Configuring the SAML Workflow with VMWare Horizon

Imprivata OneSign SAML Workflow Introduced

Configuring the SAML workflow eliminates the need to send an encrypted user name and password between Imprivata OneSign and VMware Horizon View when authenticating Imprivata OneSign users. When the SAML workflow is enabled:

  • Imprivata OneSign functions as the Identity Provider — During user authentication, the Imprivata agent requests a SAML artifact from the Imprivata appliance.
  • VMware Horizon View functions as the Service Provider — The Imprivata agent use the SAML artifact to authenticate the user to the Horizon Client. The VMware Horizon Connection Server validates the SAML artifact with the Imprivata appliance.

NOTE: The Imprivata OneSign SAML Workflow is not supported in offline mode.

Before You Begin

Before you begin:

Configuring the SAML Workflow

Configuring the SAML workflow requires that you:

To configure the VMware Horizon Connection Server:

  1. Note the fully qualified domain name (FQDN) of a single Imprivata appliance in the enterprise. This information is required to configure the connection.
  2. See "Configure a SAML Authenticator in View Administrator" in the VMware Horizon documentation to configure the connection. When configuring the connection, be sure to select Dynamic for the type of connection and enter the Metadata URL as follows:

    https://<fqdn_of_imprivata_appliance>/sso/vmware/idp/SAML2

The VMware Horizon Connection Server is configured to use Imprivata OneSign as an external identity provider.

Establish the trust relationship between Imprivata OneSign and VMware Horizon View by importing the following certificates into the View Connection Server host certificate store:

  • The Imprivata OneSign root CA certificate.
  • The server certificate from each Imprivata appliance in the enterprise.

Step 2a: Export the Root CA Certificate and Server Certificates

To export the required certificates:

  1. In the Imprivata Admin Console, click the certificate (lock) icon on the address bar.
  2. Click View certificates to open the Certificates window.
  3. Open the Certification Path tab. The root CA certificate is listed as the parent of the server certificate. For example:

    Example of a certificate path.

  4. Select the root certificate and click View Certificate.
  5. Click Copy to File to open the Certificate Export Wizard.
  6. In the Certificate Export Wizard, click Next, select Base-64 encoded X.509 (.CER), and then click Next.
  7. Name and save the file to a location that is accessible to the View Connection Server host.
  8. Return to the Certificates window and export the server certificate using the same encoding format.

NOTE: For every other Imprivata appliance in the enterprise, use the above steps to export the server certificate only.

Step 2b: Install the Certificates into the VMware Horizon Server Host Certificate Store

Install the SAML root certificate
  1. Log in to the View broker as the administrator.
  2. Double click the root certificate.
    If the certificate is saved as a test file: Right click the certificate and open with Crypto Shell Extensions. The Welcome to the Certificate Import Wizard page opens.
  3. Select Local Machine and click Next. The Certificate Store page opens.
  4. Check Place all certificates in the following store. Browse and select Trusted Root Certificate Authorities. Click Next. The Completing the Certificate Import Wizard page opens.
    The root certificate appears in the "You have specified the following settings" box.
  5. Click Finish.
Install the SAML appliance certificate
  1. Log in to the View broker as the administrator.
  2. Double click the appliance certificate.
    If the certificate is saved as a test file: Right click the certificate and open with Crypto Shell Extensions. The Welcome to the Certificate Import Wizard page opens.
  3. Select Local Machine and click Next. The Certificate Store page opens.
  4. Check Place all certificates in the following store. Browse and select Personal. Click Next. The Completing the Certificate Import Wizard page opens.
    Now, the root and appliance certificates appear in the "You have specified the following settings" box.
  5. Click Finish.

To enable the SAML workflow:

  1. In the Imprivata Admin Console, go to the Computers menu > Virtual desktops page.
  2. Do one of the following:
    • Go to the VMware Horizon – Desktops section and select Use SAML authentication.
    • Go to the VMware Horizon – Apps section and select Imprivata SAML credentials from the Authenticate using menu.
  3. Click Save.

The SAML workflow is enabled.