The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and exchange authentication and authorization information between different security domains. SAML passes information about users between identity providers and service providers in XML documents called SAML assertions.
The Workspace and View integration implementation uses the SAML 2.0 standard to establish mutual trust, which is essential for single sign-on (SSO) functionality. When SSO is enabled, users who log in to Workspace with Active Directory credentials can launch remote desktops and applications without having to go through a second login procedure.
When Workspace and View are integrated, Workspace Manager generates a unique SAML artifact whenever a user logs in to Workspace Gateway and clicks a desktop or application icon. Workspace Manager uses this SAML artifact to create a Universal Resource Identifier (URI). The URI contains information about the View Connection Server instance where the desktop or application pool resides, which desktop or application to launch, and the SAML artifact.
Workspace Manager sends the SAML artifact to the Horizon client through Workspace Gateway, which in turn sends the artifact to the View Connection Server instance. The View Connection Server instance uses the SAML artifact to retrieve the SAML assertion from Workspace Manager through Workspace Gateway.
After a View Connection Server instance receives a SAML assertion, it validates the assertion, decrypts the user's password, and uses the decrypted password to launch the desktop or application.
Setting up Workspace and View integration involves configuring Workspace with View information and configuring View to delegate responsibility for authentication to Workspace.
To delegate responsibility for authentication to Workspace, you must create a SAML authenticator in View. A SAML authenticator contains the trust and metadata exchange between View and Workspace. You associate a SAML authenticator with a View Connection Server instance.
If you intend to provide access to your desktops and applications through Workspace, verify that you create the desktop and application pools as a user who has the Administrators role on the root access group in View Administrator. If you give the user the Administrators role on an access group other than the root access group, Workspace will not recognize the SAML authenticator you configure in View, and you cannot configure the pool in Workspace.