VMware Horizon Community
JMichaelLynn
Contributor

Delegation of Authentication (SAML) for internal users being bypassed on one connection server.

Hey folks, 

After a lot of great help from support, we have SAML working correctly for our external users, but I have a lingering security issue with my internal users that I have to button up.

So we are running Horizon 7.13 on premises and UAG 3.10, with no cloud. The problem comes up with my internal users. If they know the FQDN of broker2, they can bypass SAML and log in using just the client. In View, under broker1, I have "Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)" set to Required, and it does as it should. If I do that on broker2, then nobody can log in internally or externally. On the UAG, broker2 is the designated connection server and the auth method is set to SAML and passthrough.

The IdP metadata is static. No cloud, no Workspace ONE, no Identity Manager. So yes, I can accept that Gordon Ramsay voice in my head saying I am missing the plot, but do any of you know how to straighten me out on this one? Oh, I would add that we are only doing Blast and HTML. Thanks

nburton935
Hot Shot

Just to clarify here:

- 2 Connection Servers, broker1 and broker2

- 1 UAG, pointed to broker2, with SAML+passthrough for auth (no True SSO)

- broker1 is set to SAML Required

- If you change broker2 to SAML Required, nobody can log in. Is the current setting Allowed? Given that NOBODY can log in when it is changed, are internal users pointing to this as well?

- No VIPs in play here?

- Are you using split DNS of some sort so that the same name is used internally/externally? (Internal = CS and external = UAG). 


I assume you want everyone, internal + external, to use SAML for login, but you do not have Workspace ONE Access. Is the intent to send everyone to the UAG for auth to your third-party IdP? That would be the only workflow supported in this scenario.

-Nick

JMichaelLynn
Contributor

Hey Nick,


Thanks for answering. So yes, we want everyone to go to the IdP page first, and then, after entering their login information, they go to the Horizon HTML client. Externally it works fine. Internally it works when they go to the URL for the UAG. Only the UAG can be seen externally. If they enter the unpublished URL for broker1, it is handled properly, as I have it set to Required on the Horizon side. The screenshot below shows broker1 with the Required setting that works, but setting broker2 that way breaks authentication for all.

[Screenshot: broker1 with "Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)" set to Required]

If I set it to Required for broker2, nobody can authenticate. If I set it to Allowed, you just get the spinning prompt. The security team wants to shut me down because the unpublished FQDN for broker2 is accessible internally only and allows the user to skip SAML.

JMichaelLynn
Contributor

I would also add this in case it is significant: my broker2 is a replica of broker1.
