December 16, 2019

Announcing: VMware Unified Access Gateway 3.8 Deep Dive

In this VMware Unified Access Gateway 3.8: Deep Dive, you can find out about the newest key features and enhancements, including third-party SAML 2.0 Identity Provider Support for Horizon, HTTP Redirect Mapping, SEG Admin pages and API integration to the Unified Access Gateway platform, network updates for SEG, SAML and JWT Audiences support, as well as numerous general enhancements.

The latest features and enhancements to VMware Unified Access Gateway 3.8 are now available! This includes third-party SAML 2.0 Identity Provider Support for Horizon, HTTP Redirect Mapping, SEG Admin pages and API integration to the Unified Access Gateway platform, network updates for SEG, SAML and JWT Audiences support, as well as numerous general enhancements.

You can watch the following deep-dive video to see them described and demonstrated:

Horizon Edge Service

You can now authenticate against third-party identity providers (IdPs) based on the SAML 2.0 standard. This allows organizations to leverage their current identity solutions to maximize TCO and improve their end-user experience. A variety of multi-factor security options with third-party IdPs are supported, including Okta, Ping Identity, Azure Active Directory, and other identity providers that provide SAML 2.0 support. Both service provider-initiated and IdP-initiated flows are supported, and can be used either with or without True SSO authentication.


As part of the SAML 2.0 feature, you can launch desktops and applications in a variety of ways:

  • From Horizon native clients connected to Unified Access Gateway
  • From Horizon clients, both native and web, by using bookmarks
  • From identity provider portals, using bookmarks
  • From your custom company portals, using bookmarks through both native and web clients

Three basic requirements

To support SAML authentication for Horizon, you need Unified Access Gateway 3.8 and your third-party identity provider. If you want to include True SSO, you'll also have to perform a few additional configurations on the Connection Server of Horizon 7.11. These options, along with the straightforward and easy-to-use end-user process, are described and demonstrated in the video.

Update RADIUS Authentication labels

This release provides you with the capability to update the username and passcode labels for RADIUS authentication. These labels are presented on Horizon clients, both native and web, which reduces confusion. The ability to update the labels makes it easier to provide the appropriate label so your end users have a better experience when connecting to their desktops via RADIUS.


HTTP host redirect mappings

Another new feature in this release is HTTP host redirect mappings, which play a key role in load balancing. A common issue with load balancing systems occurs if the affinity is not reliable, and fails to correctly route subsequent connections from browsers and clients to the Unified Access Gateway appliance. The new HTTP host redirect capability helps avoid this issue.

If you configure the Host Redirect Mappings as described in the video, an HTTP redirect is returned after a load balancer selects a Unified Access Gateway appliance. That enables the Horizon Client to connect directly to the selected appliance with no problem.


Enhancements to device policy compliance with OPSWAT

A number of new security features and enhancements are included in this release, including extended platform support and enhanced flexibility for device policy compliance with the Omni-Platform Security with Access Technologies (OPSWAT), a security solution that detects and remediates security threats to your critical infrastructure.


You now have the ability to allow or reject requests for access from devices, based on the OPSWAT compliance response. And for devices without OPSWAT clients, an alternative process is also supported.

Support for SAML Audiences

Another security improvement in this release is the ability to check the SAML Audience. The SAML Audience identifies the service providers for which the assertion is intended.


This release provides enhancements to the SAML audience setting added to Horizon and Web Reverse Proxy with Identity Bridging edge services. These enhancements include support for Horizon edge service when using SAML, or SAML and Passthrough authentication methods. The enhancements also include support for Web Reverse Proxy Edge service, but only when using Identity Bridging (SAML to Kerberos).

When you configure SAML Audiences, Unified Access Gateway validates the list of values against the audiences received in the SAML assertion. If one or more values match, the assertion is accepted. If no values match, the assertion is rejected. If you do not configure the SAML Audiences option, Unified Access Gateway does not validate the audiences in the assertion.

Support for JWT Audiences restriction

Another security enhancement is the support for restrictions on JSON Web Token (JWT) audiences. This enhancement enables you to restrict JWT audiences from accessing Horizon and the backend applications. This is done by specifying a list of intended recipients of the JWT used for Horizon SAML Artifact validation. To succeed, at least one recipient in the list must match an audience specified in the Workspace ONE Access Horizon pod configuration. If no JWT audiences are specified, the JWT validation does not consider the audiences.
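
The accept/reject rule described in the SAML Audiences and JWT Audiences sections above can be sketched as follows. This is an added example, not Unified Access Gateway code: the function names, the sample assertion, and the exact-match comparison are assumptions, and signature validation is taken to have already happened.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, trimmed to the fields used here).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://uag.example.com/portal</saml:Audience>
      <saml:Audience>https://horizon.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

def saml_audiences(assertion_xml):
    """Return every <Audience> value found under an AudienceRestriction.

    Assumes the XML has already passed signature validation; for untrusted
    input a hardened parser (for example defusedxml) is the safer choice.
    All restrictions are flattened into one list, matching the page's wording.
    """
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AudienceRestriction/saml:Audience"
    return [el.text.strip() for el in root.findall(path, SAML_NS) if el.text]

def jwt_audiences(claims):
    """Normalise the JWT 'aud' claim, which may be a string or a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)

def audience_allowed(configured, received):
    """Apply the rule described above.

    Nothing configured -> audiences are not considered (accept).
    Otherwise accept only if at least one configured value matches.
    Exact, case-sensitive comparison is an assumption of this sketch.
    """
    if not configured:
        return True
    return bool(set(configured) & set(received))

if __name__ == "__main__":
    received = saml_audiences(SAMPLE_ASSERTION)
    print(audience_allowed(["https://horizon.example.com"], received))
    print(audience_allowed(["https://other.example.com"], received))
    print(audience_allowed([], received))
```

Because an empty configured list accepts every assertion or token, a deployment that relies on audience restriction needs at least one value set on the edge service.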

And more!

These are just a few of the new features and enhancements included in this release. To see them all in greater detail, watch the video linked above.

You can also read more about them at Enabling SAML 2.0 Authentication for Horizon with Unified Access Gateway and Okta: VMware Horizon Operational Tutorial.

