Configure VMware Horizon View to Interoperate with Okta via RADIUS
This guide details how to configure your Connection Servers to perform two-factor authentication against an Okta RADIUS Server AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations..
What’s covered in this guide
There are four parts to the configuration, including testing. A list of additional resources is also provided.
Part 1 – Preconfiguration: Installing, and configuring the Okta RADIUS Agent.
Configuring VMware Horizon View to use the Okta RADIUS Agent requires installation and pre-configuration of the RADIUS agent.
- Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
- Install the agent as described in Installing and Configuring the Okta RADIUS Server Agent.
Note
For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.
After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity
| Source | Destination | Port/Protocol | Description |
|---|---|---|---|
| Okta RADIUS Agent | Okta Identity Cloud | tcp/443 http |
Configuration and authentication traffic |
| View Connection Servers | Okta RADIUS Agent | udp/1812 RADIUS (actual port number defined in next step) | RADIUS traffic between the firewall (clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. ) and the RADIUS Agent (server) |
Part 2 – Configure the Okta RADIUS Agent Using the Okta Admin Console
In this section we add the VMware Horizon View (RADIUS) appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. from the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. and apply settings specific to your deployment.
And configure:
- Authentication
- UDP Port
- Secret KeyAn Okta-generated string of characters that allows end users to set up (enroll) their mobile device in to Okta Verify. End users enter the Secret Key in the Okta Verify app during the set up process as an alternative to scanning a QR code.
- Application Username Format
Note
The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.
Optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.
- Sign in to your Okta Tenant as administrator.
- Navigate to Applications > Applications> Add Application, search for VMware Horizon View (RADIUS), and then click Add Application:
- Enter a unique name.
-
Provide the following Sign On values:
- AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect.: Retaining this default button allows Okta to perform primary authentication.
- UDP Port: Enter the required RADIUS app port.
- Secret Key: Enter the required secret key.
Note: This key must be identical to what is configured on the VMware Horizon View (RADIUS) app. - Application username format:Determines how the RADIUS client sends in the username. Select an option from the drop-down menu.
- After completing the setup, assign the app to the users/groups that require access.
Tip
For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.
Part 3 – Configure the View Connection Server to use the VMware Horizon View (RADIUS) OIN App.
In this section we specify the Okta RADIUS Server Agent as a RADIUS Authenticator in your VMware Horizon View Connection Server.
Step 1 – Define a RADIUS Authenticator
- Sign in to the VMware Horizon Administrator console with sufficient privileges.
- Navigate to View Configuration > Servers > Connection Servers, and highlight the connection server to work with.
- Click Edit in the top submenu.
- In the dialog that opens, select the Authentication tab.
- Scroll down to the Advanced Authentication section.
- Set the 2-factor authentication value to RADIUS.
- Click the Manage Authenticators button.
- In the dialog that opens, click Add. The screen below displays.
-
Enter values, as shown:
- Label: Enter a unique label.
- Description: Enter an option description.
- Hostname/Address: IP or Name of Okta RADIUS Server Agent
- Authentication port: Port configured in step x (1812)
- Accounting port: 0
- Authentication type: PAP
- Server timeout: 60
- Max attempts: 1
- Realm prefix: Optional see username assignment value
- Realm suffix: Optional see username assignment value
- Click Next.
- Optionally, you can configure a Secondary Authentication Server, using the same settings in step 9 above with a different label and description.
- Click Finish to save all settings.
Step 2 – Configure Advanced Authentication Settings
Advanced authentication settings are used to control the behavior that the View Connection Server uses and enforces. Once enabled, the View Connection server performs authentication against the two-factor authentication first. User experiences can differ.
If you force two-factor and Windows user name matching, the VMware Horizon View (RADIUS) application username value (set in Part 2, above) must match your Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. username, including any Realm prefix and Realm suffix values.
-
Enforce two-factor and Windows user name matching
This feature is usually enabled. One situation in which you may choose to disable this feature is to allow these usernames to differ so users can perform their initial authentications using their own Okta credentials and then sign in to Windows/AD using a shared or common account.
The screen shot below uses this configuration.
Note
In this flow the VMware Horizon View (RADIUS) application MUST have its RADIUS Authentication Behavior configured so that Okta performs primary authentication is unchecked.
Tests 2 and 4 in the testing section.
- Use the same user name and password for RADIUS and Windows authentication
If you enable this setting, the Okta password and Windows/AD Password for the user must match, and the VMware Horizon View (RADIUS) application must be configured to perform primary authentication. You can use this setting when Okta is performing delegated authentication for users.
If you disable this setting, the Okta username can be different than the Windows/AD username and the VMware Horizon View (RADIUS) application can be configured to NOT perform primary authentication making the Okta password irrelevant.
The screen shown below uses this configuration. I
Note
In this flow the VMware Horizon View (RADIUS) application MUST have its RADIUS Authentication Behavior configured so that Okta performs primary authentication is checked.
Tests 1 and 3, in the testing section.
Important
The values you select for these two options change the sign in experience and dictate what settings you can configure in Okta.
Part 4 – Test your Configuration
There are four configuration tests to verify the VMware Horizon Client app and the VMware Horizon HTML access.
Each configuration is tested with both Okta Primary and MFA and Okta MFA only.
Test 1 – Test with the VMware Horizon Client app with Okta Primary and MFA
-
Launch VMware Horizon Client and initiate connection to Server.
-
Enter the Username and Okta/AD Password.
-
Select an Okta factor from the list.
-
Enter the response that corresponds to the selected factor.
- For Push verification, accept the incoming push notification on the enrolled device.
- For SMS, receive and enter the six-digit one-time password (OTP).
- For a question, provide the answer to the enrolled security question.
- For Okta or other OTP factors, enter the current six-digit code from Okta Verify, Google Authenticator, or from any other enrolled OTP factor; for example, a Yubikey in OAuth OTP mode.
- Upon successful completion, access is granted.
Test 2 – Test with the VMware Horizon Client app with Okta MFA only
-
Launch VMware Horizon Client and initiate connection to Server.
-
Enter the Username and Okta OTP value or keyword such as Push or SMS.
-
Enter the AD password.
- Upon successful completion, access is granted.
Test 3 – Test with the VMware Horizon HTML Access with Okta Primary and MFA
-
Navigate to Horizon HTML Access.
-
Enter the Username and Okta/AD Password.
-
Select an Okta factor from the list.
-
Enter the response that corresponds to the selected factor.
- For Push verification, accept the incoming push notification on the enrolled device.
- For SMS, receive and enter the six-digit one-time password (OTP).
- For a question, provide the answer to the enrolled security question.
- For Okta or other OTP factors, enter the current six-digit code from Okta Verify, Google Authenticator, or from any other enrolled OTP factor; for example, a Yubikey in OAuth OTP mode.
- Upon successful completion, access is granted.
Test 4 – Test with the VMware Horizon HTML Access with Okta MFA only
-
Navigate to Horizon HTML Access.
-
Enter Username and Okta OTP value or keyword such as Push or SMS.
-
Enter the AD password.
-
Enter the response that corresponds to the selected factor.
- Upon successful completion, access is granted.
Additional Resources
- Okta Documentation - Configuring Sign On Policies
-
VMware documentation – Enable Two-Factor Authentication in View Administrator : https://docs.vmware.com/en/VMware-Horizon-7/7.0/com.vmware.horizon-view.administration.doc/GUID-71458AA2-E2A2-43AC-85D1-35404AF09B79.html
-
VMware documentation – Using Two-Factor Authentication: https://docs.vmware.com/en/VMware-Horizon-7/7.3/horizon-administration/GUID-70879B1F-1DB3-45EA-8D12-C93906F11959.html