To launch remote desktops and applications from VMware Identity Manager or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in Horizon Administrator. A SAML authenticator contains the trust and metadata exchange between Horizon 7 and the device to which clients connect.

You associate a SAML authenticator with a Connection Server instance. If your deployment includes more than one Connection Server instance, you must associate the SAML authenticator with each instance.

You can allow one static authenticator and multiple dynamic authenticators to go live at a time. You can configure vIDM (Dynamic) and Unified Access Gateway (Static) authenticators and retain them in active state. You can make connections through either of these authenticators.

You can configure more than one SAML authenticator to a Connection Server and all the authenticators can be active simultaneously. However, the entity-ID of each of these SAML authenticators configured on the Connection Server must be different.

The status of the SAML authenticator in dashboard is always green as it is predefined metadata that is static in nature. The red and green toggling is only applicable for dynamic authenticators.

For information about configuring a SAML authenticator for VMware Unified Access Gateway appliances, see Deploying and Configuring Unified Access Gateway.


  • Verify that Workspace ONE, VMware Identity Manager, or a third-party gateway or load balancer is installed and configured. See the installation documentation for that product.

  • Verify that the root certificate for the signing CA for the SAML server certificate is installed on the connection server host. VMware does not recommend that you configure SAML authenticators to use self-signed certificates. For information about certificate authentication, see the Horizon 7 Installation document.
  • Make a note of the FQDN or IP address of the Workspace ONE server, VMware Identity Manager server, or external-facing load balancer.
  • If you are using Workspace ONE or VMware Identity Manager, make a note of the URL of the connector Web interface.
  • If you are creating an authenticator for Unified Access Gateway or a third-party appliance that requires you to generate SAML metadata and create a static authenticator, perform the procedure on the device to generate the SAML metadata, and then copy the metadata.


  1. In Horizon Administrator, select Configuration > Servers.
  2. On the Connection Servers tab, select a server instance to associate with the SAML authenticator and click Edit.
  3. On the Authentication tab, select a setting from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu to enable or disable the SAML authenticator.
    Option Description
    Disabled SAML authentication is disabled. You can launch remote desktops and applications only from Horizon Client.
    Allowed SAML authentication is enabled. You can launch remote desktops and applications from both Horizon Client and VMware Identity Manager or the third-party device.
    Required SAML authentication is enabled. You can launch remote desktops and applications only from VMware Identity Manager or the third-party device. You cannot launch desktops or applications from Horizon Client manually.
    You can configure each Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.
  4. Click Manage SAML Authenticators and click Add.
  5. Configure the SAML authenticator in the Add SAML 2.0 Authenticator dialog box.
    Option Description
    Type For Unified Access Gateway or a third-party device, select Static. For VMware Identity Manager select Dynamic. For dynamic authenticators, you can specify a metadata URL and an administration URL. For static authenticators, you must first generate the metadata on the Unified Access Gateway or a third-party device, copy the metadata, and then paste it into the SAML metadata text box.
    Label Unique name that identifies the SAML authenticator.
    Description Brief description of the SAML authenticator. This value is optional.
    Metadata URL (For dynamic authenticators) URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the Connection Server instance. In the URL https://<YOUR HORIZON SERVER NAME>/SAAS/API/1.0/GET/metadata/idp.xml, click <YOUR HORIZON SERVER NAME> and replace it with the FQDN or IP address of the VMware Identity Manager server or external-facing load balancer (third-party device).
    Administration URL (For dynamic authenticators) URL for accessing the administration console of the SAML identity provider. For VMware Identity Manager, this URL should point to the VMware Identity Manager Connector Web interface. This value is optional.
    SAML metadata (For static authenticators) Metadata text that you generated and copied from the Unified Access Gateway or a third-party device.
    Enabled for Connection Server Select this check box to enable the authenticator. You can enable multiple authenticators. Only enabled authenticators are displayed in the list.
  6. Click OK to save the SAML authenticator configuration.
    If you provided valid information, you must either accept the self-signed certificate (not recommended) or use a trusted certificate for Horizon 7 and VMware Identity Manager or the third-party device.

    The Manage SAML Authenticators dialog box displays the newly created authenticator.

  7. In the System Health section on the Horizon Administrator dashboard, select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
    If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if VMware Identity Manager is unavailable, or if the metadata URL is invalid. If the certificate is untrusted, you might be able to click Verify to validate and accept the certificate.

What to do next

Extend the expiration period of the Connection Server metadata so that remote sessions are not terminated after only 24 hours. See Change the Expiration Period for Service Provider Metadata on Connection Server.