Trustbuilder MFA by inWebo

VMWare Unified Access Gateway (UAG) SAML integration

inWebo MFA can be enabled as a SAML IdP combined with VMware Unified Access Gateway (UAG) to verify users’ identities before they access the application server.

VMware UAG online documentation is available here:
https://docs.vmware.com/en/Unified-Access-Gateway/2009/uag-deploy-config/GUID-E4C8B88F-C771-4829-ABBE-12F7FBF517C3.html

The purpose of this guide is to explain how to use inWebo as a SAML 2.0 Identity Provider for your UAG.

1. Prerequisites

  • You need VMware UAG version 3.8 or later (versions from the beginning of 2020)

  • You need administrator access to an inWebo environment

2. inWebo SAML connector initial configuration

You need to connect to the inWebo administration console (myinwebo.com) to create a new SAML 2.0 connector:

In the inWebo administration console:

  • go to the “Secure Sites” tab

  • select “Add a connector of type...” and choose “SAML 2.0”

  • Change the connector name if you wish and click on “Add”

  • Then download your inWebo metadata by using the link “Download inWebo IdP SAML 2.0 metadata in XML format”.

  • Save the XML file and edit it: replace “HTTP-Redirect” by “HTTP-POST” in the <md:SingleSignOnService…> and <md:SingleLogoutService…> tags.

As a result, your XML file will contain:

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.myinwebo.com/console/c/xxxx/saml2/yyyyyy"/>

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.myinwebo.com/console/c/xxxx/saml2/yyyyyy/logout"/>

Your XML file now complies with the VMware UAG requirement. Save these modifications.
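As an added example (not code from the inWebo or VMware documentation), the following Python script performs the edit from the step above with a namespace-aware XML parser instead of a text editor, and checks that both endpoints end up on HTTP-POST. The file name and the xxxx/yyyyyy path segments are placeholders, as in the guide.

```python
# Added example (not from the inWebo or VMware docs): switch the SSO/SLO
# endpoints of a downloaded inWebo IdP metadata file from HTTP-Redirect to
# HTTP-POST, then check the result meets the UAG requirement described above.
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SERVICES = ("SingleSignOnService", "SingleLogoutService")
ET.register_namespace("md", MD_NS)  # keep the "md:" prefix on output, not "ns0:"

def rewrite_bindings(metadata_xml: str) -> str:
    """Replace HTTP-Redirect by HTTP-POST on SSO/SLO endpoints only; Location stays as is."""
    root = ET.fromstring(metadata_xml)
    for name in SERVICES:
        for elem in root.iter(f"{{{MD_NS}}}{name}"):
            if elem.get("Binding") == REDIRECT:
                elem.set("Binding", POST)
    return ET.tostring(root, encoding="unicode")

def endpoint_bindings(metadata_xml: str) -> dict:
    """Map each SSO/SLO service name to the list of Binding values it declares."""
    root = ET.fromstring(metadata_xml)
    return {name: [e.get("Binding") for e in root.iter(f"{{{MD_NS}}}{name}")]
            for name in SERVICES}

def is_uag_ready(metadata_xml: str) -> bool:
    """True when an SSO endpoint exists and every SSO/SLO endpoint uses HTTP-POST."""
    bindings = endpoint_bindings(metadata_xml)
    has_sso = bool(bindings["SingleSignOnService"])
    return has_sso and all(b == POST for lst in bindings.values() for b in lst)

# Constructed sample shaped like the downloaded inWebo metadata; the xxxx and
# yyyyyy path segments are the same placeholders as in the guide.
SAMPLE = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.myinwebo.com/console/c/xxxx/saml2/yyyyyy">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.myinwebo.com/console/c/xxxx/saml2/yyyyyy/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.myinwebo.com/console/c/xxxx/saml2/yyyyyy"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Usage: python fix_bindings.py inwebo-idp.xml > inwebo-idp-post.xml
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    fixed = rewrite_bindings(src)
    print(fixed)
    print("UAG-ready:", is_uag_ready(fixed), file=sys.stderr)
```

Run it on the file you downloaded from the inWebo console and import the output in section 3.1; the "UAG-ready" line tells you whether the two bindings were actually changed.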

3. VMware UAG initial configuration

You need to connect to the VMware UAG administration console to import the inWebo IdP metadata (the XML file created and updated in section 2) and to download the XML metadata generated by VMware UAG.

3.1 Import the inWebo IdP metadata into UAG

  • In the “Advanced Settings” menu, in the section “Identity Bridging Settings”, select “Upload Identity Provider Metadata”

  • Click on the “Select” button to import your inWebo XML metadata file (modified in section 2) and click “Save”


VMware UAG is now configured with inWebo as an IdP.

3.2 Download the UAG metadata

We are now going to generate the SAML metadata from VMware UAG.

  • In the “General Settings” menu, in the section “Edge Service Settings”, click on “SHOW”

  • Then enter the “Horizon Settings” menu

  • At the bottom of the page, click on “More” to display the extra settings fields

  • Select “SAML and Passthrough” as the “Auth methods”

  • Then select inWebo as the “Identity Provider”

  • You must now download the VMware UAG metadata by clicking on the “Download SAML service provider metadata” button


You will be prompted to enter the external hostname used to reach your VMware UAG, such as “myuag.domain.com” (without https:// and port)

  • Save the file; you will need it to finalize the inWebo connector in the inWebo administration console (section 4)

  • Then check the “Proxy Pattern” settings to allow redirection between VMware UAG and inWebo.

It must be similar to: (/|/view-client(.*)|/portal(.*)|/appblast(.*))


Then you can “Save” the configuration at the bottom of the page.


Warning: this will enforce inWebo strong authentication based on SAML. Make sure you have at least one enrolled and valid inWebo token, and that you still have local access to your UAG in case of issue.

3.3 Extra configuration

You can activate the “Match Windows Username” setting so that the username is passed from the SAML authentication to the second authentication step and the user does not have to type their login.


If you activate this option, the SAML attribute returned by the inWebo platform will fill the login field automatically.

To define the SAML attribute, in the inWebo administration console:

  • go to the “Secure Sites” tab

  • Edit the SAML 2.0 connector you have created in section 2

Update “Connector Options” and choose “Unspecified” as the NameIDFormat, then “user login” or “email” depending on the format of the login you use to authenticate.


4. Finalize inWebo SAML connector configuration

Go back to the inWebo administration console to finalize the SAML connector you created in section 2.

In the inWebo administration console:

  • go to the “Secure Sites” tab

  • Edit the SAML 2.0 connector you have created in section 2

  • Open the XML file generated by VMware UAG (section 3.2) and copy / paste its content into the “Service Provider (SP) Metadata” field

  • Then click on “Update” to confirm the modification.

  • Before updating, you can do the extra configuration to choose the attribute you want to forward to UAG to fill the login field prompt (section 3.3).


Your inWebo connector is now complete: inWebo can receive redirections from your VMware UAG, perform a strong authentication and reply with the result.

5. Test authentication with a desktop token

To perform a test, you need an active user with at least one valid token (mobile, PC or browser token). We will perform the test with VMware Horizon HTML Access (you can do it with the Horizon Client as well).

  • Launch a browser and open your UAG portal URL

  • You will be automatically redirected to the inWebo SAML authentication page, where you can use your token (a desktop token in this example) to perform the inWebo strong authentication

  • Then, as a second step, you will have to enter your login (if you did not perform the extra configuration of section 3.3) and your password, then click on Login

  • You are connected


6. Test authentication with a browser token and the extra configuration

  • Launch a browser (choose the browser holding your browser token if you want to use it to connect) and open your UAG portal URL

  • You will be automatically redirected to the inWebo SAML authentication page, where you can use your browser token to perform the inWebo strong authentication as a first step

  • Then, as a second step, you only have to enter your password (the login is automatically filled from the SAML assertion provided by inWebo) to be connected

  • Then, you are connected


7. Implementing a “1 step” user journey

If you want to avoid asking for a login/password as a second step, you can configure your UAG and Horizon with the True SSO configuration.

You will have to:

  • Configure True SSO on Horizon Connection Server

  • On UAG, configure the authMethods of the Horizon Edge Service to be just SAML (not SAML and Passthrough).


UAG will then provide the inWebo SAML assertion (after a successful authentication) to the Horizon Connection Server, which will validate the assertion.

Horizon Connection Server, by using True SSO technology, will exchange a certificate on behalf of the user with UAG. This way the user will not get the AD password prompt.

The setup of True SSO is entirely on the Horizon side.

Refer to Horizon True SSO docs for these details:

https://docs.vmware.com/en/VMware-Horizon-7/7.5/horizon-administration/GUID-7314E2AF-2DA0-4BD0-939D-F5F352B3EEE0.html