VMware Horizon Community
eduruizblas
Enthusiast

passwordless

Hi there!

I am looking for a solution for a client based on access to the VDI in passwordless mode.

I do not find much information about it, any idea or third-party tool to integrate it?

Thank you very much

12 Replies
eduruizblas
Enthusiast

What they really ask me to do is access without a password using an MFA-based solution. That is, the user enters only his credentials and can access his session by pressing a push from his mobile or similar.

sjesse
Leadership

You need to have Workspace ONE Access available, which you should be able to set up with passwordless authentication. Take a look at something like

https://theidentityguy.ca/2021/01/20/enabling-hypr-passwordless-authentication-with-workspace-one-ac...

for an example. Then you need TrueSSO set up to allow users to log on to Horizon from Workspace ONE.

eduruizblas
Enthusiast

Thanks for the quick reply! Luckily we have Horizon Enterprise licenses that allow integration with Workspace. Would additional Workspace licenses be necessary? I have no experience on this platform.

sjesse
Leadership

For licensing, I'd always open a GSS ticket, but as long as you're only using it for Horizon you're fine. It's when you set up integrations to other applications that it gets a bit more cloudy. It's possible, but you need to track it and make sure you're never using more than the concurrent user count in your Horizon license. Again, don't go by me or anyone else; I'd get an SR you can track to be sure if you are concerned. I'm pretty sure this is also spelled out in one of the Workspace documents somewhere.

eduruizblas
Enthusiast

Hello again, I have continued investigating this solution and multiple options have been raised:

One of them is the following one:

Configure from the UAG with identity providers such as Ping Identity MFA, and have this solution provide passwordless access. I really don't know if this approach is valid. Can you confirm that this type of solution provides passwordless access to my Horizon platform?

Thanks

AlexAskin
Enthusiast

Hi,

you have two options:

1.) use VMware Workspace ONE Access and enable VMware Verify for a PW-less experience (either by using WS1 Mode in Horizon, or redirect on UAG)

2.) use a third-party Identity Provider which offers PW-less and integrate into UAG and Horizon

For both variants TrueSSO is required to translate the AuthN token to something Windows can use for logon (a pseudo-smart-card) to provide a passwordless experience.

- Alex

eduruizblas
Enthusiast

Hi!

Thank you for the reply.

When you say token, I suppose it will be something like a push to the mobile or similar?

I still have the doubt whether Okta or Ping Identity can provide a passwordless solution without the need for third parties such as HYPR or Double Octopus.

Or put another way, is passwordless MFA the same as passwordless?

Thanks

AlexAskin
Enthusiast

From Client to Horizon, there is a chain of authentication options, and it's up to you to choose what you need.

The first scenario I described (using Workspace ONE Access + VMware Verify) goes like this:

| Client -> | Workspace ONE Access -> | VMware Verify -> | Workspace ONE Access -> | Horizon True SSO -> | Horizon |
|---|---|---|---|---|---|
| Initiate Authentication | Access Policy demands VMware Verify | Verify performs authentication | Translate Verify to SAML Token | Translate SAML Token to Smart Card | Logon with Smart Card |

If you already have Okta or Ping your route can be different:

| Client -> | UAG -> | Okta -> | UAG -> | Horizon True SSO -> | Horizon |
|---|---|---|---|---|---|
| Initiate Authentication | Requires SAML; redirect to Identity Provider | Performs Auth according to your needs and returns a SAML Token | Accept SAML token and allow access to Horizon | Translate SAML Token to Smart Card | Logon with Smart Card |

Unfortunately the answer, as always, is "it depends" on your requirements and available services. If you answer these questions, maybe I can help you find a proper solution:

Do you already have an Identity Provider (IdP)? If no, get one.

If yes, which one (Workspace ONE Access, ADFS, Ping, Okta, AzureAD, ...)?

Does your IdP already offer a passwordless authentication method?

To your last question: in essence, passwordless authentication approaches the auth model as

  • something that you have (mobile device or security key) with
  • something that you are (Biometrics, PIN) in a unified auth flow,

thereby replacing the requirement of something you know (password) and thereby getting its name – Password-less!

Hope this helps a little to better understand that there is no simple answer to your question 😉.

- Alex

eduruizblas
Enthusiast

Here I have the option to mount Workspace ONE Access with the licenses I have (Enterprise Horizon).

But I was evaluating the option of Ping Identity to integrate it directly from UAG (it seems simple to install).

I was asked about the combination of PingFederate + Ping MFA. In the authentication sequence options, the first option is to send a push to the mobile, which supposedly allows the user to authenticate without using their password.

And this is where I have the doubt whether this solution can really serve as a passwordless solution, since the validation option I am looking for is (username + OTP or push).

AlexAskin
Enthusiast

Now I got you.

As you are already evaluating whether Ping Identity allows you to create a passwordless policy for authentication, maybe you would like to share here what you find out. At least I cannot tell; maybe someone else in the VMware community can.

I successfully achieved (username + push) using WS1 Access + Verify. If you want to use a cloud service instead, it may be worth looking at the Horizon Universal License, as it contains WS1 Access as a SaaS installation.

- Alex
