Configure SSO

Owned by Javier Celaya (Unlicensed)
Jul 26, 2017

flexVDI provides a Single Sign-On feature that allows the user to log into her desktop (or unlock it) with the same credentials used to log in the flexVDI platform, without having to input them more than once. Both the desktop and the platform must share the credentials; for instance, by using the same Active Directory to authenticate users. In order to use this feature, follow these steps:

Install the flexVDI guest tools

If you have not done it yet, install the guest tools. They include two main components that implement the SSO feature:

  • The flexVDI guest agent. It shares information with other flexVDI components through the hypervisor. In particular, when a user logs in the platform, the guest agent receives her credentials.
  • The flexVDI Credential Provider (for Windows 7 and up) or GINA stub (for Windows XP). They ask the guest agent if it has any stored credentials, and use them to log into (or unlock) the user's desktop.

The credentials are received only once every time the user connects to her desktop. When the Credential Provider or GINA stub consume them, they are securely deleted from memory to avoid leaking them.

The SSO components will be registered as part of the guest tools installation process, nothing else is needed to enable SSO in the guest. Nevertheless, you can select not to install them if you do not need them.

Configure the desktop policy

The desktop policy must be configured to get the SSO working properly. On step 2:

  1. If your clones are in a Windows domain (see the section on how to get them join the domain with Sysprep), write it in the "Windows domain" field so that it is passed along with the username and password as part of the user's credentials.
  2. Check the "Disable Legacy SSO" box, unless you know what you are doing.

Once done, you should be able to log into your desktop automatically. Of course, this feature only works with authenticated terminal policies.