This blogpost describes the step-by-step guide to configure Azure AD / MFA authentication for the following platforms:

• Horizon DaaS 9.x
• Horizon Cloud on Azure
• Horizon Cloud on IBM Cloud

Special thanks to Praveet Zain, CTO Backbone UK, for sharing his knowledge and screenshots!

Before we continue, this article assumes you already have a hybrid solution and syncing Active Directory user and group objects from the on-prem data center to the Azure tenant so we will not cover that part. If you want more information on how to set this up, you can take a look at the official Microsoft Docs page.

Requirements

Other requirements for the Azure AD / MFA integration with Horizon DaaS and Horizon Cloud are:

• Workspace ONE Access environment with Horizon DaaS / Horizon Cloud integration and on-prem Active Directory. I already created a step-by-step guide on how to do this.
• VMware True SSO setup for Horizon DaaS / Horizon Cloud. Please follow my previous blog post for the configuration.

Note: Workspace ONE Access is a requirement for enabling True SSO for Horizon DaaS or Horizon Cloud. For Horizon 7 or Horizon 8 (on-prem) environments, you can configure the Azure AD IDP configuration directly in the UAG 3.8 and newer.

Azure Portal

Lets begin with the configuration. As a first step, we will create a new Enterprise Application in the Azure Portal.

Log in to the Azure Portal and Click Enterprise Applications -> New Application

Click Create your own application

Give the new application a name, for example Workspace ONE Access, select Integrate any other application you don’t find in the gallery and click Create

Once the application is created, click Setup single sign on from the menu or click the button in the middle. Next, click SAML

In the Basic SAML Configuration (1) section, click Edit and add the Identifier (Entity ID) and Reply URL

The Identity ID and Reply URL can be found in the SP metadata XML from your Workspace ONE Access environment. Open the following URL in your browser:

• h ttps://<your Workspace ONE Access URL>/SAAS/API/1.0/GET/metadata/sp.xml

• Identifier = EntityID Value from the .xml file (on top of the file)
• Reply URL = The POST Value from the Assertion Consumer Service in the .xml file (almost at the bottom)

Save the settings.

Next, Edit User Attributes & Claims (2)

First, configure the Unique User Identifier (Name-ID) with the user.mail Value.

You will notice the Azure AD portal will automatically fill in an URL in front of the Claim Names. You will have to Remove all these URL’s.

After you removed the URL’s, type the Claim names and Values exactly as you see in the screenshot and notice the capitals. This is important, if you miss a capital or make a typo the authentication will not work.

Note: distinguishedName is not necessarily required.

Also make sure, the claims match your AD attributes in the Workspace ONE Access portal. With a Horizon DaaS or Cloud integration, the following attributes are usually mapped (as a Best Practice):

• distinguishedName
• email
• firstName
• lastName
• userName
• userPrincipalName

Next, scroll down to SAML Signing Certificate (3) and Download the Federation Metadata XML.

Also copy the Logout URL in Step 4. You will need both the XML and Logout URL for the 3rd party IDP configuration in Workspace ONE Access.

And finally, decide for yourself if you want to give User or AD group permission to this newly created Enterprise Application, or if you want to disable user assignment. Pick at least one of these two options, otherwise authentication will not work.

Workspace ONE Access

In the Workspace ONE Access Admin Console, go to the Identity & Access Management, Identity Providers menu. Add/Create a SAML IDP Identity Provider.

Give the IDP a name, for example Azure AD.

Paste the complete content of the Federation Metadata XML you’ve downloaded earlier Azure Portal. Click Process IDP Metadata.

You will see that the SAML AuthN Request binding field will change to HTTP Redirect. Leave this default.

Next, add two Name ID Formats:

• unspecified = userName
• emailAddress = emails

Set the Name ID policy in SAML request (optional) to unspecified.

Leave Just-in-Time User Provisioning disabled. Select the on-prem Active Directory domain and the correct network (in my case ALL RANGES).

Fill in the Authentication Methods name, for example Azure AD. Select the SAML 2.0 classes Password SAML Context.

Scroll down and enable the Single Sign-Out Configuration. Paste the Logout URL you’ve copied from the Azure Portal. This will allow the end-users to log off from the Workspace ONE Access portal when they select this option from the menu. If you do not configure anything, the end-users will stay logged on.

The IDP is now correctly configured! Save the settings.

Next, we will add the new Authentication Method to the Authentication Policy. Click the Policies menu and edit the default policy.

Edit the Device Type policies and select the newly created Azure AD Authentication Method.

Click SAVE and you’re done!

Horizon Admin portal

In most cases, you want to make sure the end-users are not able to bypass the newly created Azure AD / MFA authentication from Workspace ONE by directly accessing the tenant user portal (via the UAG). In that case, you will have to enable Workspace ONE Redirection.

From the Horizon Admin portal, go to Settings, Identity Management. Click Edit and enable the redirection.

Next, click Configure and enable for external and/or internal connections.

The User Experience

When the end-users access the Workspace ONE Access URL, they will be immediately redirected to the Azure authentication portal. After they fill in their Azure AD password, and optionally their Azure MFA token details, they are authenticated redirected to the Workspace ONE Access portal. At this step, you will need to have True SSO in place to be able to launch the Horizon DaaS or Horizon Cloud resources.