Generate Access Point SAML Metadata
You must generate SAML metadata on the Access Point appliance and exchange metadata with the Horizon
server to establish the mutual trust required for smart card authentication.
The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and
exchange authentication and authorization information between different security domains. SAML passes
information about users between identity providers and service providers in XML documents called SAML
assertions. In this scenario, Access Point is the identity provider and the Horizon server is the service
provider.
In this procedure, you generate Access Point SAML metadata by using the Access Point REST API. Related
topics describe how to copy the generated SAML metadata to the applicable Horizon server.
Prerequisites
- Configure the clock (UTC) on the Access Point appliance so that the appliance has the correct time. For
  example, open a console window on the Access Point virtual machine and use arrow buttons to select
  the correct time zone. Also verify that the ESXi host's time is synchronized with an NTP server, and
  verify that VMware Tools, which is running in the appliance virtual machine, synchronizes the time on
  the virtual machine with the time on the ESXi host.
  IMPORTANT If the clock on the Access Point appliance does not match the clock on the Horizon server
  host, smart card authentication might not work.
- Obtain a SAML signing certificate that you can use to sign the Access Point metadata.
  NOTE VMware recommends that you create and use a specific SAML signing certificate when you have
  more than one Access Point appliance in your setup. In this case, all appliances must be configured
  with the same signing certificate so that the Horizon server can accept assertions from any of the
  Access Point appliances. With a specific SAML signing certificate, the SAML metadata from all of the
  appliances is the same.
- If you have not done so already, convert the SAML signing certificate to PEM-format files and convert
  the .pem files to one-line format. See “Convert Certificate Files to One-Line PEM Format,” on page 41.
Procedure
1 Create a JSON request for generating the SAML metadata for the Access Point appliance.
  - If you do not have a SAML signing certificate for the Access Point appliance, the body of the JSON
    request is empty brackets:
    {}
  - If you do have a SAML signing certificate, use the following syntax:
    {
    "privateKeyPem": "string",
    "certChainPem": "string"
    }
    In this example, the string values are the JSON one-line PEM values that you created as described
    in the prerequisites.
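The following Python script is an added example, not part of the VMware guide, that builds the request body described in step 1: it normalizes the key and certificate chain PEM files, rejects a file of the wrong kind (a key supplied where the chain belongs), and serializes the body so that each PEM value is carried as one JSON line. The PEM material is constructed placeholder text, not a real key or certificate.

```python
import json
import re
from typing import Optional

# Constructed sample PEM material (not a real key or certificate). The key
# uses Windows CRLF line endings to show that normalisation handles them.
SAMPLE_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\r\n"
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7\r\n"
    "-----END PRIVATE KEY-----\r\n"
)
SAMPLE_CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUx\n"
    "-----END CERTIFICATE-----\n"
)

# One PEM block: BEGIN label, base64 lines, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----"
)


def normalize_pem(pem_text: str, expected_label: str) -> str:
    """Normalise a PEM file's text (CRLF -> LF, surrounding blanks dropped)
    and check it holds at least one block of the expected kind, so a key
    passed as the chain, or vice versa, is rejected before the API call."""
    text = pem_text.replace("\r\n", "\n").replace("\r", "\n").strip() + "\n"
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    if not labels:
        raise ValueError("no well-formed PEM block found")
    if not any(expected_label in label for label in labels):
        raise ValueError(f"expected a {expected_label} block, found {labels}")
    return text.rstrip("\n")


def build_metadata_request(private_key_pem: Optional[str],
                           cert_chain_pem: Optional[str]) -> str:
    """Return the JSON request body as text. Without a signing certificate
    the body is '{}'. Otherwise json.dumps turns each real line break into
    the two-character escape \\n, so every PEM value sits on one JSON line,
    which is the one-line PEM form the guide asks for."""
    if private_key_pem is None and cert_chain_pem is None:
        return "{}"
    if private_key_pem is None or cert_chain_pem is None:
        raise ValueError("privateKeyPem and certChainPem must be supplied together")
    body = {
        "privateKeyPem": normalize_pem(private_key_pem, "PRIVATE KEY"),
        "certChainPem": normalize_pem(cert_chain_pem, "CERTIFICATE"),
    }
    return json.dumps(body, indent=2)
```

Read the real .pem files into the two arguments; the returned text is the body to submit to the Access Point REST API.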
Deploying and Configuring Access Point
50 VMware, Inc.