VMware Identity Manager or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in Horizon Administrator.
A SAML authenticator contains the trust and metadata exchange between Horizon 7 and the device to which clients connect.
You associate a SAML authenticator with a Connection Server instance. If your deployment includes more than one Connection Server instance, you must associate the SAML authenticator with each instance.
Edit Horizon Connection Server
- Expand View Configuration and select Servers
- Select Connection Servers
- Select HORIZON-02
- Select Edit...
- Select Authentication
Workspace ONE mode
- Review the options on the Authentication page.
Note that there are options to configure Workspace ONE mode.
Workspace ONE, or VMware Identity Manager (vIDM), administrators can configure access policies to restrict access to entitled desktops and applications in Horizon 7. To enforce policies created in vIDM, you put Horizon Client into Workspace ONE mode so that Horizon Client redirects the user to the Workspace ONE client to launch entitlements. When you log in to Horizon Client, the access policy directs you to log in through Workspace ONE to access your published desktops and applications.
To enable and use this feature, Delegation of authentication to VMware Horizon must be set to Required.
Workspace ONE mode will not be used in this lab.
- Click the drop-down menu
- Select Allowed
Manage SAML Authenticator
- Select Manage SAML Authenticators...
Add SAML Authenticator
- Select Add
SAML Authenticator Form
- Label = vIDM
- Left-click in the middle of the text YOUR SAML AUTHENTICATOR NAME
Only the portion of the Metadata URL that needs to be modified will be highlighted.
- Enter vidm-01.corp.local
Be careful not to modify the rest of the Metadata URL.
- Select OK
- Select OK
Authenticator Status - Enabled
- Once the Authenticator is ready, select OK
Complete SAML Authenticator
- Select OK to close the Edit Connection Server Settings window
SAML Configuration Complete
You have successfully configured your Horizon 7 Connection Server for SAML authentication.
Leave Chrome running as you will use it in the next lesson.