

Using the SAML Protocol to Integrate a Web Application with VMware Horizon Workspace

By Gerald Cheong, contractor, End-User Computing Solutions Management, VMware, and

Manrat Chobchuen, Solutions Architect, End-User Computing Solutions Management, VMware

Overview

One of the challenges in enterprise application management is the large number of applications that the average enterprise user needs to access. Single sign-on (SSO) is an effective way to make access more convenient for the user and at the same time more secure for the enterprise.

Some SSO solutions are based on integrated Active Directory (AD) on the corporate intranet. One big drawback of this approach is that it restricts the Web application to the corporate intranet. This results in a lack of flexibility in deployment options as well as certain security compromises.

VMware Horizon Workspace uses the Security Assertion Markup Language (SAML) 2.0 standard to support SSO. This support allows more flexibility and better security than an integrated AD solution. This article describes SAML concepts and shows how to set up a sample Web application in Horizon Workspace with SAML, so you can see SSO in action. It also discusses the considerations and integration points for a Web application to support SAML 2.0 integration with Horizon Workspace.

[Diagram: VMware Horizon Workspace application integration]

This diagram describes the roles involved in the basic SAML flow described in this article. Three major components are involved in SAML:

  • The SAML Identity Provider is the system that performs the actual authentication. In this case, Horizon Workspace acts as the Identity Provider.
  • The SAML Service Provider is the system that performs services for the user, for example, a Web application. This system does not perform any authentication. Instead, it relies on the SAML Identity Provider to perform the authentication.
  • The Web browser accesses these providers, as described in the following steps, to complete the authentication process.

The flow steps are:

  1. The browser visits the Identity Provider, in this case, Horizon Workspace. User authentication takes place at this point.
  2. After successful user authentication, the Identity Provider displays in its Web UI a list of Web applications that the authenticated user can access.
  3. The user clicks one of the Web applications on this list.
  4. The Identity Provider creates a SAML response, signs it, and then prepares an HTTP POST on the browser. The Identity Provider can perform this signing process because it possesses the private key for SAML authentication.
  5. The browser performs an HTTP POST to the dispatch URL of the Service Provider.
  6. The Service Provider receives the SAML response at its dispatch URL, via HTTP POST. The Service Provider has the public key for SAML authentication and uses that public key to validate the SAML response. Once the SAML response is validated, the Service Provider grants access to the authenticated user.

The SAML Response may contain a Name ID to uniquely identify the user. It may also contain other attributes from Horizon Workspace.

NOTE: The SAML flow steps in this article reflect one simple possibility for a Web application. Other combinations of steps are also possible but are outside of the scope of this article.
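Step 6 above says only that the Service Provider "validates" the SAML response. The following added example (not code from the sample project) shows the checks a Service Provider should apply after its SAML library has verified the Identity Provider's signature: the status, the Recipient (the dispatch URL), the Audience, the validity window and the presence of a Name ID. The dispatch URL, the SP entity ID and the response XML are constructed for this example.

```php
<?php
// Added example, not code from the sample project: the checks a Service Provider
// should apply to a SAML Response after its library (OneLogin in the sample) has
// verified the Identity Provider's signature. URLs and the XML are constructed.
const SP_ACS_URL   = 'https://sp.example.com/samldispatch.php'; // assumed dispatch URL
const SP_ENTITY_ID = 'https://sp.example.com/saml';             // assumed SP entity ID
function checkSamlResponse(string $xml, int $now): array
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml, LIBXML_NONET)) { return ['valid' => false, 'errors' => ['malformed XML'], 'nameid' => '']; }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $errors = [];
    $status = $xp->evaluate('string(/samlp:Response/samlp:Status/samlp:StatusCode/@Value)');
    if ($status !== 'urn:oasis:names:tc:SAML:2.0:status:Success') { $errors[] = 'status is not Success'; }
    $assertions = $xp->query('/samlp:Response/saml:Assertion');
    if ($assertions->length !== 1) {
        return ['valid' => false, 'errors' => ['expected exactly one Assertion'], 'nameid' => ''];
    }
    $as  = $assertions->item(0);
    $get = fn(string $path): string => $xp->evaluate("string($path)", $as);
    // A bearer assertion must name our dispatch URL as Recipient and this SP as Audience.
    if ($get('saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/@Recipient') !== SP_ACS_URL) {
        $errors[] = 'Recipient is not our dispatch URL';
    }
    if ($get('saml:Conditions/saml:AudienceRestriction/saml:Audience') !== SP_ENTITY_ID) {
        $errors[] = 'Audience is not this Service Provider';
    }
    $notBefore    = strtotime($get('saml:Conditions/@NotBefore'));      // validity window, UTC
    $notOnOrAfter = strtotime($get('saml:Conditions/@NotOnOrAfter'));
    if ($notBefore === false || $notOnOrAfter === false || $now < $notBefore || $now >= $notOnOrAfter) {
        $errors[] = 'assertion outside its validity window';
    }
    $nameid = $get('saml:Subject/saml:NameID');   // the unique user ID used by the Service Provider
    if ($nameid === '') { $errors[] = 'missing NameID'; }
    return ['valid' => $errors === [], 'errors' => $errors, 'nameid' => $nameid];
}
// Constructed, unsigned response; in production it arrives in $_POST['SAMLResponse'].
$xml = <<<XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
      Recipient="https://sp.example.com/samldispatch.php"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2014-03-01T12:00:00Z" NotOnOrAfter="2014-03-01T12:05:00Z"><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>
XML;
print_r(checkSamlResponse($xml, strtotime('2014-03-01T12:00:30Z')));
```

Changing the Recipient, the Audience or the timestamp in the constructed XML makes the function report the corresponding error, which is the behaviour a Service Provider needs so that an assertion issued for another application or another time cannot be replayed against this one.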

Service Provider Considerations

When designing the Service Provider Web application, consider what field to use as the unique ID for each user account. Horizon Workspace can be configured to use different fields as the Name ID.

By default, the Name ID is the user email. The advantage of using this value is simplicity and readability. However, if it is possible for a user account to have a changed user email, then this approach may not be ideal. In particular, an existing user may be treated as a new user if their user email changes.

Another field that can be used as the Name ID is the ExternalId. This ID is less readable but globally unique.

Another consideration is the user account provisioning process. A Service Provider Web application may need to store the information about a user account. In our sample application, the number of times the user has logged in (logincount) is stored. More sophisticated applications may store other information about the user.

For the Web application to provision a user account, the Web application developer can take different approaches based on requirements, for example:

  • Self-provisioning: The Web application can automatically provision a new account for any valid incoming SAML response. Our sample Web application uses this approach.
  • Approval required: For users not explicitly provisioned, the Web application may deny access for incoming SAML responses, even if such responses are valid. In this case, the Web application can have separate administrative functionality to explicitly approve and provision each new user.

Sample Code and Configuration

This section describes where to download the code for the provided sample Web application and how to configure the code as a Web application inside Horizon Workspace. You can download the sample project from

https://github.com/eucmobileproject/horizonphpsamldemo

See the README file for steps to configure the Web application.

Once the Service Provider Web application is set up, you can configure Horizon Workspace to access it. Simply add a new Web application. The screenshot below shows the options available:

[Screenshot: VMware Horizon Workspace, options for adding a Web application]

Specifically, to configure Horizon Workspace to work with our sample application:

  1. Select Configure Via > Manual configuration.
  2. Insert the SAML dispatch URL into both the Assertion Consumer and Recipient Name fields.
  3. Choose a Name ID Value. The default value is ${user.Email}.

To validate this configuration, log in as an entitled user, then click the demo Web application (SAML Demo) to access it.

[Screenshot: Horizon Workspace with the Web application integrated]

User Account Provisioning Integration

In our sample Web application, a PHP file named samldispatch.php handles incoming SAML responses. The self-provisioning of user accounts goes through the following steps, as illustrated by the source code:

1. The SAML Response is sent to the Web application by Horizon Workspace, using an HTTP POST.

2. The Web application processes this response by creating a SAML 2.0 Response object using the POST data:

$samlResponse = new OneLogin_Saml_Response($settings, $_POST['SAMLResponse']);

3. The Web application determines if the SAML response is valid before proceeding:

if ($samlIsValid) {   . . .   }

4. When there is a valid response, the Web application may also extract attributes out of this SAML response:

if (!empty($attributes)) {
    foreach ($attributes as $attributeName => $attributeValues) {
        foreach ($attributeValues as $attributeValue) { . . . }
    }
}

5. The Web application determines whether this user has logged into the Web application before.

NOTE: This logic is application dependent. For our particular example, a SQL table named accounts is maintained to keep track of such user account information:

$sth = $dbh->prepare("SELECT * FROM accounts WHERE nameid = :nameid");
$sth->execute($selectdata);
if ($result = $sth->fetch(PDO::FETCH_ASSOC)) { . . . }

6. If the user account has not been provisioned, self-provisioning is performed by the Web application.

NOTE: The logic for self-provisioning is application dependent. For our particular example, the user provisioning is performed by inserting a new row into the SQL table named accounts:

$insertsth = $dbh->prepare("INSERT INTO accounts (nameid, externalid, principalname, logincount) VALUES (:nameid, :externalid, :principalname, :logincount)");
$insertsth->execute($data);
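The following added example (not the sample project's code) carries steps 5 and 6 through as one function, together with the two provisioning policies from the Service Provider Considerations section: self-provisioning, and denying users who have not been approved. It also increments the logincount that the accounts table stores. The column names follow the page; the database is an in-memory SQLite instance and the user values are constructed so the script runs stand-alone.

```php
<?php
// Added example, not the sample project's code: select-then-insert provisioning
// (steps 5 and 6) plus the logincount update, with an optional "approval required"
// mode. Uses in-memory SQLite; the column names are the page's accounts table.
function openAccountsDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE accounts (nameid TEXT PRIMARY KEY, externalid TEXT,
                principalname TEXT, logincount INTEGER NOT NULL)');
    return $dbh;
}

// Records one validated SSO login. 'provisioned' tells the caller whether this
// login created the account; 'denied' is set when self-provisioning is disabled.
function recordLogin(PDO $dbh, string $nameid, string $externalid,
                     string $principalname, bool $selfProvision = true): array
{
    $dbh->beginTransaction();   // select + insert/update must not race with a second login
    $sth = $dbh->prepare('SELECT * FROM accounts WHERE nameid = :nameid');
    $sth->execute([':nameid' => $nameid]);
    if ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
        // Known user: bump the counter only; stored attributes are left as they are.
        $upd = $dbh->prepare('UPDATE accounts SET logincount = logincount + 1 WHERE nameid = :nameid');
        $upd->execute([':nameid' => $nameid]);
        $dbh->commit();
        return ['provisioned' => false, 'denied' => false, 'logincount' => $row['logincount'] + 1] + $row;
    }
    if (!$selfProvision) {      // "approval required": valid response, but no account yet
        $dbh->rollBack();
        return ['provisioned' => false, 'denied' => true, 'nameid' => $nameid];
    }
    // Unknown user: self-provision, the sample application's approach.
    $ins = $dbh->prepare('INSERT INTO accounts (nameid, externalid, principalname, logincount)
                          VALUES (:nameid, :externalid, :principalname, :logincount)');
    $ins->execute([':nameid' => $nameid, ':externalid' => $externalid,
                   ':principalname' => $principalname, ':logincount' => 1]);
    $dbh->commit();
    return ['provisioned' => true, 'denied' => false, 'nameid' => $nameid,
            'externalid' => $externalid, 'principalname' => $principalname, 'logincount' => 1];
}

$dbh = openAccountsDb();   // constructed users below
recordLogin($dbh, 'alice@example.com', 'ext-0001', 'alice@example.com');           // provisioned
print_r(recordLogin($dbh, 'alice@example.com', 'ext-0001', 'alice@example.com'));  // logincount 2
print_r(recordLogin($dbh, 'bob@example.com', 'ext-0002', 'bob@example.com', false)); // denied
```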

Session Mapping

In most Web applications, it is necessary to keep the user state in a session. However, before a user logs in, there is no session. Therefore, an approach is needed such that when a single sign-on is performed using Horizon Workspace, the Web application session can be created. This section describes the process of mapping a SAML response to the Web application session.

Different Web applications use different strategies to handle sessions. For example, some Web applications use cookies, and others use a combination of cookies and server session states. In our Web application, the PHP SESSION mechanism is used.

More specifically, the mapping happens as follows:

1. The PHP file named samldispatch.php handles incoming SAML responses and checks to see if the response is valid:

if ($samlIsValid) { . . . }

2. After any self-provisioning process or user account update process completes, the dispatch handler code now starts a session:

session_start();

3. Session mapping happens by mapping a SAML response, in particular, the unique ID nameid, into the session as a session variable:

$_SESSION["nameid"] = $nameid;

4. Other SAML attributes may also be mapped into PHP session variables:

$_SESSION["userfirstname"] = $userfirstname;
$_SESSION["userlastname"] = $userlastname;

5. Once the session has been set up, any other PHP pages in this Web application can access it. By redirecting the browser to the entry page of the Web application, the user may now start using the Web application:

header("Location: main.php");
exit;

The sample project also provides a logout link. After the above session mapping, the Web application relies completely on the PHP session mechanism to manage its session. Therefore, logout is simply a matter of destroying the PHP session, for instance:

session_start();

session_destroy();
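The session mapping and logout of this section, as an added example that is not the sample project's code. Beyond the page's lines it regenerates the session ID at login (so a session ID planted in the browser before SSO is not carried into the authenticated session), adds the guard that main.php and other protected pages need, and expires the session cookie on logout rather than only destroying the server-side state. The attribute names firstName and lastName and the Identity Provider URL are assumptions.

```php
<?php
// Added example, not the sample project's code: session mapping after a validated
// SAML response, the guard for protected pages, and a complete logout.
function mapSamlToSession(string $nameid, array $attributes): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);               // new ID; the pre-login session data is discarded
    $_SESSION['nameid']        = $nameid;      // the unique ID from the SAML response
    $_SESSION['userfirstname'] = $attributes['firstName'][0] ?? '';  // attribute names assumed
    $_SESSION['userlastname']  = $attributes['lastName'][0] ?? '';
    $_SESSION['login_time']    = time();
}

// Guard for main.php and every other protected page: send users without a mapped
// session back to the Identity Provider (URL assumed) instead of rendering anything.
function requireLogin(string $idpUrl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['nameid'])) {
        header('Location: ' . $idpUrl);
        exit;
    }
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                            // drop the mapped SAML data in memory
    if (ini_get('session.use_cookies')) {      // expire the cookie in the browser too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                         // remove the server-side session state
}
```

In samldispatch.php the call order is: validate the response, provision or update the account, then mapSamlToSession() and the redirect to main.php; the logout page calls logout() and redirects.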

Conclusion

This article has described the benefits of SAML as a solution for SSO, Horizon Workspace's support of SAML 2.0 as an Identity Provider, and a walk-through of how to set up a custom Service Provider Web application.

The SAML specification and Horizon Workspace provide a rich combination of configuration possibilities. This article uses a basic combination to illustrate the concepts. Different variations are possible.

One significant capability that the integration in this article exhibits is that if Horizon Workspace is used in the private cloud as an Identity Provider, Service Provider Web applications can reside in either the private cloud or the public cloud. This flexibility gives the enterprise multiple benefits: flexible deployment, ability to outsource Web application development without the need to provide internal access, and necessary security isolation, without compromising the convenience of single sign-on.


8 thoughts on “Using the SAML Protocol to Integrate a Web Application with VMware Horizon Workspace”

  1. cork

    Excellent article. I will be dealing with a few of these issues as
    well..

  2. Karim Bouzerda

    Hi,

    We are evaluating, for some of our customers, the use of their own IdP to perform authentication and access to VMware Horizon View.

    We have some questions regarding the support of SAML 2.0.

    1-“The SAML Identity Provider is the system that performs the actual authentication. In this case, Horizon Workspace acts as the Identity Provider”

    Rather than having Horizon Workspace acting as an Identity Provider, could we have an external IdP?

    2- “users who have logged in to Horizon Workspace with Active Directory (AD) credentials can launch Horizon View desktops without having to go through a second login procedure”.

    Is it possible that Horizon Workspace delegates authentication to another IdP?
    Is it possible that Horizon View desktops delegate authentication to another IdP (which is not Horizon Workspace)?
    Is Active Directory required? Is it required to have an account in Active Directory, or is it possible to put in place a Federation?

    Thanks for your help.

    Best Regards.

    Karim

  3. adopteunmec gratuit

    Nice post. I learn something new and challenging on websites
    I stumbleupon every day. It will always be exciting to read through articles from other authors and practice something from their sites.

  4. unasperfecta.com

    fantastic put up, very informative. I ponder
    why the opposite specialists of this sector don’t understand this.

    You must proceed your writing. I’m confident, you have a great readers’ base already!

  5. landscaping services philippines

    The fence should be six feet or higher with boards or panels
    to provide privacy. The scope of a maintenance and repair business is endless and
    includes outdoor painting, plumbing works, roofing works, tress works for garages and railings, insulation works, fencing related works, gardening and landscaping works, and others.
    When you think of grass you generally think of the color green.

  6. paul

    great blog. it was nice reading your blog. it contains valuable knowledge on intranet web application provider .

  7. Rinamax

    Nice Blog. It contained a helpful information on office intranet web application .

  8. continue

    There is certainly a lot to learn about this topic.
    I really like all of the points you have made.

