
VMware UAG: configure Azure MFA (SAML)

  • August 19, 2021
  • 6 min read
Cloud and Virtualization Architect. Paolo is a System Engineer, VCP-DCV, vExpert, VMCE, Veeam Vanguard, and author of the virtualization blog nolabnoparty.com

Unified Access Gateway

To secure external access, you can configure the UAG with Azure MFA by leveraging its SAML-based authentication feature.

Recent Unified Access Gateway (UAG) versions provide SAML-based multifactor authentication, which strengthens the authentication process by using MFA solutions such as Azure MFA.

Prerequisites

To configure Azure MFA for the Unified Access Gateway, you need to meet some prerequisites:

  • An Azure license that includes the MFA feature.
  • A working Azure AD Connect to synchronize the on-premises Active Directory users into Azure Active Directory.
  • Azure MFA must be enabled for users or groups.

Configure the Azure environment

Log in to your Azure portal using the global administrator account. Click the Azure Active Directory icon.

Azure Active Directory

Make sure you have the correct Azure license to leverage MFA capabilities. Select Enterprise application.

Enterprise application

Click New Application.

New Application

Select Non-gallery application.

Non-gallery application

Enter the Name for the new application and click Add.

Enter the Name

The application needs to be assigned to users or groups. Select 1. Assign users and groups.

Assign users and groups

Click Add user/group.

Add user/group

Click the None Selected link to add users or groups.

None Selected

Select the desired users or groups then click Select.

Select the desired users or groups

Click Assign.

Assign

The user is now assigned to the application.

The user assigned to the application

From the homepage select Overview and click 2. Set up single sign on.

Set up single sign on

Select SAML.

SAML

Click Edit in the Basic SAML Configuration section.

Basic SAML Configuration

Enter the following parameters:

  • Identifier (Entity ID) = your Horizon portal URL
  • Reply URL (Assertion Consumer Service URL) = your UAG SAML SSO URL
  • Sign on URL = your UAG SAML SSO URL

Click Save when done.

Save when done

Go to SAML Signing Certificate section and click the Download link for the Federation XML Metadata file.

SAML Signing Certificate

Click OK to save the file.

OK to save the file

Configure the UAG

When the Azure environment has been prepared, access the UAG to configure the SAML authentication. Enter the admin credentials and click Login.

Enter the admin credentials

Click Select in the Configure Manually settings.

Configure Manually settings

Under Advanced Settings, access the Upload Identity Provider Metadata section by clicking the Settings icon.

Upload Identity Provider Metadata

Click the Select link for IDP Metadata.

IDP Metadata

Select the file previously downloaded from Azure and click Open.

Select the file previously downloaded

Click Save to apply the configuration.

Apply the configuration

Now go to Edge Service Settings and access the Horizon Settings section.

Edge Service Settings

At the bottom of the window, click the More link to display additional options. Select SAML with Passthrough from the Auth Methods drop-down menu if you are not using TrueSSO (select SAML if you have TrueSSO in place).

SAML with Passthrough

Enter the name of the Identity Provider for Azure MFA, https://sts.windows.net. Click Save at the bottom to save the configuration.

Enter the name of the Identity Provider

Access the Horizon Portal and select the preferred client to access the infrastructure.

Access the Horizon infrastructure

Horizon Portal

Enter the user previously configured and click Next. The user is authenticated in Azure.

Enter the user previously configured

Enter the password and click Sign in.

Enter the password

You are now prompted to enter the password for the Active Directory authentication. Click Login. Because TrueSSO is not configured in this example, you need to enter the password twice even though the same user account is used for Horizon and Azure AD.

Horizon and Azure AD

The user is authenticated and granted access to the Desktop Pool to which it is entitled.

Desktop Pool

Integrating Microsoft Azure MFA with VMware UAG allows administrators to add an extra layer of security to access to the Horizon infrastructure. New deployments should include MFA for external access.

