On the Identity Management page, you can add, edit, and configure those identity management providers you want to use with your Horizon Cloud environment.

The Identity Management page displays the currently configured providers, including the following information for each.

  • Status - Current status of the listed configuration. Hover on the icon to see the current status.
  • Workspace ONE Access URL - The metadata URL of the identity management provider.
  • Workspace ONE Redirection - Indicates whether automatic redirection to Workspace ONE Access is configured for the listed configuration. You can only enable redirection for one identity provider per tenant. This feature is primarily used with the feature to force end-user access to their desktops and applications through Workspace ONE Access. See Configure the Option to Force End-User Access to Use Workspace ONE Access.
  • Timeout SSO Token - Timeout value in minutes.
  • Data Center - Name of your data center.
  • Tenant Address - Address of the tenant appliance.

Create an Identity Management Provider Configuration

To configure a new entry on this page:

  1. Click New.
  2. Enter information as described below.
    Field Description
    VMware Workspace ONE Access Metadata URL The SAML identity provider (IdP) metadata URL from your Workspace ONE Access environment. You usually can obtain the environment's SAML IdP metadata URL using the Workspace ONE Access administration console and navigating to Catalog > Settings > SAML Metadata. When you click the Identity Provider (IdP) metadata link on that page, your browser's address bar displays the URL, typically in the form https://WS1FQDN/SAAS/API/1.0/GET/metadata/idp.xml, where WS1FQDN is the fully qualified domain name (FQDN) of your Workspace ONE Access environment. For more details, see the Workspace ONE Access product documentation.
    Timeout SSO Token Timeout value in minutes.
    Data Center Name of your data center. Select from the drop-down list.
    Client Access FQDN FQDN of the tenant appliance, such as https://HorizonDaaSTenantApplianceFQDN/admin/SAML/metadata, where HorizonDaaSTenantApplianceFQDN is the FQDN of your data center's tenant floating host appliance. This value must correspond to the settings that you configured in the corresponding federation artifact in the Workspace ONE Access environment.
    Workspace ONE Redirection When you also have the configuration to force end-user access to go through Workspace ONE Access, you can set this toggle to YES to have the end users' clients automatically redirect to their Workspace ONE Access environment. Read about the options to force end-user access to go through Workspace ONE Access in Configure the Option to Force End-User Access to Use Workspace ONE Access.

    With the automatic redirection configured to YES, in the end-user clients, when the client attempts to connect to Horizon Cloud and is forcing access through Workspace ONE Access, the client is automatically redirected to the Workspace ONE Access environment that is specified in this identity management provider configuration. When the toggle is set to NO, automatic redirection is not enabled, and the clients display an informational message to the user instead.

    Note: You can have this redirection enabled for only one of the identity management URLs per tenant address. If you try to enable this feature for multiple Workspace ONE Access URLs and the same tenant, an error message is displayed.
  3. Click Save.

Edit Settings for a Configuration

To edit the information for a configuration on this page:

  1. Select the listed configuration.
  2. Click Edit.
  3. Edit the following information.
    Field Description
    Timeout SSO Token Timeout value in minutes.
    Client Access FQDN

    Enter here the FQDN of the tenant appliance, such as https://HorizonDaaSTenantApplianceFQDN/admin/SAML/metadata, where HorizonDaaSTenantApplianceFQDN is the FQDN of your data center's tenant floating host appliance. This value must correspond to the settings that you configured in the corresponding federation artifact in the Workspace ONE Access environment.

    Workspace ONE Redirection When editing the configuration, you can change the current setting of this toggle.

    When you also have the configuration to force end-user access to go through Workspace ONE Access, you can set this toggle to YES to have the end users' clients automatically redirect to their Workspace ONE Access environment. Read about the options to force end-user access to go through Workspace ONE Access in Configure the Option to Force End-User Access to Use Workspace ONE Access. With the automatic redirection configured to YES, in the end-user clients, when the client attempts to connect to Horizon Cloud and is forcing access through Workspace ONE Access, the client is automatically redirected to the Workspace ONE Access environment that is specified in this identity management provider configuration. When the toggle is set to NO, automatic redirection is not enabled, and the clients display an informational message to the user instead.

    Note: You can have Workspace ONE redirection enabled for only one of the identity management URLs per tenant address. If you try to enable this feature for multiple URLs and the same tenant, an error message is displayed.
  4. Click Save.

Configure the Option to Force End-User Access to Use Workspace ONE Access

For each listed provider, you can use the following steps to configure whether end users can access their assigned desktops and remote applications directly from Horizon Cloud or must access only using Workspace ONE Access.

Note: When you change these settings, it can take up to 5 minutes for the update to take effect.
  1. Click Configure.
  2. Edit settings as described below.
    Field Description
    Force Remote Users to Workspace ONE Access Select YES to block remote user access except through the identity management provider. Option only displays if that provider status is green.
    Force Internal Users to Workspace ONE Access Select YES to block internal user access except through the identity management provider. Option only displays if that provider status is green.
  3. Click Save.

When you force end-user access through Workspace ONE Access, you typically also edit the corresponding identity provider configuration to specify that the end-user clients automatically redirect to Workspace ONE Access. See Edit Settings for a Configuration.

The feature to force end-user access to Workspace ONE Access works with the Workspace ONE Access redirection feature in the following ways.

Force end-user access through Workspace ONE Access setting Workspace ONE Access redirection setting What happens when the end user's client connects to Horizon Cloud to access their desktops and applications
Enabled (yes) Enabled (yes) Client is automatically redirected to Workspace ONE Access.
Enabled (yes) Disabled (no) Client displays a message that tells the user that they must access Horizon Cloud using Workspace ONE Access. Automatic redirection does not occur.
Disabled (no) Enabled (yes) Client displays the Horizon Cloud login screen for the end user to log in. Automatic redirection does not occur because forced access to Workspace ONE Access is not enabled.
Disabled (no) Disabled (no) Client displays the Horizon Cloud login screen for the end user to log in. In this scenario, both forced access and the automatic redirection features are disabled.

Remove a Configuration

To remove one of the configurations:

  1. Select the configuration in the list.
  2. Click Remove.
  3. Click Delete to confirm.