VMware True Single Sign-On with VMware Horizon Cloud Service on IBM Cloud

Aug 8, 2019
Shrestha Upendra


Shrestha Upendra is part of the EUC Business unit as Sr. architect for EUC Field Engineering at VMware. He is the lead for Field Engineering for all of APJ. His primary focus is VMware Horizon services hosted on cloud (VMC, SoftLayer and Azure), Workspace ONE and Horizon Enterprise.

Share This Post On

In this blog post, I will focus on differentiating users’ login experience with and without True SSO, logical work-flow of True SSO and install/integration of True SSO with VMware Horizon Cloud on IBM Cloud.

True Single Sign-on (True SSO) Overview

True SSO is a Horizon component with built-in integration to VMware Workspace ONE, which eliminates the requirement of entering an Active Directory (AD) password more than once while the end user accesses their entitled desktops and published applications.

Users can log in to Workspace ONE using non-AD authentication with RSA SecurID, Radius authentication or any means of non-AD mechanisms, and from the Workspace ONE user portal, they are able to launch entitled desktops and applications without being prompted for their AD password.

Users’ Login Scenario with and without True SSO

True SSO

Prerequisites for True SSO

Below are the minimum requirements to utilize the True SSO feature.

  • Horizon 7.0 or later, Horizon Cloud Service on IBM Cloud 17.2 or later
  • VMware Workspace ONE 2.6 or later
  • Enterprise Certificate Authority
  • Horizon Enrollment Server
  • Horizon Client 4.0 or later

You must have at least one certificate authority (CA) and one enrollment server (ES). However, VMware recommends having two CAs and two ESs deployed to use True SSO. CA and ES communicate to create the short-lived Horizon virtual certificate that enables a password-free Windows logon. This feature can be enabled in Horizon 7 on-premises, Horizon 7 on VMware Cloud (VMC) on AWS, Horizon Cloud on IBM Cloud and Horizon Cloud on Microsoft Azure.

Note: Visit VMware Product Compatibility Guide for the detail of compatibility information.


VMware True SSO allows users to authenticate Workspace ONE using non-AD authentication and single sign-on to the desktop and application. It generates a short-live certificate which bypasses the requirement of AD password for Windows logon. As per the above video, users are able to launch desktops without being prompted for AD passwords while the True SSO feature is enabled in Workspace ONE. After the feature is disabled, users are prompted for their AD password while launching their desktop. This is the key benefit of True SSO in a Workspace ONE integrated Horizon environment.

Hopefully this blog helps you to better understand how the user login experience is different with and without the True SSO feature in a Workspace ONE integrated Horizon environment.

I would like to thank Stephane Asselin, VMware EUC Field Engineering, for his input on this blog.

468 ad