You manage a Horizon Cloud tenant environment using its administrative console. Ability to access that console relies on an authentication flow that provides for authentication of a VMware Customer Connect account that has authorization to access that Horizon Cloud tenant and for authentication using an Active Directory domain that is registered to the same tenant.

For the login steps and a screenshot depicting the login screen, see Log In to the Horizon Universal Console to Perform Management Tasks on Your Horizon Cloud Environment

When you have integrated your Horizon Cloud environment with your Workspace ONE environment, you can log into your Horizon Cloud tenant using either Workspace ONE or the Horizon Cloud login flow.
Note: Users created with Just-in-Time user provisioning are not able to log in using the Horizon Cloud login flow. These users must log in using Workspace ONE.

In all of the following tenant states, the login flow redirects the authentication request to VMware Cloud Services.

  • If your organization has a specific configuration in VMware Cloud Services, you are authenticated according to that organizational configuration.
  • Otherwise, you use your VMware Customer Connect account's credentials in the VMware Cloud Services login flow. (The VMware Customer Connect account was previously named the My VMware account.) The account credentials are the primary email address, such as user@example.com, and the password that are set in the account's profile.

After using one of the above methods, the specific authentication flow that you see will vary depending on the state of the Horizon Cloud tenant at the time you are logging in — whether you are logging in before the tenant has any cloud-connected pods, after it has a single cloud-connected pod but no registered Active Directory domains, when the tenant has one registered Active Directory domain, and so on.

Initial Tenant State — No Cloud-Connected Pods

After you authenticate to the tenant, the console displays the Getting Started wizard with the Capacity section expanded by default. Until you cloud connect a pod, the Getting Started wizard is the only accessible user-interface page. At this point in time, you need to onboard a pod to Horizon Cloud to move the tenant beyond this initial state. For information about onboarding a pod, see Deployments and Onboarding to Horizon Cloud for Microsoft Azure and Horizon Pods and its subtopics.

Tip: If you meet the license and role requirements, the View perpetual keys link is available to you. Click the View perpetual keys link to access the Perpetual Keys page where you can view and generate perpetual keys for foundational VMware products. After your first pod is onboarded and domain registration is completed, the link is available on both the Licenses page and the Getting Started page, if you meet the license and role requirements. See Horizon Cloud - Obtaining License Information Using the Horizon Universal Console.

The following screenshot illustrates the console when the tenant is in this initial state.


Screenshot of the Horizon Cloud administrative console's Getting Started wizard in the initial tenant state.

Tenant with One Cloud-Connected Pod and Zero Registered Active Directory Domains

After you authenticate to the tenant, the console's display might look little different than in the initial state. The Getting Started wizard is displayed with the Capacity section expanded by default and is the only accessible user-interface page. However, now you have access to configure your organization's Active Directory domain with this Horizon Cloud tenant. To move the tenant beyond this state, complete the steps in Perform the First Required Active Directory Domain Registration for Your Horizon Cloud Control Plane Tenant.

Tenant with a Single Registered Active Directory Domain

After a successful authentication with VMware Cloud Services, one of two things happens:

  • If the registered Active Directory domain that is registered with the Horizon Cloud tenant is also configured for enterprise federation with VMware Cloud services, the authentication flows according to that configuration. The authentication flow omits the Horizon Cloud Active Directory login window. After you authenticate according to what your organization configured in VMware Cloud Services for federated identity management, the console is displayed.
  • If the registered Active Directory domain is not federated in VMware Cloud Services, your browser is redirected to the Horizon Cloud Active Directory login window. In this Active Directory login window, provide credentials of your Active Directory account. After a successful authentication in this login screen, the console is displayed. The following screenshot illustrates this login window when a domain named EXAMPLEDOMAIN is registered with the tenant.
    The Active Directory Login screen in the Horizon Cloud authentication workflow.

Tenant with More than One Registered Active Directory Domains

In this state, the authentication flow has these differences compared with the above single registered Active Directory domain state.

  • In the authentication flow where the Horizon Cloud Active Directory login window is displayed, you use the drop-down list to select the domain for which your provided credentials are valid. The following screenshot illustrates an example where the Horizon Cloud tenant has two registered Active Directory domains, DOMAIN-A and DOMAIN-B.
    The Active Directory Login screen in the Horizon Cloud authentication workflow with a green arrow pointing to the selection list when the tenant has multiple registered domains.
  • If your account belongs to an Active Directory domain that is both registered with the tenant and also has enterprise federation set up with VMware Cloud services, the authentication flow omits the Horizon Cloud Active Directory login window as described in the previous section. However, if your account belongs to an Active Directory domain that is registered with the tenant but your organization has not configured that domain for enterprise federation with VMware Cloud services, your browser is redirected to the Horizon Cloud Active Directory login window. In this case, you select your domain in the drop-down and provide your Active Directory credentials to log in.
    Note: As of May 2020, this federated identity management feature is in Limited Availability and is currently qualified for use only when the Horizon Cloud tenant's cloud-connected pods are all pods in Microsoft Azure.