Publishing VDI outside our company network is an activity that has become a necessity for many companies since COVID-19 (employee smart working, workstations dedicated to consultants, etc.). In all the implementations, that I have done in recent years, one of the key points of my installations is the need to implement MFA solutions to increase the level of security.
In this post, I want to explain how to configure the integration of Workspace One Access WS1A, Horizon, and FIDO2 devices (I use a Yubikey 5 Series with NFC and Fingerprint)
What is VMware WorkSpace One Access?
Workspace ONE Access (vmware.com)
What is VMware Horizon?
VMware Horizon | VDI Software Solutions | VMware
What is FIDO2?
FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
FIDO2 – FIDO Alliance
What is Yubikey 5 Series?
Multi-protocol security key, eliminate account takeovers with strong two-factor, multi-factor, and passwordless authentication, and seamless touch-to-sign. Multi-protocol support allows for strong security for legacy and modern environments. A full range of form factors allows users to secure online accounts on all of the devices that they love, across desktops and mobile.
- Multi-protocol support; FIDO2, U2F, Smart card, OTP, OpenPGP 3
- USB-A, USB-C, NFC, Lightning
- IP68 rated, crush resistant, no batteries required, no moving parts
USB-A YubiKey 5 NFC Two Factor Security Key | Yubico
Configure Workspace one Access(WS1A) SaaS for use FIDO2 authentication
Enable Authentication methods on WS1A.
Go to integrations -> Authentication Methods -> Click on FIDO2 -> Enable FIDO2 Adapter
Now we need to associate the authentication method to Identity provider (created to integrate WS1A with Active Directory)
Go to integrations -> Identity providers -> Click on correct IdP -> Flag FIDO2
After associating the FIDO2 to IdP we need to create the policy to enable self-services FIDO2 device registration (it is possible to pre-configure the FIDO2 device registration)
Go to resources -> Policies -> Click on default_access_policy_set -> Edit
Create to rule:
Rule 1 -> enable self-service registration FIDO2 Device
Rule 2 -> enable the login with only FIDO2 Device
In the next image, there are the Policy Rule configurations
Self-service registration key
Insert the Yubikey 5 into to USB port and log to the Workspace One Access portal.
Now the web portal requires two choices:
- Sign in with Fido2 Authenticator
- Register your Fido2 Authenticator
To register the device we need to select Register
Login with the correct domain name account
Now we need to select the authenticator
Select another device
Select Security Key where store the passkey
Insert the security pin
Touch the key (there is a fingerprint ….)
Add a name for the Security Key
Now you are ready to log in with the security key
User Experience login
Access to company workspace one access website
Insert PIN number associated with FIDO2
Now touch the key for fingerprint authentication Chiara2013!
You are redirected to Workspace One catalog portal
If you want to show and reset the User FIDO2 device you need to:
Login to Workspace One Access SaaS admin console, go to Accounts, Users and click on the user that you want to reset the device association
Select two-factor authentication
And delete the FIDO2 security key
Otherwise, the administrator can associate the new device with the user.