VMworld 2013: Integrating Enterprise Application with SAML to VMware Horizon Workspace
Integrating Enterprise Application with SAML to
Horizon Workspace
Manrat Chobchuen, VMware
Dean Flaming, VMware
Cindy Kou, VMware
EUC5541
#EUC5541
4 4
New Device Platforms New Apps New User Expectations
Three Trends Are Forcing Massive Change on IT
New Device Platforms
A new way to work
Not just Windows anymore
New User Expectations
Collaboration with partners, contractors, and customers
Productivity through better technology
New Apps
SaaS, mobile apps
Quantity is increasing
5 5
Mobility Is Changing Everything: PCs Are Not Your Only Worry
Chart (2009 to 2012): smartphones and tablets vs. PC shipments
EXPLOSIVE GROWTH in shipments of smartphones and tablets
FLAT PC shipments
of information workers use three or more devices for work to increase productivity
Sources: IDC, BGR, Forrester
6 6
Resulting Challenges for Our Customers
Users now expect to do work from home or on mobile devices
We need to support a wide variety of devices, including Macs, iPhones, Android phones, and tablets
Until recently, we have not had a solution for securing corporate data on mobile devices
BYOD is great, but we have needed to separate corporate assets from employee personal assets on employee-owned mobile devices
We need to simplify the end user experience across devices
We need a solution that evolves with our needs and the market
“Mobility enables officers to run queries on suspects and file incident reports while on patrol. This allows them to spend more time in the community, rather than back at the desk. The productivity increase essentially means more boots on the ground and safer streets.”
Mike Legdon, IT Manager, South Yorkshire Police
7 7
New Apps Are Flooding the Enterprise
Ratio of mobile app development projects to native PC projects in 2015
PACE OF TECHNOLOGY ADOPTION IS ACCELERATING
PC: 100M USERS, 20 YEARS
INTERNET: 100M USERS, 10 YEARS
MOBILE: 100M USERS, 5 YEARS
Chart: Apps in the Enterprise (% OS Neutral, % Browser Specific, % Windows; 0% to 100%; 1996, 2011, 2020; crossover point marked)
Sources: Gartner, Internal VMware Analysis
8 8
Resulting Challenges for Our Customers
Our application portfolio has evolved from Windows-only to include web, SaaS and increasingly mobile apps
We need an efficient and centralized way of providing all types of applications to our employees
The applications users can access must vary based on the device and location they connect from
We need to readily adapt to support more apps and new app platforms as our needs and the market evolve
“We have 2100 applications today vs. just 100 when I started in 1997 – and that’s just counting the sanctioned apps. We don’t see consumerization as a threat; it’s an opportunity to get ahead of the business requirements and meet end user demand.”
Chad Erickson, IS Administrator, General Mills
9 9
New User Expectations for Productivity Are Driving IT to Evolve
ENTERPRISE END USER COMPUTING
“88% of executives report employees are using their personal computing technologies for business purposes”
DEMAND ACCESS FROM ANYWHERE
“9 out of 10 companies report the use of consumer technologies in the workplace”
BETTER CONSUMER TECHNOLOGIES
“74% of employees use consumer technologies due to lack of compelling alternatives from IT”
LACK OF CHOICES FROM IT
Sources: IDC, Avanade
10 10
Resulting Challenges for Our Customers
Corporate technologies should be as easy to use as consumer technologies
Users are introducing consumer apps into our corporate environment. We must provide compelling alternatives or lose control
We need to protect sensitive company data and stay compliant
We see an opportunity to use technology to improve employee productivity and retain talent, but are unsure how to capitalize on it
“So many of our employees need to access LA County documents and data from their iPads at home. We need a secure way of providing Dropbox-like functionality.”
Tony Cronin, Datacenter Team Lead, County of Los Angeles
11 11
Mobility Brings New Challenges, but Also New Opportunities
THERE ARE TWO REASONS TO INVEST
SOLVE PROBLEMS
COMPLIANCE: Are consumer technologies compliant? Policy Violations = Increased Risk
SECURITY: Only 5% of devices use mobile security. Low Adoption = Increased Risk
COST: Too many apps, too many devices. Diversity = Complexity = Cost
GAIN COMPETITIVE EDGE
SATISFACTION: Differentiate and retain top talent. Satisfaction = Retention
COLLABORATION: Communicate with at-home workers, contractors, customers and partners. Collaboration = Performance
PRODUCTIVITY: Mobile users are 20% more productive than non-mobile workers. Access = Increased output
Sources: IDC, Forrester
12 12
VMware Horizon Is the Platform for Workforce Mobility
Transform: Simplify desktops, diverse apps and data into centralized services
Deliver: Empower your workforce with flexible access across devices, locations and connectivity
Broker: Manage & Secure centrally and broker services to your workforce by policy
13 13
VMware Horizon Workspace at a Glance
IT ADMINS: Single management console for administration, managing security and user entitlement policies
END USERS: Single workspace for accessing data, apps, desktops
Delivered on any device
14 14
File Collaboration with Colleagues, Customers and Partners
Challenge
Users introducing consumer devices and apps into corporate environment
Need a secure way to collaborate on files both internally and with customers, partners and work-at-home employees
Solution
Anytime, anywhere access
Offline & online data access
High-fidelity doc previews
Document versioning, commenting and auditing
Benefit
Personal & team productivity
Share documents in an IT friendly way
Stay up to date effortlessly
IT governs end user usage
15 15
Easy Access to Enterprise Applications & Services
Challenge
Different way of getting apps from every platform
Multiple logins increase support costs
Provisioning applications is costly
Solution
Single context-based catalog
Data, Apps, Services, Virtual Desktops
Single Sign On
One-click access to activate / download app
Benefit
Essential apps always at users' fingertips
No credentials to forget lowers support costs and improves productivity
Provides users self-serve access
Consistent methodology to deploy apps
16 16
Enterprise Integration
Challenge
Enterprise applications are desktop applications and web applications.
Users need to type in their credentials every time they log in to each application.
No single source of provisioning: IT admins need to provision each application individually every time a new user joins the company.
Solution: VMware Horizon Workspace
Single SSO workspace administration for SaaS (cloud-based) and internal applications.
Users just need to remember their AD password: a single user account for all applications, with single sign-on.
IT admins can provision users easily and can disable a user from a single place if the user leaves the company or the account has been compromised.
17 17
Single Sign On (SSO) Basic
Security Assertion Markup Language (SAML)
XML-based open standard for exchanging authentication and attribute data between an identity provider and a service provider.
The Identity Provider (IdP) is the authentication service. This service is fully protected and lives inside the corporate environment. In this case, Horizon Workspace is the IdP.
The Service Provider (SP) is the actual web application; it can be an external cloud-based application or a corporate web application.
18 18
Horizon Workspace SAML
Service Virtual Appliance (where it all happens) Implementation
Connects to Web application via SAML 1.1 / 2.0
Supports Web Browser SAML POST profile only
There are 3 components to SAML: the SP, the user agent and the IdP
The Web Browser POST profile indicates that the user agent portion is required to initiate the flow.
Supports SP-INIT (SP sends SAML authentication request to Horizon)
Supports Pseudo-SP-INIT (SP redirects users to Horizon for authentication)
19 19
SAML Interaction Flow
Diagram participants: User, IdP (Horizon Workspace), Service Provider (Web App)
Diagram messages: Redirection, SAML Request (signed), SAML Response (signed)
20 20
Enterprise Application Integration
Prerequisites
Deploy VMware Horizon Workspace
Pick application framework: the language/framework the application was developed in
Execution plan
Refactor the current application to support SAML SSO.
Add a new user provisioning module, for the case where the user does not yet exist.
Map user credentials: the application may already use a user ID. Horizon Workspace can map the ID from email, AD user ID, or external ID (Horizon-based ID)
Add an SSO framework to the existing application.
Obtain the IdP certificate from Horizon Workspace
Configure the certificate in the application
Set up the SAML-enabled application in Horizon Workspace
21 21
SAML Application Framework
Language / Framework
PHP
PHP-saml (https://github.com/onelogin/php-saml)
SimpleSAMLphp (http://simplesamlphp.org)
JAVA
Shibboleth (http://shibboleth.net)
Java-saml (https://github.com/onelogin/java-saml)
.NET
dotnet-saml (https://github.com/onelogin/dotnet-saml)
22 22
User Mapping
What to choose to identify the user
UserId: Active Directory user ID. This is exactly what is used to sign in to the AD environment
Email: for cloud-based applications, and always the wise choice for most web-based applications
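The SP-side steps from the execution plan and user-mapping slides, as an added Python example that is not from the deck or its sample projects: it takes a SAML 2.0 Response whose signature the SAML toolkit is assumed to have already verified against the IdP certificate, checks that it was issued by the expected IdP for this application, and maps the email NameID to a local account, provisioning one if none exists. The entity IDs, URLs, function names and the sample message are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
OK = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed SP settings (placeholders, not Horizon Workspace defaults).
IDP_ENTITY = "https://workspace.example.test/idp"
SP_ENTITY = "https://app.example.test/saml/metadata"
ACS_URL = "https://app.example.test/saml/acs"

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def login_from_response(xml_text, request_id, now, users):
    """Map an already signature-verified SAML 2.0 Response to a local user.
    request_id is None when no AuthnRequest was sent (pseudo SP-init redirect)."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("a:Assertion", NS)
    code = resp.find("p:Status/p:StatusCode", NS)
    if assertion is None or code is None or code.get("Value") != OK:
        raise ValueError("no successful assertion")
    if resp.get("Destination") != ACS_URL:
        raise ValueError("response addressed to a different endpoint")
    if resp.get("InResponseTo") != request_id:  # absent attribute reads as None
        raise ValueError("response does not answer our AuthnRequest")
    if assertion.findtext("a:Issuer", namespaces=NS) != IDP_ENTITY:
        raise ValueError("unexpected issuer")
    audience = assertion.findtext("a:Conditions/a:AudienceRestriction/a:Audience", namespaces=NS)
    if audience != SP_ENTITY:
        raise ValueError("assertion issued for another SP")
    cond = assertion.find("a:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    email = (assertion.findtext("a:Subject/a:NameID", namespaces=NS) or "").strip().lower()
    if "@" not in email:
        raise ValueError("NameID is not an email address")
    created = email not in users  # provisioning step: create the account on first login
    return users.setdefault(email, {"email": email, "roles": []}), created

def sample_response(in_response_to="", audience=SP_ENTITY):
    """Constructed, unsigned test message; real responses are signed by the IdP."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{ACS_URL}"{irt}>'
            f'<p:Status><p:StatusCode Value="{OK}"/></p:Status>'
            f'<a:Assertion><a:Issuer>{IDP_ENTITY}</a:Issuer>'
            f'<a:Subject><a:NameID>Alice@Example.test</a:NameID></a:Subject>'
            f'<a:Conditions NotBefore="2013-08-27T10:00:00Z" NotOnOrAfter="2013-08-27T10:05:00Z">'
            f'<a:AudienceRestriction><a:Audience>{audience}</a:Audience></a:AudienceRestriction>'
            f'</a:Conditions></a:Assertion></p:Response>')
```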
23 23
Obtain IdP SAML Certificate
24 24
Configure IdP Certificate to Application
25 25
Setup SAML Enabled Application into Horizon Workspace
26 26
Demo
27 27
Reference
Sample Projects
• PHP: [email protected]:eucmobileproject/horizonphpsamldemo.git
• JAVA: [email protected]:eucmobileproject/horizonjavasamldemo.git
Reference (starting point for SAML information)
• http://en.wikipedia.org/wiki/SAML_2.0
• http://blogs.vmware.com/horizontech/2013/08/vmware-horizon-workspace-web-application-integration-saml-protocol.html
28 28
Other VMware Activities Related to This Session
HOL: HOL-MBL-1304 Horizon Workspace - Explore and Deploy
Group Discussions: EUC1005-GD Workspace with Rasmus Jensen
THANK YOU