This topic explains how to integrate VMware Workspace ONE Access and Intelligent Hub services with your Horizon Cloud environment when you have enabled Universal Broker. The integration process adds your Horizon Cloud assignments to the Workspace ONE Intelligent Hub catalog, where entitled users can access them conveniently and securely.

The Horizon Universal Console provides for integrating an existing Workspace ONE Access cloud tenant with your Horizon Cloud tenant.

The console supports this integration when the following requirements are met in your Horizon Cloud tenant.

  • The Horizon Cloud tenant has Universal Broker configured. You view the tenant's current configuration in the Horizon Universal Console Broker page.
  • All participating pods are running the corresponding minimum software versions:
    • For Horizon Cloud pods in Microsoft Azure, integration is supported for manifest 2474.0 and later.
    • For Horizon pods, integration is supported for Connection Server 7.13 and Connection Server 2012 (8.1.0) and later.
Note: For other considerations and limitations related to this feature, see Horizon Cloud — Known Limitations.
Terminology - entitlements and assignments
  • In Workspace ONE, the term entitlement is used to describe the synchronization from the Universal Broker service to the Workspace ONE Intelligent Hub services.
  • In Horizon Cloud, an assignment represents the combination of both the resource and an entitlement. In the Horizon Universal Console, adding a user to an assignment entitles that user to the assignment's pod-provisioned resource.

Procedure

  1. In the Horizon Universal Console, start the integration wizard by navigating to the Broker page's Identity & Access tab.

    A screenshot of the display of the Broker page's Identity & Access tab with a green arrow pointing to that tab.

  2. In the wizard's step 1, use the displayed Select menu to specify the Workspace ONE Access cloud tenant to integrate with your Horizon Cloud tenant.

    A screenshot of the wizard's step 1 Provide Workspace ONE Access Cloud Tenant and a green arrow pointing to the step's Select menu.
    • If the URL of the tenant appears as an option in the drop-down menu (such as a tenant that was previously integrated with your Horizon Cloud tenant in a Single-Pod Broker environment), select that option. Then skip to step 4 of this documentation page's procedure.
    • If the URL of the tenant does not appear as an option in the drop-down menu, select Add existing cloud tenant to integrate your Workspace ONE Access tenant. Then continue with the following step.
    Note: You can integrate only one Workspace ONE Access tenant with your Horizon Cloud tenant.
  3. For Add existing cloud tenant, provide the required details for adding your Workspace ONE Access tenant to this Horizon Cloud tenant.
    1. Create a Remote App Access client on your Workspace ONE Access tenant.
      You need the client ID and shared secret of this client to complete the integration wizard. For more information, see Create a Remote App Access Client.
    2. After you select Add existing cloud tenant in the Horizon Universal Console integration wizard's step 1, follow the on-screen prompts for the information required from that configured client.
      The following screenshot illustrates the wizard's step 1 after you select Add existing cloud tenant.
      A screenshot illustrating the console's fields when Add existing cloud tenant is selected in the menu.

      Setting Description
      Workspace ONE Access Tenant URL

      Enter the full URL of the Workspace ONE Access tenant. For example:

      https://AccessTenant.myCompany.com
      OAuth Client ID Enter the client ID of the configured Remote App Access client, as described in Create a Remote App Access Client.
      Shared Secret Enter the generated shared secret of the configured Remote App Access client, as described in Create a Remote App Access Client.
      Terms of Service Review the terms of service using the link provided, and select the check box to indicate agreement with the terms.

      The following screenshot illustrates the fields with sample data. The console is dynamic and the display you see might be different depending on your specific situation.


      A screenshot illustrating sample information typed into the wizard's step 1 for adding an existing Workspace ONE Access cloud tenant.

    3. When you have provided all the required information, click Next.
      The system validates the provided data with the specified Workspace ONE Access tenant. After the tenant is successfully validated, the console displays the tenant details.

      After a successful validation, the wizard's step 2 becomes available for continuing with the integration steps.

  4. To support the integration, complete the following prerequisites.
    1. Verify that all participating pods are updated to the latest supported version. See the list of requirements at the beginning of this topic.
    2. Ensure you have an installed version of Workspace ONE Access Connector that is compatible for the integration of Universal Broker with Workspace ONE Access and Intelligent Hub Services.
      In general, VMware recommends installing the latest available version that is also compatible with use of Universal Broker and your tenant's pods, because the latest version will have the most up-to-date fixes and improvements. As usual, please refer to the Workspace ONE Access Connector documentation page and its Release Notes for information about the various versions of Workspace ONE Access Connector. The earliest version where compatibility started with Universal Broker was v19.03.0.1.

      As part of that connector installation, the connector is paired with your Workspace ONE Access cloud tenant. See the Workspace ONE Access Connector documentation for how to install that connector.

      Attention: Please note that in the combination of Workspace ONE Access and Universal Broker and Horizon Cloud on Microsoft Azure deployments, the Virtual Apps Collections feature is unsupported.

      The integration of Universal Broker with Workspace ONE Access supersedes and replaces the use of the legacy Virtual Apps Collections for Horizon Cloud on Microsoft Azure deployments.

      Therefore, if you are following this page because you previously had existing single-pod-broker Horizon Cloud on Microsoft Azure deployments integrated with Workspace ONE Access and then you transitioned to Universal Broker, you would have had a Workspace ONE Access Connector paired with your Workspace ONE Access tenant from before the transition to Universal Broker. When that Workspace ONE Access Connector is at least v19.03.0.1, that version is compatible with Universal Broker and Workspace ONE Access integration. A v19.03.0.1 connector can remain in place until you go through this page's steps, and until you reach the Step 7.d. If that connector is an earlier version than v19.03.0.1, then please upgrade that earlier version to at least v19.03.0.1 so that the integration of Universal Broker and Workspace ONE Access will work with it.

      Then in Step 7.d in this page, you will then be required to clean up any existing Virtual Apps Collections those deployments might have, according to the console's on-screen clean-up guidance. Completing the clean-up activities will make the same apps continue to work in Workspace ONE Access and Intelligent Hub Services by using the modern features of the integrated Universal Broker and Workspace ONE Access and Intelligent Hub Services.

      Then post-clean-up, it is strongly recommended that you upgrade the existing Workspace ONE Access Connector to the latest version that is compatible with Universal Broker to get the most up-to-date fixes and improvements.

    3. Set up directory integration between that installed Workspace ONE Access Connector and your Active Directory.
      When you set up the directory in Workspace ONE Access, make sure you meet the following requirements:
      • Set sAMAccountName as the directory search attribute for the Workspace ONE Access directory.
      • Ensure that all Active Directory domains, users, and groups that are synced to your Horizon Cloud tenant are also synced to the Workspace ONE Access tenant. Otherwise, users will not see all their entitlements in the Hub catalog.
      Note: Only users that are synced from Active Directory can access Horizon Cloud applications and desktops from the Hub catalog. Other types of users, such as Just-in-Time users and local users, are not supported.
    4. Configure very specific, case-sensitive user attributes as described in Configure User Access.
    5. Configure the required settings for Workspace ONE Intelligent Hub, as described in Configure Intelligent Hub for Horizon Cloud Integration.
    6. Configure the mandatory user attributes for your Workspace ONE Access tenant, as described in Configure User Attributes for Horizon Cloud Integration.
      Workspace ONE Access requires the configuration of these attributes to maintain consistency with Horizon Cloud users and to sync assignment entitlements.
  5. When you have completed all of the prerequisites, return to the integration wizard in theHorizon Universal Console and confirm that you have completed the prerequisites.
    In the console, navigate to the Broker page's Identity & Access tab, expand step 2, select the check boxes for all the listed prerequisites, and click Next.
    Prerequisites list in the Access page.
  6. In the integration wizard's step 3, activate the Workspace ONE Intelligent Hub service and complete the integration workflow.
    1. To start the activation process, click Activate. The console displays status messages when the activation is initiated, in progress, and completed successfully. It can take up to 15 minutes to complete the activation.
    2. After you complete the activation, verify that entitled users can see their Horizon Cloud assignments in the Hub catalog and successfully connect to these assigned resources from the catalog.
    3. Return to the integration wizard in theHorizon Universal ConsoleBroker page's Identity and Access tab, and select the check box that indicates your end users have access to their assignments from the catalog.
    4. Now follow the console's on-screen guidance that you see displayed.
      The console display is dynamic, and will reflect your specific situation.

      Therefore, you must carefully read the specific on-screen guidance that is displayed to you, identify what it is telling you to do, and then follow it according to your specific situation:

      When you are integrating a Workspace ONE Access tenant that was not previously integrated with your Horizon Cloud on Microsoft Azure deployments using Single-Pod Broker
      Follow the console's on-screen guidance to confirm the integration.
      When you are integrating a Workspace ONE Access tenant that was previously integrated with your Horizon Cloud on Microsoft Azure deployment using Single-Pod Broker which was subsequently transitioned to Universal Broker
      The console will present guidance to you related to the legacy integration. Follow the console's on-screen guidance about cleaning up the legacy integration.

      As you follow the on-screen guidance and steps, the legacy integration will be transformed to a Universal Broker integrated environment. Allow the clean-up tasks to proceed automatically in the background.

      To set your expectations, these clean-up tasks apply to the following items.

      • Identity Provider configuration entries that were set up from the Identity Management page in Horizon Universal Console.
      • Virtual Apps collections and Resource Sync profiles.
        Remember: The Virtual Apps Collections feature is unsupported in the combination of Workspace ONE Access and Universal Broker and Horizon Cloud on Microsoft Azure deployments. In this integration process of Workspace ONE Access with Universal Broker, cleaning up all existing Virtual Apps collections from those Horizon Cloud on Microsoft Azure deployments is a requirement.

        The system's automatic clean-up using the console's Clean Up button applies only to Virtual Apps collections in which all the tenant host entries for Horizon Cloud on Microsoft Azure deployments belong to this Horizon Cloud tenant undergoing the integration. If a Virtual Apps collection contains tenant host entries belonging to a different Horizon Cloud tenant or to a non-Horizon Cloud host, you must manually clean up either the tenant host entries or the Virtual Apps collection as appropriate. Then afterward you complete that manual clean-up, you must select the check box confirming that you have completed the manual clean-up tasks.

    When the system identifies that the integration is successfully complete, the console displays a banner message indicating that the integration workflow is now complete.

What to do next

If you want, configure redirection policies as described in Configure Intelligent Hub Redirection for User Connections.