Recently I’ve had a customer requirement for MFA in the form of VMware Verify against Horizon applications and desktops. This is a great way of protecting access into your virtual desktop infrastructure through Workspace ONE.
A couple of things to bear in mind here: VMware Verify is an MFA solution delivered within Workspace ONE Access that requires a mobile device for authentication, and Horizon by default does not require authentication through Workspace ONE. That is a feature we’ll need to configure so that our users are forced to authenticate through Workspace ONE Access, are presented with our Verify authentication, and then load the Horizon application or desktop.
Workflow (Browser):
- User logs in to our Workspace ONE Access front end.
- User presented with all applications
- User selects Horizon Desktop/App
- User presented with Verify authentication
- Horizon desktop/app loads in browser or native Horizon application
Workflow (Native Horizon App):
- User connects to front facing connection server
- Browser opens to Workspace ONE
- User selects desktop/app
- User authenticates with Verify
- Horizon desktop/app loads in browser or native Horizon application
In order to enable this workflow, there are a couple of bits we need to configure…
Before starting the config, we’re assuming the following setup:
- Horizon desktops/apps have been added into Workspace ONE Access, synced and assigned to the users
- Users can connect to the front facing connection server (UAG) and load their desktops/apps (page30)
- True SSO setup within Horizon with Enrollment server providing automated user sign in
- Verify has been enabled as an auth adapter in Workspace ONE Access
What we need to finish the configuration:
- SAML authentication into Horizon
- Horizon set to Workspace ONE mode
- Authentication policy changed within Workspace ONE Access to force Verify for Horizon desktop/app
SAML authentication into Horizon
Enabling SAML in Horizon is very straightforward:
1. Navigate to your Workspace ONE Access admin console and grab the idp.xml information here: Catalogue->Web Apps->Settings->SAML Metadata, then click ‘Copy URL’ on the IDP Metadata link.
2. After you’ve copied the idp link, navigate to your Horizon instance. Within the Admin page navigate to Settings->Servers-> Connection Servers and hit edit. This will bring up the following box. Select Authentication.
3. Click on ‘Manage SAML Authenticators’ and hit Add
4. ‘Label’ your Authenticator and paste the metadata URL copied in step 1. Add your administration URL and enable it for your Horizon instance.
Enabling Workspace ONE Mode
5. Once this has been completed you can decide whether or not you want to require or allow this form of authentication. You’ll notice that if you select allow, the Workspace ONE mode box will be greyed out so select ‘Required’ and check the ‘Enable Workspace ONE mode’ box. If you fire up a local native Horizon client now, you’ll be re-directed to Workspace ONE when you try and connect to your connection server.
6. Now our Horizon instance is set up to force users to authenticate with Workspace ONE, which allows us to put additional authentication around the VDI machines and apps.
Creating your Verify policy
7. I’d recommend creating a separate policy to prompt for Verify authentication. This will allow you to tie this specific authentication to the specified app whilst leaving your default access policy alone. I’ve created one that looks like this:
8. To apply this policy to your Horizon desktop/app, find the ‘Virtual App’ that you would like to add the additional authentication to:
9. In my example I’m going to add Verify to my Windows RDS desktop. Click on the desktop/application:
10. You’ll notice in the bottom left there is the ‘Access Policy’ section. Click edit in the top and change the policy to your newly created Verify access policy and Voila!
This will work exactly the same way with Windows 10/macOS using the native Horizon apps as well!
Sales Engineer specialising in Unified Endpoint Management (UEM) and the Digital Workspace.