Horizon UAG – Integrating Azure MFA with Unified Access Gateway (UAG)


From UAG 3.8 onwards , VMware supports third party IDP’s authentication using SAML.
In this article , we will try to learn how to integrate Azure Multi-Factor Authentication (MFA) with VMware Unified Access Gateway


  • VMware UAG (minimum version 3.8)
  • Azure AD Subscription
  • MFA feature included Azure license
  • Azure AD connect to synchronise on-primse users & groups from Active Directory
  • Existing UAG URL
  • Global Administrator account in Azure AD

Azure side configuration

  • Login to the Azure Portal (an user having Global admin privilages)
  • Search for Azure Active Directory & Click on it

  • Select Enterprise applications – For this case I have Azure AD Premium P2 license

  • From All applications – select New application

  • Search for VMware Horizon and Select VMware Horizon – Unified Access Gateway

  • Click on Create

  • Wait till the application is added to the portal

  • Click on VMware Horizon – Unified Access Gateway and once you are inside the application , Click on Single sign-on

  • Select SAML

  • Edit Basic SAML Configuration & Enter the details as below -> Save

    Identifier (Entity ID) –> https://<UAG FQDN>/portal
    Reply URL (Assertion Consumer Service URL) –> https://<UAG FQDN>/portal/samlsso
    Sign on URL (Optional) –> https://<UAG FQDN>/portal/samlsso

  • Now download the Federation Metadata XML

UAG configuration

  • Login to UAG as admin using URL –> https://<uag fqdn >:9443
  • click on configure manually
  • In the Advanced settings section , click on settings icon button of Upload identity Provider Metadata

  • Click on select which is next to IDP Metadata

  • Upload the downloaded Federation Metadata XML file from azure side configuration and click on Save

  • Under General settings section , click on settings icon button of Horizon Settings

  • From Auth Methods drop down , select SAML
    We can see Identity Provider is chosen as Azure MFA (https://sts.windows.net)