To give a brief overview of Workspace ONE Access (Identity Manager) support of Horizon TrueSSO,
True SSO provides a way to authenticate to Microsoft Windows, retaining all the users’ normal domain privileges, without requiring them to provide AD credentials. With True SSO, a user can log into Workspace ONE using any non-AD method (for example, RSA SecurID credentials). After a user is authenticated, they can use any entitled desktop or app (hosted from any domain) without being prompted for a password.
- Separates Authentication: validating a user’s identity from Access.
- Enhanced security: use credentials are secured by a digital certificate that means No passwords are vaulted or transferred within the data center.
- Supports a wide range of authentication methods: change authentication protocols with limited impact to the infrastructure.
How it works
- Users authenticate to VMware Workspace One Access using a variety of any number of authentication options such as any 2-factor or certificate based authentication method.
- Once the user is authenticated, they can select any hosted application or desktop without needing to additionally present Active Directory or SmartCard credentials.
This essentially uses the Secure Addressable Markup Language standard to allow Horizon to use the SAML Assertion from Identity Manager to authenticate the user. TrueSSO generates a unique, short-lived certificate to manage the Windows logon process.
Authentication Methods Supported with True SSO
Following authentication methods are supported by True SSO
- RSA SecurID
- RADIUS authentication
- RSA Adaptive Authentication
- Standards-based third-party identity providers
TrueSSO – Components
- Horizon environment including an Enrollment Server:
- Workspace ONE Access
- Enterprise Certificate Authority
TrueSSO requires a new component “Enrolment Server”. The Enrollment Server is responsible for taking CSR requests from the virtual machine via the Connection server and requesting a logon certificate from the CA and then passing this short lived logon certificate back to the Connection server.