Secure your VMware Horizon setup with two-factor authentication without an additional RADIUS server. Integrates with the SecSignIDRadiusProxy and the RADIUS interface.
The following components will be added and installed:
For this setup you will need the SecSign ID on-premise server setup. Please contact us for more information.
This server may be installed on any Java-enabled environment. It can be the same server running the Horizon connection server or run on its own VM.
If the end users are accessing the Horizon environment via the internet, the SecSign ID server will need to be accessed
If the end users are accessing the Horizon environment over a local network, there is no need for any access through the Firewall. In this case the SecSign ID on-premise server will still need to be accessed:
Perform the usual SecSign ID on-premise installation using the setup wizard and create at least one administrator with a username and password who is allowed to log in from the local network only.
The goal is to have users authenticate with the username and password they already have in your AD. Before the LDAP connection is set up, we need at least one administrator who can access the dashboard.
This administrator, whose password is stored locally on the SecSign ID on-premise server, can later also be used to debug the LDAP connection to AD should the need arise.
The locations from which this local password login is allowed can be redefined in SecSign-ID-server.properties:
secsignidserver.client.pwdlogin.allowed.0=127.0.0.1
secsignidserver.client.pwdlogin.allowed.1=::1
secsignidserver.client.pwdlogin.allowed.2=10.3.0.0/16
secsignidserver.client.pwdlogin.allowed.3=2a02:8108:44c0:4d58::/59
Comment out or extend this list as required for your local network. Users logging in from any other location will be required to type in their username and password as defined in AD.
Open the Dashboard, log in as Administrator and navigate to the LDAP configuration.
Set up the LDAP connection to the AD running on the same domain controller as used by the Horizon environment.
Choose the use case “Check username/password on dashboard login” and fill out the parameters required for the LDAP connection.
The SecSignIDRadiusProxy server application may be installed on any Java-enabled environment. It may be the same server running the Horizon connection server or run on its own VM. It will need to be accessed
1. Copy the directory SecSignIDRadiusProxy to the location where you want it to run.
2. Use one of the delivered start scripts found in this directory to start it, depending on the operating system. Under Windows use SecSignIDRadiusProxy.bat.
3. To start it automatically after a reboot under Linux, use the start scripts found under SecSignIDRadiusProxy/etc.
Under Windows use the Task Scheduler to automatically start SecSignIDRadiusProxy.bat at startup.
4. Adjust the configuration in SecSignIDRadiusProxy.properties:
Note: for the SecSignIDRadiusProxy, the Horizon connection server is the RADIUS client.
# first RADIUS client host
secradiusproxy.radiusclient.0.host=10.4.0.32
# Shared secret with the first RADIUS client
secradiusproxy.radiusclient.0.sharedsecret=123456
# the text of the Reply-Message to be sent back to the first RADIUS client answering its Access-Request.
secradiusproxy.radiusclient.0.challengereplymsg=To confirm login please start the SecSignapp\n\n1. Select the ID equal to your AD username \n2. Click "Accept" \n3. Type any number as Tokencode below\n4. Click login button.
secradiusproxy.noldapserver.idpattern=%username%
# Base URL of the first SecSign ID server for REST requests
secradiusproxy.secsignidserver.0.url=https://horizonid.seccommerce.biz:28787/
# first SecSign ID server host
seccommerce.secappserver.0=192.168.1.93
# first SecSign ID server port
seccommerce.secappserverport.0=25100
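The two properties files above (the pwdlogin.allowed list in SecSign-ID-server.properties and the SecSignIDRadiusProxy.properties block) are the places where a misconfiguration quietly widens exposure. The following is an added example, not part of the product or of this page: it reads both files with a small Java-properties parser, answers "may this client IP use the local dashboard password?" with proper IPv4/IPv6 CIDR matching, and runs a few sanity checks on the proxy settings. The sample file contents are constructed from the values shown on this page, and the 16-character minimum for the RADIUS shared secret is this example's own threshold, not a product requirement.

```python
import ipaddress

# Constructed sample of SecSign-ID-server.properties, using the allow list shown on this page.
SERVER_PROPERTIES = """
# locations from which local username/password login to the dashboard is allowed
secsignidserver.client.pwdlogin.allowed.0=127.0.0.1
secsignidserver.client.pwdlogin.allowed.1=::1
secsignidserver.client.pwdlogin.allowed.2=10.3.0.0/16
secsignidserver.client.pwdlogin.allowed.3=2a02:8108:44c0:4d58::/59
secsignidserver.port=443
"""

# Constructed sample of SecSignIDRadiusProxy.properties with the example values from this page.
PROXY_PROPERTIES = """
secradiusproxy.radiusclient.0.host=10.4.0.32
secradiusproxy.radiusclient.0.sharedsecret=123456
secradiusproxy.secsignidserver.0.url=https://horizonid.seccommerce.biz:28787/
seccommerce.secappserver.0=192.168.1.93
seccommerce.secappserverport.0=25100
secradiusproxy.radius.port=1812
"""


def parse_properties(text):
    """Minimal Java .properties reader: one key=value per line, '#'/'!' comments,
    no line continuations or unicode escapes (enough for the files shown on this page)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def password_login_networks(props, prefix="secsignidserver.client.pwdlogin.allowed."):
    """Collect every pwdlogin.allowed.N entry as a network; single hosts become /32 or /128."""
    keys = sorted(k for k in props if k.startswith(prefix))
    return [ipaddress.ip_network(props[k], strict=False) for k in keys]


def password_login_allowed(props, client_ip):
    """True if a dashboard login with the locally stored password may come from client_ip.
    ipaddress handles the family mismatch: an IPv6 address is never 'in' an IPv4 network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in password_login_networks(props))


def proxy_config_findings(props, min_secret_len=16):
    """Sanity checks on the RADIUS proxy configuration. The minimum shared-secret length
    is this example's own threshold (assumption), not a value from the product documentation."""
    findings = []
    for key, value in props.items():
        if key.endswith(".sharedsecret") and len(value) < min_secret_len:
            findings.append(f"{key}: shared secret is shorter than {min_secret_len} characters")
        if key.startswith("secradiusproxy.secsignidserver.") and key.endswith(".url") \
                and not value.lower().startswith("https://"):
            findings.append(f"{key}: SecSign ID server URL does not use https")
    for key in ("secradiusproxy.radius.port", "seccommerce.secappserverport.0"):
        if key in props and not props[key].isdigit():
            findings.append(f"{key}: port is not numeric")
    return findings


if __name__ == "__main__":
    server = parse_properties(SERVER_PROPERTIES)
    for ip in ("127.0.0.1", "10.3.17.4", "10.4.0.32", "2a02:8108:44c0:4d58::1"):
        print(f"{ip:>24}  local password login allowed: {password_login_allowed(server, ip)}")
    for finding in proxy_config_findings(parse_properties(PROXY_PROPERTIES)):
        print("finding:", finding)
```

Run against the page's own values, the allow-list check passes 10.3.x.x and the listed IPv6 /59 but refuses 10.4.0.32 (the Horizon connection server's address in the proxy config), and the only finding on the proxy file is the six-character shared secret.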
1. In Horizon Admin, select the desired connection server and click Edit.
2. Select the tab "Authentication" and scroll down until you find 2FA.
3. Activate 2FA by selecting RADIUS and click on "Create New Authenticator".
4. Type in the name of the authenticator and then select the tab "Primary Authentication server".
5. Enter the hostname or IP address of the SecSignIDRadiusProxy.
6. Enter the port (default 1812) of the SecSignIDRadiusProxy.
7. Enter the shared secret as defined before in SecSignIDRadiusProxy.properties (secradiusproxy.radiusclient.0.sharedsecret=…).
Press OK and check that the newly created authenticator is being used for 2FA RADIUS authentication.
You can choose between the default SecSign ID app for mobile or desktop use, or have our developers create a custom ID app for you in your corporate design. Install the customized SecSign ID Desktop app on the same workstation where the Horizon Desktop Client is installed.
Note: The SecSign ID app can be used on a mobile device or on the desktop. The following example focuses on the Desktop App.
Use the SecSign ID Desktop app to create a user with the same name and password as the user has in AD.
An alternative enrollment procedure is described here.
Log in to Horizon using the Desktop Client and confirm 2FA using the SecSign ID Desktop app (with the Horizon HTML Client the procedure is the same; here it is shown with the Horizon Client).
Please follow these steps to set up the Desktop App:
1. Start the Horizon Client.
2. Choose the URL of the Horizon connection server.
3. Type in the AD username and password.
4. A dialog appears with the text defined in the SecSignIDRadiusProxy config (parameter "challengereplymsg").
6. Click on the username and type in the AD password.
(as an example, the user name here is "tara")
7. Confirm the login in the SecSign ID app.
When the user (here "tara") was registered using this instance of the SecSign ID app, a private certificate was created which ensures that only this instance of the SecSign ID app can receive the request to confirm the login of user "tara", so there is no need to send a code to be entered into the Horizon login dialog. After confirming the login in this SecSign ID app, any character can be entered in the next dialog.
8. Type any number into the Horizon login dialog and click on "Login".
9. You are logged in and have access to all applications the Horizon administrator has configured for the user.
1. The user logs in to the VMware Horizon Connection Server.
2. The Horizon Connection Server uses the configured 2FA RADIUS authenticator to send the 2FA request through the SecSignID RADIUS Proxy.
3. The SecSignID RADIUS Proxy contacts the SecSignID Server and asks whether the ID is authenticated.
4. The SecSignID Server validates the AD user and password against the Active Directory.
5. The SecSignID Server starts an authentication session (and notifies the user's mobile device if one is used) and waits for the user to complete the second-factor authentication.
6. The user authenticates with the key stored locally in the SecSign ID app on the desktop or mobile device and accepts the login request.
7. The SecSignID RADIUS Proxy receives the response from the ID Server that the second-factor authentication was successful.
8. The SecSignID RADIUS Proxy sends a RADIUS confirmation to the Horizon Connection Server, which activates the login button (the user needs to enter any number and click Login).
9. The authentication was successful. VMware Horizon grants the client access.
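The flow above is a standard two-round RADIUS exchange: an Access-Request carrying the AD credentials, an Access-Challenge carrying the challengereplymsg text and a State attribute, a second Access-Request with the typed "Tokencode" and the State, then Access-Accept or Access-Reject. What protects the exchange between the Horizon connection server and the proxy is the shared secret: it encrypts the User-Password attribute and it is mixed into the Response Authenticator of every reply. The following added example (not the page's or SecSign's code) plays both sides in-process so the exchange can be traced step by step. ProxySim is an assumed stand-in for the proxy's decision logic: in the real deployment the password check and the app confirmation are delegated to the SecSign ID server, and here they are a constructed user table and a set of "confirmed" users. The AD user, her password and the RADIUS packets are constructed; the shared secret is the one from the page's example properties file.

```python
import hashlib, hmac, os, struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
# Constructed values; the secret mirrors the page's example properties file
SHARED_SECRET = b"123456"
CHALLENGE_MSG = b"To confirm login please start the SecSign app and accept the request"

def _md5_xor(block, secret, prev):
    return bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))

def encrypt_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _md5_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def decrypt_password(cipher, secret, request_auth):
    blocks = [cipher[i:i + 16] for i in range(0, len(cipher), 16)]
    plain = b"".join(_md5_xor(b, secret, p) for b, p in zip(blocks, [request_auth] + blocks))
    return plain.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2:  # a zero/one-length attribute would otherwise loop forever
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def verify_response(pkt, request_auth, secret):
    """Client side: trust a reply only if its authenticator was computed with the shared secret."""
    code, ident, auth, attrs = parse_packet(pkt)
    return hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, attrs, secret))

class ProxySim:
    """Stand-in for the proxy's decision logic (this example's assumption, not the product's code).
    ad_users: username -> AD password; confirmed: users whose SecSign ID app accepted the login."""
    def __init__(self, secret, ad_users, confirmed):
        self.secret, self.ad_users, self.confirmed, self.pending = secret, ad_users, confirmed, {}
    def _reply(self, code, ident, req_auth, attrs=()):
        return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, self.secret), attrs)
    def handle(self, pkt):
        _, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode(errors="replace")
        pw = decrypt_password(a.get(USER_PASSWORD, b""), self.secret, req_auth).decode(errors="replace")
        if STATE not in a:  # round 1: the AD password decides whether the 2FA challenge is issued
            if self.ad_users.get(user) != pw:
                return self._reply(ACCESS_REJECT, ident, req_auth)
            state = os.urandom(8)
            self.pending[state] = user
            return self._reply(ACCESS_CHALLENGE, ident, req_auth, [(REPLY_MESSAGE, CHALLENGE_MSG), (STATE, state)])
        # round 2: the typed "Tokencode" is ignored; only the app confirmation bound to the State counts
        ok = self.pending.pop(a[STATE], None) == user and user in self.confirmed
        return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth)

def horizon_login(proxy, secret, username, password, token=b"1"):
    """Plays the Horizon connection server. Returns the final RADIUS code, or None if a reply fails verification."""
    ra1 = os.urandom(16)
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, encrypt_password(password.encode(), secret, ra1))]
    reply1 = proxy.handle(build_packet(ACCESS_REQUEST, 1, ra1, attrs))
    if not verify_response(reply1, ra1, secret):
        return None
    code, _, _, reply_attrs = parse_packet(reply1)
    if code != ACCESS_CHALLENGE:
        return code
    ra2 = os.urandom(16)
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, encrypt_password(token, secret, ra2)),
             (STATE, dict(reply_attrs)[STATE])]
    reply2 = proxy.handle(build_packet(ACCESS_REQUEST, 2, ra2, attrs))
    return parse_packet(reply2)[0] if verify_response(reply2, ra2, secret) else None

def demo():
    users = {"tara": "correct horse"}  # constructed AD user
    return {
        "ok": horizon_login(ProxySim(SHARED_SECRET, users, {"tara"}), SHARED_SECRET, "tara", "correct horse"),
        "wrong_password": horizon_login(ProxySim(SHARED_SECRET, users, {"tara"}), SHARED_SECRET, "tara", "nope"),
        "app_not_confirmed": horizon_login(ProxySim(SHARED_SECRET, users, set()), SHARED_SECRET, "tara", "correct horse"),
        "secret_mismatch": horizon_login(ProxySim(SHARED_SECRET, users, {"tara"}), b"other-secret", "tara", "correct horse"),
    }
```

Calling demo() yields Access-Accept only for the confirmed user with the right AD password, Access-Reject for a wrong password or an unconfirmed app, and None when the two sides hold different shared secrets, which is the symptom to look for when Horizon reports the authenticator as unreachable or failing after the step-7 shared-secret entry above. The Tokencode typed in step 8 of the login procedure is deliberately not checked, matching the page's statement that any number works.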
Assuming the users connecting to the Horizon VDI externally access the system through the internet:
The external firewall needs to allow access to both the VMware Horizon connection server and the SecSign ID server, in both cases through port 443.
All other connections should take place within the internal network.
The SecSign ID server's default HTTPS port is 28787; if it runs on Windows and no external firewall is used, change it to 443 in SecSign-ID-server.properties:
secsignidserver.port=443
The SecSign ID server is accessed on this port by the SecSign ID app and also, over the internal network, by the SecSignID RADIUS Proxy.
The SecSign ID server is additionally accessed over port 25100 by the SecSignID RADIUS Proxy.
The SecSignID RADIUS Proxy is accessed over the default RADIUS port 1812.
This port can also be changed, in SecSignIDRadiusProxy.properties:
# server port for requests from RADIUS clients. Default: 1812.
secradiusproxy.radius.port=1812