Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

ADFS with VMware Unified Access Gateway (UAG)

This article describes how to configure AD FS with VMware Unified Access Gateway (UAG) for Horizon, without using Workspace ONE Access.

There are two use cases for configuring AD FS with Unified Access Gateway:

  1. Use Case #1: AD FS as an additional factor (SAML and Passthrough). Users first authenticate with AD FS, then authenticate again with their standard AD credentials to get the list of available resources (desktops or apps).
  2. Use Case #2: AD FS as the single authentication method (SAML only). Users authenticate once with AD FS and then connect to VDI VMs or published apps without entering any other credentials. This use case requires VMware True SSO to work.

The initial configuration is the same for both; in short, these are the steps required:

  1. Change the expiration period for the Service Provider metadata
    1. https://my-virt.alfadir.net/index.php/2022/01/12/change-the-expiration-period-for-service-provider-metadata-on-connection-server/
  2. Deploy the UAG
    1. Configure the Horizon Edge Service and specify a Connection Server FQDN (not the load-balancer)
    2. Check that the connection is working
  3. Connect to <federation fqdn> and save the FederationMetadata.xml file
  4. Import FederationMetadata.xml in the UAG (Upload Identity Provider Metadata)
  5. Configure the UAG for the “SAML” or “SAML and Passthrough” auth method
  6. Specify the Identity Provider
  7. Download the SAML Service Provider metadata .xml file
  8. Configure AD FS
    1. Add a new Relying Party Trust
    2. Specify the UAG SP .xml file as the source
    3. Configure the Claim Issuance Policy
  9. Connect to the UAG as a “client”
    1. Authenticate using AD FS
    2. Authenticate using AD credentials

Now, if we want to go further and implement AD FS with True SSO:

  1. Generate the SAML IdP settings on the UAG
    1. Import a signed certificate or use the generated one
    2. Copy the content of “Download IDP Settings”
  2. Configure the Horizon Connection Server for SAML auth with the UAG and AD FS
    1. Connect to the admin console of the Horizon Connection Server
    2. Add a SAML Authenticator for the UAG
      1. Mode: Static
      2. Paste the content of the UAG “Download IDP Settings”
      3. Change the EntityId if required
    3. Add a SAML Authenticator for AD FS
      1. Mode: Static
      2. Paste the content of FederationMetadata.xml
  3. Enable True SSO for the UAG and AD FS authenticators
    1. Using vdmUtil, enable both authenticators
  4. Check the True SSO connection
    1. Connect to the UAG as a client
    2. Once authenticated to AD FS, the list of available resources appears and you can log in without any other credentials

That said, let's see with some pictures how this is done:

Let’s start with Use Case #1

OK, the first thing is to change the expiration period of the SP SAML metadata of your Horizon Connection Servers and wait up to 24h for the new metadata to be generated (I personally set mine to 10 years):

https://my-virt.alfadir.net/index.php/2022/01/12/change-the-expiration-period-for-service-provider-metadata-on-connection-server/

The second thing is to get FederationMetadata.xml. You should be able to download it from https://<federation fqdn>/FederationMetadata/2007-06/FederationMetadata.xml; the exact path can be checked in AD FS Management under Service \ Endpoints:

AD FS Management
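Before importing any of these metadata files, it is worth checking what you are about to trust: the entityID, the validUntil of the Horizon sp.xml (the value the first step above is about) and the expiry of the signing certificates embedded in the file. The following PowerShell function is an added example written for this article, not part of the original post or of any VMware/Microsoft tooling; the URLs and paths in the usage lines are placeholders and the function works for the AD FS federation metadata, the Connection Server sp.xml and the SP metadata downloaded from the UAG alike.

```powershell
# Added example (not from the article): summarise a SAML metadata file before trusting it.
# $Source is a local path or an https:// URL (placeholders in the usage lines below).
function Get-SamlMetadataSummary {
    param(
        [Parameter(Mandatory)] [string] $Source
    )

    if ($Source -match '^https?://') {
        # Certificate validation is deliberately left on: a TLS problem on the
        # federation or Connection Server endpoint is something you want to see here.
        $xmlText = (Invoke-WebRequest -Uri $Source -UseBasicParsing).Content
    } else {
        $xmlText = Get-Content -Path $Source -Raw
    }

    [xml] $doc = $xmlText
    $entity = $doc.EntityDescriptor          # PowerShell exposes the root by local name, prefix or not

    # validUntil is present on the Horizon sp.xml (short by default, hence the article's step 1);
    # AD FS federation metadata normally has no validUntil at all.
    $validUntil = $null
    $metadataDaysLeft = $null
    if ($entity.validUntil) {
        $validUntil = [datetime] $entity.validUntil
        $metadataDaysLeft = [int] ($validUntil - (Get-Date)).TotalDays
    }

    # Every X509Certificate element: IdP signing/encryption certs in FederationMetadata.xml,
    # the SP signing cert in sp.xml and in the UAG SP metadata.
    $dsNs  = 'http://www.w3.org/2000/09/xmldsig#'
    $certs = foreach ($node in $doc.GetElementsByTagName('X509Certificate', $dsNs)) {
        $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int] ($cert.NotAfter - (Get-Date)).TotalDays
        }
    }

    [pscustomobject]@{
        EntityID         = $entity.entityID
        ValidUntil       = $validUntil
        MetadataDaysLeft = $metadataDaysLeft
        Certificates     = $certs
    }
}

# Usage (placeholders, replace with your own hosts/paths):
# Get-SamlMetadataSummary 'https://<federation fqdn>/FederationMetadata/2007-06/FederationMetadata.xml'
# Get-SamlMetadataSummary 'https://<connection server fqdn>/SAML/metadata/sp.xml'
# Get-SamlMetadataSummary 'C:\temp\uag-sp-metadata.xml'
```

Compare the thumbprints printed for FederationMetadata.xml with the token-signing certificate shown in AD FS Management, and check that the sp.xml MetadataDaysLeft reflects the new expiration period before you import the file anywhere.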

Then connect to the UAG admin UI, go to Identity Bridging Settings \ Upload Identity Provider Metadata and click the wheel:

Select the FederationMetadata.xml file and click “Save” (no need to specify the EntityID, it is filled in automatically from the xml file).

Now move to General Settings \ Horizon Settings :

Click “More”:

Select “SAML and Passthrough” for “Use Case #1” or “SAML” for “Use Case #2”

Select the Identity Provider and click “Download SAML Service Provider metadata”

Go to the bottom and click “Save” :

Configure AD FS Relying Party Trust

Now connect to your AD FS server, directly or using the MMC on your admin station.

Open AD FS Management and click “Add Relying Party Trust”

Click “Start”

Select “Import data about the relying party from a file” and select the xml file you downloaded from the UAG (SAML Service Provider metadata)

Continue with the default options.

Click “Edit Claim Issuance Policy”

And add the following claim rule:
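The same Relying Party Trust can be created from the ADFS PowerShell module on the AD FS server, which is easier to review and to reproduce on a second farm than the wizard. This is an added example written for this article, not the author's configuration: the trust name, the metadata path and the claim rule are assumptions. The rule the article shows in its screenshot is not reproduced here; the block assumes a “Send LDAP Attributes as Claims” rule that issues the user's UPN as the SAML Name ID, so adjust it to match the rule shown above if it differs.

```powershell
# Added example (not from the article): AD FS side of "Use Case #1" via the ADFS module.
# Run on the AD FS server (or a host with the ADFS module and rights on the farm).
Import-Module ADFS

$rpName = 'Horizon UAG'                    # display name of the trust (assumption)
$spMeta = 'C:\temp\uag-sp-metadata.xml'    # SP metadata downloaded from the UAG (assumption)

# Claim issuance policy (assumption): send the user's UPN as the Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization: the wizard default is "permit everyone"; tighten to a group if needed.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    # Importing the metadata file sets the identifier (UAG entityID), the assertion
    # consumer endpoints and the SP signing certificate in one go.
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $spMeta `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
} else {
    # Re-import when the UAG SP metadata changes (e.g. new UAG certificate or hostname).
    Set-AdfsRelyingPartyTrust -TargetName $rpName -MetadataFile $spMeta `
        -IssuanceTransformRules $transformRules
}

# Verify what was imported: the Identifier must be the UAG entityID and the
# SAML endpoints must point at the UAG external hostname, not at the Connection Server.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Enabled, Identifier, SignatureAlgorithm, EncryptClaims
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
```

If a later re-download of the UAG SP metadata changes the signing certificate, re-running the `Set-AdfsRelyingPartyTrust` branch is all that is needed on the AD FS side.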

Now you should be prompted for your AD FS credentials first before being able to log in to Horizon, and this is the end of “Use Case #1” 🙂

Let's move on to “Use Case #2”…

Notes :
TrueSSO must be installed and configured

Horizon Edge Service must be configured for a direct connection to a Connection Server and not to the load-balancer in front of the connection servers.

Let's start by configuring the SAML connection between the UAG and the Connection Server:
For this, connect to https://<your connection server fqdn>/SAML/metadata/sp.xml and copy the content of the .xml file

Connect to the UAG as admin and click on the wheel in front of “SAML Settings” in “Advanced Settings”

In “SAML Service Provider Settings”:

  • Specify a name
  • Paste the SAML SP metadata from your Connection Server and click “Save”

The new Service Provider appears and can be edited later if the certificate ever changes (e.g. because of expiration)… Click “Close”:

Now go back and edit the Horizon Edge Service, click “More” to show all items and, in “SAML SP”, enter the Service Provider name you set in the previous step:

Move to the bottom of the page and click “Save”

Click again on the wheel in front of “SAML Settings” in “Advanced Settings”

You can use the self-signed certificate or, if not already done, upload a private key and a signed certificate (preferred)

Specify the external hostname of the UAG and click “Download”

Select and Copy the content of “Identity Provider Settings”:

Click “Close”:

Connect to the admin console of your connection server, then go to Settings \ Server \ Connection Servers

Select your Connection Server and click “Edit”

Go to “Authentication” and click “Manage SAML Authenticators”

Click “Add”

Create the SAML 2.0 Authenticator for the UAG:

  • Select “Static”
  • Enter a label (e.g. UAG-01)
  • Paste the content of “Identity Provider Settings” from the UAG
  • Click “OK”:

Note: if you have to create multiple SAML 2.0 Authenticators for several UAGs, change the entityID in the pasted settings, as it must be unique per authenticator:

Create a second SAML 2.0 Authenticator for AD FS:

  • Select “Static”
  • Enter a label (e.g. AD FS)
  • Paste the content of “FederationMetadata.xml”
  • Click “OK”:

You should have at least 2 SAML authenticators :

  • One for UAG
  • One for ADFS

Now we need to enable the “AD FS” SAML authenticator for True SSO:

  • From the Connection Server, run the following command to list all authenticators and their current True SSO mode:
vdmUtil --authAs <admin horizon> --authDomain <domain> --authPassword <password> --truesso --list --authenticator
  • And the following command to enable the “AD FS” SAML authenticator for True SSO (the value of --name must be the authenticator name exactly as printed by the list command):
vdmUtil --authAs <admin horizon> --authDomain <domain> --authPassword <password> --truesso --authenticator --edit --name ADFS --truessoMode ENABLED

Note that --authPassword puts the Horizon administrator password on the command line, where it is visible in the process list and in the shell's command history on the Connection Server; run these commands from an interactive administrative session rather than from a script and clean up the history afterwards.

Now you should be able to connect to your Horizon resources using your AD FS credentials only.


1 Response

  1. Arnaud_Axians says:

    Hi, thanks for the article.
    Just one thing, are you sure of this: “Horizon Edge Service must be configured for a direct connection to a Connection Server and not to the load-balancer in front of the connection servers”?
    Maybe the configuration is different with ADFS, but I made a similar setup, except my IdP was Azure AD, and the UAG is indeed connected to the load balancer VIP (HA Proxy). And TrueSSO works fine.
    Regards
