VMware Horizon Community
fabio1975
Commander

Azure MFA, UAG and Horizon

Dear all,

I have successfully implemented an integration between UAG and Azure MFA. However, I would now like to remove the double authentication that I am required to go through to access the VDI VMs (Azure MFA and Horizon). Is that possible? I only found documentation that tells me about True SSO.

Thank you

Fabio

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

1 Solution
12 Replies
nburton935
Hot Shot

Are you using SAML or RADIUS?

If SAML, you will need to implement True SSO. The UAG has no chance to capture credentials for the Windows login with SAML.

If RADIUS, use the Enable Windows SSO option to pass the same username/password used in the initial prompt to the CS.

-Nick

fabio1975
Commander

Thank you Nick, I will use UAG and SAML; now I am studying how to activate True SSO.

Bye Fabio

larstr
Champion

Fabio,

It is indeed possible to avoid double authentication without using True SSO. You need to select SAML and Passthrough as the authentication method.

 

Lars

fabio1975
Commander

Hello Lars,

I currently have my two UAGs on which I have configured the integration with Azure AD and MFA as indicated by this Microsoft guide

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/vmware-horizon-unified-access-gate...

and the integration with MFA works perfectly, but once authenticated with Azure AD / MFA I have to enter the domain credentials to authenticate on the Horizon infrastructure.

If I configure SAML and Passthrough I guess I have to configure the connection servers to communicate with Azure AD or what else?

 

Thank You 

Fabio 

fabio1975
Commander

 


Hello Lars,

Is there any documentation for the configuration? I tried but it doesn't work.

 

Thank You

Fabio 

larstr
Champion

Fabio,

I don't think I found the exact documentation when this was set up, but it is working fine here:

[Image: larstr_0-1611512853011.png]

This means that if the user is already logged into Office365, they will also not be challenged to log on to the UAG, as they're already logged in.

 

Lars

fabio1975
Commander

In summary, I configure the integration between Azure AD (Enterprise application) and UAG, then I proceed with the implementation of True SSO (vIDM-Workspace ONE, CA, etc.). It is not clear to me, however, whether the user will land on the Workspace ONE portal or on the classic Horizon portal when connecting.

fabio1975
Commander

It could work!!

ITVisionIT
Enthusiast

Hello,

We are seeing a similar situation with the duplicate authentication: one for O365/MFA, and then again when Horizon Client launches. We do have our UAG set to "match windows logon", but this just auto-populates the user name field of the View client. They still need to enter their password again.

Is implementing TrueSSO the only way around this?

Also, what we have started to see since we recently upgraded our UAGs to 2103 is that the option from Azure/O365/MFA auth to stay signed in and not show again is no longer sticking. We are going to try to downgrade our UAG and see if that is the cause of this.

[Image: ITVisionIT_0-1623330023077.png]

 

ITVisionIT
Enthusiast

Ok... part of the issue resolved.

When uploading the IDP metadata to the UAG I had "Always force SAML auth" ON. I re-uploaded the metadata file with that option turned off and now the option to "stay signed in" is working properly. However, I am still getting the second prompt to log on from the Horizon Client, but I think my staff can deal with that for now. I am assuming TrueSSO is needed for that.

GKOIDEXX
Contributor

Shameless plug, let me know if you have any questions: https://geoffreyobrien.com/?p=74