SAML MFA authentication for VMware Horizon using Thales Safenet Trusted Access


Background

I have been working on a project to integrate many platforms with Thales Safenet Trusted Access to enable multi-factor authentication to improve access security to those platforms. One of those platforms is VMware Horizon.

Since the release of Horizon version 7.11, SAML-based authentication has been a supported protocol for enabling MFA. Prior to this, it was only possible to use RADIUS-based authentication to enable MFA, which has some limitations: namely that, as far as I know, it does not support conditional access and does not support push notifications for One Time Passcode soft tokens.

Safenet Trusted Access supports a lot of applications out of the box, but Horizon is not one of them. This guide will show you how to make it work.


How to

Before we begin, I am going to make a few assumptions. For this to work, you need to be running a Horizon Unified Access Gateway (UAG) appliance as well as a minimum of Horizon 7.11. I will also assume you have an active Thales Safenet Trusted Access (STA) subscription.

Step 1 – Configure a new application in STA

Log in to STA and choose the option to add a new application.

[Screenshot: UAGMFA-033]

Locate the Generic Template option and click Add.

[Screenshot: UAGMFA-032]

Give the application a meaningful name. I called mine VMware Horizon Access. Ensure SAML is selected.

[Screenshot: UAGMFA-031]

On the next screen, click to switch to manual configuration.

[Screenshot: UAGMFA-030]

Make a note of the two URLs and download the certificate; you will need these later.

[Screenshot: UAGMFA-029]

After clicking the Next Step button, click the manual configuration link for Step 02: STA Setup.

[Screenshot: UAGMFA-028]

Complete the URLs as shown below, replacing the FQDN with the FQDN of your Unified Access Gateway. For step 4 in the screenshot, you will need the certificate used to secure the UAG appliance.

[Screenshot: UAGMFA-027]

I used the full certificate chain in PEM format for this.

[Screenshot: UAGMFA-026]

The certificate should then show something like the screenshot below.

The reason the certificate is uploaded is so that STA will only accept requests originating from a source secured by this certificate.

[Screenshot: UAGMFA-025]

The only other thing to change is the user Login ID Mapping. This should be SAS User ID. The way the user name is stored in STA must match the name format a user types when logging in with a domain account; if they don't match, this won't work.

[Screenshot: UAGMFA-024]

Then target the application to all users or a subset of users.

[Screenshot: UAGMFA-019]

Step 2 – Create SAML Metadata XML file

You may have noticed in the previous steps that there was an option to download a preconfigured metadata file from the STA portal. For some reason, Horizon does not like this prebaked metadata file, so I will walk you through creating a new one.

The metadata file contains all the relevant information about where the identity provider service runs and how to access it: the identity provider's entity ID, its single sign-on URL and the signing certificate. This file is imported into the UAG to allow it to communicate with STA.

Open the certificate downloaded in step 1 in your favorite text editor and select the contents of the certificate. This will be used as part of the metadata XML file creation.

[Screenshot: UAGMFA-023]

Head over to this webpage https://www.samltool.com/idp_metadata.php to create a new metadata XML file.

Paste the certificate into the cert box and paste the URLs you copied earlier into the boxes as shown below.

[Screenshot: UAGMFA-022]

Scroll down the page and click Build IDP Metadata. Then copy the contents of the metadata generated.

[Screenshot: UAGMFA-021]

Paste the contents into a text document and save the file with an .xml extension as shown below.

[Screenshot: UAGMFA-020]
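If you would rather not paste the certificate and URLs into a third-party web page, the same metadata file can be built locally. The script below is an added example written for this post; it is not the author's code and not a Thales or VMware tool. It assumes that the two URLs noted in step 1 are the identity provider's entity ID (issuer) and its single sign-on URL, and it follows the shape of the samltool.com output: one signing KeyDescriptor holding the bare base64 body of the certificate, and HTTP-Redirect and HTTP-POST SingleSignOnService bindings pointing at the same SSO URL. The certificate and URLs in the block are constructed placeholders; substitute the values from your STA tenant.

```python
"""Build a SAML 2.0 IdP metadata file for the UAG from the STA certificate and URLs.

Added example for this walkthrough (not the author's or any vendor's code).
Assumption: the two URLs from STA are the IdP entity ID and the SSO URL.
"""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample values only; a real run uses the STA download and URLs.
SAMPLE_ENTITY_ID = "https://idp.example.invalid/saml/idp"
SAMPLE_SSO_URL = "https://idp.example.invalid/saml/sso"
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBsampleCONSTRUCTEDnotAREALcert
aGVsbG8gd29ybGQ=
-----END CERTIFICATE-----
"""


def pem_to_base64(pem: str) -> str:
    """Return the bare base64 body of the first certificate in a PEM string.

    <ds:X509Certificate> carries only the base64 payload, so the BEGIN/END
    armour and all line breaks are stripped. Raises if no block is present.
    """
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no PEM certificate block found")
    return re.sub(r"\s+", "", match.group(1))


def build_idp_metadata(entity_id: str, sso_url: str, cert_pem: str) -> str:
    """Produce the IdP EntityDescriptor XML the UAG expects on import."""
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    idp = ET.SubElement(
        root,
        f"{{{MD_NS}}}IDPSSODescriptor",
        {
            "WantAuthnRequestsSigned": "false",
            "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        },
    )
    # The signing key lets the UAG/Connection Server verify STA's assertions.
    key = ET.SubElement(idp, f"{{{MD_NS}}}KeyDescriptor", {"use": "signing"})
    key_info = ET.SubElement(key, f"{{{DS_NS}}}KeyInfo")
    x509 = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = pem_to_base64(cert_pem)
    ET.SubElement(idp, f"{{{MD_NS}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    # Both bindings on one URL mirrors the samltool.com generator (assumption).
    for binding in (REDIRECT_BINDING, POST_BINDING):
        ET.SubElement(
            idp,
            f"{{{MD_NS}}}SingleSignOnService",
            {"Binding": binding, "Location": sso_url},
        )
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def parse_idp_metadata(xml_text: str) -> dict:
    """Read back entity ID, certificate body and SSO endpoints for a sanity check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    ns = {"md": MD_NS, "ds": DS_NS}
    cert = root.findtext(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        namespaces=ns,
    )
    sso = {
        s.get("Binding"): s.get("Location")
        for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", ns)
    }
    return {"entity_id": root.get("entityID"), "certificate": cert, "sso": sso}


def example() -> dict:
    """Build metadata from the constructed sample values and parse it back."""
    return parse_idp_metadata(
        build_idp_metadata(SAMPLE_ENTITY_ID, SAMPLE_SSO_URL, SAMPLE_CERT_PEM)
    )


if __name__ == "__main__":
    # Redirect stdout to metadata.xml to produce the file used in steps 3 and 4.
    print(build_idp_metadata(SAMPLE_ENTITY_ID, SAMPLE_SSO_URL, SAMPLE_CERT_PEM))
```

Running the script with the real values and redirecting its output to metadata.xml gives a file you can diff against the prebaked download from STA, which makes it easy to see exactly which element Horizon objected to. Keeping the generation local also means the tenant's URLs never leave your environment.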

Step 3 – Configure Unified Access Gateway

Log in to the admin portal for the UAG.

[Screenshot: UAGMFA-018]

Scroll down to Upload Identity Provider Metadata.

[Screenshot: UAGMFA-017]

Select the metadata.xml file created in step 2.

[Screenshot: UAGMFA-016]

Click Save.

[Screenshot: UAGMFA-015]

Open the Horizon Settings.

[Screenshot: UAGMFA-014]

Click the More settings button.

[Screenshot: UAGMFA-013]

Change Auth Methods to SAML and Passthrough, ensure the Safenet identity provider is selected, and click Save.

[Screenshot: UAGMFA-034]

Step 4 – Configure Connection Servers

Log in to the admin interface on the Connection Servers the UAG is paired with. Browse to Servers > Connection Servers and click Edit.

[Screenshot: UAGMFA-011]

Click the Authentication tab, change the delegation of authentication setting to Allowed and then click Manage SAML Authenticators.

[Screenshot: UAGMFA-010]

Click Add.

[Screenshot: UAGMFA-009]

Give the authenticator a name and then paste the contents of the metadata.xml file from step 2 into the SAML Metadata box.

[Screenshot: UAGMFA-008]

And that is the configuration part complete.

Step 5 – Login experience and conditional access

Browse to the UAG as if you were going to log in to access a desktop resource.

[Screenshot: UAGMFA-007]

Clicking Horizon HTML Access will redirect you to the STA identity provider. Click Login.

[Screenshot: UAGMFA-006]

My setup triggers a push notification to my mobile phone where I verify access.

[Screenshot: UAGMFA-005]

This is followed by the usual username and password prompt.

[Screenshot: UAGMFA-035]

That takes you to your assigned resources.

[Screenshot: UAGMFA-004]

Click the resource to launch and away you go.

Step 6 – Conditional Access

Back in the STA portal, we can define different access policies for the users. You may want to block access from certain IP ranges or operating system versions, for example.

Click to add a scenario to the base access policy.

[Screenshot: UAGMFA-002]

In this example, users accessing VDI from a Windows 10 device will be granted access but will have to provide a password and one-time passcode.

[Screenshot: UAGMFA-001]

These policies can be built up to suit your access requirements to further lock down access to the Horizon environment.

Further reading

If you would like to take this a step further and enable full single sign-on, i.e. no password entry on the desktop, then take a look at True SSO from VMware. This can be integrated with the above setup to enable certificate-based authentication to the desktop and eliminate the requirement to enter a password.
