This article was created based on my understanding while working on Universal Broker.
I have already discussed the Universal Broker configuration for Horizon Cloud on Azure in this article.
Now let's discuss how the authentication and desktop launch flow works.
Authentication and Session launch flow
- Using the Horizon Client or a browser, the user connects to the Universal Broker URL and enters their credentials.
- If two-factor authentication is configured, the request goes to the UAG, and the UAG contacts the MFA server to complete the authentication.
- Once the 2FA authentication succeeds, control returns to the Horizon Client / browser, which prompts for AD authentication.
- The user enters their AD credentials.
- Universal Broker connects to the Smart Node via the UB Client (the CBCS service, which is started as part of the UB transition / broker selection) and sends the credentials in encrypted form.
- The Smart Node validates the credentials against Active Directory.
- The Smart Node sends the AD authentication result back to Universal Broker.
- If the credentials the user entered are valid, Universal Broker sends the entitlement information to the Horizon Client / browser (this entitlement information is synced periodically from the control plane to Universal Broker).
- The user clicks on the entitlement (assignment).
- Universal Broker connects to the Smart Node via the UB Client and starts allocating a session based on VM availability (checking agent status, etc.).
- The Smart Node sends the VM information to Universal Broker.
- Universal Broker sends the UAG FQDN for the VM together with the session launch details (VM name, IP, and the other details required to launch the protocol session) to the Horizon Client.
- The session launch (secondary protocol) then happens from the UAG directly to the assigned VDI.
Note: VDI to Smart Node communication happens through JMS.