True SSO Configuration
When True SSO is enabled in Horizon, users do not require a password to log into their Windows desktops. However, if users are logged into VMware Identity Manager using a non-password authentication method such as SecurID, when they launch their Windows desktops, they are prompted for a password. You can enable True SSO to prevent a password dialog box from being shown to users.
True SSO and SSO
Many user authentication options are available for logging in to VMware Workspace ONE Access. Active Directory credentials are only one of these many authentication options. Ordinarily, using anything other than AD credentials would prevent a user from being able to single-sign-on to a Horizon virtual desktop or published application. After selecting the desktop or published app from the catalog, the user would be prompted to authenticate again, this time with AD credentials.
True SSO provides users with SSO to Horizon desktops and applications regardless of the authentication mechanism used. True SSO uses SAML, where Workspace ONE is the Identity Provider and the Horizon server is the Service Provider. True SSO generates unique, short-lived certificates to manage the login process.
High Level Configuration for True SSO
The high-level steps are listed below, but we will not perform them in this lab; they have already been completed for us to save time.
- Configure Horizon and VMware Identity Manager Integration.
- Install and configure Microsoft Certificate Authority service.
- Set up a certificate template for use with True SSO.
- Install and configure the enrollment servers (install the enrollment server software on each one).
- Export the Horizon Connection Server certificate and import it on the enrollment server.
- Run the following commands on the Connection Server (Horizon-01):
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --environment --add --enrollmentServer truesso-01.corp.local
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --environment --list --enrollmentServer truesso-01.corp.local --domain corp.local
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --create --connector --domain corp.local --template TrueSSOHOL --primaryEnrollmentServer truesso-01.corp.local --certificateServer controlcenter-ca --mode enabled
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --list --authenticator
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --authenticator --edit --name vidm-01 --truessoMode enabled
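As an added example (not part of the lab guide and not VMware's own tooling), the following PowerShell script runs the same five vdmUtil steps in order on the Connection Server, prompts for the administrator password instead of embedding it in the command line, and stops at the first step that fails. It assumes vdmUtil.exe is at its default Horizon install path and reuses the lab's domain, enrollment server, template, CA and authenticator names; adjust those values for your environment.

```powershell
# Added example: wraps the True SSO vdmUtil sequence from this lab guide.
# Assumptions: vdmUtil.exe at the default Horizon Connection Server install path;
# the domain, enrollment server, template, CA and authenticator names are the lab values.
# Run from an elevated PowerShell session on the Connection Server (Horizon-01).

$VdmUtil = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmUtil.exe'  # assumed default path

$AuthUser          = 'administrator'
$AuthDomain        = 'CORP'
$Domain            = 'corp.local'
$EnrollmentServer  = 'truesso-01.corp.local'
$Template          = 'TrueSSOHOL'
$CertificateServer = 'controlcenter-ca'
$Authenticator     = 'vidm-01'

if (-not (Test-Path $VdmUtil)) { throw "vdmUtil not found at $VdmUtil" }

# Prompt for the password so it is not stored in the script or shell history.
$secure = Read-Host -Prompt "Password for $AuthDomain\$AuthUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $AuthPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Common authentication arguments shared by every vdmUtil call.
$authArgs = @('--authAs', $AuthUser, '--authDomain', $AuthDomain, '--authPassword', $AuthPassword)

function Invoke-VdmUtil {
    param([string]$Description, [string[]]$Arguments)
    Write-Host "==> $Description"
    # Echo the command with the password masked so a transcript never records it.
    $shown = ($authArgs + $Arguments) | ForEach-Object { if ($_ -eq $AuthPassword) { '********' } else { $_ } }
    Write-Host "    vdmUtil $($shown -join ' ')"
    & $VdmUtil @authArgs @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "vdmUtil failed (exit code $LASTEXITCODE) during: $Description"
    }
}

# Step 1: register the enrollment server with the Connection Server.
Invoke-VdmUtil 'Add enrollment server' @(
    '--truesso', '--environment', '--add', '--enrollmentServer', $EnrollmentServer)

# Step 2: list what the enrollment server can see for the domain (CAs, templates)
# before creating a connector, so a wrong CA or template name is caught early.
Invoke-VdmUtil 'List enrollment server environment' @(
    '--truesso', '--environment', '--list', '--enrollmentServer', $EnrollmentServer, '--domain', $Domain)

# Step 3: create the True SSO connector for the domain and enable it.
Invoke-VdmUtil 'Create True SSO connector' @(
    '--truesso', '--create', '--connector', '--domain', $Domain, '--template', $Template,
    '--primaryEnrollmentServer', $EnrollmentServer, '--certificateServer', $CertificateServer,
    '--mode', 'enabled')

# Step 4: list the SAML authenticators to confirm the Workspace ONE Access one exists.
Invoke-VdmUtil 'List SAML authenticators' @('--truesso', '--list', '--authenticator')

# Step 5: turn True SSO on for that authenticator.
Invoke-VdmUtil 'Enable True SSO on authenticator' @(
    '--truesso', '--authenticator', '--edit', '--name', $Authenticator, '--truessoMode', 'enabled')

# Drop the clear-text password from the session once the sequence is done.
Remove-Variable AuthPassword, authArgs
```

The two list steps are kept between the configuration steps on purpose: the environment listing shows whether the enrollment server can reach the CA and sees the template before the connector is created, and the authenticator listing confirms the authenticator name before it is edited. Because vdmUtil takes the password as a command-line argument, it is still visible in the process's argument list while each call runs, so run the script interactively on the Connection Server rather than from a scheduled or remote job.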
Note: These steps have already been completed in this lab. The next step is to turn on True SSO in Workspace ONE Access under Virtual Apps. We will then set up another authentication source (RADIUS), log in to vIDM with our RADIUS credentials, and launch an application with no password prompt.
For more information on how to install and configure True SSO, see Setting Up True SSO.