True SSO was introduced by Omnissa Horizon back in 2016. It allows users to authenticate with Workspace ONE Access using non-AD credentials (such as authenticating with Azure AD) and then single sign-on to the desktop or remoted application without providing any further credentials. True SSO delivers a fast, secure, streamlined experience for the end user.

The following diagram by my colleague Shrestha Upendra (Sr. Staff EUC Architect, Omnissa) outlines how True SSO removes the requirement for an AD password:

True SSO Resources
There are numerous articles on True SSO that I have listed here for your reference:
- Introducing True SSO (Single Sign-On) in Omnissa Horizon 7 – link
- Omnissa True SSO overview video by Upendra Shrestha – link
- Determining an Architecture for True SSO – link
- Horizon View True SSO – link
- Horizon in the Field: Unraveling the Truth about TrueSSO (video) – link
- Omnissa Horizon 7 True SSO: Setting Up In a Lab – link
- Common Configuration Issues and Guidelines with True SSO (90037) – link
Installing True SSO
You will need to create a new Windows Server to install the Horizon enrollment server. As I’ve outlined in previous articles, to set up True SSO, follow Carl Stalhood’s excellent step-by-step instructions in Omnissa Horizon True SSO with UAG SAML.
Once True SSO is set up, check that everything is showing as healthy in the Horizon console.

True SSO Diagnostics Utility Fling
I’d recommend downloading the True SSO Diagnostic Utility (previously hosted on the VMware Flings website, now an Omnissa version).
You can run this utility from your enrollment server.
Start by using the following:
es_diag /?

Next, check that True SSO is running correctly by issuing this command:
es_diag /ListEnvironment

I’d recommend you perform an enrollment test using this command (change to the settings for your environment):
es_diag.exe /enrollmenttest /domain:lab.int /requester:lab\testuser1 /template:HorizonTrueSSO /caserver:lab-dc1-ca

Note that a certificate is issued from your CA if things are working correctly:

Enabling TrueSSO in Access and Horizon
With all of the above working correctly, you should be able to log in to your Windows desktops or applications without being prompted for a password. However, it’s important to check a couple of other settings within Access and Horizon as well.
Horizon Pod True SSO setting in Workspace ONE Access
If you attempt to launch a Windows desktop or application within Access and you’re immediately prompted for a password as follows, check that True SSO is enabled.

Within Workspace ONE Access, go to Resources – Virtual Apps Collections – Click the Horizon pod and click Edit – click on Pod and Federation – Click the Horizon Connection Server – ensure True SSO is enabled as shown:

True SSO Trigger Mode
If your Windows desktop successfully launches but then you’re prompted for a password (within the operating system screen) as shown, let’s check True SSO Trigger mode is set to Enabled.

Within your Horizon Admin console, select Servers – Connection Servers – select your Connection Server(s) and select Edit – Authentication – Manage SAML Authenticators – select your SAML Authenticator for your Access server – scroll down and ensure TrueSSO Trigger Mode is set to Enabled as shown.

In case you cannot set the TrueSSO Trigger Mode within the Horizon admin UI, please see this KB.
With this setting changed, you should be able to successfully log in to a Windows desktop or application from Access without needing to enter your userid/password!
I hope this blog article has given you a few additional pointers to get True SSO working. Please comment below if some of these suggestions worked for you. I’d also recommend reviewing the posts on the Horizon community forum.
Updates
4 October 2024 – updated link to the True SSO Diagnostic Utility
18 March 2025 – updated link to the True SSO Diagnostic Utility to the Internet Archive
17 October 2025 – link to new Omnissa True SSO Diagnostic Utility
Thanks Darry. It helps a lot!