VMware Horizon True SSO with UAG SAML

Last Modified: Jun 13, 2022 @ 4:43 pm

Navigation

Overview

To configure SAML on Unified Access Gateway (UAG), you must have the following versions:

  • UAG 3.8 or newer
  • Connection Servers 7.11 or newer
  • For Windows 10 version 2004, deploy Horizon 2103 (8.2)

True SSO is optional.

  • SAML does not provide the user’s password to Horizon, which means that Horizon cannot perform single sign-on to the Horizon Agent machine and thus the Horizon Agent machine will prompt the user to login again. This usually means the user has to login twice.
  • To eliminate the second logon on the Horizon Agent machine, implement True SSO, which generates certificates for each user and then uses those certificates to automatically sign into the Horizon Agent machine.

Horizon Enrollment Servers ask Microsoft Certificate Authority servers to generate the SSO certificates for each user. This is an identity operation and thus the Horizon Enrollment Servers should be treated like Domain Controllers.

  • The Horizon Enrollment Server software must be installed on standalone servers (no other Horizon components).
  • For High Availability you can build two Horizon Enrollment Servers.

When you use Horizon Client to connect to a UAG that is SAML-enabled:

  1. It opens the default browser and prompts the user to sign into your SAML Identity Provider. If the user is already signed in then the user won’t see any sign-in prompt.
  2. After sign-in, the browser will then prompt the user to open VMware Horizon Client.
  3. If the user locks the desktop then the user will need to know the local Active Directory password to unlock it.

Certificate Authority

Horizon Enrollment Servers can use a Microsoft Certificate Authority that already exists. Or you can install Microsoft Certificate Authority on the Horizon Enrollment Servers. If you have two Enrollment Servers, then install Microsoft Certificate Authority on both of the servers.

  1. Install Microsoft Certificate Authority from Server Manager > Manage > Add Roles and Features.
  2. Select Active Directory Certificate Services.
  3. The only Role Service needed for True SSO is Certification Authority.

The Microsoft Certificate Authority must be an Enterprise CA.

  1. After role installation, click the flag icon and then click the link to Configure Active Directory Certificate Services.
  2. In the Setup Type page, select Enterprise CA.
  3. In the CA Type page, if you already have a Root CA, then you can select Subordinate CA. Otherwise, you need at least one Root CA in your environment.

After Microsoft CA is installed, run the following commands:

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
sc stop certsvc
sc start certsvc

If you just built a new Certificate Authority server then True SSO won’t work until you run gpupdate /force on all of your Domain Controllers and Horizon Agent machines. Or wait several hours for group policy to update.

Certificate Template

  1. On the Certificate Authority machine, from Start Menu, run Certification Authority.
  2. Right-click the Certificate Templates node and click Manage.
  3. Right-click the Smartcard Logon template and click Duplicate Template.
  4. On the Compatibility tab, change the drop-down for Certification Authority to Windows Server 2008 R2.
  5. Change the drop-down for Certificate recipient to Windows 7 / Server 2008 R2.
  6. On the General tab, name it True SSO or similar.
  7. Change the Validity Period to 1 day or similar.
  8. On the Request Handling tab, change the drop-down for Purpose to Signature and smartcard logon.
  9. Check the box next to For automatic renewal of smart card certificates, use the existing key if a new key cannot be created.
  10. On the Cryptography tab, change the drop-down for Provider Category to Key Storage Provider.
  11. On the Server tab, check the top box for Do not store certificates and requests in the CA database.
  12. Uncheck the bottom box for Do not include revocation information in issued certificates.
  13. On the Issuance Requirements tab, check the box next to This number of authorized signatures and enter 1 as the value.
  14. Change the drop-down for Policy type required in signature to Application policy.
  15. Change the drop-down for Application policy to Certificate Request Agent.
  16. At the bottom, change the selection to Valid existing certificate.
  17. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  18. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  19. Back in the Certificate Templates Console, right-click the Enrollment Agent (Computer) template and click Properties.
  20. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  21. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  22. Close the Certificate Templates Console.
  23. Back in the Certification Authority Console, with Certificate Templates highlighted on the left, if your environment has multiple CAs but this CA is dedicated to True SSO, then delete all templates from the right. Note: Domain Controllers must have certificates installed so make sure you have at least one other CA that is issuing Domain Controller certificates.
  24. Right-click Certificate Templates and click New > Certificate Template to Issue.
  25. Select Enrollment Agent (Computer) and click OK.
  26. Issue another certificate template but this time select the True SSO template.
  27. Your CA should now show the two templates.
  28. If you have a second CA, and if it is dedicated to True SSO, then delete all templates from that CA. Then configure it to issue the same two templates.

Enrollment Server

Horizon Enrollment Server must be installed on dedicated machine(s) that don’t have any other Horizon components installed.

  1. Login to the new Horizon Enrollment Server that has at least 4 GB of RAM.
  2. Run certlm.msc.
  3. Expand Personal, then right-click Certificates, expand All Tasks, and click Request New Certificate.

    1. In the Before You Begin page, click Next.
    2. In the Select Certificate Enrollment Policy page, click Next.
    3. In the Request Certificates page, check the box next to Enrollment Agent (Computer) and then click Enroll.
    4. In the Certificate Installation Results page, click Finish.
    5. Notice the expiration date on the Enrollment Agent certificate. Make sure you renew it before it expires.
  4. Go to the downloaded Horizon software and run VMware-Horizon-Connection-Server-x86_x64.exe.
  5. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  6. In the License Agreement page, select I accept the terms in the license agreement and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Installation Options page, change the selection to Horizon Enrollment Server and click Next.
  9. In the Firewall Configuration page, click Next.
  10. In the Ready to Install the Program page, click Install.
  11. In the Installer Completed page, click Finish.
  12. If Microsoft CA is installed on the Enrollment Server, then run regedit.
    1. Go to HKLM\Software\VMware, Inc.\VMware VDM.
    2. Create a new Key named Enrollment Service.
    3. Under Enrollment Service, create a new String (REG_SZ) value named PreferLocalCa and set it to 1.
  13. If you have two Enrollment Servers, then repeat this entire section on the other server. This includes requesting the Enrollment Agent certificate, installing the Enrollment Server software, and setting the PreferLocalCa registry value.

Trust

  1. Log in to a Connection Server and run certlm.msc.
  2. On the left, expand VMware Horizon View Certificates and then click Certificates.
  3. On the right, find the certificate with the Friendly Name vdm.ec, right-click it, expand All Tasks, and then click Export. All Connection Servers have the same certificate so you only need to export from one of the Connection Servers.
  4. In the Export Private Key page, select No, do not export the private key, and then click Next.
  5. In the Export File Format page, leave it set to DER, and then click Next.
  6. Save the certificate to a file that you can access from your Enrollment Server(s).
  7. Log in to an Enrollment Server and run certlm.msc.
  8. On the left, right-click VMware Horizon View Enrollment Server Trusted Roots, expand All Tasks, and click Import.
  9. In the Welcome to the Certificate Import Wizard page, click Next.
  10. In the File to Import page, browse to the certificate that you exported from the Connection Server and then click Next.
  11. In the Certificate Store page, VMware Horizon View Enrollment Server Trusted Roots should already be selected so just click Next.
  12. In the Completing the Certificate Import Wizard page, click Finish.
  13. Repeat the certificate import process on the other Horizon Enrollment Server.

SAML to UAG

  1. Login to your SAML Identity Provider (IdP) and create an application for Unified Access Gateway.
  2. For Okta, see VMware Tech Zone.
  3. Azure AD has a gallery application to make configuration easier. Or use the following values:
    • Identifier = https://*.HORIZON_UAG_FQDN.com/portal
    • Reply URL (Assertion Consume Service URL = https://<HORIZON_UAG_FQDN>/portal/samlsso
  4. When done, it should look something like this:
  5. Download the Federation Metadata XML from your Identity Provider. The Metadata Url doesn’t seem to work.
  6. Login to your UAG admin page (https://<HORIZON_UAG_FQDN>:9443/admin).
  7. Select Configure Manually.
  8. Scroll down to the section named Identity Bridging Settings and click Upload Identity Provider Metadata.
  9. Click Select in the IDP Metadata row.
  10. Browse to the .xml file and then click Save.
  11. At the top of the page, next to Edge Service Settings click SHOW.
  12. Next to Horizon Settings click the gear icon.
  13. At the bottom of the page, click More.
  14. At the top of the page, change the drop-down for Auth Methods to SAML.
  15. Change the drop-down for Identity Provider to the SAML Identifier in the Metadata that you just imported.
  16. At the bottom of the page click Save.
  17. Login to Horizon Console.
  18. In the left menu, go to Settings > Servers.
  19. On the right, click the tab named Connection Servers.
  20. Highlight a Connection Server that UAG talks to and click Edit.
  21. Switch to the tab named Authentication.
  22. Change the drop-down for Delegation of Authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.
  23. Click the button named Manage SAML Authenticators.
  24. Click Add.
  25. Change the selection for Type to Static. Dynamic seems to only be valid for VMware Access (aka Identity Manager).
  26. Go to your Metadata .xml file and edit it with a text editor. Then copy its contents to your clipboard.
  27. Back in Horizon Console, in the SAML Metadata field, paste in the contents.
  28. Give your SAML 2.0 Authenticator a name and click OK.
  29. Click OK to close the Manage SAML Authenticators window.
  30. Edit other Connection Servers that UAG talks to and go to the Authentication tab.
  31. Set SAML 2.0 Authenticator to Allowed and then click the Manage SAML Authenticators button.
  32. The previously created SAML Authenticator should already be there so just click Edit.
  33. At the bottom, check the box next to Enabled for Connection Server and then click OK. Repeat on any other Connection Server that UAG talks to.
  34. In Horizon Console, if you go to Monitor > Dashboard and then click VIEW in the System Health section.
  35. On the left go to Other Components. On the right go to the tab named SAML 2.0. You should see your SAML Authenticator.

Enable True SSO

Login to one of the Connection Servers and open a Command Prompt as administrator. The commands in this section have case sensitive parameter names. These commands are vdmutil, not vdmadmin.

Run the following command to add each Enrollment Server. Notes:

  • For the --authPassword fields, you enter "*" (with quotes) to be prompted to enter the password instead of specifying it at the command line.
  • --authAs fields do not include the domain name since domain is a different field.
vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn,enroll-server2-fqdn

Run the following command to see the available certificate authorities and certificate templates for a particular domain.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn

Run the following command to enable the Enrollment Servers for a particular domain. This syntax configures the Enrollment Servers as active/passive (failover).

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --secondaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name1,ca2-common-name --mode enabled

Run the following command to see the SAML Authenticators configured in Horizon Console.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator

Run the following command to enable True SSO for a particular SAML Authenticator. Enter either ENALBED or ALWAYS.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}

If you prefer to load balance your Enrollment Servers instead of active/passive, do the following:

  1. On a Connection Server, run adsiedit.msc.
  2. Change the Connection Point to dc=vdi,dc=vmware,dc=int.
  3. Change the Computer to localhost and then click OK.
  4. On the left, expand Properties, and then click Global.
  5. On the right, double-click Common.
  6. Find pae-NameValuePair in the list and Edit it.
  7. Enter cs-view-certsso-enable-es-loadbalance=true and then click Add.
  8. Click OK a couple times to close everything.

You can view the status of True SSO in Horizon Console.

  1. In Horizon Console, go to Monitor > Dashboard and on the right, in the System Health section, click VIEW.
  2. With Components selected on the left, on the right is a tab named TrueSSO.

60 thoughts on “VMware Horizon True SSO with UAG SAML”

    1. Are you asking about SAML? If so, then all communication is performed by the user’s browser.

      The only exception is SAML metadata. The UAG would need to be able to access the SAML metadata URL.

  1. Hi Carl

    We are using SAML & TrueSSO and its working for initial login to VDI desktop. Horizon client connects to UAG and then redirects to idp website. auth is working and Horizon client is connecting to pool and TrueSSO enables login to vdi session without any additional input needed.

    but if the user locks the vdi session (closes the lid of notebook, windows+L, Screensaver, what ever) and the user unlocks the physical device, the vdi sessions stays locked on the login screen. the horizon client performs not an unlock of the vdi session…

    can you tell me, if this behavior is as expected or if this should work or could work with some tweaks?

    regards tohil

  2. Hi Carl,

    I have used the latest Horizon 8 components and was able to get this to work perfectly! So thanks for that.

    I do have a strange issue, since implementing TrueSSO with AzureAD Enterprise Apps and the enrollment server my user sessions no longer show up in the connectionbroker console. I do see active sessions listed on the UAG but no longer in the CB console. I do see events in the CB showing people logging on etc but i dont see them actionally logged in on the VDI in the console. It also always says that all VDIs are available but they are all used by users.

    Is this a known issue with SAML? Or is the connection broken between CB and UAG? I did re-establish the connection just to be sure.

  3. Hi all,
    How can I use Horizon 7.13.0 + Azure SSO with multiple domains?
    I have 2 UAG and 1 CNS.
    When I configure the SAML on CNS, with Azure SSO Metadata, I can use only with one specific domain. When I try to add another SAML configuration, CNS complain with duplicate entityID, because it’s our tenant ID.
    I can’t configure dynamic SAML because CNS don’t accept “?”.
    Thanks!

    1. Hi Alexandre,
      I don’t know if this will help, but I had a similar issue where I have 2 UAG and each going to their own Connection Server. I could only create one static entry within Horizon, due to the duplicate entityID, so my UAG that matched the metadata worked. The other would authenticate against Azure, but then I would get an error trying to get to the connection server. After some trial and error, I tried the FederationMetadata.xml from my tenant and both now work.

      You get get the FederationMetadata.xml by going to https://login.microsoftonline.com//FederationMetadata/2007-06/FederationMetadata.xml

      If you already created your static entry within Horizon, replace the metadata with the FederationMetadata.xml and it should solve your issue since you’ll only need the one static entry. After this hopefully both your UAG should start working.

      Carl, thank you for these wonderful guides!

  4. We have a Horizon environment where we are trying to enable SAML SSO authentication. Currently, the SSO configuration is working when users access our Horizon environment from the outside but internally we are receiving the following message:

    “This Horizon server expects to get your logon credentials from another application or server, not directly through the client login screen. If you usually access Horizon from another application, please launch that application.”

    1. Are users connecting through UAG? If not, on the Connection Server, did you set the SAML Authenticator to Required instead of Allowed?

      1. users are notconnecting through UAG?on the Connection Server, SAML Authenticator set to Required instead of allowed

          1. If i change it to allowed, it is loading the Ad login credentials page and not getting redirected to the Saml authenticator page.like the Microsoft sign in page

          2. Correct. If you want an actual SAML authentication flow, then users need to connect through UAG or VMware Workspace ONE Access.

    2. Hello, I was facing the same issue and for some older users the UPN in AD was not updated to match the SSO. When I switched from .local to .com everything worked out

  5. Thank you! Worked like a charm. One note, becareful when adding CAs, DO NOT include your root CA. Your root CA will be listed when you run:
    vdmUtil –authAs admin-role-username –authDomain domain-name –authPassword admin-user-password –truesso –environment –list –enrollmentServer enroll-server-fqdn –domain domain-fqdn

    But do not include it, only Sub CAs should be used in this command:

    vdmUtil –authAs admin-role-username –authDomain domain-name –authPassword admin-user-password –truesso –create –connector –domain domain-fqdn –template TrueSSO-template-name –primaryEnrollmentServer enroll-server-fqdn –secondaryEnrollmentServer enroll-server-fqdn –certificateServer ca1-common-name1,ca2-common-name –mode enabled

  6. Hi Carl. I have used your documentation on several occasions and have always been very happy with the results. I appreciate all the work it takes to keep up with all of “this tech”.

    I have a question in regards to TRUE SSO not running through a UAG. The scenario I have is: internally a clients Horizon implementation follows this path VMware Client –> to Load balanced Connection server VIP (on ADC)–> VDI Machine.

    I am currently setting up TRUE SSO and before I get to far my question is with the process flow described will TRUE SSO work with just the Connection Servers configured and no UAG?

    1. Hi Eric, I’d like to know if you ever figure this out? We are implementing SAML through UAG but our internal clients do not go through UAG and we’d like SAML as well with TRUE SSO.

      1. We never implemented because a majority of the internal users use zero client WYSE devices. We will be setting the UAG to SAML and Pass through only, while leaving the Connection Server Authentication as is.

        After having set-up the Enrollment Servers, my understanding is that you would set your Connection Servers authentication method to SAML. This would need to be done on each Connection Server. Then there is configuration to be done on the Connection Servers to work with the Enrollment Servers. In case you have not looked at the url https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-administration/GUID-88491AB1-46EF-482C-878F-DD35E03E6AD7.html

        1. Hi Eric, thank you for your answer. We are in the process of migrating from Wyse zero clients to Wyse thin clients and they support SAML. Got some issues with SAML auth page not coming up internally but hopefully support will help with this. Thanks again!

          1. Dominic,
            Good luck with your project. Hope answer helped or at least informed you.

  7. Hi Carl, thank you for your fantastic work.
    After updating Enrollment Server and Connection server from 18964782 to 19067837 I get an error on TrueSSO.

    ** The primary enrollment server is not connected to the certificate server

    Already tried to remove and re-create the environment and connection, and reinstall the enrollment server, with no luck. Of course the CA is online on the same server as the Enrollment server.

    Thank you.

  8. Hi Carl,
    I have deployed TRUE SSO with DUO as an IDP. after configuring TRUE SSO showing Green in horizon administrator, but while login its prompting again for the 2nd login which has to be eliminated (the purpose of SSO)

  9. Hi Carl,

    Can we just use Workspace One Access (with TrueSSO) as a landing portal and accessing horizon vdi without UAG?

  10. Hi Carl,

    We have had an issue since deployment of TrueSSO and UAG. Users successfully authenticate but when selecting a desktop, they have to log on to the Win10 VDI too. This does not affect all users all of the time, but it is a daily occurrence randomly with some of the user base. I have logged a SR with VMware and MS as VMware TS saw a timeout when requesting the cert, on the 2 dedicated VDI Sub CA’s (Sub CA are also Enrollment servers), we see event 77 which MS said we can ignore. Event 77 does not log each time a user has to manually log in to the desktop so I believe this is a red herring. I also see no network issues between VDI Sub CA and DC’s, however VMware are pinning this on event 77? es_diag shows successful connection, and I have been over the config multiple times to ensure it is correct. True SSO is working, but it is not 100% consistent..
    Have you seen anything like this in the past?

    Thank you. .

  11. hi Carl,
    I am getting this error of “Failed to create connector, Connector certificate servvers [NameHere] are not present on the primary enrollment server”

    I have running only 1 enrollment server in my lab
    Thanks

  12. Hi all,

    i run into a problem with truesso. The afds part is working wel. but de truesso to the vm is not working. i get an error about the certificate wich is not trusted.

    so i run:

    C:\Users\admmlan\Desktop>es_diag.exe /ListEnvironment /esname:mdb-vw-enroll01 /certauth /logtoscreen
    Execute EnrollmentDiags::ListEnvironment:
    Connect to the Enrollment Service: mdb-vw-enroll01
    2021-11-08T11:27:59.251+01:00 WARN (1418-1B48) [es_diag] CERTSSL: Unable to find certificate in store VMware Horizon View Certificates
    2021-11-08T11:27:59.251+01:00 WARN (1418-1B48) [es_diag] ConnectChannelByCertSsl cert not found
    Failed to connect channel: certificaste auth failed
    Failed to connect a channel to the Enrollment Service.
    The Certificate used to Authenticate to the ES may not be trusted.
    For more information please see the Horizon View log-file on this system and on the Horizon View Enrollment Server.

    i followed te artical more than once and i have no installation errors. what is my problem?

    note i use an existing MS CA.

      1. Hi Carl,

        Yes al certificates are there. Also i see in de horizon dashboard bij other components that saml 2.0 the adfs connection is gray with no status. all the lines in your howto with the vdmutil i did without any error.

  13. I am Enabling the True SSO, but getting error when entering this command “Run the following command to see the available certificate authorities and certificate templates for a particular domain”
    -enrollment server is not Online-

    1. I am getting the same issue. Thought it was a firewall issue but after turning the firewall to allow and able to ping, I still get “not online”. The service on the enrollment server is running. Anyone experience and/or fix this?

      1. My issue was with the cert exported from that pod. I reimported to the enrollment server then had to run the add command with remove. Then add back to get it to work. I was trying with two enrollment servers I had setup in another pod so figured it had to be something to do with this connection server.

  14. Hey Carl,

    At the step to create the connector for True SSO I get this error and can’t figure out:

    Connector certificate servers {my dedicated ca and enrollment server} are not present on the primary enrolment server.

    Many thanks for your support.

    1. Hi Carl, Got it fixed now I’m stuck to the client dekstop auth page saying: The attempted logon is invalid. this is either due to a bad username or authentication information… etc

      1. This could be an issue with domain controllers not trusting the smart card certificate or some other crypto problem. There are event logs (e.g. CAPI2, Kerberos) that might provide more details.

  15. Carl,

    How do you setup the Azure enterprise app for multiple UAG? If you have uag01.domain.com uag02.domain.com, and they are behind vdi.domain.com? How can I configure the enterprise app for the two UAG names and the LB name? The UAG are both set to re-erite their host names and not hide behind the lb vdi.domain.com

    1. When UAG does the redirect to Azure AD for the authentication request is each UAG is sending a different Reply URL? I think Azure AD lets you add multiple Reply URLs to a single Enterprise App.

      Otherwise, send the Reply URL to the load balancer FQDN and either UAG can process the SAML Assertion. After that, SAML is no longer involved and the rest is Connection Server with True SSO.

  16. Great article. One thing to add is that if you do this over multiple pods the same enrolment servers can be used. We have two pods and to add the second pod it was as simple as importing the connection cert into the enrolment servers to setup trust then running the vdmutil commands on the pod.

  17. Hello Carl,

    We are currently on Horizon 7.12. and Im working on bringing a passwordless login to my users using a FIDO2 Biometric key. However once I started to check on the TrueSSO Feature VMWare states its not working when you use the Direct Connect Plugin which we do due to our Nvidia vGPUs. Do you know of a way to use TrueSSO in our scenario or is this limitation might be lifted in a later Horizon Version?

    1. I suspect that True SSO requires Connection Servers.

      Are you able to RDP to the machines intead of Direct Connect Plugin?

  18. We are implementing as below:

    Client –> UAG [Integrated with ADFS SAML (UserId/Passwd+2nd Factor )] –> VCS server TRUESSO enabled +SAML authenticator created

    This one not working as expected:
    1. When authentication happens 1st time — userID + Passwd AND 2nd Factor from ADFS
    2. It asks again UserID+Passwd and then user can see desktop pool
    3. Launch machine it login automaticall.

    Want to understand if above design is supported or not.
    If Yes then where could be an issue as we suspect NUs VCS server is not understanding the SAML reqst coming from UAG

    1. On the UAG, at Horizon Settings > More, is Authentication set to just SAML? Or is it set to SAML + Passthrough. It should be just SAML.

      1. Also now behavior has been changed some what.

        As per vmware feedback we provided UPN in SAML response instead SAMaccount name.

        Its gives error like serve expecting credential from different application.

        UAG — SAML only
        VCS SAML authenticator — Allowed
        SAML response — UPN format

        Log lines as below:

        User Principle Name in Ad : XXX@nus.edu.sg
        We have already tried with this and we end up in same error. I am attaching the older debug log file where we set passing parameter to XXX@nus.edu.sg

        2021-06-11T15:10:39.877+08:00 DEBUG (1224-1F24) [SamlUtil] (SESSION:1476_***_4886) Using SAML Authenticator: http://vafs-c.nus.edu.sg/adfs/services/trust
        2021-06-11T15:10:39.880+08:00 DEBUG (1224-1F24) [SamlAuthFilter] (SESSION:1476_***_4886) Processing Saml Type-A Assertion

        2021-06-11T15:10:39.882+08:00 DEBUG (1224-1F24) [SamlAuthFilter] (SESSION:1476_***_4886) SAML auth received a valid UPN: XXX@nus.edu.sg
        2021-06-11T15:10:39.882+08:00 DEBUG (1224-1F24) [WinAuthUtils] (SESSION:1476_***_4886) Sending UPN to winauth service: XXX@nus.edu.sg

        2021-06-11T15:10:39.905+08:00 ERROR (0EF4-21D0) [ws_winauth] Failed to bind to LDAP://ext.nus.edu.sg (The user name or password is incorrect.)
        2021-06-11T15:10:39.910+08:00 ERROR (0EF4-21D0) [ws_winauth] Failed to bind to LDAP://stf.nus.edu.sg (The user name or password is incorrect.)
        2021-06-11T15:10:39.917+08:00 ERROR (0EF4-21D0) [ws_winauth] Failed to bind to LDAP://stu.nus.edu.sg (The user name or password is incorrect.)

        2021-06-11T15:10:39.917+08:00 ERROR (1224-1F24) [ProperoAuthFilter] (SESSION:1476_***_4886) Error performing authentication: Error instantiating PAEContext for mohirech@nus.edu.sg: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user – sid not available – ErrorCode = 1

        2021-06-11T15:10:39.918+08:00 DEBUG (1224-1F24) [ProperoAuthFilter] (SESSION:1476_***_4886) Error performing authentication com.vmware.vdi.logger.Logger.debug(Logger.java:44)com.vmware.vdi.broker.filters.FatalAuthException: Error instantiating PAEContext for XXX@nus.edu.sg: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user – sid not available –

        We tried providing nameID in SAML as below format as well:
        XXX@stf.nus.edu.sg
        XXX@nus.edu.sg
        nusstf\XXX
        XXX

        all having similar issue.

  19. Hello
    I have used alot of your really great documentation/tutorials.

    For the POC that we are doing at the moment is UAG saml SSO. I dont know if it is missing in the documentation or if there is something with our setup. I found out that I needed “/view-client/(.*)” in proxy pattern settings in the UAG to be able reach the html client.

    / Henrik

  20. Hi Carl, did we absolutely need Horizon Entreprises licence for trueSSO? Can TrueSSO work with Horizon Standard licence ?

Leave a Reply