You manage a Horizon Cloud tenant environment using its administrative console. Access to that console relies on an authentication flow that authenticates a My VMware account that is authorized to access that Horizon Cloud tenant and that also authenticates against an Active Directory domain that is registered to the same tenant.

For the login steps and a screenshot depicting the login screen, see Log In to the Horizon Universal Console to Perform Management Tasks on Your Horizon Cloud Environment.

When you have integrated your Horizon Cloud environment with your Workspace ONE environment, you can log into your Horizon Cloud tenant using either Workspace ONE or the Horizon Cloud login screen.
Note: Users created with Just-in-Time user provisioning are not able to log in using the Horizon Cloud login screen. These users must log in using Workspace ONE.

In all of the following tenant states, the login screen provides two methods for authenticating to the tenant and accessing the console.

  • In the My VMware Credentials section of the login screen, enter your My VMware account's credentials. The account credentials are the primary email address, such as user@example.com, and the password that is set in the account's profile. This choice sends the authentication request to the Horizon Cloud control plane.
  • In the VMware Cloud Services section of the login screen, click VMWARE CLOUD LOGIN. Clicking that button redirects the authentication request to VMware Cloud Services, to authenticate you according to your organization's configuration there. Your organization might have asked you to access their Horizon Cloud tenant using VMware Cloud Services and has the appropriate configuration in VMware Cloud Services to provide that access.

After using one of the above methods, the specific authentication flow that you see will vary depending on the state of the Horizon Cloud tenant at the time you are logging in — whether you are logging in before the tenant has any cloud-connected pods, after it has a single cloud-connected pod but no registered Active Directory domains, when the tenant has one registered Active Directory domain, and so on.

Initial Tenant State — No Cloud-Connected Pods

After you authenticate to the tenant, the console displays the Getting Started wizard with the Capacity section expanded by default. Until you cloud connect a pod, the Getting Started wizard is the only accessible user-interface page. At this point in time, you need to onboard a pod to Horizon Cloud to move the tenant beyond this initial state. For information about onboarding a pod, see Deployments and Onboarding to Horizon Cloud for Microsoft Azure and Horizon Pods and its subtopics.

The following screenshot illustrates the console when the tenant is in this initial state.


Screenshot of the Horizon Cloud administrative console's Getting Started wizard in the initial tenant state.

Tenant with One Cloud-Connected Pod and Zero Registered Active Directory Domains

After you authenticate to the tenant, the console's display might look little different from the initial state. The Getting Started wizard is displayed with the Capacity section expanded by default and is the only accessible user-interface page. However, you can now configure your organization's Active Directory domain with this Horizon Cloud tenant. To move the tenant beyond this state, complete the steps in Performing Your First Active Directory Domain Registration in the Horizon Cloud Environment.

Tenant with a Single Registered Active Directory Domain

In this state, the authentication flow is different depending on which method you choose to use in the login screen.

  • Using the My VMware Credentials section of the login screen — after a successful authentication with the control plane using the provided credentials, the Horizon Cloud Active Directory login window is displayed with the name of the Active Directory domain that is registered with the tenant. In this Active Directory login window, provide the credentials of your Active Directory account. After a successful authentication in this login window, the console is displayed. The following screenshot illustrates this login window when a domain named EXAMPLEDOMAIN is registered with the tenant.
    The Active Directory Login screen in the Horizon Cloud authentication workflow.
  • Clicking the VMware Cloud Services button — the authentication request is sent to VMware Cloud Services. After a successful authentication with VMware Cloud Services, one of two things happens:
    • If the Active Directory domain that is registered with the Horizon Cloud tenant is also configured for enterprise federation with VMware Cloud Services, the authentication flows according to that configuration. The authentication flow omits the Horizon Cloud Active Directory login window. After you authenticate according to what your organization configured in VMware Cloud Services for federated identity management, the console is displayed.
    • If the registered Active Directory domain is not federated in VMware Cloud Services, your browser is redirected to the Horizon Cloud Active Directory login window. In this Active Directory login window, provide credentials of your Active Directory account. After a successful authentication in this login screen, the console is displayed.
    Note: As of May 2020, this federated identity management feature is in Limited Availability and is currently qualified for use only when the Horizon Cloud tenant's cloud-connected pods are all pods in Microsoft Azure.

Tenant with More than One Registered Active Directory Domain

In this state, the authentication flow has these differences compared with the above single registered Active Directory domain state.

  • In the authentication flow where the Horizon Cloud Active Directory login window is displayed, you use the drop-down list to select the domain for which your provided credentials are valid. The following screenshot illustrates an example where the Horizon Cloud tenant has two registered Active Directory domains, DOMAIN-A and DOMAIN-B.

  • If you use the VMware Cloud Services authentication flow and your account belongs to an Active Directory domain that is both registered with the tenant and set up for enterprise federation with VMware Cloud Services, the authentication flow omits the Horizon Cloud Active Directory login window as described in the previous section. However, if your account belongs to an Active Directory domain that is registered with the tenant but your organization has not configured that domain for enterprise federation with VMware Cloud Services, your browser is redirected to the Horizon Cloud Active Directory login window. In this case, you select your domain in the drop-down list and provide your Active Directory credentials to log in.
    Note: As of May 2020, this federated identity management feature is in Limited Availability and is currently qualified for use only when the Horizon Cloud tenant's cloud-connected pods are all pods in Microsoft Azure.
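
The tenant states and login methods described above can be modeled as one decision function and used to review login sessions for a missing Active Directory step. This is an added example, not VMware code: the `Tenant` class, the step names, and the session records are constructed for illustration and do not correspond to any Horizon Cloud API or log format.

```python
from dataclasses import dataclass, field

@dataclass
class Tenant:
    """Constructed model of a tenant's state; not a Horizon Cloud API object."""
    pods: int = 0
    registered: set = field(default_factory=set)  # AD domains registered with the tenant
    federated: set = field(default_factory=set)   # subset federated with VMware Cloud Services

def expected_flow(tenant, method, domain=None):
    """Ordered steps the page describes for one login.

    method is "my_vmware" (My VMware Credentials section) or
    "cloud_services" (VMWARE CLOUD LOGIN button).
    """
    if method not in ("my_vmware", "cloud_services"):
        raise ValueError(f"unknown login method: {method}")
    steps = [method]
    # No pod, or a pod but no registered domain: only the wizard is reachable.
    if tenant.pods == 0 or not tenant.registered:
        return steps + ["getting_started_wizard"]
    if domain not in tenant.registered:
        raise ValueError(f"domain not registered with tenant: {domain}")
    # Only the Cloud Services path with a federated domain omits the AD window.
    if not (method == "cloud_services" and domain in tenant.federated):
        if len(tenant.registered) > 1:
            steps.append("select_domain")  # drop-down shown with several domains
        steps.append("ad_login")
    return steps + ["console"]

def audit(tenant, sessions):
    """Return users whose observed steps differ from the documented flow."""
    return [s["user"] for s in sessions
            if s["steps"] != expected_flow(tenant, s["method"], s["domain"])]

# Constructed sample: two registered domains, only DOMAIN-A federated.
TENANT = Tenant(pods=1, registered={"DOMAIN-A", "DOMAIN-B"}, federated={"DOMAIN-A"})
SESSIONS = [
    {"user": "alice", "method": "cloud_services", "domain": "DOMAIN-A",
     "steps": ["cloud_services", "console"]},
    {"user": "bob", "method": "cloud_services", "domain": "DOMAIN-B",
     "steps": ["cloud_services", "console"]},  # AD window missing for unfederated domain
    {"user": "carol", "method": "my_vmware", "domain": "DOMAIN-B",
     "steps": ["my_vmware", "select_domain", "ad_login", "console"]},
]

if __name__ == "__main__":
    print(audit(TENANT, SESSIONS))
```

The model does not encode the Limited Availability condition in the note above, which restricts federation to tenants whose cloud-connected pods are all in Microsoft Azure.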