Has anyone actually been able to successfully configure Office 365 SSO with Horizon Workspace? I have configured the provided "Office 365 Outlook" from the VMware Cloud Application Catalogue, only adding my activated Office 365 domain to the value field for {tenant} under Application Parameters. I do have SSO working successfully in other Webapps like Google Apps without issues.
Below are my test results from using the Office 365 SSO test from: https://testconnectivity.microsoft.com
The results to me, point to something internally wrong in the metadata that I have no control over (I have modified the actual domain...).
Testing Single sign-on for user: testuser@mydomain.com. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Single sign-on test failed. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
This is the actual command run against my office 365 pod to setup federation for reference:
Set-MsolDomainAuthentication -DomainName mydomain.com -Authentication Federated -IssuerURi https://externalurl.mydomain.com/SAAS/API/1.0/GET/metadata/idp.xml -FederationBrandName 'mydomain' -PassiveLogOnUri https://externalurl.mydomain.com/SAAS/API/1.0/POST/sso -LogOffUri https:/externalurl.mydomain.com/SAAS/auth/logout -ActiveLogOnUri https://externalurl.mydomain.com/SAAS/auth/wsfed/active/logon -MetadataExchangeUri https://externalurl.mydomain.com/SAAS/auth/wsfed/services/mex -SigningCertificate <SAML Cert Goes Here....>
The release notes for Horizon Workspace 1.8.1 additional say this:
From what I see though, there is no new application actually available...
Attached full results of the test, only modifying identifying information.
I actually finally got this working after banging my head against the wall for the past few days.
For the command: Set-MsolDomainAuthentication the switch "IssuerURi" was wrong. Honestly I had no idea what I was suppose to set it to, although It turned out being fairly straightforward.
It seems that if your external URL (Horizon Workspace FQDN set in the configurator-va) is, https://externalurl.mydomain.com, then the "IssuerURi" is just "externalurl".
(This is also seen in the very top right hand corner when logged into the "VMware Horizon - Dashboard")
Hopefully this info ends up helping someone else.
Seems that regardless of me getting SSO working through the SaaS application from Workstation, it doesn't matter because it breaks access to all rich clients (Outlook 2013, Apple Mail (Desktop/iPhone).
Setting the password on the SaaS application as instructed does nothing to mitigate this problem. Since this is in the official documentation as a working solution, has anyone else gotten past these problems?
Please open a Support Ticket with VMware Support.
I think I finally got the issues with the rich clients worked out. The accounts that were setup for testing had different UPNs vs their primary SMTP address. Since the email addresses in this case were already what was desired, I changed the account names in AD to match them, then manually changed the UPN of the synced account in office 365 using: Windows Azure cmdlet: Set-MsolUserPrincipalName. Finally I performed another DirSync, and in about 15 mins or so, SSO with Outlook 2013 and iOS Mail started working. The Apple OS X native Mail client still doesn't work, but since it is not listed on VMware's documentation as a "Supported Client", I will just infer that this one is a lost cause.
I think in most cases the UPN and primary SMTP addresses would already be the same, but I can think of situations where a company could easily break this for an account, such as a user getting married/divorced and wants their primary email addressed changed (assuming that most organizations don't bother changing the actual AD account name since it can be a bit of a PITA on the client end in some situations).
Anyways its been working for about 12 hours now...so I'll keep my fingers crossed.