Unified Access Gateway / VMware Horizon integration into Workspace ONE Access
Overview
- Traditional federation of VMware Horizon with Workspace ONE Access has been a popular approach and is used by many organizations.
- Organizations with high security requirements do not like a SAML Artifact being validated internally.
- In this session we look at the option of validating the SAML Artifact on the Unified Access Gateway instead of forwarding the Artifact internally.
Part 1. Enabling SAML federation with the VMware Unified Access Gateway for Workspace ONE Access as the IDP
The Federation of Unified Access Gateway and VMware Horizon with Workspace ONE Access will be done in three phases
- Phase 1. We enable and configure the SAML federation on 4 VMware Unified Access Gateway servers in a multi-site scenario
- Phase 2. We enable and configure the SAML Integration as a Web App in Workspace ONE Access
- Phase 3. We will create deep links in Workspace ONE Access for our Desktop entitlements
- On your ControlCenter server
  - Open your Workspace ONE Access Admin console URL
  - Under Username, enter Administrator
  - Under Password, enter VMware1!
  - Select Sign In
- In the Web Intelligent Hub Console
  - To the right, select TA
  - From the dropdown, select Workspace ONE Access Console
- In the Workspace ONE Access Console
  - Select Resources
  - Under the Resources > WEB Apps area, select SETTINGS
- In the Settings window
  - Below SaaS Apps, select SAML Metadata
  - In the right pane, below SAML Metadata, right-click Identity Provider (IdP) metadata
  - In the drop-down menu, select Save link as...
  - In the File Explorer Save As window, ensure Downloads is selected under Quick Access (default)
  - At the bottom of the window, select Save
- On your Site 1 Browser profile
  - In the Favourites bar, select the UAG-HZN-01a shortcut
- In the VMware Unified Access Gateway login
  - In the Username area, enter admin
  - In the Password area, enter VMware1!
  - Select Login
- In the VMware Unified Access Gateway admin console
  - Below Configure Manually, click Select
  - Scroll down to Identity Bridging Settings
  - To the right of Upload Identity Provider Metadata, select the GEAR icon
- In the Upload Identity Provider Metadata window
  - Next to Entity ID, enter Workspace ONE Access
  - Next to IDP Metadata, click Select
  - In the File Explorer - Open window, in the Quick Access > Downloads folder (this should be the default), select idp.xml
  - In the bottom right corner, select Open
  - Next to Always force SAML auth, switch the Toggle from OFF to ON
  - Select Save
  - Scroll back up to the top of the UAG admin console
- In the VMware Unified Access Gateway admin console, in the General Settings area
  - Next to Edge Service Settings, turn the TOGGLE from OFF to ON
  - To the right of Horizon Settings, select the GEAR icon
- In the Horizon Settings window
  - Scroll down to the bottom
  - Next to More, select the expand icon
  - Next to Auth Methods, from the dropdown, select SAML
  - Below Auth Methods, next to Identity Provider*, from the dropdown, select Workspace ONE Access
  - Below Identity Provider*, select Download SAML service provider metadata
- In the Download SAML service provider metadata window
  - Next to External Host Name, enter corp.euc-livefire.com
  - Select Download
- In the Horizon Settings window
  - Scroll down to the bottom of the window
  - Select Save
- On your Site 1 Browser profile
  - In the Favourites bar, select the UAG-HZN-01B shortcut
- In the VMware Unified Access Gateway login
  - In the Username area, enter admin
  - In the Password area, enter VMware1!
  - Select Login
- In the VMware Unified Access Gateway admin console
  - Below Configure Manually, click Select
  - Scroll down to Identity Bridging Settings
  - To the right of Upload Identity Provider Metadata, select the GEAR icon
- In the Upload Identity Provider Metadata window
  - Next to Entity ID, enter Workspace ONE Access
  - Next to IDP Metadata, click Select
  - In the File Explorer - Open window, in the Quick Access > Downloads folder (this should be the default), select idp.xml
  - In the bottom right corner, select Open
  - Next to Always force SAML auth, switch the Toggle from OFF to ON
  - Select Save
  - Scroll back up to the top of the UAG admin console
- In the VMware Unified Access Gateway admin console, in the General Settings area
  - Next to Edge Service Settings, turn the TOGGLE from OFF to ON
  - To the right of Horizon Settings, select the GEAR icon
- In the Horizon Settings window
  - Scroll down to the bottom
  - Next to More, select the expand icon
  - Next to Auth Methods, from the dropdown, select SAML
  - Below Auth Methods, next to Identity Provider*, from the dropdown, select Workspace ONE Access
  - Scroll down to the bottom of the window
  - Select Save
- On your ControlCenter server
  - Switch to your Site 2 Browser profile
  - In the Favourites bar, select the UAG-HZN-02a shortcut
- In the VMware Unified Access Gateway login
  - In the Username area, enter admin
  - In the Password area, enter VMware1!
  - Select Login
- In the VMware Unified Access Gateway admin console
  - Below Configure Manually, click Select
  - Scroll down to Identity Bridging Settings
  - To the right of Upload Identity Provider Metadata, select the GEAR icon
- In the Upload Identity Provider Metadata window
  - Next to Entity ID, enter Workspace ONE Access
  - Next to IDP Metadata, click Select
  - In the File Explorer - Open window, in the Quick Access > Downloads folder (this should be the default), select idp.xml
  - In the bottom right corner, select Open
  - Next to Always force SAML auth, switch the Toggle from OFF to ON
  - Select Save
  - Scroll back up to the top of the UAG admin console
- In the VMware Unified Access Gateway admin console, in the General Settings area
  - Next to Edge Service Settings, turn the TOGGLE from OFF to ON
  - To the right of Horizon Settings, select the GEAR icon
- In the Horizon Settings window
  - Scroll down to the bottom
  - Next to More, select the expand icon
  - Next to Auth Methods, from the dropdown, select SAML
  - Below Auth Methods, next to Identity Provider*, from the dropdown, select Workspace ONE Access
  - Scroll down to the bottom of the window
  - Select Save
- On your ControlCenter server
  - On your Site 2 Browser profile, in the Favourites bar, select the UAG-HZN-02b shortcut
- In the VMware Unified Access Gateway login
  - In the Username area, enter admin
  - In the Password area, enter VMware1!
  - Select Login
- In the VMware Unified Access Gateway admin console
  - Below Configure Manually, click Select
  - Scroll down to Identity Bridging Settings
  - To the right of Upload Identity Provider Metadata, select the GEAR icon
- In the Upload Identity Provider Metadata window
  - Next to Entity ID, enter Workspace ONE Access
  - Next to IDP Metadata, click Select
  - In the File Explorer - Open window, in the Quick Access > Downloads folder (this should be the default), select idp.xml
  - In the bottom right corner, select Open
  - Next to Always force SAML auth, switch the Toggle from OFF to ON
  - Select Save
  - Scroll back up to the top of the UAG admin console
- In the VMware Unified Access Gateway admin console, in the General Settings area
  - Next to Edge Service Settings, turn the TOGGLE from OFF to ON
  - To the right of Horizon Settings, select the GEAR icon
- In the Horizon Settings window
  - Scroll down to the bottom
  - Next to More, select the expand icon
  - Next to Auth Methods, from the dropdown, select SAML
  - Below Auth Methods, next to Identity Provider*, from the dropdown, select Workspace ONE Access
  - Scroll down to the bottom of the window
  - Select Save
Part 2. Configuring the SAML Federation for Horizon
For TrueSSO to work, the Horizon SAML authenticator is required.
We configure this on both Site 1 and Site 2.
- On your ControlCenter desktop
  - On your Site 1 Chrome Browser, open a new tab
  - In the Favourites bar, select the Horizon shortcut
  - In the User Name area, enter administrator
  - In the Password area, enter VMware1!
  - Select Sign in
- In the Horizon Admin Console
  - In the Inventory, expand Settings, then select Servers
  - In the Servers area, select the Connection Servers tab
  - Under Servers, select the radio button next to HORIZON-01a
  - Select Edit
- On the Edit Connection Server Settings page
  - Select the Authentication tab
  - On the Authentication tab, below Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator):, on the drop-down arrow, select Allowed
  - Select the Manage SAML Authenticators box
- In the Manage SAML Authenticators box
  - Select Add
- In the Add SAML 2.0 Authenticator window
  - Ensure the Dynamic radio button is selected
  - Enter the following:
    - Under Label: type Workspace ONE Access
    - Under Metadata URL: enter https://YOUR CUSTOM Access URL/SAAS/API/1.0/GET/metadata/idp.xml (e.g. https://aw-euclivefirefran.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml)
    - Under * TrueSSO Trigger Mode, from the dropdown, select Enabled
  - Select OK
- In the Manage SAML Authenticators window
  - Select OK to close
- In the Connection Server Settings
  - Select OK
- On your ControlCenter desktop
  - Switch to your Site 2 Chrome browser and open a new tab
  - From the Favourites bar, select the Horizon Site 2 shortcut
  - In the User Name area, login as administrator
  - In the Password area, type VMware1!
  - Select Sign in
- In the Horizon Admin Console
  - In the Inventory pane, expand Settings, then select Servers
  - In the middle pane, select the Connection Servers tab
  - Under Servers, select the radio button next to HORIZON-02a
  - Select Edit
- In the Edit Connection Server Settings window
  - Select the Authentication tab
  - On the Authentication tab, under Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator):, from the drop-down arrow, select Allowed
  - Below SAML Authenticator, select the Manage SAML Authenticators box
- In the Manage SAML Authenticators box
  - Select Add
- In the Add SAML 2.0 Authenticator window
  - Ensure the Dynamic radio button is selected
  - Enter the following:
    - Under Label: type Workspace ONE Access
    - Under Metadata URL: enter https://YOUR CUSTOM Access URL/SAAS/API/1.0/GET/metadata/idp.xml (e.g. https://aw-euclivefirefran.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml)
    - Under * TrueSSO Trigger Mode, from the dropdown, select Enabled
  - Select OK
- In the Manage SAML Authenticators window
  - Select OK to close
- In the Connection Server Settings
  - Select OK
Part 3. Configuring Workspace ONE Access for VMware Unified Access as the Service Provider
In this section, perform the Workspace ONE Access part of the SAML Federation process with VMware Unified Access Gateway.
- On your ControlCenter server
  - Open your Workspace ONE Access Admin console URL
  - Under Username, enter Administrator
  - Under Password, enter VMware1!
  - Select Sign In
- In the Web Intelligent Hub Console
  - To the right, select TA
  - From the dropdown, select Workspace ONE Access Console
- In the Workspace ONE Access Console
  - Select Resources
  - Under the Resources > WEB Apps area, select NEW
- In the New SaaS Application window, in the Definition area
  - Under Name, enter Unified Access Gateway SAML SP
  - Under Icon, select SELECT FILE ...
  - In the File Explorer > Open window, in the Quick Access pane, select Desktop
  - In the Desktop area, select software > UAG > Icons
  - In the Icons folder, select UAG.png, then select Open
  - Select NEXT
- On the ControlCenter server
  - From the Taskbar, select the Folder icon
  - In the File Explorer window, from the Quick Access pane, select Downloads
  - In the Downloads folder, right-click corp.euc-livefire.com and select Edit with Notepad++
- In the Notepad++ application
  - With your keyboard, enter CTRL + A, then CTRL + C
  - Switch back to the New SaaS Application wizard
- In the New SaaS Application window, in the Configuration area
  - In the box below URL / XML, paste your corp.euc-livefire.com.xml metadata
  - Scroll down the Configuration area to the bottom
  - Below Show in User Portal, change the Toggle from ON to OFF
  - Select NEXT
- In the New SaaS Application window, in the Access Policies section
  - Select NEXT
- In the New SaaS Application window, in the Summary section
  - Select SAVE & ASSIGN
- In the Assign window
  - Under Users / Groups, enter Sales and select [email protected]
  - Enter Devel and select [email protected]
  - Under Deployment type, from the dropdowns, ensure both Sales and Developers are set to Automatic
  - In the bottom right corner, select SAVE
- In your Workspace ONE Access Console, Web Apps interface
  - Note your Unified Access Gateway SAML SP Web App
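Before uploading idp.xml to each of the four UAG appliances (Part 1) or pasting the UAG SP metadata into Workspace ONE Access (Part 3), it is worth checking what the file actually advertises: which role it describes, whether a signing certificate is present, and whether every endpoint is HTTPS on the host you expect. The script below is an added example, not part of the lab or of VMware's tooling; the host access.example.test and the certificate value in the embedded sample are placeholders, and the same check applies to the SP metadata downloaded for corp.euc-livefire.com.

```python
"""Pre-upload sanity checks for the SAML metadata exchanged between Workspace ONE
Access (IdP metadata, idp.xml) and Unified Access Gateway (SP metadata)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The endpoint each role advertises: an IdP its SSO URL, an SP its ACS URL.
ENDPOINT_TAG = {"IDPSSODescriptor": "SingleSignOnService",
                "SPSSODescriptor": "AssertionConsumerService"}


def summarize_metadata(xml_text):
    """Collect entityID, role, signing certs and endpoints from metadata XML."""
    root = ET.fromstring(xml_text)
    out = {"entity_id": root.get("entityID"), "role": None,
           "signing_certs": [], "endpoints": []}
    for role, ep_tag in ENDPOINT_TAG.items():
        desc = root.find(f"md:{role}", NS)
        if desc is None:
            continue
        out["role"] = role
        for kd in desc.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without 'use' is valid for signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                out["signing_certs"].append("".join((cert.text or "").split()))
        for ep in desc.findall(f"md:{ep_tag}", NS):
            out["endpoints"].append((ep.get("Binding"), ep.get("Location")))
    return out


def check_metadata(summary, expected_host):
    """Findings that should stop the upload; an empty list means it looks sane."""
    findings = []
    if summary["role"] is None:
        findings.append("no IDPSSODescriptor or SPSSODescriptor")
    if not summary["signing_certs"]:
        findings.append("no signing certificate, so the peer cannot verify signatures")
    if not summary["endpoints"]:
        findings.append("no SSO/ACS endpoint advertised")
    for _binding, location in summary["endpoints"]:
        url = urlparse(location or "")
        if url.scheme != "https":
            findings.append(f"endpoint is not https: {location}")
        if url.hostname != expected_host:
            findings.append(f"endpoint host {url.hostname!r} is not {expected_host!r}")
    return findings


# Constructed sample IdP metadata in the shape Workspace ONE Access publishes;
# the host and the certificate value are placeholders, not real lab data.
IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://access.example.test/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://access.example.test/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_metadata(summarize_metadata(open("idp.xml").read()), "<your Access host>")` against the real download; any finding means the file should not go onto the UAG yet.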
Part 4. Deploying VMware Horizon Deep Links for entitlements
As we are not using the Workspace ONE Access Connector to sync entitlements, we will create Deep Links for our Entitlements and assign these to our Security Groups.
In this Part we will create Deep Links for existing entitlements.
- On your ControlCenter server
  - Open your Workspace ONE Access Admin console URL
  - Under Username, enter Administrator
  - Under Password, enter VMware1!
  - Select Sign In
- In the Web Intelligent Hub Console
  - To the right, select TA
  - From the dropdown, select Workspace ONE Access Console
- In the Workspace ONE Access Console
  - Select Resources
  - Under the Resources > WEB Apps area, select NEW
- In the New SaaS Application window, in the Definition area
  - Under Name, enter Enterprise Instant Clone Windows 11 Desktops
  - Under Icon, select SELECT FILE ...
  - In the File Explorer > Open window, in the Quick Access pane, select Desktop
  - In the Desktop area, select software > software > Icons
  - In the Icons folder, select Enterprise Desktop.jpg, then select Open
  - Select NEXT
- In the New SaaS Application window, in the Configuration area
  - Below Authentication Type *, from the dropdown, select Web Application Link
  - Below Target URL *, enter the following URL:
    https://corp.euc-livefire.com/portal/nativeclient/Enterprise_Desktop?action=start-session&desktopProtocol=BLAST&launchMinimized=false
  - In the bottom right corner, select NEXT
- In the New SaaS Application window, in the Summary section
  - Select SAVE & ASSIGN
- In the Assign window
  - Under Users / Groups, enter Devel and select [email protected]
  - Enter sales and select [email protected]
  - Under Deployment type, from the dropdowns, ensure both Sales and Developers are set to Automatic
  - In the bottom right corner, select SAVE
- In your Workspace ONE Access Console, Web Apps interface
  - Note your Enterprise Instant Clone Windows 11 Desktops Web Application Link
- In the Workspace ONE Access Console
  - Under the Resources > WEB Apps area, select NEW
- In the New SaaS Application window, in the Definition area
  - Under Name, enter Enterprise Full Clone Desktops
  - Under Icon, select SELECT FILE ...
  - In the File Explorer > Open window, in the Quick Access pane, select Desktop
  - In the Desktop area, select software > software > Icons
  - In the Icons folder, select desktop-developer.jpg, then select Open
  - Select NEXT
- In the New SaaS Application window, in the Configuration area
  - Below Authentication Type *, from the dropdown, select Web Application Link
  - Below Target URL *, enter the following URL:
    https://corp.euc-livefire.com/portal/nativeclient/Developers?action=start-session&desktopProtocol=BLAST&launchMinimized=false
  - In the bottom right corner, select NEXT
- In the New SaaS Application window, in the Summary section
  - Select SAVE & ASSIGN
- In the Assign window
  - Under Users / Groups, enter Devel and select [email protected]
  - Under Deployment type, from the dropdown, ensure Developers is set to Automatic
  - In the bottom right corner, select SAVE
- In your Workspace ONE Access Console, Web Apps interface
  - Note your Enterprise Full Clone Desktops Web Application Link
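Both deep links above point at the UAG external host name, which is what keeps the SAML check in front of every launched session: a link to any other host would reach the pool without passing the gateway that enforces "Always force SAML auth". The helper below is an added example, not part of the lab or of Horizon; it builds links in the same shape as the two on this page and flags links whose host, path or parameters differ from that pattern. The second sample link uses a placeholder internal host name, and the allowed desktopProtocol values are those of the Horizon Client URI scheme.

```python
"""Build and vet Horizon Web Application Link deep links like the ones in Part 4."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Protocol values the Horizon Client URI scheme understands.
PROTOCOLS = {"BLAST", "PCOIP", "RDP"}


def build_deep_link(external_host, pool, protocol="BLAST", launch_minimized=False):
    """Compose the start-session URL for a desktop pool behind the given UAG host."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown desktopProtocol {protocol!r}")
    params = {"action": "start-session", "desktopProtocol": protocol,
              "launchMinimized": "true" if launch_minimized else "false"}
    return (f"https://{external_host}/portal/nativeclient/"
            f"{quote(pool, safe='')}?{urlencode(params)}")


def vet_deep_link(url, expected_host):
    """Findings for a link that should not be assigned to users as-is."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("not https")
    if parts.hostname != expected_host:
        # A link to any other host (for example an internal Connection Server
        # name) would not pass through the UAG that enforces SAML authentication.
        findings.append(f"host {parts.hostname!r} is not the UAG external host")
    if not parts.path.startswith("/portal/nativeclient/"):
        findings.append("path is not /portal/nativeclient/<pool>")
    q = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    if q.get("action") != "start-session":
        findings.append("action is not start-session")
    if q.get("desktopProtocol") not in PROTOCOLS:
        findings.append(f"unknown desktopProtocol {q.get('desktopProtocol')!r}")
    if q.get("launchMinimized") not in ("true", "false"):
        findings.append("launchMinimized must be true or false")
    return findings


# Constructed sample links: the first mirrors the page's Enterprise_Desktop link,
# the second points at a placeholder internal host name and should be flagged.
SAMPLE_LINKS = [
    "https://corp.euc-livefire.com/portal/nativeclient/Enterprise_Desktop"
    "?action=start-session&desktopProtocol=BLAST&launchMinimized=false",
    "https://connection-server.internal.example/portal/nativeclient/Developers"
    "?action=start-session&desktopProtocol=BLAST&launchMinimized=false",
]
```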