
Mastering SAML Authenticators in VMware Horizon: A Step-by-Step Guide


Ramesh V


In the realm of virtual desktop infrastructure (VDI), security and seamless user experience are paramount. VMware Horizon, a leading VDI solution, offers robust security features, including the use of SAML (Security Assertion Markup Language) authenticators for secure authentication and single sign-on (SSO) capabilities. This blog post will guide you through the process of configuring SAML authenticators in VMware Horizon, ensuring that your users can securely access their virtual desktops and applications.

Understanding SAML Authenticators

SAML is an XML-based standard for exchanging authentication and authorisation data between an identity provider (IdP) and a service provider (SP). In the context of VMware Horizon, SAML authenticators facilitate the trust and metadata exchange between Horizon and an external IdP, such as VMware Workspace ONE Access or a third-party device. This allows for SSO, where users can authenticate once and gain access to their virtual resources without re-entering their credentials.

Configuring SAML Authenticators in Horizon Console

To configure SAML authenticators in VMware Horizon, follow these steps:

  1. Navigate to Settings > Servers: In the Horizon Console, go to the Settings menu and select Servers.

  2. Select a Connection Server Instance: On the Connection Servers tab, choose a server instance to associate with the SAML authenticator and click Edit.

  3. Enable SAML Authentication: On the Authentication tab, select Allowed or Required from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu to enable SAML authentication.

  4. Manage SAML Authenticators: Click Manage SAML Authenticators and then Add to create a new SAML authenticator.

  5. Configure the SAML Authenticator: In the Add SAML 2.0 Authenticator dialog box, configure the authenticator with the appropriate settings:

    • Type: Choose Static for Unified Access Gateway or third-party devices, or Dynamic for VMware Workspace ONE Access.

    • Label: Assign a unique name to identify the SAML authenticator.

    • Description: Optionally, provide a brief description of the SAML authenticator.

    • Metadata URL: Specify the URL for retrieving SAML information.

    • Administration URL: Provide the URL for accessing the administration console of the IdP.

  6. Save the Configuration: Click OK to save the SAML authenticator configuration.

  7. Verify the Configuration: In the System Health section of the Horizon Console dashboard, verify that the newly created authenticator is listed and its health status is green, indicating a successful configuration.

Prerequisites and Considerations

Before configuring SAML authenticators, ensure the following prerequisites are met:

  • Verify that the IdP (e.g., VMware Workspace ONE Access) is installed and configured.

  • Install the root certificate for the signing CA of the SAML server certificate on the Connection Server host.

  • Note the FQDN or IP address of the IdP server.

Additionally, consider the following:

  • Each Connection Server instance can have different SAML authentication settings based on your requirements.

  • You can associate a SAML authenticator with multiple Connection Server instances in a multi-server deployment.

  • The entity-ID of each SAML authenticator configured on a Connection Server must be unique.

Extending the Expiration Period for Service Provider Metadata

To prevent remote sessions from being terminated after 24 hours, extend the expiration period for the Connection Server metadata. With a longer expiration period, the Connection Server keeps accepting SAML assertions from the authenticator for longer, and the metadata exchange has to be repeated less often.

Troubleshooting SAML Authenticators

If the health status of an authenticator is red, it may indicate issues such as an untrusted certificate, an unavailable IdP service, or an invalid metadata URL. You can attempt to verify and accept the certificate if it is untrusted.
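A pre-flight check on the document behind each Metadata URL, covering the entity-ID uniqueness rule above and the invalid-metadata case, plus the standard SAML `validUntil` attribute. This is an added example, not VMware code or part of the original post; the function names, labels, `example.test` URLs and the 24-hour warning window are assumptions, and the sample metadata is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

def inspect_metadata(xml_text, now, min_remaining=timedelta(hours=24)):
    """Return (entity_id, problems) for one SAML metadata document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None, ["DTD or entity declaration present, refusing to parse"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. the URL returned a non-XML error page
        return None, [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return None, ["root element is not md:EntityDescriptor"]
    entity_id, problems = root.get("entityID"), []
    if not entity_id:
        problems.append("missing entityID")
    valid_until = root.get("validUntil")  # optional attribute in SAML metadata
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires.tzinfo is None:  # treat a zone-less timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"metadata expired at {valid_until}")
        elif expires - now < min_remaining:
            problems.append(f"metadata expires at {valid_until}, within {min_remaining}")
    return entity_id, problems

def preflight(documents, now):  # label -> problems, flags reused entityIDs
    report, seen = {}, {}
    for label, xml_text in documents.items():
        entity_id, problems = inspect_metadata(xml_text, now)
        if entity_id and entity_id in seen:
            problems.append(f"entityID already used by '{seen[entity_id]}'")
        elif entity_id:
            seen[entity_id] = label
        report[label] = problems
    return report

def sample_doc(entity_id, valid_until):  # builds constructed sample metadata
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{entity_id}" '
            f'validUntil="{valid_until}"><md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>')

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the samples
SAMPLES = {"uag-static": sample_doc("https://uag.example.test/saml", "2026-01-01T00:00:00Z"),
           "idp-copy": sample_doc("https://uag.example.test/saml", "2026-01-01T00:00:00Z"),
           "idp-stale": sample_doc("https://idp.example.test/saml", "2024-12-31T00:00:00Z")}
```

Calling `preflight(SAMPLES, NOW)` returns an empty problem list for `uag-static`, a reused-entityID finding for `idp-copy`, and an expiry finding for `idp-stale`.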

Conclusion

Configuring SAML authenticators in VMware Horizon is a critical step in enhancing the security and user experience of your VDI environment. By following the step-by-step guide provided in this blog post, you can effectively set up SAML authenticators, enabling SSO and ensuring that your users can securely access their virtual desktops and applications with ease. Remember to refer to the official VMware documentation for the most up-to-date information and best practices.
