Home

WVD and SSO with AAD Connect PHS/PTA


Hi Guys,


As far as I know in order to use SSO in WVD, we must have AD FS.

But what about the topology below, when we use PHS/PTA as the synchronization method in AAD Connect, and we also connect the WVD pool with the on-prem environment using VPN/ER? Can clients in on-prem AD SSO to the WVD pool?

[Image: 1.png (topology diagram)]

5 Replies

To add something, I did some checking of how seamless SSO works.

My question is if WVD can be regarded as an app that uses seamless SSO.

[Image: clipboard_image_0.png (seamless SSO flow)]
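Seamless SSO (the no-AD FS variant the thread is asking about) relies on a computer account that Azure AD Connect creates in the on-prem forest, and its Kerberos decryption key is the secret the whole mechanism rests on. The script below is an added example, not something posted in this thread, that checks from a domain-joined admin workstation whether that prerequisite is in place and whether the key has been rolled recently (Microsoft recommends rolling it at least every 30 days). It assumes the default account name `AZUREADSSOACC`, the ActiveDirectory RSAT module, and that `Update-AzureADSSOForest` from the AzureADSSO module is available on the AAD Connect server for the rollover itself.

```powershell
# Added example (not from the thread): verify on-prem prerequisites for Azure AD Seamless SSO.
# Run from a domain-joined workstation with the ActiveDirectory RSAT module installed.
# Assumption: the computer account uses the default name AZUREADSSOACC created by Azure AD Connect.
Import-Module ActiveDirectory

$ssoAccount = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" `
    -Properties PasswordLastSet, ServicePrincipalNames -ErrorAction SilentlyContinue

if (-not $ssoAccount) {
    Write-Output "AZUREADSSOACC not found: Seamless SSO has not been enabled for this forest by Azure AD Connect."
    return
}

# The account password is the Kerberos decryption key shared with Azure AD.
$keyAgeDays = (New-TimeSpan -Start $ssoAccount.PasswordLastSet -End (Get-Date)).Days
Write-Output ("Seamless SSO account found; Kerberos decryption key last rolled {0} days ago." -f $keyAgeDays)

# Guidance is to roll the key at least every 30 days, using Update-AzureADSSOForest
# (AzureADSSO module) on the Azure AD Connect server with domain-admin and global-admin credentials.
if ($keyAgeDays -gt 30) {
    Write-Warning "Key is older than 30 days; schedule a rollover with Update-AzureADSSOForest."
}

# Clients obtain a Kerberos ticket for the Azure AD SSO endpoint via the SPNs on this account;
# HTTP/autologon.microsoftazuread-sso.com is expected to be among them.
$ssoAccount.ServicePrincipalNames | ForEach-Object { Write-Output "SPN: $_" }
if ($ssoAccount.ServicePrincipalNames -notcontains 'HTTP/autologon.microsoftazuread-sso.com') {
    Write-Warning "Expected SPN HTTP/autologon.microsoftazuread-sso.com is missing; seamless SSO will not work."
}
```

This only confirms that seamless SSO is set up and hygienic on the on-prem side; as the replies below note, whether a given WVD entry point (Remote Desktop client vs. RDWeb) actually consumes it is a separate question.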

Your client is not connecting to WVD via the internal addresses but via the hosted WVD gateway/brokers of Microsoft. This means your schema is incorrect.

https://cdn.dribbble.com/users/1135328/screenshots/6393820/wvd_architecture_2x.jpg
Thanks for your reply @knowlite.
Assume the WVD pool in my diagram means both WVD pool and hosted WVD gateway/brokers, is it possible to enable seamless SSO?
My main question is if we can use Seamless SSO (no ADFS) for WVD?

I found a blog saying below, but it's not from official MS docs, so I am afraid I cannot present this to customer as evidence.
"8: No Direct SSO using Azure AD Native – If you today are using SAML based SSO with for instance Azure AD or other iDP’s such as if you have end-users on Azure AD joined machines and want to provide SSO directly to a WVD desktop this is not currently possible and it requires that you have configured an ADFS."
From: https://msandbu.org/windows-virtual-desktop-breakdown-of-architecture-and-current-status/

Not sure if anyone can help on this.

The new Remote Desktop app provides SSO once the credentials have been cached, so it's a one-time configuration. Going through RDWeb there is no SSO functionality without ADFS (unfortunately).