Workspace ONE, or VMware Identity Manager (vIDM) administrators can configure access policies to restrict access to entitled desktops and applications in Horizon 7. To enforce policies created in vIDM you put Horizon client into Workspace ONE mode so that Horizon client can push the user into Workspace ONE client to launch entitlements. When you log in to Horizon Client, the access policy directs you to log in through Workspace ONE to access your published desktops and applications.


  • Configure the access policies for applications in Workspace ONE. For more information about setting access policies, see the VMware Identity Manager Administration Guide.
  • Entitle users to published desktops and applications in Horizon Administrator.


  1. In Horizon Administrator, select Configuration > Servers.
  2. On the Connection Servers tab, select a server instance that is associated with a SAML authenticator and click Edit.
  3. On the Authentication tab, set the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) option to Required.
    The Required option enables SAML authentication. The end user can only connect to the Horizon server with a SAML token provided by vIDM or a third-party identity provider. You cannot start desktops or applications from Horizon Client manually.
  4. Select Enable Workspace ONE mode.
  5. In the Workspace ONE server hostname text box, enter the Workspace ONE Hostname FQDN value.
  6. (Optional) Select Block connections from clients that don't support Workspace ONE mode to restrict Horizon Clients that support Workspace ONE mode from accessing applications.
    Horizon Clients earlier than 4.5 do not support the Workspace ONE mode feature. If you select this option, Horizon Clients earlier than 4.5 cannot access applications in Workspace ONE. The Workspace ONE mode feature is not enabled for versions later than Horizon 7 version 7.2 if the Workspace ONE version is earlier than version 2.9.1.