You use the steps here when your Horizon Cloud tenant environment is configured to use single-pod brokering and you want to use Workspace ONE Access with it. By integrating your Horizon Cloud on Microsoft Azure deployment with the cloud-hosted Workspace ONE Access environment, you can give your end users the ability to authenticate to their entitled pod-provisioned desktops and applications from a single unified catalog in Workspace ONE Access.
Horizon Cloud supports integration with the cloud-hosted Workspace ONE Access.
Achieving this integration requires deployment of a Workspace ONE Access connector that bridges your Workspace ONE Access environment with the pod. This connector gives you the ability to synchronize the end-user entitlements from the pod to Workspace ONE Access.
Background Information and Terminology
- You configure desktops and remote application assignments for your users and groups in the Horizon Universal Console as usual.
- After you complete the steps to integrate your pod with your Workspace ONE Access environment, you sync the pod's assignment information to Workspace ONE Access.
- Then you can see the desktops and applications in the Workspace ONE Access administration console and your end users can authenticate to their assigned resources from Workspace ONE Access.
- You can set up a regular sync schedule to sync the assignment information from Horizon Cloud to your Workspace ONE Access environment.
- The former name of Workspace ONE Access was VMware Identity Manager™. The former name of the connector was the VMware Identity Manager™ connector. You might continue to see references to the former name in the product, documentation, and KB articles, especially if you are using older connector versions.
- The Workspace ONE Access documentation uses the term entitlements when it describes the connector's synchronization from the pod to Workspace ONE Access.
In Horizon Cloud, an assignment represents the combination of a resource and entitlement.
In the Horizon Universal Console, adding a user to an assignment entitles that user to the assignment's pod-provisioned resource, such when you create a dedicated VDI desktop assignment.
- The Workspace ONE Access console has been updated with a wizard that uses the term Horizon Cloud Collection. You might see both phrases within the Workspace ONE Access documentation and the Horizon Cloud documentation: Virtual Apps Collection and Horizon Cloud Collection.
High-Level View of the Key Components
When your Horizon Cloud tenant environment is configured to use single-pod brokering, you integrate each individual pod in Microsoft Azure with Workspace ONE Access to use the features of Workspace ONE Access with the end-user resources provisioned from each pod.
Integration of a pod in Microsoft Azure with Workspace ONE Access involves the following key concepts.
- The pod deployed in Microsoft Azure
- Your Workspace ONE Access tenant environment
- A valid SSL certificate uploaded onto the pod's manager VMs. This SSL certificate allows the Workspace ONE Access connector to trust connecting to the pod when the Workspace ONE Access connector synchronizes the entitlements and pod-provisioned resources for the Horizon Cloud Virtual Apps Collection defined in Workspace ONE Access.
- A Workspace ONE Access connector is installed and settings put into place to sync to Workspace ONE Access the information about these resources:
- The Active Directory users and groups
- The pod's assignments (the pod-provisioned resources and the entitlements to those resources)
- Configuration settings in the Horizon Universal Console to set up the SAML artifact that allows Workspace ONE Access to perform the SAML communication with the pod.
Overview of the Integration Process
The following list is a high-level summary of the end-to-end steps to enable your end users to authenticate to their pod-provisioned desktops and applications using Workspace ONE Access.
Prior to these steps, you must have the pod already deployed in Microsoft Azure, your Horizon Cloud tenant configured to use single-pod brokering, and have your Workspace ONE Access cloud tenant.
- In your DNS server, map the pod manager's Azure load balancer IP address to a fully qualified domain name (FQDN), such as
mypod1.example.com. You can locate this IP address in the pod's details page. See Overview of Configuring SSL Certificates on the Pod Manager VMs for an illustration of where to locate that IP address within the pod's details page.Note: Prior to the July 2020 quarterly service release, this IP address had the label Tenant appliance IP address on the pod's details page. The current label is Pod Manager Load Balancer IP. Pods of recent manifests include a Microsoft Azure load balancer deployed for the pod manager instance by default, and the current label reflects that pod architecture. Even though pods of manifests lower than 1600 do not have a Microsoft Azure load balancer deployed for their pod manager VM, the IP address you need to use for this pairing task is the IP displayed next to that label in the pod's details page.
- Obtain a trusted SSL certificate based on that FQDN. For details on what is needed, see the following topics:
Note: The certificate file formats required for uploading an SSL certificate to the pod are different than the PEM file format used by the pod gateway configurations.
- Overview of Configuring SSL Certificates on the Pod Manager VMs
- Prerequisites for Configuring SSL Certificates on the Pod Manager VMs
- Upload that SSL certificate to the pod manager VMs, as described in Configure SSL Certificates Directly on the Pod Manager VMs.
Important: If the pod does not have an SSL certificate on it that is configured as described to present to the Workspace ONE Access connector attempting to connect to it, the connector's attempt to connect to the pod to sync the entitlements and resources will fail because the connector will not make an untrusted network connection. The pod's SSL certificate must be trusted by the Workspace ONE Access connector for it to successfully connect with the pod. Until you have uploaded an SSL certificate that meets the criteria onto the pod, you will be unable to successfully integrate Workspace ONE Access with the pod.
- Deploy the Workspace ONE Access connector appliance in a network that can communicate with both the Horizon Cloud pod and your Active Directory environment. The connector's purpose is both to sync resources and entitlements from the pod and sync users and groups from your Active Directory environment.
Read all of the connector-related prerequisites starting with the section below titled What You Need Before You Begin the Integration Steps.Important: You must also ensure that the authoritative time source you configure in that connector matches the NTP server that is configured for the pod. If the time sources do not match, syncing issues can occur. The pod's details page shows the pod's configured NTP server. You can open the pod's details page from the Horizon Universal Console Capacity page.
- Ensure that you meet the Workspace ONE Access prerequisites for integration, as documented in the Workspace ONE Access product documentation appropriate for your situation. See the section below titled What You Need Before You Begin the Integration Steps.
Refer to the Workspace ONE Access documentation's page Prerequisites for Integration.
- Enable the desktops from your Horizon Cloud environment to the Workspace ONE Access environment, as documented in the Workspace ONE Access product information.
Refer to the Workspace ONE Access documentation's page Configure Horizon Cloud Tenant in VMware Workspace ONE Access.
- Keep in mind these important points as you follow the steps in the Workspace ONE Access documentation
- Do not sync the collection until after you complete step 8 below of configuring your pod for Workspace ONE Access access.
- In the Workspace ONE Access screen for entering the Horizon Cloud tenant information, in the Host field in that screen, you specify the FQDN that you mapped in your DNS server to the pod manager's Azure load balancer IP address, to reach the pod manager VMs.
This FQDN must match the SSL certificate that you directly uploaded to the pod, as described in Configure SSL Certificates Directly on the Pod Manager VMs.
- Enter the settings that allow your configured Workspace ONE Access environment to be used as an identity management provider for the pod. See Steps for Configuring a Horizon Cloud Pod with the Relevant Workspace ONE Access Tenant Information.
- In your Workspace ONE Access cloud tenant, manually sync the collection so that you can verify in the next step. In the Workspace ONE Access administration console, locate the collection and click Sync.
- Verify end-user access to desktops and applications by logging in to Workspace ONE Access as an end user and launching a desktop and application from the catalog. See Confirm End-User Access to Desktop Assignments in Workspace ONE Access.
After you have verified the integration is working, you can optionally enforce end users to authenticate and access their desktops and applications through Workspace ONE Access. See Enforce End Users to Go Through Workspace ONE Access.
What You Need Before You Begin the Integration Steps
To fully complete the integration process end to end through to the step of verifying end-user access to the pod-provided desktops or RDS-based remote applications using Workspace ONE Access, ensure that you have the following items.
- As described in Overview of Configuring SSL Certificates on the Pod Manager VMs and Prerequisites for Configuring SSL Certificates on the Pod Manager VMs, you need an entry in your DNS server that maps the pod manager's Azure load balancer IP address to a fully qualified domain name (FQDN).
You want the FQDN that you will be using in the SSL certificate to resolve to the IP address that is displayed on the pod's details page in the Horizon Universal Console next to the Pod Manager Load Balancer IP label.
As an example, let's say you have the pod that is illustrated in the screenshot below and you want to use an FQDN of
mypod-a.example.comas the FQDN of that pod for the purposes of the Workspace ONE Access connection to the pod.
For this example, in your DNS, you would map
mypod-a.example.comto that depicted IP address of 192.168.21.4.
As you perform the steps in the Workspace ONE Access screen for entering the Horizon Cloud tenant information, you specify this FQDN for the Host field in that Workspace ONE Access screen.
- A fully configured pod that has a trusted and valid SSL certificate that you uploaded to the pod managers themselves using the pod details page. For details about uploading the certificate, see Overview of Configuring SSL Certificates on the Pod Manager VMs.
- Configured VDI desktop assignments, session desktop assignments, or remote application assignments for the pod.
- Access to your organization's configured Workspace ONE Access cloud tenant.
When using the cloud-hosted Workspace ONE Access, a Workspace ONE Access connector appliance is required for integrating your pod with that tenant. This connector sends the information about user and group entitlements to the virtual desktops and applications to your Workspace ONE Access tenant. You must install the Workspace ONE Access connector appliance in your Active Directory network. Follow the steps as documented in the Workspace ONE Access Cloud Documentation available from this documentation page and described in Deployment Scenario for Integrating Horizon Cloud with Workspace ONE Access. For the connector version that is required for this release, see the VMware Product Interoperability Matrixes at https://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Verify that the connector's configured authoritative time source matches the NTP server that is configured for the pod.Note: If you have an existing integration and VMware Workspace ONE® Access™ connector appliance, a best practice is to update the connector before updating the pod to the latest pod software level.
- Verify your configured Workspace ONE Access environment meets all of the prerequisites for integration with Horizon Cloud resources, as described in the Workspace ONE Access documentation page Prerequisites for Integration.