Okta End-to-End Passwordless and true SSO Experience into Microsoft Azure Virtual Desktops (AVD)

OIE 5 Minutes

As we evolve through the new “normal”, most organizations are looking to extend their digital user experience to frictionless in order to increase workforce productivity while working from anywhere.

This is where Identity and Access Management plays a fundamental part to it and one of the key capability to enhance user experience is “PasswordLess”. At Okta we have developed FastPass which is our latest powerful feature that rapidly deliver a seemless PasswordLess experience for your workforce.

In this Article I’m going to provide guidance and references on how to setup True SSO with Azure Virtual Desktop (AVD) as well as how to integrate AVD with Okta as a primary Identity provider.

Configuring True SSO for Microsoft Azure Virtual Desktop:

I must say, the most technical part of setting up an end-to-end True SSO experience with AVD is the Microsoft part. Microsoft has only officially released this capability mid 2021 which has made difficult to find content on the internet to help to get it going. Hence i’m adding my part to support/help our community.

To begin with, below are the 2 main references I would point out in order to successfully deploy True SSO for AVD.

Official Microsoft documentation:

https://docs.microsoft.com/en-us/azure/virtual-desktop/configure-adfs-sso

And below is the best content I found to get it to work. I recommend watching step by step the below video as well as the added details I will provide as you keep reading this article through.

-Please read carefully below requirements before following above video tutorial-

Requirements

Before configuring AD FS single sign-on, you must have the following setup running in your environment:

  • You must deploy the Active Directory Certificate Services (CA) role. All servers running the role must be domain-joined, have the latest Windows updates installed, and be configured as enterprise certificate authorities.
  • You must deploy the Active Directory Federation Services (AD FS) role. All servers running this role must be domain-joined, have the latest Windows updates installed, and be running Windows Server 2016 or later.
  • You must setup the Web Application Proxy role to secure your environment’s connection to the AD FS servers. All servers running this role must have the latest Windows updates installed, and be running Windows Server 2016 or later. Check out this video. You must have a public domain name as well as a Public signed SSL Certificate to expose ADFS through the WAP server.
  • You must deploy Azure AD Connect to sync users to Azure AD. Azure AD Connect must be configured in federation mode.
  • Set up your PowerShell environment for Azure Virtual Desktop on the AD FS server.
  • When using Windows 10 20H1 or 20H2 to connect to Azure Virtual Desktop, you must install the 2021-04 Cumulative Update for Windows 10 (KB5001330) or later for single sign-on to function properly.
  • Azure subscription with AVD configured. I recommend watching some tuto here as well and ensure that your users have the right permissions to access the Virtual Machines. Ensure that your VM has domain join configured too.

If you are going to test this solution as proof of concept I higly recommend to host everyhting in Azure to make it simple. As per below screenshot I have my DC which host CA as well as ADFS and then My WAP server to publicly access ADFS and the other VMs are part of the AVD pool.

As you are ready to start following the video step by step I past below all the Powershell command lines that I used during the setup so you can re use them:


Install-Module -Name Az.DesktopVirtualization

connect-aZAccount

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

Set-AdfsCertificateAuthority -EnrollmentAgentCertificateTemplate "ADFSEnrollmentAgent" -LogonCertificateTemplate "ADFSSSO" -EnrollmentAgent

Install-Script -Name ConfigureWVDSSO

$config = ConfigureWVDSSO.ps1 -ADFSAuthority "https://iamse.blog/adfs"

$hp = Get-AzWvdHostPool -Name "OktaVDI" -ResourceGroupName "OktaVDI"

Install-Module Az.KeyVault

$secret = Set-AzkeyVaultSecret -VaultName "OktaVault" -Name "adfsssosecret" -SecretValue (ConvertTo-SecureString -String $config.SSOClientSecret  -AsPlainText -Force) -Tag @{ 'AllowedWVDSubscriptions' = $hp.Id.Split('/')[2]}


Update-AzWvdHostPool -Name $hp.Name -ResourceGroupName $hp.Id.Split('/')[4] -SsoadfsAuthority "https://iamse.blog/adfs" -SsoClientId "https://www.wvd.microsoft.com" -SsoSecretType SharedKeyInKeyVault -SsoClientSecretKeyVaultPath $secret.Id

At this point you would have the possibility to sign into your AVD Virtual Machines with one User Prompt for login and password.

Microsoft AVD integration with Okta for Passwordless

This section covers the simpliest part, which is the Microsoft Office 365 Okta Integration and the configuration of RDWEB to be added to the end user Okta Dashboard so they can seemlessly access their VDI machine passwordless and from anywhere.

Before we start if you don’t have one request your Okta Trial tenant https://www.okta.com/free-trial/

Configure FastPass:

Please follow below links to get the guide to setup FastPass.

Enable Okta FastPass

Configure an Okta sign-on policy for Okta FastPass

Okta Integration with Active Directory:

I won’t be covering this topic however Please follow this Documentation to get all you AD users into Okta.

Office 365 integration for AVD:

As an admin of your Okta tenant go to Applications –> Applications then Click on Browse App Catalog

Click on Office 365

Click Add

At this point enter the name of you Microsoft Office365/Azure Domain name without the “.onmicrosoft.com”. Select what Office 365 Apps will be display for users. As we are integrating for the purpose of AVD you can deselect all if you wish as we will create the RDWEB app later which will appear in Okta Dashboard. Leave the other option as default and hit next.

At the sign on Methods option please select WS-Federation.

Enter now your Office 365 Admin user and its password then click Fetch and Select to automatically bind Okta as IDP for Office 365 leveraging the APIs in the brackground. Click then save.

If you are successfull you will see this status page.

Assign the Office 365 App to the users which will require to access AVD.

Create the RDWEB Application

In your Okta Admin Dashboard select Create App Inetgration.

Provide a name for the app in our case it will be RDWEB and then the offical Microsoft RDWEB URL which is “https://rdweb.wvd.microsoft.com/arm/webclient/index.html”. You can upload an App logo of your choice for better user experience. On the Who set the Credential please select Admin sets username and user the password. We want the Secure Web Application process to push the username so then the office 365 inetgration takes over so there will be no need for passwords.

Next step is to assign the app the your AVD groups or users.

On the RDWEB App click now on Sign On and then scroll down to find Sign On Policy. As you can see by default the available Authenticator is Password so we will edit this and change this so FastPass is availble through Okta Verify as a possession Factor.

In the Sign On rule select Possession Factor and select device Bound so we are only allowing Okta Verify which also adds Fastpass when required.

At this stage you are all set and the experience should be similar to the video below:

Please contact me if you have any questions I can help with.

Published by Dany Leclerc

With a wealth of experience driving some of the largest Mission Critical End Points deployments across Transportation, Retail, Healthcare and Field services, Dany has spent over a decade focusing on Security and Cloud computing in both Europe and Australia. Dany chose to join Okta, the leader in the Identity Access Management and Customer Identity, after the pandemic accelerated the drive toward digital transformation, demanding an increased focus on securing Identity.

Published

Leave a Reply