Horizon Cloud on Azure – True SSO Implementation [Part-12]

True SSO is a notable Horizon feature that saves users from entering their password multiple times.
Once a user has logged in to Workspace ONE, they are not required to enter their Active Directory credentials again to launch an app or desktop.

Prerequisites
  • Windows Certificate Authority Server
  • Pairing bundle (can be downloaded from the Horizon admin console)
  • New Windows server
  • True SSO enrollment agent setup
  • IPv4 subnet environment
  • VMware recommends 2 EA servers for HA
CA Configuration

If your environment does not already have a CA server, please follow this article.

  1. If you already have a CA server configured, check whether non-persistent certificate processing and ignore offline CRL errors are configured.
    Use certutil -getreg to check

  2. From the above, we see that non-persistent certificate processing and ignore offline CRL errors are not configured, so run the commands below and then restart the CA service for them to take effect

    certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    net stop certsvc
    net start certsvc
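To avoid reading the certutil output by eye, the check and the fix above can be scripted. This is an added example, not code from the original post or from VMware; it assumes certutil -getreg prints the decoded flag names (DBFLAGS_ENABLEVOLATILEREQUESTS, CRLF_REVCHECK_IGNORE_OFFLINE) and that it is run on the CA server in an elevated PowerShell session.

```powershell
# Added example: verify the two CA registry flags True SSO needs and, with -Fix,
# apply the same certutil commands as the article and restart certsvc.
# Assumption: certutil -getreg output contains the symbolic flag names on this CA.
function Test-TrueSsoCaFlags {
    [CmdletBinding()]
    param([switch]$Fix)

    # Registry value -> symbolic flag name that must appear in the certutil output.
    $required = @(
        @{ Key = 'DBFlags';     Flag = 'DBFLAGS_ENABLEVOLATILEREQUESTS' }  # non-persistent certificate processing
        @{ Key = 'ca\CRLFlags'; Flag = 'CRLF_REVCHECK_IGNORE_OFFLINE' }    # ignore offline CRL errors
    )

    $missing = foreach ($r in $required) {
        $out = & certutil.exe -getreg $r.Key 2>&1 | Out-String
        if ($LASTEXITCODE -ne 0) { throw "certutil -getreg $($r.Key) failed: $out" }
        if ($out -notmatch [regex]::Escape($r.Flag)) { $r }
    }

    if (-not $missing) {
        Write-Host 'Both True SSO CA flags are already set.'
        return $true
    }

    foreach ($m in $missing) { Write-Warning "$($m.Key) is missing $($m.Flag)" }
    if (-not $Fix) { return $false }   # report only

    # Same commands as the article; the leading '+' adds the bit without touching other flags.
    foreach ($m in $missing) {
        & certutil.exe -setreg $m.Key "+$($m.Flag)" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $($m.Key) +$($m.Flag) failed" }
    }

    # The new values take effect only after the CA service restarts.
    Restart-Service -Name CertSvc
    return $true
}

# Report only; run with -Fix to apply the missing flags and restart the CA service.
Test-TrueSsoCaFlags
```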

Windows Enrollment Server
  1. Build a new Windows server and add it to the domain
  2. Create NSG / firewall rules or peering between vNets to allow communication from the Active Directory servers & Pod Managers
Setup a Security Group

This security group will be used to assign permissions to issue certificates.
Servers added to this group inherit those permissions, so we will add the Enrollment servers to this group.
Please note that the group scope has to be Universal.

Certificate Template Creation on CA

Follow the screenshots below carefully to complete the template creation.

Certificate Template issue

Now that we have created a new template, proceed by issuing it.

Add Certificates
  1. Certificate Authority -> Right click on Certificate Templates
    New -> Certificate Template to Issue

  2. Add the new certificate template "True SSO Template"

  3. Also, add the existing certificate template "Enrollment Agent (Computer)"
    First grant permissions to the security group that was created earlier



If newly created certificates are not visible

There is a default limit in the schema flags so that only 10 templates are shown in the enable template section.
We can increase this with ADSI Edit; please make the changes as per the screenshot below.

True SSO – Pairing Bundle
  1. Download the True SSO pairing token from Astro → Settings → Active Directory

  2. Extract the pairing bundle and you will see the certificates, one per pod
Enrollment server Install
  1. Download True SSO Enrollment Server package from MyVMware downloads

  2. Install the software (straightforward, no changes are required)
Enrollment Server Configuration

Please follow the screenshots below step by step.
In the first step, open MMC on the Enrollment server, select Certificates and click OK.

Upload Pairing Bundle certs to ES Server

As per the Horizon Cloud documentation, uploading the certs into the VMware Horizon View Enrollment Server Trusted root folder is sufficient.
But in my case, it worked after I uploaded the certs into both VMware Horizon View Enrollment Server Trusted root & VMware Horizon View Certificates.

Please follow the screenshots below.

Horizon Admin portal – True SSO configuration
  1. Login to Horizon cloud admin portal
  2. Navigate to Astro → Settings → Active Directory
  3. Click on Microsoft Azure -> Add, as shown in the screenshot below

  4. Enter the enrollment server FQDN and click on TEST PAIRING -> If it succeeds, you will see that the Template Details & Certificate Authorities details are fetched automatically
    Click on SAVE to complete the configuration
Enable True SSO on Workspace One Access
  1. Login to Workspace One tenant admin console
  2. Click on Catalog → Virtual Apps Collection

  3. Select the Collection and Click on EDIT

  4. Click on Tenant and click on the host to edit the collection

  5. Navigate to the TRUE SSO section, enable the toggle as shown in the screenshot below and click on SAVE
