Configure SAML Authentication
Workspace ONE lets users run Horizon applications and desktops from a user portal. Workspace ONE Access (WS1 Access) provides single sign-on to these applications and desktops by sending SAML assertions to VMware Horizon.
In this section, you will configure SAML authentication in Horizon.
Configure SAML Authentication on Horizon Connection Server
To launch remote desktops and applications from Workspace ONE Access or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in Horizon.
A SAML authenticator contains the trust and metadata exchange between Horizon and the device to which clients connect.
You associate a SAML authenticator with a Connection Server instance. If your deployment includes more than one Connection Server instance, you must associate the SAML authenticator with each instance.
Edit Horizon Connection Server
- Expand Settings and select Servers
- Select Connection Servers
- Select HORIZON-02
- Select Edit...
- Select Authentication
Workspace ONE mode
- Review the options on the Authentication page.
Note that there are options to configure Workspace ONE mode.
Workspace ONE Access administrators can configure access policies to restrict access to entitled desktops and applications in Horizon. To enforce policies created in WS1 Access, you put Horizon Client into Workspace ONE mode so that Horizon Client sends the user to the Workspace ONE client to launch entitlements. When you log in to Horizon Client, the access policy directs you to log in through Workspace ONE to access your published desktops and applications.
To enable and use this feature, Delegation of authentication to VMware Horizon must be set to Required.
Workspace ONE mode will not be used in this lab.
- Click the drop-down menu
- Select Allowed
Manage SAML Authenticator
- Select Manage SAML Authenticators
Add SAML Authenticator
- Select Add
SAML Authenticator Form
- Label = WS1Access
- In the Metadata URL, select the text <YOUR SAML AUTHENTICATOR NAME>, making sure the selection includes the < and > characters.
- Enter vidm-01.corp.local
Be careful not to modify the rest of the Metadata URL.
- Click OK
Authenticator Status - Enabled
- Once the Authenticator is ready, click OK
Complete SAML Authenticator
- Click OK to close the Edit Connection Server Settings window
SAML Configuration Complete
You have successfully configured your Horizon Connection Server for SAML authentication.
Leave Chrome running as you will use it in the next lesson.