VMware Horizon authentication using AzureAD (with multifactor)

This is part of a series of post for setting up VMware Horizon authentication using AzureAD.

SAML setup

In the next part, we will set up the SAML authentication. This consists of 3 steps: First, we need to create the SAML application on Azure, then we will configure the UAG to use that SAML application for authentication, and finally, we need to configure Horizon to accept that SAML authentication.

Azure AD SAML setup

Open your Microsoft 365 Admin center and go to the Azure Active Directory admin center: https://aad.portal.azure.com/

Go to Enterprise applications and create a new application. If you don’t see “Enterprise applications” check under “All services”.

In the “Browser Azure AD Gallery” type “Horizon” in the search box and select “VMware Horizon – Unified Access Gateway” from the results.

Optionally change the name of this application and click “Create” at the bottom of the page.

After a few seconds, you should get a popup showing the application was added successfully

Next, we need to assign users that have access to this application. Here you’ll have to give all users access who will log in using Azure AD authentication.

Click on the overview on “1. Assign users and groups” or go to “Users and groups” in the left column

Click “Add user/group”

Click “None selected”

Search the users/groups you want to add in the search box and select each of those you want to add.

When done, click “Select” at the bottom of the page.

Back at the Assignment page, it warns you that only users directly in the group will have access, so nested groups are not supported! If everything is correct, click “Assign” at the bottom of the page.

Next, go to “Single sign-on” in the left column and choose “SAML”

On the SAML-based Sign-on page, click “Edit” on the first step

For the Identifier (Entity ID) click “Add identifier”

Enter the URL of your Unified Access Gateway preseeded by “https://” and appended by “/portal”: e.g. https://horizon.myuag.com/portal

Next, add a Reply URL. This is the same URL as above, but appended with “/samlsso”: e.g. https://horizon.myuag.com/portal/samlsso

To finish, click the SAVE button at the top of the page. When it’s done saving, close the overlay screen by clicking the cross in the upper right corner

If you get the question to test the SAML configuration, say “No, I’ll test later”

Back on the SAML-based Sign-on page, check if the URLs in step 1 are correct. Next, go to step 3 and click the download link next to “Federation Metadata XML”

Save this XML on your computer. We will need it later on.

Unified Access Gateway SAML setup

Now, open the admin interface of the Unified Access Gateway you will use to set up for Azure Authentication. If you have multiple UAGs remember to do the following steps on all of them. If you want to test Azure authentication first without changing your current settings, you can deploy a new UAG, connect it to an existing Horizon Connection server, and set up this UAG for Azure authentication.

Scroll down to “Identity Bridging Settings” and click on the settings icon next to “Upload Identity Provider Metadata

Don’t enter anything in the Entity ID field, it will be retrieved from the XML file we downloaded before. Just click “select” next to IDP Metadata and choose the XML file we downloaded from the Azure portal and click Save

Next, go to the Edge Service Settings and click on the Horizon Settings icon.

Click “More” to show additional settings.

For “Auth Methods” choose “SAML”

A new option will appear under “Auth Methods”, called “Identity Provider”. In this list, select the sts.windows.net entry. This entry was added by uploading the Metadata XML on the UAG.

Next, save the configuration.

That’s it for the SAML configuration on the UAG.

VMware Horizon SAML setup

The last step is to configure Horizon to allow this SAML authentication from Azure. Open the Horizon Admin console and go to Servers – Connection servers. Select a connection server and click Edit.

Go to the Authentication tab and set Delegation of authentication to VMware Horizon…” to “Allowed”

Next, click the “Manage SAML Authenticators” button and click “Add” to add a new SAML authenticator.

Choose type Static and enter a label and optional description for the SAML Authenticator. In the SAML Metadata, you copy the contents of the XML file we downloaded earlier from the Azure portal. Make sure the selection box “Enabled for Connection server” is selected.

Click OK on the “Edit Connection Server settings page” to close the settings page.

If you have multiple connection servers, edit each one of them. You won’t need to add the SAML Authenticator again for the other ones, but you do have to enable that connector for this connection server. So if you click on “SAML Authenticators” you will already see the authenticator, but it will be disabled for all other connection servers. Select the newly created authenticator, click Edit and enable the checkbox at the bottom