Integration between Horizon 7 and VMware Identity Manager (formerly called Workspace ONE) uses the SAML 2.0 standard to establish mutual trust, which is essential for single sign-on (SSO) functionality. When SSO is enabled, users who log in to VMware Identity Manager or Workspace ONE with Active Directory credentials can launch remote desktops and applications without having to go through a second login procedure.

When VMware Identity Manager and Horizon 7 are integrated, VMware Identity Manager generates a unique SAML artifact whenever a user logs in to VMware Identity Manager and clicks a desktop or application icon. VMware Identity Manager uses this SAML artifact to create a Universal Resource Identifier (URI). The URI contains information about the Connection Server instance where the desktop or application pool resides, which desktop or application to launch, and the SAML artifact.

VMware Identity Manager sends the SAML artifact to the Horizon client, which in turn sends the artifact to the Connection Server instance. The Connection Server instance uses the SAML artifact to retrieve the SAML assertion from VMware Identity Manager.

After a Connection Server instance receives a SAML assertion, it validates the assertion, decrypts the user's password, and uses the decrypted password to launch the desktop or application.

Setting up VMware Identity Manager and Horizon 7 integration involves configuring VMware Identity Manager with Horizon 7 information and configuring Horizon 7 to delegate responsibility for authentication to VMware Identity Manager.

To delegate responsibility for authentication to VMware Identity Manager, you must create a SAML authenticator in Horizon 7. A SAML authenticator contains the trust and metadata exchange between Horizon 7 and VMware Identity Manager. You associate a SAML authenticator with a Connection Server instance.

Note: If you intend to provide access to your desktops and applications through VMware Identity Manager, verify that you create the desktop and application pools as a user who has the Administrators role on the root access group in Horizon Console. If you give the user the Administrators role on an access group other than the root access group, VMware Identity Manager will not recognize the SAML authenticator you configure in Horizon 7, and you cannot configure the pool in VMware Identity Manager.