Single sign-on enhances VDI user experience

Single sign-on capabilities probably seem unimportant to desktop admins, but SSO can make end users' remote desktop experience much better. Here are some SSO strategies.

Whether you're looking at VMware View, Citrix XenDesktop or another VDI solution, the goal is the same: simplifying desktop administration and operations while maintaining or enhancing the user experience.

The user experience is affected by how profiles are managed and how applications and graphics are delivered. But the desktop and application login capabilities are where virtual desktop infrastructure (VDI) can provide significant benefits.

When a user logs into a typical desktop, he needs to enter his username and password and select the domain name. This is not a big deal because the end user is used to this in the physical desktop world. But with VDI, the desktop can be used in a "follow-me" scenario.

For example, a doctor in one exam room wants to quickly go to another exam room or operating room and doesn't want to waste time logging in. With certain single sign-on (SSO) products, the doctor can use his badge to tap a USB-attached pad that automatically logs him into the desktop or reconnects him to his desktop.

That might not seem like an important capability to desktop admins, but this little feature can make end users' experience 100% better. The major identity management tools can also perform SSO for applications and make a real difference to end users.

Imagine being able to walk into a room, tap your badge on the USB badge reader, and be automatically logged into your desktop and applications all at the same time. Compare that with traditional desktops, where end users need to re-enter their passwords for each application on the desktop.

Not only does SSO simplify user logins; it can also integrate with authentication technologies to enhance security. Ease of use and security are particularly important in health care and government, so SSO has helped VDI adoption in those markets.

To make SSO solutions from companies such as Imprivata and Sentillion Inc. function securely in VDI environments, you'll need to do some work upfront.

Integrating SSO, authentication

The majority of the architecture and setup work involved in integrating SSO technologies is for performing screen captures. For example, Imprivata needs to capture the login screen and apply it to each application on that desktop. The administrator then has to tell the software where to enter the username and password so that the SSO system will work normally.

SSO offerings can also add "three-factor authentication" to the VDI environment when used with other software.

Many people are familiar with two-factor authentication such as RSA's SecurID, in which a user has a key fob with a security code on it. When the user logs into his desktop, he needs to enter a security code with a four-digit PIN. In a three-factor environment, an end user needs the RSA product plus a user badge. But an SSO setup can be integrated with RSA so that instead of the badge logging the user in, the badge is used to ensure that the user is who he says he is. The user then needs to enter the security code and PIN.

SSO in View, XenDesktop

Because SSO is important to end users, both VMware and Citrix are providing SSO technologies to increase the desirability of their respective VDI technologies.

Citrix Dazzle, renamed Receiver in XenDesktop 5, provides the ability to store logins in a central SSO database based on Active Directory. This gives users a collection of their logins that can be passed through to their desktop applications. But remember, this is not a true SSO with smart card functionality. For the current Citrix method to work, users have to manage their passwords, which is not the case with SSO vendor software.

VMware hasn't introduced its SSO capability yet, but the company announced plans for it at VMworld 2010. This product, code-named Project Horizon, will supposedly provide a centralized access point for all types of applications, including Software as a Service, virtualized applications, desktop applications and more. With Project Horizon, users will pass their logins from the centralized site to all other applications managed by the site, thereby standardizing logins across the enterprise.

Though there are different approaches to SSO, they can all enhance security and the end users' desktop experience.

Brad Maltz is CTO of International Computerware, a national consulting firm focused on virtualization and storage technologies. He holds certifications from VMware and EMC for many technologies. He can be reached at [email protected] for any questions, comments or suggestions.