Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

Monthly Archive: February 2022

ADFS with VMware Unified Access Gateway (UAG)

This article covers configuring ADFS with VMware Unified Access Gateway (UAG) without using Workspace ONE Access.

There are two use cases for configuring ADFS with Unified Access Gateway:

  1. Use Case #1: ADFS as MFA. Users first authenticate with ADFS, then authenticate with their standard credentials to get the list of available resources (desktops or apps).
  2. Use Case #2: ADFS as the single authentication method. Users authenticate once with ADFS and then connect to VDI VMs or published apps without entering any other credentials. This use case of course requires VMware TrueSSO.

The initial configuration is the same for both; in short, the required steps are:

  1. Change Expiration Period for Service Provider Metadata
    1. https://my-virt.alfadir.net/index.php/2022/01/12/change-the-expiration-period-for-service-provider-metadata-on-connection-server/
  2. Deploy UAG
    1. Configure Edge Service and specify a Connection Server fqdn (not the load-balancer)
    2. Check connection is working
  3. Connect to <federation fqdn> and save the FederationMetadata.xml file
  4. Import FederationMetadata.xml in UAG (Upload Identity Provider Metadata)
  5. Configure UAG for SAML or SAML and Passthrough auth methods
  6. Specify Identity Provider
  7. Download the SAML Service Provider .xml file
  8. Configure ADFS
    1. Add a new Relying Party Trust
    2. Specify the UAG SP .xml file as source
    3. Configure the Claim Issuance Policy
  9. Connect to UAG as a “client”
    1. Authenticate using ADFS
    2. Authenticate using AD credentials
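
Step 8 done from PowerShell rather than the ADFS console, as an added example that is not part of the original post: it registers the SP metadata file downloaded from UAG as a Relying Party Trust and attaches a minimal claim issuance policy. The file path, the trust name and the exact claim rules are assumptions (the post does not state which claims Horizon expects), and the import honours the validUntil date in the SP metadata, which is the reason behind step 1.

```powershell
# Added example, not from the original post. Assumptions: the SP metadata
# downloaded from UAG (step 7) was saved as C:\temp\uag-sp-metadata.xml; the
# trust name and claim rules below are illustrative choices, not values from
# the post. Run on the ADFS server with an account allowed to manage ADFS.
Import-Module ADFS

$rpName     = 'Horizon UAG (SAML)'
$spMetadata = 'C:\temp\uag-sp-metadata.xml'

# Issuance transform rules: look up the UPN in AD and emit it as the SAML NameID.
# The NameID format is an assumption; align it with what UAG/Horizon expects.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Issuance authorization rule: permit every authenticated user. For least
# privilege, restrict this to the AD group that is entitled to Horizon.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Create the trust from the UAG metadata only if it does not exist yet.
# ADFS reads the EntityID, endpoints and signing certificate from the file.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $spMetadata `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Check what was imported: the Identifier must match the UAG SP EntityID and
# the SAML endpoints must point at the UAG public FQDN.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SamlEndpoints, EncryptionCertificate
```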

Now if we want to go further and implement ADFS with TrueSSO:

  1. Generate the SAML IdP settings
    1. Import a signed certificate or use the generated one
    2. Copy the content of the downloaded IdP settings
  2. Configure the Horizon Connection Server for SAML authentication with UAG and ADFS
    1. Connect to the admin console of the Horizon Connection Server
    2. Add a SAML Authenticator for UAG
      1. Mode: Static
      2. Paste the content of the UAG downloaded IdP settings
      3. Change the EntityId if required
    3. Add a SAML Authenticator for ADFS
      1. Mode: Static
      2. Paste the content of FederationMetadata.xml
  3. Enable TrueSSO for UAG and ADFS
    1. Using vdmUtil, enable both authenticators
  4. Check the True SSO connection
    1. Connect to UAG as a client
    2. Once authenticated to ADFS, the list of available resources appears, and you can log in without any other credentials

That said, let's see with some nice pictures how we do that:

Continue reading…

Get Horizon Cloud Managed desktop and apps on WS1 Access

Here is a recent behaviour I met at a customer and in my own labs:

Normally, and that was the case a few months ago, when you entitled VMs or apps (whether on Azure or on-premises, as long as they were “Cloud Managed”) they were automatically available on the configured WS1 tenant, especially if you asked to create one from the Horizon Universal Console rather than attaching an existing one.

It looks like there was a recent change, and some prerequisites are now required (they are mentioned in the documentation, but to be honest the documentation is a little abstruse). So, if entitlements are no longer synchronized, or you don’t see any entitlements in WS1, you need to check two things:

1 – Ensure you gather the appropriate User Attributes for WS1:

In Identity & Access Management \ Setup \ User Attributes, make sure you have the following three attributes (none of them are present by default):

  • objectGUID
  • sid
  • netBios

2 – Ensure you mapped these attributes to the right Active Directory attributes

In Identity & Access Management \ Manage \ Directories, edit the sync parameters of your AD, go to Mapped Attributes, and make sure they are mapped as follows:

Workspace ONE Access Attribute    Active Directory Attribute
userPrincipalName                 userPrincipalName
objectGuid                        objectGUID
sid                               objectSid
netBios                           msDS-PrincipalName

Once done, just synchronize your directory and it works.