Multi Factor Authentication (MFA), Security Assertion Markup Language (SAML), Single Sign-On (SSO), and VMware Horizon
Are you ready to exchange user information securely and authentically?
What is MFA, SAML, and SSO, and how can they benefit you and your organization for security, service, and support? From Users to IdPs/Identity Providers, as well as SPs/Service Providers, how they interact with each other, and how the authentication process works between them – this article highlights all of this, and more!
So, let’s dive in for some preliminary education. Then, watch the full video demonstration to see it all play out with a SAML authenticated SSO from a 10ZiG NOS Zero VMware Client. This will include setting up the 10ZiG “NOS-V” Client to gain access to a Horizon Desktop via a VMware Horizon Unified Access Gateway acting as a SAML Service Provider.
First of all, what is Multi Factor Authentication (MFA)?
Take for example, today you’re probably logging into an Office 365 account with your username and password… what multi-factor authentication (MFA) adds is another method of authenticating or “second factor,” which is where the name multi-factor comes from.
Multi-factor authentication works on the principle of something you know and something you have and, adds an extra layer of security to the sign-in process by using a two-way approach. Something you know would be a username a password and something you have, these days, is usually a mobile phone.
When multi-factor authentication is enabled for your Office 365 account, and you login with the something you know which is your username and password, you'll then be contacted on the something you have, your mobile phone, in this case by Office 365.
The contact can come to you in three ways. It can contact you by voice, in which they can actually call you up and you can then verify who you are. It can send you a text message, so you can use a code to complete the authentication, or you can use a mobile app on your phone. By far, the easiest approach is to use the mobile app and Microsoft has its own mobile app called Authenticator that can be downloaded from your relevant mobile app store.
Next, what is SAML?
SAML authentication streamlines user access to your organization’s applications. SAML, or SECURITY ASSERTION MARKUP LANGUAGE, saw the light of day back in 2001, and version 2.0 came out in 2005. SAML is an open standard and is often used to provide single sign-on to web-based applications and can be used for both authentication as well as authorization.
What are the main benefits of using SAML authentication?
- User Experience: Since SAML offers SSO services, it reduces “password fatigue” from maintaining multiple passwords, offering a better user experience.
- Ease of Use: SAML allows organizations to manage permission levels and application access for their users with ease.
- Security: Since SAML offers SSO using IdP, user credentials are stored in the more secure IdP, rather than on every SP. Since communication between the IdP and SP uses SAML tokens, it is inherently more secure.
- Platform Neutrality: SAML allows integration with standard services like Azure Active Directory and IdP providers like Google Authenticator or Microsoft Authenticator to provide authentication services.
- Reduced Administrative Costs: SAML “reuses” single authentication and reduces the administrative cost of maintaining individual SP account databases by transferring this burden to the IdP.
The SAML protocol has three entities, the user agent which typically is the user's web browser, the service provider or the SP which is the application you try to access, and lastly the identity provider or IDP. When configuring SAML Federation you establish a trust relationship between the service provider and the identity provider.
A user who wants to access a service provider must first authenticate into the IDP. If the user manages to successfully authenticate and is authorized, the IDP generates a SAML assertion and the assertion is sent to the application. And, since the application trusts the IDP, the user is allowed access, and since the user is already authenticated into the IDP, the user can single sign-on to other applications.
Here's a brief “high-level” overview as to how the SAML authentication flow works:
When we talk about the SAML authentication flow, there are two possibilities with regards to where the flow begins and who initiates it. It can either be initiated by the Service Provider or the Identity Provider.
- SP initiated flow sees direct interaction from the user by requesting access to an SP’s application.
- On the other hand, IdP initiated flow sees the user first logging into an IdP portal for example, then selects from a list of trusted pre-configured Service Provider applications available.
Finally, what is SSO and would you like to see one from a 10ZiG VMware Endpoint gain access to a Horizon Desktop?
The Single Sign-On (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. In this 10ZIG How-To Video Educational, we demonstrate a SAML-authenticated Single Sign-On from a 10ZiG NOS-V Zero Client (endpoint for VMware). We show you how to set up the NOS-V Client to gain access to a Horizon Desktop via a VMware Horizon Unified Access Gateway acting as a SAML Service Provider. All this is then redirected through a Microsoft Azure SAML Identity Platform Service in the AAD, and will also show additional security features by utilizing Multi-Factor Authentication as part of the sign-in process.
SAML, SSO & MFA – Set-up and Demo of Azure SAML, VMware Horizon, and 10ZiG NOS-V Zero Client
If you like, you can also see a video educational of the content of this written article with this link:
SAML, Single Sign On and Multi Factor Authentication – Part 1, An Introduction
For more How-To Educational Videos from 10ZiG, go to:
10ZiG is a virtual desktop endpoint provider that offers top-quality Thin & Zero Clients for VDI and Cloud, centralized management software, exceptional tech support service, and an advance warranty. We provide leading Intel and AMD based, Dual and Quad Core Thin & Zero Clients for VMware, Citrix, Microsoft, and other environments.
10ZiG offers free, no-obligation demo devices, best-in-industry Technical Support teams based in the U.S. and Europe, and provides at no cost, the Cloud-enabled The 10ZiG Manager™ with unlimited user licenses.