Integrating Enterprise Application with SAML to

Horizon Workspace

Manrat Chobchuen, VMware

Dean Flaming, VMware

Cindy Kou, VMware

EUC5541

#EUC5541

4 4

New Device Platforms New Apps New User Expectations

Three Trends Are Forcing Massive Change on IT

New Device

Platforms

A new way to work

Not just Windows anymore

New User

Expectations

Collaboration with partners, contractors, and customers

Productivity through better technology

New

Apps

SaaS, mobile apps

Quantity is increasing

New Apps New User Expectations New Device Platforms

5 5

Mobility Is Changing Everything: PCs Are Not Your Only Worry

0

300

600

900

2009 2010 2011 2012

Smartphones and tablets PC shipments

of information workers

u s e t h r e e o r mo r e

devices for work to

increase productivity

EXPLOSIVE GROWTH in shipments of smartphones and tablets

Sources: IDC, BGR, Forrester

FLAT pc shipments

New Device Platforms New Apps New User Expectations New Device Platforms

6 6

Resulting Challenges for Our Customers

New Device Platforms New Apps New User Expectations New Device Platforms

User now expect to do work from home or on mobile devices

We need to support a wide variety of devices, including Macs, iPhones, Android phones, and tablets

Until recently, we have not had a solution for securing corporate data on mobile devices

BYOD is great, but we have needed to separate corporate assets from employee personal assets on employee-owned mobile devices

We need to simplify the end user experience across devices

We need a solution that evolves with our needs and the market

“ Mobility enables officers to run queries on suspects and file incident reports while on patrol. This allows them to spend more time in the community, rather than back at the desk. The productivity increase essentially means more boots on the ground and safer streets.”

Mike Legdon, IT Manager, South Yorkshire Police

7 7

New Apps Are Flooding the Enterprise

Ratio of mobile app

development projects

to native PC projects

i n 2 0 1 5

PACE OF TECHNOLOGY ADOPTION IS ACCELERATING PC

100M USERS

20 YEARS

INTERNET

100M USERS

10 YEARS

MOBILE

100M USERS

5 YEARS

% OS Neutral % Browser Specific % Windows

1996

CROSSOVER

POINT

Apps in the Enterprise

2011 2020

0%

100%

50%

New Device Platforms New Apps New User Expectations New Apps New Device Platforms

Sources: Gartner, Internal VMware Analysis

8 8

Resulting Challenges for Our Customers

New Device Platforms New Apps New User Expectations New Apps

Our application portfolio has evolved from Windows-only to include web, SaaS and increasingly mobile apps

We need an efficient and centralized way of providing all types of applications to our employees

The applications users can access must vary based on the device and location they connect from

We need to readily adapt to support more apps and new app platforms as our needs and the market evolve

“ We have 2100 applications today vs. just 100 when I started in 1997 – and that’s just counting the sanctioned apps. We don’t see consumerization as a threat; it’s an opportunity to get ahead of the business requirements and meet end user demand.”

Chad Erickson, IS Administrator, General Mills

9 9

New User Expectations for Productivity Are Driving IT to Evolve

ENTERPRISE END USER COMPUTING

“88% of executives report employees are using their personal computing technologies for business purposes”

DEMAND ACCESS

FROM ANYWHERE

“9 out of 10 companies report the use of consumer technologies in the workplace”

BETTER CONSUMER

TECHNOLOGIES

“74% of employees use consumer technologies due to lack of compelling alternatives from IT”

LACK OF CHOICES

FROM IT

New Device Platforms New Apps New User Expectations New Apps New User Expectations

Sources: IDC, Avanade

10 10

Resulting Challenges for Our Customers

New Device Platforms New Apps New User Expectations New User Expectations

Corporate technologies should be as easy to use as consumer technologies

Users are introducing consumer apps into our corporate environment. We must provide compelling alternatives or lose control

We need to protect sensitive company data and stay compliant

We see an opportunity to use technology to improve employee productivity and retain talent, but are unsure how to capitalize on it

“ So many of our employees need to access LA County documents and data from their iPads at home. We need a secure way of providing Dropbox-like functionality.”

Tony Cronin, Datacenter Team Lead, County of Los Angeles

11 11

Mobility Brings New Challenges, but Also New Opportunities

THERE ARE TWO REASONS TO INVEST

SOLVE PROBLEMS GAIN COMPETITIVE EDGE

COMPLIANCE Are consumer technologies compliant? Policy Violations = Increased Risk

SECURITY Only 5% of devices use mobile security Low Adoption = Increased Risk

COST Too many apps, too many devices Diversity = Complexity = Cost

SATISFACTION Differentiate and

retain top talent Satisfaction = Retention

COLLABORATION Communicate with at-home workers, contractors, customers and partners Collaboration = Performance

PRODUCTIVITY Mobile users are 20% more productive than non-mobile workers Access = Increased output

Sources: IDC, Forrester

12 12

VMware Horizon Is the Platform for Workforce Mobility

Transform: Simplify

desktops, diverse apps

and data into

centralized services

Deliver: Empower your

workforce with flexible

access across devices,

locations and connectivity

Broker: Manage & Secure

centrally and broker services

to your workforce by policy

13 13

VMware Horizon Workspace at a Glance

IT ADMINS

Single management console for

administration, managing security

and user entitlement policies

END USERS

Single workspace for accessing

data, apps, desktops

Delivered on any device

14 14

File Collaboration with Colleagues, Customers and Partners

Challenge

Users introducing consumer devices and apps into corporate environment

Need a secure way to collaborate on files both internally and with customers, partners and work-at-home employees

Solution

Anytime, anywhere access

Offline & online data access

High-fidelity doc previews

Document versioning, commenting and auditing

Benefit

Personal & team productivity

Share documents in an IT friendly way

Stay up to date effortlessly

IT governs end user usage

v1

INTERNAL EXTERNAL

v2 v3

15 15

Easy Access to Enterprise Applications & Services

Challenge

Different way of getting apps from every platform

Multiple logins increases support costs

Provisioning applications is costly

Solution

Single context-based catalog

Data, Apps, Services, Virtual Desktops

Single Sign On

One-click access to activate / download app

Benefit

Essential apps always at users fingertips

No credentials to forget lowers support costs and improves productivity

Provides users self-serve access

Consistent methodology to deploy apps

16 16

Enterprise Integration

Challenge

Enterprise application are desktop application, and web application.

User need to type in their credential every time they login to each application.

No single source of provisioning, IT Admin need to provision individual application everytime new user join the company.

Solution: VMware Horizon Workspace

Single SSO workspace administration for SaaS (Cloud based) and internal application.

User just need to remember their AD password, single user for all application and single sign on.

IT Admin can provision user easily, and able to disable user from single place if user leave the company or the account has been compromised.

17 17

Single Sign On (SSO) Basic

Security Assertion Markup Language (SAML)

XML-based open standard open exchanging authentication and attributes between identify provider and service provider.

Identify Provider (IdP) is authentication service. This service is fully protected and live inside corporate environment. In this case , Horizon Workspace is IDP.

Service Provider (SP) is actual web application, it can be external cloud based application, or corporate web application.

18 18

Horizon Workspace SAML

Service Virtual Appliance (where it all happens) Implementation

Connects to Web application via SAML 1.1 / 2.0

Supports Web Browser SAML POST profile only

There are 3 components to SAML, the SP, User agent and idP

The Web Browser Post Profile indicates that the User Agent portion is required to initiate the flow.

Support SP-INIT (SP sends SAML authentication request to Horizon)

Support Psuedo-SP-INIT (SP redirects users to Horizon for authentication)

19 19

SAML Interaction Flow

User

IdP (Horizon Workspace) Service Provider (Web App)

Redirection

SAML Request (signed)

SAML Response (signed)

20 20

Enterprise Application Integration

Prerequisites

Deploy VMware Horizon Workspace

Pick Application Framework: What language/framework that application has been developed

Execution plan

Refactor current application to support SAML SSO.

Add new user provisioning module: If new user does not existed.

Map user credential: Application may already used userid. Horizon Workspace can map ID from email, AD user ID, or external id (horizon based id)

Add SSO framework onto existing application.

Obtain idP certificate from Horizon Workspace

Configure certificate into Application

Setup SAML enabled application to Horizon Workspace

21 21

SAML Application Framework

Language / Framework

PHP

PHP-saml (https://github.com/onelogin/php-saml)

SimpleSAMLphp (http://simplesamlphp.org)

JAVA

Shibboleth (http://shibboleth.net)

Java-saml (https://github.com/onelogin/java-saml)

.NET

dotnet-saml (https://github.com/onelogin/dotnet-saml)

22 22

User Mapping

What to choose for identify user

UserId : Active Directory User Id. This one is exactly what has been used to sign in to AD environment

Email : For cloud based application, and always the wise choice for most of web based application

23 23

Obtain IdP SAML Certificate

24 24

Configure idP Certificate to Application

25 25

Setup SAML Enabled Application into Horizon Workspace

26 26

Demo

27 27

Reference

Sample Projects

• PHP: git@github.com:eucmobileproject/horizonphpsamldemo.git

• JAVA: git@github.com:eucmobileproject/horizonjavasamldemo.git

Reference (starting point for SAML information)

• http://en.wikipedia.org/wiki/SAML_2.0

• http://blogs.vmware.com/horizontech/2013/08/vmware-horizon-workspace-

web-application-integration-saml-protocol.html

28 28

Other VMware Activities Related to This Session

HOL:

HOL-MBL-1304

Horizon Workspace - Explore and Deploy

Group Discussions:

EUC1005-GD

Workspace with Rasmus Jensen

THANK YOU

Integrating Enterprise Application with SAML to

Horizon Workspace

Manrat Chobchuen, VMware

Dean Flaming, VMware

Cindy Kou, VMware

EUC5541

#EUC5541