To integrate Horizon Cloud tenants with the VMware Identity Manager service, create a virtual apps collection in the VMware Identity Manager administration console. The collection contains the Horizon Cloud tenant information and the sync settings. You then sync resources and entitlements from the Horizon Cloud tenant to the VMware Identity Manager service.

About this task

If you have multiple Horizon Cloud tenants, you can create separate virtual apps collections for each tenant or configure all the tenants in a single collection, based on your needs. Each collection is synced separately.

Prerequisites

  • Verify that you meet the prerequisites described in Prerequisites for Integration.

  • Verify that the Horizon Cloud tenant name is a fully-qualified domain name (FQDN). For example, tenantA.example.com.

  • Verify that the tenant appliance has a valid SSL certificate from a Certificate Authority. Self-signed certificates are not supported. The certificate must match the FQDN of the tenant appliance.

Procedure

  1. Log in to the VMware Identity Manager administration console.
  2. Select the Catalog > Virtual Apps Collection tab.
  3. Click Add Virtual Apps and select Horizon Cloud.
  4. Enter a unique name for the collection.
  5. From the Sync Connectors drop-down menu, select the connector that you want to use to sync the resources in this collection.

    If you have set up multiple connectors for high availability, click Add Connector and select the connectors. The order in which the connectors are listed determines the failover order.

  6. In the Tenants section, enter the Horizon Cloud tenant information.
    Important: Do not use non-ASCII characters when you enter your domain information.

    • Tenant Host: Fully-qualified domain name of your tenant host. For example: tenant1.example.com

    • Tenant Port: Port number of your tenant host. For example: 443

    • Admin User: User name for your tenant administrator account. For example: tenantadmin

    • Admin Password: Password for your tenant administrator account.

    • Admin Domain: Active Directory NETBIOS domain name in which the tenant administrator resides.

    • Domains to Sync: Active Directory NETBIOS domain names for syncing Horizon Cloud resources and entitlements.

      Note: This field is case-sensitive. Ensure that you use the proper case when you enter the names.

    • Assertion Consumer Service URL: The URL to which to post the SAML assertion. This URL is typically the Horizon Cloud tenant's floating IP or Access Point URL. For example, https://mytenant.example.com.

    • True SSO enabled on Horizon Cloud: Select this option if True SSO is enabled for the Horizon Cloud tenant.

      When True SSO is enabled in the Horizon Cloud tenant, users do not require a password to log in to their Windows desktops.

      However, if users are logged in to VMware Identity Manager using a non-password authentication method such as SecurID, they are prompted for a password when they launch their Windows desktops. You can select this option to prevent a password dialog box from being shown to users in that scenario.

    • Custom Id Mapping: You can customize the user ID that is used in the SAML response when users launch Horizon Cloud applications and desktops. By default, User Principal Name is used. You can choose to use other name ID formats such as sAMAccountName or email address and customize the value.

        • Name ID Format: Select the name ID format, such as Email address or User Principal Name. The default value is Unspecified (username).

        • Name ID Value: Click Select from suggestions and pick from a predefined list of values or click Custom value and enter the value. The default value is ${user.userPrincipalName}.

      The ability to select the name ID format is useful in scenarios such as the following:

        • When users from multiple sub-domains are synced, User Principal Name may not work. You can use a different name ID format such as sAMAccountName or email address to uniquely identify users.

      Important: Ensure that the name ID format setting is the same in both Horizon Cloud and VMware Identity Manager.

    For example: [Screenshot: add Horizon Cloud profile]

  7. To add another Horizon Cloud tenant to the collection, click Add Tenant and enter the configuration information for the tenant.
  8. From the Default Launch Client drop-down list, select the default client in which to launch Horizon Cloud applications or desktops.

    • NONE: No default preference is set at the administrator level. If this option is set to None and an end user preference is not set either, the Horizon Cloud Default Protocol setting is used to determine how to launch the desktop or application.

    • BROWSER: Horizon Cloud desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting.

    • NATIVE: Horizon Cloud desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting.

    This setting applies to all users for all Horizon Cloud resources in this collection.

    The following order of precedence, listed from highest to lowest, applies to the default launch client settings:

    1. End user preference setting, set in the Workspace ONE portal. This option is not available in the Workspace ONE app.

    2. Administrator Default Launch Client setting for the collection, set in the VMware Identity Manager console.

    3. Horizon Cloud Default Protocol settings

  9. From the Sync Frequency drop-down menu, select how often you want to sync the resources in this collection.

    You can set up a regular sync schedule or choose to sync manually. If you select Manual, you must click Sync on the Catalog > Virtual Apps Collection page after you set up the collection and whenever there is a change in your Horizon Cloud resources or entitlements.

  10. From the Activation Policy drop-down list, select how Horizon Cloud resources are made available to users in Workspace ONE.

    With both the User Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.

    The activation policy that you select on this page applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the application or desktop's Entitlements page.

    Setting the activation policy for the collection to User Activated is recommended if you intend to set up an approval flow.

  11. Click Save.

    The collection is created and appears in the Virtual Apps Collections page.

  12. To sync the resources and entitlements in the collection, click Sync in the Virtual Apps Collections page.

    Each time resources or entitlements change in Horizon Cloud, a sync is required to propagate the changes to VMware Identity Manager.
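
A pre-sync check for the Domains to Sync and Custom Id Mapping settings in step 6, as an added example that is not VMware code: given an export of the directory users, it flags Domains to Sync entries that differ from the directory only by case and reports which candidate Name ID attributes are missing or shared between users. The user records, the dict layout and all function names are constructed for illustration, and Name ID values are compared case-insensitively as a conservative assumption.

```python
from collections import defaultdict

# Constructed sample export of directory users (not real data).
USERS = [
    {"domain": "CORP", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example.com", "mail": "john.doe@example.com"},
    {"domain": "EMEA", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@emea.example.com", "mail": "jane.doe@example.com"},
    {"domain": "EMEA", "sAMAccountName": "asmith",
     "userPrincipalName": "", "mail": "a.smith@example.com"},
]

def miscased_domains(domains_to_sync, users):
    """Map each Domains to Sync entry that matches a directory domain only
    when case is ignored to the directory's own spelling."""
    known = {u["domain"] for u in users}
    folded = {d.casefold(): d for d in known}
    return {d: folded[d.casefold()] for d in domains_to_sync
            if d not in known and d.casefold() in folded}

def name_id_report(attribute, domains_to_sync, users):
    """List users with no value, and values shared by several users, for one
    candidate Name ID attribute."""
    owners, missing = defaultdict(list), []
    for u in users:
        if u["domain"] not in domains_to_sync:  # exact case, like the field
            continue
        who = f'{u["domain"]}\\{u["sAMAccountName"]}'
        # Assumption: treat values that differ only by case as the same ID.
        value = (u.get(attribute) or "").strip().casefold()
        if value:
            owners[value].append(who)
        else:
            missing.append(who)
    duplicates = {v: w for v, w in owners.items() if len(w) > 1}
    return {"missing": missing, "duplicates": duplicates}

def usable_name_ids(candidates, domains_to_sync, users):
    """Candidates that are present and unique for every synced user."""
    clean = {"missing": [], "duplicates": {}}
    return [a for a in candidates
            if name_id_report(a, domains_to_sync, users) == clean]

if __name__ == "__main__":
    domains = ["CORP", "EMEA"]
    print(miscased_domains(["corp", "EMEA"], USERS))
    for attr in ("userPrincipalName", "sAMAccountName", "mail"):
        print(attr, name_id_report(attr, domains, USERS))
    print(usable_name_ids(["userPrincipalName", "sAMAccountName", "mail"], domains, USERS))
```

In the sample, sAMAccountName collides across CORP and EMEA because Active Directory enforces its uniqueness only within a single domain, so check it against every synced domain before choosing it as the Name ID.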

What to do next

Configure SAML authentication in the Horizon Cloud tenant to enable trust between the VMware Identity Manager service and the Horizon Cloud tenant.