VMware Horizon True SSO with UAG SAML

Last Modified: Mar 23, 2021 @ 4:37 pm



To configure SAML on Unified Access Gateway (UAG), you must have the following versions:

  • UAG 3.8 or newer
  • Connection Servers 7.11 or newer
  • For Windows 10 version 2004, deploy Horizon 2103 (8.2)

True SSO is optional.

  • SAML does not provide the user’s password to Horizon, which means that Horizon cannot perform single sign-on to the Horizon Agent machine and thus the Horizon Agent machine will prompt the user to login again. This usually means the user has to login twice.
  • To eliminate the second logon on the Horizon Agent machine, implement True SSO, which generates certificates for each user and then uses those certificates to automatically sign into the Horizon Agent machine.

Horizon Enrollment Servers ask Microsoft Certificate Authority servers to generate the SSO certificates for each user. This is an identity operation and thus the Horizon Enrollment Servers should be treated like Domain Controllers.

  • The Horizon Enrollment Server software must be installed on standalone servers (no other Horizon components).
  • For High Availability you can build two Horizon Enrollment Servers.

When you use Horizon Client to connect to a UAG that is SAML-enabled:

  1. It opens the default browser and prompts the user to sign into your SAML Identity Provider. If the user is already signed in then the user won’t see any sign-in prompt.
  2. After sign-in, the browser will then prompt the user to open VMware Horizon Client.
  3. If the user locks the desktop then the user will need to know the local Active Directory password to unlock it.

Certificate Authority

Horizon Enrollment Servers can use a Microsoft Certificate Authority that already exists. Or you can install Microsoft Certificate Authority on the Horizon Enrollment Servers. If you have two Enrollment Servers, then install Microsoft Certificate Authority on both of the servers.

  1. Install Microsoft Certificate Authority from Server Manager > Manage > Add Roles and Features.
  2. Select Active Directory Certificate Services.
  3. The only Role Service needed for True SSO is Certification Authority.

The Microsoft Certificate Authority must be an Enterprise CA.

  1. After role installation, click the flag icon and then click the link to Configure Active Directory Certificate Services.
  2. In the Setup Type page, select Enterprise CA.
  3. In the CA Type page, if you already have a Root CA, then you can select Subordinate CA. Otherwise, you need at least one Root CA in your environment.

After Microsoft CA is installed, run the following commands:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
sc stop certsvc
sc start certsvc

If you just built a new Certificate Authority server then True SSO won’t work until you run gpupdate /force on all of your Domain Controllers and Horizon Agent machines. Or wait several hours for group policy to update.

Certificate Template

  1. On the Certificate Authority machine, from Start Menu, run Certification Authority.
  2. Right-click the Certificate Templates node and click Manage.
  3. Right-click the Smartcard Logon template and click Duplicate Template.
  4. On the Compatibility tab, change the drop-down for Certification Authority to Windows Server 2008 R2.
  5. Change the drop-down for Certificate recipient to Windows 7 / Server 2008 R2.
  6. On the General tab, name it True SSO or similar.
  7. Change the Validity Period to 1 day or similar.
  8. On the Request Handling tab, change the drop-down for Purpose to Signature and smartcard logon.
  9. Check the box next to For automatic renewal of smart card certificates, use the existing key if a new key cannot be created.
  10. On the Cryptography tab, change the drop-down for Provider Category to Key Storage Provider.
  11. On the Server tab, check the top box for Do not store certificates and requests in the CA database.
  12. Uncheck the bottom box for Do not include revocation information in issued certificates.
  13. On the Issuance Requirements tab, check the box next to This number of authorized signatures and enter 1 as the value.
  14. Change the drop-down for Policy type required in signature to Application policy.
  15. Change the drop-down for Application policy to Certificate Request Agent.
  16. At the bottom, change the selection to Valid existing certificate.
  17. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  18. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  19. Back in the Certificate Templates Console, right-click the Enrollment Agent (Computer) template and click Properties.
  20. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  21. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  22. Close the Certificate Templates Console.
  23. Back in the Certification Authority Console, with Certificate Templates highlighted on the left, if your environment has multiple CAs but this CA is dedicated to True SSO, then delete all templates from the right. Note: Domain Controllers must have certificates installed so make sure you have at least one other CA that is issuing Domain Controller certificates.
  24. Right-click Certificate Templates and click New > Certificate Template to Issue.
  25. Select Enrollment Agent (Computer) and click OK.
  26. Issue another certificate template but this time select the True SSO template.
  27. Your CA should now show the two templates.
  28. If you have a second CA, and if it is dedicated to True SSO, then delete all templates from that CA. Then configure it to issue the same two templates.

Enrollment Server

Horizon Enrollment Server must be installed on dedicated machine(s) that don’t have any other Horizon components installed.

  1. Login to the new Horizon Enrollment Server that has at least 4 GB of RAM.
  2. Run certlm.msc.
  3. Expand Personal, then right-click Certificates, expand All Tasks, and click Request New Certificate.

    1. In the Before You Begin page, click Next.
    2. In the Select Certificate Enrollment Policy page, click Next.
    3. In the Request Certificates page, check the box next to Enrollment Agent (Computer) and then click Enroll.
    4. In the Certificate Installation Results page, click Finish.
    5. Notice the expiration date on the Enrollment Agent certificate. Make sure you renew it before it expires.
  4. Go to the downloaded Horizon software and run VMware-Horizon-Connection-Server-x86_x64.exe.
  5. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  6. In the License Agreement page, select I accept the terms in the license agreement and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Installation Options page, change the selection to Horizon Enrollment Server and click Next.
  9. In the Firewall Configuration page, click Next.
  10. In the Ready to Install the Program page, click Install.
  11. In the Installer Completed page, click Finish.
  12. If Microsoft CA is installed on the Enrollment Server, then run regedit.
    1. Go to HKLM\Software\VMware, Inc.\VMware VDM.
    2. Create a new Key named Enrollment Service.
    3. Under Enrollment Service, create a new String (REG_SZ) value named PreferLocalCa and set it to TRUE.
  13. If you have two Enrollment Servers, then repeat this entire section on the other server. This includes requesting the Enrollment Agent certificate, installing the Enrollment Server software, and setting the PreferLocalCa registry value.


  1. Log in to a Connection Server and run certlm.msc.
  2. On the left, expand VMware Horizon View Certificates and then click Certificates.
  3. On the right, find the certificate with the Friendly Name vdm.ec, right-click it, expand All Tasks, and then click Export. All Connection Servers have the same certificate so you only need to export from one of the Connection Servers.
  4. In the Export Private Key page, select No, do not export the private key, and then click Next.
  5. In the Export File Format page, leave it set to DER, and then click Next.
  6. Save the certificate to a file that you can access from your Enrollment Server(s).
  7. Log in to an Enrollment Server and run certlm.msc.
  8. On the left, right-click VMware Horizon View Enrollment Server Trusted Roots, expand All Tasks, and click Import.
  9. In the Welcome to the Certificate Import Wizard page, click Next.
  10. In the File to Import page, browse to the certificate that you exported from the Connection Server and then click Next.
  11. In the Certificate Store page, VMware Horizon View Enrollment Server Trusted Roots should already be selected so just click Next.
  12. In the Completing the Certificate Import Wizard page, click Finish.
  13. Repeat the certificate import process on the other Horizon Enrollment Server.


  1. Login to your SAML Identity Provider (IdP) and create an application for Unified Access Gateway.
  2. For Okta, see VMware Tech Zone.
  3. Azure AD has a gallery application to make configuration easier. Or use the following values:
    • Identifier = https://*.HORIZON_UAG_FQDN.com/portal
    • Reply URL (Assertion Consume Service URL = https://<HORIZON_UAG_FQDN>/portal/samlsso
  4. When done, it should look something like this:
  5. Download the Federation Metadata XML from your Identity Provider. The Metadata Url doesn’t seem to work.
  6. Login to your UAG admin page (https://<HORIZON_UAG_FQDN>:9443/admin).
  7. Select Configure Manually.
  8. Scroll down to the section named Identity Bridging Settings and click Upload Identity Provider Metadata.
  9. Click Select in the IDP Metadata row.
  10. Browse to the .xml file and then click Save.
  11. At the top of the page, next to Edge Service Settings click SHOW.
  12. Next to Horizon Settings click the gear icon.
  13. At the bottom of the page, click More.
  14. At the top of the page, change the drop-down for Auth Methods to SAML.
  15. Change the drop-down for Identity Provider to the SAML Identifier in the Metadata that you just imported.
  16. At the bottom of the page click Save.
  17. Login to Horizon Console.
  18. In the left menu, go to Settings > Servers.
  19. On the right, click the tab named Connection Servers.
  20. Highlight a Connection Server that UAG talks to and click Edit.
  21. Switch to the tab named Authentication.
  22. Change the drop-down for Delegation of Authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.
  23. Click the button named Manage SAML Authenticators.
  24. Click Add.
  25. Change the selection for Type to Static. Dynamic seems to only be valid for VMware Access (aka Identity Manager).
  26. Go to your Metadata .xml file and edit it with a text editor. Then copy its contents to your clipboard.
  27. Back in Horizon Console, in the SAML Metadata field, paste in the contents.
  28. Give your SAML 2.0 Authenticator a name and click OK.
  29. Click OK to close the Manage SAML Authenticators window.
  30. Edit other Connection Servers that UAG talks to and go to the Authentication tab.
  31. Set SAML 2.0 Authenticator to Allowed and then click the Manage SAML Authenticators button.
  32. The previously created SAML Authenticator should already be there so just click Edit.
  33. At the bottom, check the box next to Enabled for Connection Server and then click OK. Repeat on any other Connection Server that UAG talks to.
  34. In Horizon Console, if you go to Monitor > Dashboard and then click VIEW in the System Health section.
  35. On the left go to Other Components. On the right go to the tab named SAML 2.0. You should see your SAML Authenticator.

Enable True SSO

Login to one of the Connection Servers and open a Command Prompt as administrator. The commands in this section have case sensitive parameter names. These commands are vdmutil, not vdmadmin.

Run the following command to add each Enrollment Server.

vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn,enroll-server2-fqdn

Run the following command to see the available certificate authorities and certificate templates for a particular domain.

vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn

Run the following command to enable the Enrollment Servers for a particular domain. This syntax configures the Enrollment Servers as active/passive (failover).

vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --secondaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name1,ca2-common-name --mode enabled

Run the following command to see the SAML Authenticators configured in Horizon Console.

vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator

Run the following command to enable True SSO for a particular SAML Authenticator.

vdmUtil --authAs admin-role-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}

If you prefer to load balance your Enrollment Servers instead of active/passive, do the following:

  1. On a Connection Server, run adsiedit.msc.
  2. Change the Connection Point to dc=vdi,dc=vmware,dc=int.
  3. Change the Computer to localhost and then click OK.
  4. On the left, expand Properties, and then click Global.
  5. On the right, double-click Common.
  6. Find pae-NameValuePair in the list and Edit it.
  7. Enter cs-view-certsso-enable-es-loadbalance=true and then click Add.
  8. Click OK a couple times to close everything.

You can view the status of True SSO in Horizon Console.

  1. In Horizon Console, go to Monitor > Dashboard and on the right, in the System Health section, click VIEW.
  2. With Components selected on the left, on the right is a tab named TrueSSO.

23 thoughts on “VMware Horizon True SSO with UAG SAML”

  1. Hey Carl,

    At the step to create the connector for True SSO I get this error and can’t figure out:

    Connector certificate servers {my dedicated ca and enrollment server} are not present on the primary enrolment server.

    Many thanks for your support.

    1. Hi Carl, Got it fixed now I’m stuck to the client dekstop auth page saying: The attempted logon is invalid. this is either due to a bad username or authentication information… etc

      1. This could be an issue with domain controllers not trusting the smart card certificate or some other crypto problem. There are event logs (e.g. CAPI2, Kerberos) that might provide more details.

  2. Carl,

    How do you setup the Azure enterprise app for multiple UAG? If you have uag01.domain.com uag02.domain.com, and they are behind vdi.domain.com? How can I configure the enterprise app for the two UAG names and the LB name? The UAG are both set to re-erite their host names and not hide behind the lb vdi.domain.com

    1. When UAG does the redirect to Azure AD for the authentication request is each UAG is sending a different Reply URL? I think Azure AD lets you add multiple Reply URLs to a single Enterprise App.

      Otherwise, send the Reply URL to the load balancer FQDN and either UAG can process the SAML Assertion. After that, SAML is no longer involved and the rest is Connection Server with True SSO.

  3. Great article. One thing to add is that if you do this over multiple pods the same enrolment servers can be used. We have two pods and to add the second pod it was as simple as importing the connection cert into the enrolment servers to setup trust then running the vdmutil commands on the pod.

  4. Hello Carl,

    We are currently on Horizon 7.12. and Im working on bringing a passwordless login to my users using a FIDO2 Biometric key. However once I started to check on the TrueSSO Feature VMWare states its not working when you use the Direct Connect Plugin which we do due to our Nvidia vGPUs. Do you know of a way to use TrueSSO in our scenario or is this limitation might be lifted in a later Horizon Version?

    1. I suspect that True SSO requires Connection Servers.

      Are you able to RDP to the machines intead of Direct Connect Plugin?

  5. We are implementing as below:

    Client –> UAG [Integrated with ADFS SAML (UserId/Passwd+2nd Factor )] –> VCS server TRUESSO enabled +SAML authenticator created

    This one not working as expected:
    1. When authentication happens 1st time — userID + Passwd AND 2nd Factor from ADFS
    2. It asks again UserID+Passwd and then user can see desktop pool
    3. Launch machine it login automaticall.

    Want to understand if above design is supported or not.
    If Yes then where could be an issue as we suspect NUs VCS server is not understanding the SAML reqst coming from UAG

    1. On the UAG, at Horizon Settings > More, is Authentication set to just SAML? Or is it set to SAML + Passthrough. It should be just SAML.

      1. Also now behavior has been changed some what.

        As per vmware feedback we provided UPN in SAML response instead SAMaccount name.

        Its gives error like serve expecting credential from different application.

        UAG — SAML only
        VCS SAML authenticator — Allowed
        SAML response — UPN format

        Log lines as below:

        User Principle Name in Ad : XXX@nus.edu.sg
        We have already tried with this and we end up in same error. I am attaching the older debug log file where we set passing parameter to XXX@nus.edu.sg

        2021-06-11T15:10:39.877+08:00 DEBUG (1224-1F24) [SamlUtil] (SESSION:1476_***_4886) Using SAML Authenticator: http://vafs-c.nus.edu.sg/adfs/services/trust
        2021-06-11T15:10:39.880+08:00 DEBUG (1224-1F24) [SamlAuthFilter] (SESSION:1476_***_4886) Processing Saml Type-A Assertion

        2021-06-11T15:10:39.882+08:00 DEBUG (1224-1F24) [SamlAuthFilter] (SESSION:1476_***_4886) SAML auth received a valid UPN: XXX@nus.edu.sg
        2021-06-11T15:10:39.882+08:00 DEBUG (1224-1F24) [WinAuthUtils] (SESSION:1476_***_4886) Sending UPN to winauth service: XXX@nus.edu.sg

        2021-06-11T15:10:39.905+08:00 ERROR (0EF4-21D0) [ws_winauth] Failed to bind to LDAP://ext.nus.edu.sg (The user name or password is incorrect.)
        2021-06-11T15:10:39.910+08:00 ERROR (0EF4-21D0) [ws_winauth] Failed to bind to LDAP://stf.nus.edu.sg (The user name or password is incorrect.)
        2021-06-11T15:10:39.917+08:00 ERROR (0EF4-21D0) [ws_winauth] Failed to bind to LDAP://stu.nus.edu.sg (The user name or password is incorrect.)

        2021-06-11T15:10:39.917+08:00 ERROR (1224-1F24) [ProperoAuthFilter] (SESSION:1476_***_4886) Error performing authentication: Error instantiating PAEContext for mohirech@nus.edu.sg: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user – sid not available – ErrorCode = 1

        2021-06-11T15:10:39.918+08:00 DEBUG (1224-1F24) [ProperoAuthFilter] (SESSION:1476_***_4886) Error performing authentication com.vmware.vdi.logger.Logger.debug(Logger.java:44)com.vmware.vdi.broker.filters.FatalAuthException: Error instantiating PAEContext for XXX@nus.edu.sg: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user – sid not available –

        We tried providing nameID in SAML as below format as well:

        all having similar issue.

  6. Hello
    I have used alot of your really great documentation/tutorials.

    For the POC that we are doing at the moment is UAG saml SSO. I dont know if it is missing in the documentation or if there is something with our setup. I found out that I needed “/view-client/(.*)” in proxy pattern settings in the UAG to be able reach the html client.

    / Henrik

  7. Hi Carl, did we absolutely need Horizon Entreprises licence for trueSSO? Can TrueSSO work with Horizon Standard licence ?

Leave a Reply