I am looking for a solution for a client based on access to the vdi in passwordless mode.
I do not find much information about it, any idea or third-party tool to integrate it?
Thank you very much
There is this
or are you looking for something else?
what they really ask me to do is access without a password using an MFA based solution. That is, the user puts only his credentials and can access his session by pressing a push from his mobile or similar
You need to have workspace one access available, which you should be able to setup with passwordless authentication. Take alook at something like
for an example. Then you need truesso setup to users to logon into horizon from workspace one.
Thanks for the quick reply! luckily we have horizon enterprise licenses that allow integration with workspace. Would additional workspace licenses be necessary? I have no experience on this platform
For licensing, I'd always open a GSS ticket, but as long as your only using it for horizon your fine. Its when you setup integrations to other applications the gets a bit more cloudy. its possible but you need to track it and make sure your never using more than the concurrent user count in your horizon license. Again don't go by me or anyone else, I'd get an SR you can track to be sure if your are concerned. I'm pretty sure this is also spelled out in one of the workspace documents somewhere.
Hello again, I have continued investigating about this solution and have been raised multiple options:
One of them is the following one:
Configure from the UAG with Identity providers as pingidentity MFA and that this solution provides access via passwordless. I really don't know if this form is valid. Can you confirm that this type of solution provides passwordless access to my horizon platform?
you have two options:
1.) use VMware Workspace ONE Access and enable VMware Verify for a PW-less experience (either by using WS1 Mode in Horizon, or redirect on UAG)
2.) use a third party Identity Provider which offers PW-less and integrate into UAG and Horizon
For both variants TrueSSO is required to translate the AuthN token to something Windows can use for Logon (a pseudo-smart-card) to provide a passwordless experience.
thank you for the repli:
When you say tocken, I suppose it will be something like Push to the mobile or similar?
I still have the doubt if okta or ping identity can provide passwordless solution without the need for third parties such as Hypr or Double octopus.
Or put another way, passwordless mfa is the same as passwordless?
From Client to Horizon, there is a chain of authentication options, and its up to you to choose what you need.
The first scenario I described (using Workspace ONE Access + VMware Verify) goes like this:
|Client ->||Workspace ONE Access ->||VMware Verify ->||Workspace ONE Access ->||Horizon True SSO ->||Horizon|
|Initiate Authentication||Access Policy demands VMware Verify||Verify performs authentication||Translate Verify to SAML Token||Translate SAML Token to Smart Card||Logon with Smart Card|
If you already have Okta or Ping your route can be different:
|Client ->||UAG ->||Okta ->||UAG ->||Horizon True SSO ->||Horizon|
|Initiate Authentication||Requires SAML; redirect to Identity Provider||Performs Auth according your needs and returns a SAML Token||Accept SAML token and allow access to Horizon||Translate SAML Token to Smart Card||Logon with Smart Card|
Unfortunately the answer as always is "it depends" on your requirements and available services. If you answer this questions, I maybe can you help find a proper solution:
Do you already have an Identity Provider (IdP)? If no, get one.
If yes, which one (Workspace ONE Access, ADFS, Ping, Okta, AzureAD, ...)?
Does your IdP already offer a passwordless authentication method?
To your last question: in essence a Passwordless authentication approaches the auth model as
thereby replacing the requirement of something you know (password) and there by getting its name – Password-less!
Hope this helps a little to better understand, that there is no simple answer to your question 😉.
Here I have the option to mount workspace one access for the licenses I have (enterpise horizon).
But I was evaluating the option of pingindentity to integrate it directly from UAG. (it seems simple to install)
I was asked the combination of ping federate + ping MFA. In the authentication sequence options, the first option is to send a push to the mobile, which supposedly allows the user to authenticate without using their password
And this is where I have the doubt if this solution can really serve as a passwordless solution since the validation option I am looking for is (username + otp or push)
Now I got you.
As you already evaluate/investigate on Ping Identity if they allow you to create a Passwordless policy for authentication, maybe you like to share here what you found out. At least I cannot tell, maybe someone else in the VMware community.
I successfully achieved (username + push) using WS1 Access + Verify - if you want to use a cloud service instead, maybe worth looking at Horizon Universal License as it contains WS1 Access as SaaS installation.
I have successfully implemented Azure MFA, UAG and TRUESSO integration and access only requires authentication with Azure MFA.
this is the guide I generated: