Introducing True SSO (Single Sign-On) in VMware Horizon 7
When you buy an app or music using your smartphone, you know how all it takes is your thumbprint, and you are done? What would it take for authentication to work that smoothly at work? A few weeks back we introduced the digital workspace—a completely new way of thinking about workspace services delivery. Workspace ONE unifies mobile, desktop, and applications with pervasive security and a dramatically better experience for the end user.
The core concept behind the digital workspace is the convergence of an enterprise-grade platform with a richer, simpler, consumer-like experience. When logging in to various applications at work, users traditionally have found themselves having a much less pleasant experience than they are used to in their personal, mobile, consumer life. If you have ever struggled with RSA tokens and strong passwords, you know this firsthand.
Now consider this same dilemma in a work setting—for example, clinicians at a healthcare campus. They might roam the facility and often badge-tap with a smart card to get into their workspace. If that workspace is a virtual desktop, they are prompted again, this time for their Active Directory (AD) credentials. Now the clinician, who is already running behind on patient visits, has to find those details and enter them. This process is inefficient, cumbersome, and error-prone, and can lead to compromising those credentials. In this example, the clinician would love to access their workspace in one simple motion.
We have been working very hard on simplifying the experience, and are now delighted to bring True SSO to market! True SSO is a new feature in Horizon 7 which integrates with VMware Identity Manager. With True SSO, the login experience is free of the requirement for complex AD credentials.
In Part 1 of this blog series, we introduce the feature. In later parts, we will walk through setting up True SSO in a lab environment, and then beyond, including setting up a production environment, supporting multiple domains and trusts, and troubleshooting deployments.
Overview of True SSO
True SSO provides a way to authenticate to Microsoft Windows, retaining all of the users’ normal domain privileges, without requiring them to provide AD credentials! True SSO is a VMware Horizon technology that integrates VMware Identity Manager 2.6 with Horizon 7. VMware Identity Manager Standard is included in VMware Horizon 7 Advanced and Enterprise Editions.
With True SSO, a user can log into Identity Manager using any non-AD method (for example, RSA SecurID credentials) and once authenticated, the user is able to launch any entitled desktop or app (hosted from any domain) without ever being prompted for a password again!
True SSO uses SAML (Security Assertion Markup Language) to send the User Principal Name (for example, email@example.com) to the identity provider’s authentication system to access AD credentials. Horizon 7 then generates a unique, short-lived certificate for the Windows login process.
Benefits of True SSO
- Separates authentication (validating a user’s identity) from access (such as to a specific Windows desktop or application).
- Provides enhanced security. User credentials are secured by a digital certificate. No passwords are vaulted or transferred within the data center.
- Supports a wide range of authentication methods. Selecting or changing authentication protocols has a limited impact on the infrastructure of the enterprise.
How True SSO Works
Figure 1: The True SSO Authentication Process
Figure 1 shows the flow of data in True SSO:
- A user authenticates to VMware Identify Manager. The administrator can select from an extensive set of authentication methods (RSA SecurID, RADIUS, Biometric, and so on). After authentication, the user selects a desktop or application to launch from VMware Identity Manager.
- Horizon Client is launched with the user’s identity, and credentials are directed to the View Connection Server, the broker for Horizon 7.
- The broker validates the user’s identify with Identify Manager by sending a SAML assertion.
- Using the certificate Enrollment Service, Horizon 7 requests that the Microsoft Certificate Authority (CA) generate a temporary, short-lived certificate on behalf of that user.
- Horizon 7 presents the certificate to the Windows operating system.
- Windows validates the authenticity of the certificate with Active Directory.
- The user is logged in to the Windows desktop or application, and a remote session is initiated on the Horizon Client.
True SSO does not rely on password vaulting, which risks compromising the credentials or having them become out of date, for example, with password changes. All authentication and access to enterprise assets are provided by digitally signed credentials and certificates.
Supported Authentication Methods for Identity Manager
Identity Manager supports the following authentication methods in conjunction with True SSO:
- RSA SecurID
- RADIUS authentication
- RSA Adaptive Authentication
- Standards-based third-party identity providers
Identity Manager also supports integration with third-party identity providers to federate authentication across the enterprise.
Of course, Identity Manager also supports user name and password credentials as well as smart card logins, but for either of these, True SSO is not needed.
True SSO requires a Horizon 7 environment, which includes the View Connection Server and Horizon Agent, as well as a new service called the Enrollment Service. The Enrollment Service can run on Windows Server 2008 R2 or Windows Server 2012 R2 (4 GB RAM is sufficient).
In addition, a Microsoft CA is required. The CA can run on Windows Server 2008 R2 or Windows Server 2012 R2.
For high availability (HA), VMware recommends a minimum of 2 certificate authorities and 2 Enrollment Servers. In an upcoming blog post in this series, we will discuss the various approaches to dealing with HA.
Desktop OS Support
True SSO is supported on all Windows guest operating systems that are supported for Horizon 7 desktops, from Windows 7 to Windows 10, along with Windows Server 2008 R2 and Windows Server 2012 R2. In addition, True SSO is supported on desktops and apps provided by Microsoft Remote Desktop Session Hosts running Windows Server 2008 R2 or Windows Server 2012 R2.
True SSO is supported with all display protocols, including Blast Extreme and HTML Access.
True SSO allows users to authenticate with Identity Manager using non-AD credentials and then single sign-on to the desktop or remoted application without providing any further credentials. True SSO delivers a fast, secure, streamlined experience for the end user.
Check back soon for part 2 of this blog series, when we discuss how to get started with a very simple test deployment in a lab environment.