Passwordless SSO Login to Omnissa Horizon VDI

Enable secure and frictionless access to VMware Horizon VDI desktops by leveraging Excalibur Streamed Access Management (SAM). This architecture enforces robust authentication and secure credential handling while providing a seamless end-user experience with minimal prompts.

The target architecture ensures:

  • All access is governed by Excalibur SAM's privileged access policies and built-in MFA.
  • Excalibur SAM launches the Horizon Client as a RemoteApp from a Windows Terminal Server, without direct desktop access.
  • The Horizon Client automatically connects to the Connection Server and logs into the VDI desktop using Excalibur-governed credentials.
  • Users do not need to re-authenticate or manually enter credentials for Horizon or Windows VDI.

Architecture Diagram

[User] -> [Excalibur SAM Portal — Strong MFA Authentication] -> [Windows Terminal Server — Horizon Client as RemoteApp] -> [Horizon Connection Server (SSO)] -> [Horizon VDI Desktop]

Implementation Steps

1. Excalibur SAM Authentication & Access Control

Excalibur SAM acts as the access gateway, providing policy-based privileged access management (PAM) and enforcing MFA. Users authenticate via Excalibur with strong factors (mobile app token or passkey). Upon successful authentication, Excalibur establishes a secure session to the Windows Terminal Server and manages all credential delegation.

  • Users log in at the Excalibur SAM portal, where security policies are applied.
  • Excalibur governs and audits all access, enforcing least privilege and strong authentication.
  • Upon access approval, Excalibur initiates a RemoteApp session to the Windows Terminal Server using managed AD credentials.

2. Publish Horizon Client as a RemoteApp

On the Windows Terminal Server:

  • Install the Horizon Client and publish it as a RemoteApp.
  • Excalibur provisions user sessions with AD credentials, ensuring credential security and auditing.

Key configuration:

  • Publish the Horizon Client executable as a RemoteApp.
  • Ensure the session runs under the user's AD context, as provisioned by Excalibur.

3. Secure Credential Delegation to Horizon Client

Excalibur SAM manages and securely delegates credentials to the Windows session. This allows the Horizon Client to leverage Windows authentication for Horizon SSO without exposing credentials to the user or client device.

  • PAM module controls ensure credentials are not reused or exposed outside this session.
  • All user activity is monitored and audited per Excalibur policies.

4. Horizon Client Autoconnect and SSO

Configure the Horizon Client to:

  • Automatically connect to the specified Horizon Connection Server.
  • Authenticate using the Windows user's (Excalibur-provisioned) credentials via "Log in as current user".
  • Automatically launch the designated VDI desktop from a specific pool.

Command-line example:

Horizon_client.exe -desktopProtocol BLAST -serverURL https://<Horizon Connection Server> -logInAsCurrentUser -desktopName <VDI pool name>
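
One way to combine steps 2 and 4 is to publish the client with a required command line, so the RemoteApp always starts with the intended server, pool and SSO switch. This is an added example, not Excalibur or Omnissa code; the collection name, install path, host name, pool name and AD group are placeholders, and the switches are the ones from the command line above.

```powershell
#Requires -Modules RemoteDesktop
# Added example: publish the Horizon Client as a RemoteApp with a fixed command line.
# Every value below is a placeholder or assumption; replace it for your environment.

$CollectionName   = 'ExcaliburHorizon'               # hypothetical RDS session collection
$ClientPath       = 'C:\Path\To\Horizon_client.exe'  # placeholder: real install path of the client
$ConnectionServer = 'horizon.example.internal'       # placeholder Connection Server host name
$PoolName         = 'Example-Pool'                   # placeholder VDI pool name
$AllowedGroup     = 'EXAMPLE\Horizon-Via-Excalibur'  # hypothetical AD group

function New-HorizonArgumentString {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Pool
    )
    # Accept only a bare host name, so the value cannot carry a scheme,
    # a path, embedded credentials or extra switches.
    if ($Server -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
        throw "Connection Server must be a bare host name: '$Server'"
    }
    # The pool name is quoted below; refuse quotes so the quoting cannot be broken.
    if ($Pool -notmatch '^[A-Za-z0-9 _.-]+$') {
        throw "Unexpected characters in pool name: '$Pool'"
    }
    # Same switches as the command-line example on this page; HTTPS is always used.
    "-desktopProtocol BLAST -serverURL https://$Server -logInAsCurrentUser -desktopName `"$Pool`""
}

$arguments = New-HorizonArgumentString -Server $ConnectionServer -Pool $PoolName

# 'Require' makes the published program always start with exactly these arguments.
New-RDRemoteApp -CollectionName $CollectionName `
    -DisplayName 'Horizon VDI' `
    -FilePath $ClientPath `
    -CommandLineSetting Require `
    -RequiredCommandLine $arguments `
    -UserGroups $AllowedGroup

# Review what was published.
Get-RDRemoteApp -CollectionName $CollectionName -DisplayName 'Horizon VDI' |
    Select-Object DisplayName, FilePath, CommandLineSetting, RequiredCommandLine, UserGroups
```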

5. Enable/Enforce SSO in Horizon

  • Ensure appropriate GPOs and trust relationships for credential delegation.
  • VDI Pool configuration must allow direct assignment and auto-launch of desktops.

6. Audit & Security Controls

Excalibur SAM audits all access, logs session activity, and can provide real-time session monitoring if required. All authentication, credential delegation, and session launches are tracked under privileged access policies.

Benefits

  • Security — access is PAM-governed, with MFA, credential vaulting, and session audit.
  • User experience — a true SSO experience. Users perform strong authentication once via Excalibur, then transition seamlessly to Horizon VDI without additional prompts.
  • Compliance — all access is logged, governed by privileged access policies, and monitored per regulatory and enterprise requirements.
  • Reduced risk — credentials managed by Excalibur SAM never leave the trusted environment.