Configure VMware Horizon View to Interoperate with Okta via RADIUS
This guide details how to configure your Connection Servers to perform two-factor authentication against an Okta RADIUS Server AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations..
There are four parts to the configuration, including testing. A list of additional resources is also provided.
Part 1 – Preconfiguration: Installing, and configuring the Okta RADIUS Agent.
ConfiguringVMware Horizon View to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.
- Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
- Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
- For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.
After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity
| Source | Destination | Port/Protocol | Description |
|---|---|---|---|
| Okta RADIUS Agent | Okta Identity Cloud | tcp/443 http |
Configuration and authentication traffic |
| View Connection Servers | Okta RADIUS Agent | udp/1812 RADIUS (actual port number defined in next step) | RADIUS traffic between the firewall (clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. ) and the RADIUS Agent (server) |
Part 2 – Use the Okta Admin Console to Configure the Okta RADIUS Agent
In this step, add the VMware Horizon View (RADIUS) appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. from the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. and apply settings specific to your deployment. In this section we will configure the following:
- AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect. configuration
-
UDP Port
-
Secret Key
-
Application Username Format
Note: The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.
There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.
- In Okta, navigate to Applications > Applications> Add Application, search for VMware Horizon View (RADIUS), and then click Add Application:
- Enter a unique name.
-
Provide the following Sign On values:
- Authentication: Retaining this default button allows Okta to perform primary authentication.
-
UDP Port: Required. Each RADIUS app has a unique number. Enter it here.
-
Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the VMware Horizon View (RADIUS) app.
-
Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.
- After completing the setup, assign the app to the users/groups that require access.
For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.
Part 3 – Configure the View Connection Server to use the VMware Horizon View (RADIUS) OIN App.
In Part 3 you add your Okta RADIUS Server Agent as a RADIUS Authenticator in your VMware Horizon View Connection Server.
Step 1 – Define a RADIUS Authenticator
- Sign in to the VMware Horizon Administrator console with sufficient privileges.
- Navigate to View Configuration > Servers > Connection Servers, and highlight the connection server to work with.
- Click Edit in the submenu at the top.
- In the dialog that opens, select the Authentication tab.
- Scroll down to the Advanced Authentication section.
- Set the 2-factor authentication value to RADIUS.
- Click the Manage Authenticators button. In the dialog that opens, click Add. The screen shown below opens.
-
Enter a label and description that are unique and appropriate, and enter the following values, as shown above.
-
Hostname/Address: IP or Name of Okta RADIUS Server Agent
-
Authentication port: Port configured in step x (1812)
-
Accounting port: 0
-
Authentication type: PAP
-
Server timeout: 60
-
Max attempts: 1
-
Realm prefix: Optional see username assignment value
-
Realm suffix: Optional see username assignment value
-
- Click Next.
- Optionally, you can configure a Secondary Authentication Server, using the same settings in step 8 above with a different label and description.
- Click Finish to save all settings.
Step 2 – Configure Advanced Authentication Settings
The advanced authentication settings are used to control the behavior that the View Connection Server uses and enforces. Once enabled, the View Connection server performs authentication against the two-factor authentication first. User experiences can differ.
-
Enforce two-factor and Windows user name matching
If you force two-factor and Windows user name matching, the VMware Horizon View (RADIUS) application username value (set in Part 2, above) must match your Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. username, including any Realm prefix and Realm suffix values.
This feature is usually enabled. One situation in which you may choose to disable this feature is to allow these usernames to differ so users can perform their initial authentications using their own Okta credentials and then sign in to Windows/AD using a shared or common account.
The screen shown below uses this configuration. In this flow the VMware Horizon View (RADIUS) application MUST have its RADIUS Authentication Behavior configured so that Okta performs primary authentication is unchecked.
Tests 1 and 3, below use this configuration.
- Use the same user name and password for RADIUS and Windows authentication
If you force two-factor and Windows user name matching, the VMware Horizon View (RADIUS) application username value (set in Part 2, above) must match your Active Directory username, including any Realm prefix and Realm suffix values.
If you enable this setting, the Okta password and Windows/AD Password for the user must match, and the VMware Horizon View (RADIUS) application must be configured to perform primary authentication. You can use this setting when Okta is performing delegated authentication for users.
If you disable this setting, the Okta username can be different than the Windows/AD username and the VMware Horizon View (RADIUS) application can be configured to NOT perform primary authentication making the Okta password irrelevant.
The screen shown below uses this configuration. In this flow the the VMware Horizon View (RADIUS) application MUST have its RADIUS Authentication Behavior configured so that Okta performs primary authentication is checked.
Tests 2 and 4, below use this configuration.
Important: The values you select for these two options change the sign in experience and dictate what settings you can configure in Okta.
Part 4 – Test your Configuration
There are four configuration tests to verify the VMware Horizon Client app and the VMware Horizon HTML access. Each configuration is tested with both Okta Primary and MFA and Okta MFA only.
Test 1 – Test with the VMware Horizon Client app with Okta Primary and MFA
-
Launch VMware Horizon Client and initiate connection to Server.
-
Enter the Username and Okta/AD Password.
-
Select an Okta factor from the list.
-
Enter the response that corresponds to the selected factor.
- For Push verification, accept the incoming push notification on the enrolled device.
- For SMS, receive and enter the six-digit one-time password (OTP).
- For a question, provide the answer to the enrolled security question.
- For Okta or other OTP factors, enter the current six-digit code from Okta Verify, Google Authenticator, or from any other enrolled OTP factor; for example, a Yubikey in OAuth OTP mode.
- Upon successful completion, access is granted.
Test 2 – Test with the VMware Horizon Client app with Okta MFA only
-
Launch VMware Horizon Client and initiate connection to Server.
-
Enter the Username and Okta OTP value or keyword such as Push or SMS.
-
Enter the AD password.
- Upon successful completion, access is granted.
Test 3 – Test with the VMware Horizon HTML Access with Okta Primary and MFA
-
Navigate to Horizon HTML Access.
-
Enter the Username and Okta/AD Password.
-
Select an Okta factor from the list.
-
Enter the response that corresponds to the selected factor.
- For Push verification, accept the incoming push notification on the enrolled device.
- For SMS, receive and enter the six-digit one-time password (OTP).
- For a question, provide the answer to the enrolled security question.
- For Okta or other OTP factors, enter the current six-digit code from Okta Verify, Google Authenticator, or from any other enrolled OTP factor; for example, a Yubikey in OAuth OTP mode.
- Upon successful completion, access is granted.
Test 4 – Test with the VMware Horizon HTML Access with Okta MFA only
-
Navigate to Horizon HTML Access.
-
Enter Username and Okta OTP value or keyword such as Push or SMS.
-
Enter the AD password.
-
Enter the response that corresponds to the selected factor.
- Upon successful completion, access is granted.
Additional Resources
- Okta Documentation - Configuring Sign On Policies
-
VMware docs – Enable Two-Factor Authentication in View Administrator : https://docs.vmware.com/en/VMware-Horizon-7/7.0/com.vmware.horizon-view.administration.doc/GUID-71458AA2-E2A2-43AC-85D1-35404AF09B79.html
-
VMware docs – Using Two-Factor Authentication: https://docs.vmware.com/en/VMware-Horizon-7/7.3/horizon-administration/GUID-70879B1F-1DB3-45EA-8D12-C93906F11959.html