Configuring TrueSSO for VMware Horizon with Okta
In this blog post, we will walk through the basic steps to configure Okta and VMware Horizon to provide an end-to-end single sign-on experience to the end-user. We will focus on configuring TrueSSO on our Horizon environment, so that users do not have to enter Active Directory credentials when using a remote desktop or application.
Step 1: Configure Okta App Integration
In the Okta Admin Console, navigate to Applications > Applications > Create a new App Integration. Select SAML 2.0 and press Next. Enter your App name, upload an app logo (optional), and click Next. We will configure the SAML settings later, so skip this step for now.
Step 2: Download Okta Metadata
On the Sign On page, scroll down to the SAML 2.0 section, copy the Metadata URL, and open it in a new browser window. Save the file as my_metadata.xml.
Step 3: Assign App to Group
Go to the Assignments tab and select Assign > Assign to Groups. Assign your Active Directory group to the Application.
Step 4: Configure Identity Bridging Settings
Log in to the VMware Unified Access Gateway by entering the correct credentials. Navigate to the Identity Bridging Settings. Press the gear button next to Upload Identity Provider Metadata. Upload the Okta metadata that you downloaded in step 2. Save your settings on the Unified Access Gateway.
Step 5: Configure SAML as Authentication Method
In the Horizon Administration Console, navigate to Settings > Servers and select the Connection Server. Click Edit. Set SAML 2.0 Authenticator to Allowed, and click Manage SAML Authenticators. Click the Add button to create a new SAML Authenticator. Give your SAML 2.0 Authenticator a name. In the SAML Metadata field, paste the contents of the file from step 2 (my_metadata.xml), and enable the Enabled for Connection Server option.
Step 6: Enable TrueSSO on Horizon Environment
Since our environment leverages Horizon TrueSSO, we need to enable TrueSSO on our Horizon environment. To do so, we need to log in to the VMware Connection Servers and open a Command Prompt as administrator. We need to use the following command line to list all the authenticators and their True SSO mode status:
“list authenticators -type SAML 2.0 -enabled”
Replace:
If True SSO mode is DISABLED for the authenticator you are trying to configure, execute the following command line to enable it:
“enable authenticators -type SAML 2.0 -name
After you enable True SSO, the True SSO mode for the authenticator you are enabling displays as ENABLE_IF_NO_PASSWORD.
Step 7: Test the End-to-End Single Sign-On Experience
In my demo, I am using an IGEL Thin Client to access my Horizon environment. But you can also install the Horizon Client on a Windows or macOS client machine. When you launch a remote desktop or application, you will be redirected to the Okta login page. Enter your credentials and click Log in. You will be redirected back to the remote desktop or application without entering any additional credentials.
That’s it! By following these steps, you have successfully configured TrueSSO for VMware Horizon with Okta, providing an end-to-end single sign-on experience to your end-users.