By integrating your pod in Microsoft Azure with the cloud-hosted Workspace ONE Access environment, you can give your end users the ability to authenticate to their entitled pod-provisioned desktops and applications from a single unified catalog in Workspace ONE Access. You must deploy a Workspace ONE Access connector that bridges your Workspace ONE Access environment with the pod. This connector gives you the ability to synchronize the end-user entitlements from the pod to Workspace ONE Access.

Tip:
  • The former name of Workspace ONE Access was VMware Identity Manager™. The former name of the connector was the VMware Identity Manager™ connector. You might continue to see references to the former name in the product, documentation, and KB articles, especially if you are using older connector versions.
  • See the VMware Digital Workspace Tech Zone for an excellent write-up describing the integration between Horizon Cloud and Workspace ONE Access.
  • The Workspace ONE Access documentation uses the term entitlements when it describes the connector's synchronization from the pod to Workspace ONE Access. In Horizon Cloud, an assignment represents the combination of a resource and an entitlement. In the Horizon Cloud Administration Console, adding a user to an assignment entitles that user to the assignment's pod-provisioned resource, such as when you create a dedicated VDI desktop assignment.

Workspace ONE Access is an Identity as a Service (IDaaS) offering that provides application provisioning, a self-service catalog, conditional access controls, and single sign-on (SSO) for SaaS, web, cloud, and native mobile applications. Workspace ONE Access handles the authentication of users to access those items that you have configured for them in the Workspace ONE Access catalog. Horizon Cloud customers typically use the cloud-hosted Workspace ONE Access, hosted by VMware.

For an overview of this integration from the perspective of the Workspace ONE Access environment, see the Providing Access to VMware Horizon Cloud Service Desktops and Applications overview. You configure desktops and remote application assignments for your users and groups in the Horizon Cloud Administration Console as usual. After you complete the steps to integrate your pod with your Workspace ONE Access environment, you sync the pod's assignment information to Workspace ONE Access. Then you can see the desktops and applications in the Workspace ONE Access administration console and your end users can authenticate to their assigned resources from Workspace ONE Access. You can set up a regular sync schedule to sync the assignment information from Horizon Cloud to your Workspace ONE Access environment.

Note: The screenshots in the Workspace ONE Access documentation might look different from the user interface elements you see in your specific Workspace ONE Access environment.

High-Level View of the Key Components

Integration of a pod in Microsoft Azure with Workspace ONE Access involves the following key concepts.

  • The pod deployed in Microsoft Azure
  • Your Workspace ONE Access tenant environment
  • A valid SSL certificate uploaded onto the pod's manager VMs. This SSL certificate allows the Workspace ONE Access connector to trust its connection to the pod when the connector synchronizes the entitlements and pod-provisioned resources for the Horizon Cloud Virtual Apps Collection in Workspace ONE Access.
  • A Workspace ONE Access connector, installed and configured to sync to Workspace ONE Access the information about these resources:
    • The Active Directory users and groups
    • The pod's assignments (the pod-provisioned resources and the entitlements to those resources)
  • Configuration settings in the Horizon Cloud Administration Console to set up the SAML artifact that allows Workspace ONE Access to perform the SAML communication with the pod.

Overview of the Integration Process

The following list is a high-level summary of the end-to-end steps to enable your end users to authenticate to their pod-provisioned desktops and applications using Workspace ONE Access. Prior to these steps, you must have the pod already deployed in Microsoft Azure and have your Workspace ONE Access environment. If you want to integrate with a cloud-hosted Workspace ONE Access environment and you do not already have that tenant, you can initiate setting up a Workspace ONE Access cloud tenant using the Horizon Cloud Administration Console's Identity Management page. For details, see Identity Management Page in the Horizon Cloud Administration Console.

  1. In your DNS server, map the pod manager's Azure load balancer IP address to a fully qualified domain name (FQDN), such as mypod1.example.com. You can locate this IP address in the pod's details page. See Overview of Configuring SSL Certificates on the Horizon Cloud Pod's Manager VMs for an illustration of where to locate that IP address within the pod's details page.
    Note: Prior to the July 2020 quarterly service release, this IP address had the label Tenant appliance IP address on the pod's details page. The current label is Pod Manager Load Balancer IP. Pods of recent manifests include a Microsoft Azure load balancer deployed for the pod manager instance by default, and the current label reflects that pod architecture. Even though pods of manifests lower than 1600 do not have a Microsoft Azure load balancer deployed for their pod manager VM, the IP address you need to use for this pairing task is the IP displayed next to that label in the pod's details page.
  2. Obtain a trusted SSL certificate based on that FQDN. For details on what is needed, see the following topics:
    Note: The certificate file formats required for uploading an SSL certificate to the pod are different than the PEM file format used by the pod gateway configurations.
  3. Upload that SSL certificate as described in Configure SSL Certificates Directly on the Pod Manager VMs, Such as When Integrating the Workspace ONE Access Connector Appliance with the Horizon Cloud Pod in Microsoft Azure, So that Connector Can Trust Connections to the Pod Manager VMs.
    Important: If the pod does not have an SSL certificate on it that is configured as described to present to the Workspace ONE Access connector attempting to connect to it, the connector's attempt to connect to the pod to sync the entitlements and resources will fail because the connector will not make an untrusted network connection. The pod's SSL certificate must be trusted by the Workspace ONE Access connector for it to successfully connect with the pod. Until you have uploaded an SSL certificate that meets the criteria onto the pod, you will be unable to successfully integrate Workspace ONE Access with the pod.
  4. Obtain a Workspace ONE Access environment by subscribing to the cloud-hosted version to have a Workspace ONE Access tenant in the cloud.
    Note: If you set up a Workspace ONE Access tenant using the console's Identity Management page, the Workspace ONE Access tenant is associated with your Horizon Cloud customer record as part of that process. Pods that already exist for the same Horizon Cloud customer record can then be integrated with that tenant by deploying the Workspace ONE Access connector. In the following steps, make note of the connector-related details.
  5. Deploy Workspace ONE Access according to the Workspace ONE Access guidelines for the deployment model you are using.

    If you are using the cloud-hosted Workspace ONE Access, you must install the Workspace ONE Access connector appliance in your Active Directory network. Read all of the connector-related prerequisites starting with the section below titled What You Need Before You Begin the Integration Steps.

    Important: You must also ensure that the authoritative time source you configure in that connector matches the NTP server that is configured for the pod. If the time sources do not match, syncing issues can occur. The pod's details page shows the pod's configured NTP server. You can open the pod's details page as described in Managing Your Cloud-Connected Pods, for All Horizon Cloud Supported Pod Types.
  6. Ensure that you meet the Workspace ONE Access prerequisites for integration, as documented in the Workspace ONE Access product documentation appropriate for your situation. See the section below titled What You Need Before You Begin the Integration Steps.
    Important: In addition to the prerequisites listed below in this documentation topic, you must also ensure that your configured Workspace ONE Access environment meets the prerequisites for integration with Horizon Cloud resources, as described in the Workspace ONE Access documentation.
    For a cloud-hosted Workspace ONE Access environment, see Prerequisites for Integration of Workspace ONE Access with Horizon Cloud in the Workspace ONE Access documentation.
  7. Enable the desktops from your Horizon Cloud environment in the Workspace ONE Access environment, as documented in the Workspace ONE Access product information appropriate for your situation.
    Important: In the Workspace ONE Access screen for entering the Horizon Cloud tenant information, in the Host field in that screen, you specify the FQDN that you mapped in your DNS server to the pod manager's Azure load balancer IP address. This FQDN must be the one on which the SSL certificate that you uploaded to the pod is based, as described in Overview of Configuring SSL Certificates on the Horizon Cloud Pod's Manager VMs, Prerequisites for Running the Horizon Cloud Administration Console's Upload Certificate Workflow to Configure SSL Certificates on the Horizon Cloud Pod's Manager VMs, and Configure SSL Certificates Directly on the Pod Manager VMs, Such as When Integrating the Workspace ONE Access Connector Appliance with the Horizon Cloud Pod in Microsoft Azure, So that Connector Can Trust Connections to the Pod Manager VMs.

    In the Configure Horizon Cloud Tenant in Workspace ONE Access topics that are linked below, the final step in those procedural topics describes how to sync the information about the entitlements from your Horizon Cloud environment. However, do not perform that sync step until after you complete step 5 below of configuring your pod for Workspace ONE Access access.

    For a cloud-hosted Workspace ONE Access environment, see Configure Horizon Cloud Tenant in VMware Workspace ONE Access in the Workspace ONE Access documentation.
  8. Enter the settings that allow your configured Workspace ONE Access environment to be used as an identity management provider for the pod. See Configure a Horizon Cloud Pod in Microsoft Azure for Workspace ONE Access.
  9. In your Workspace ONE Access environment, sync the entitled desktops and applications to Workspace ONE Access. In the Workspace ONE Access administration console, navigate to the Virtual Apps Configuration page for the collection you created in Step 4 and click Sync.
  10. Verify end-user access to desktops and applications by logging in to Workspace ONE Access as an end user and launching a desktop and application from the catalog. See Confirm End-User Access to Desktop Assignments in Workspace ONE Access.
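Steps 1 through 3 above come down to two things the connector will check before it syncs: the FQDN you mapped in DNS must resolve to the Pod Manager Load Balancer IP, and the certificate the pod presents must be trusted and issued for that FQDN. The following pre-flight script is an added example, not part of Horizon Cloud or its documentation; it reuses the page's sample values (mypod-a.example.com and 192.168.21.4), takes an injectable resolver and a constructed certificate dict so the logic can be exercised offline, and includes a live fetch that verifies the pod's chain the same way the connector does.

```python
"""Pre-flight check for the pod FQDN and SSL certificate prerequisites.
Added example, not part of Horizon Cloud or its documentation: verifies that
the FQDN mapped in DNS resolves to the Pod Manager Load Balancer IP and that
the pod's certificate covers that FQDN and is unexpired, as the connector requires."""
import socket
import ssl
import time

# Values taken from the page's DNS-mapping example.
POD_FQDN = "mypod-a.example.com"
POD_LB_IP = "192.168.21.4"

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", POD_FQDN),),),
    "subjectAltName": (("DNS", POD_FQDN),),
    "notAfter": "Jan 10 00:00:00 2031 GMT",
}

def check_dns_mapping(fqdn, expected_ip, resolve=socket.gethostbyname_ex):
    """True if fqdn resolves only to expected_ip; `resolve` is injectable
    so the check can run offline against a stub resolver."""
    _, _, addresses = resolve(fqdn)
    return addresses == [expected_ip]

def _san_matches(pattern, hostname):
    """Match one DNS SAN entry; a '*' label matches exactly one label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and all(a in ("*", b) for a, b in zip(p, h))

def check_certificate(cert, fqdn, now=None):
    """Return (ok, reason): fqdn must be covered by a DNS SAN and notAfter
    must lie in the future (relative to `now`, epoch seconds)."""
    now = time.time() if now is None else now
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_san_matches(s, fqdn) for s in sans):
        return False, "%s is not covered by the SANs %s" % (fqdn, sans)
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        return False, "certificate expired on %s" % cert["notAfter"]
    return True, "ok"

def fetch_pod_certificate(fqdn, port=443):
    """Live check: the default context verifies the chain against the system
    trust store, so an untrusted pod certificate raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()
```

Run `check_dns_mapping(POD_FQDN, POD_LB_IP)` and then `check_certificate(fetch_pod_certificate(POD_FQDN), POD_FQDN)` from a host on the connector's network; a failure in either is the reason a connector sync to the pod would be refused.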

After you have verified that the integration is working, you can optionally require end users to authenticate and access their desktops and applications through Workspace ONE Access. See Enforce Having End Users Go Through Workspace ONE Access to Access Their Horizon Cloud Entitled Desktops and Applications.

What You Need Before You Begin the Integration Steps

To fully complete the integration process end to end through to the step of verifying end-user access to the pod-provided desktops or RDS-based remote applications using Workspace ONE Access, ensure that you have the following items.

  • As described in Overview of Configuring SSL Certificates on the Horizon Cloud Pod's Manager VMs and Prerequisites for Running the Horizon Cloud Administration Console's Upload Certificate Workflow to Configure SSL Certificates on the Horizon Cloud Pod's Manager VMs, you need an entry in your DNS server that maps the pod manager's Azure load balancer IP address to a fully qualified domain name (FQDN). You want the FQDN that you will be using in the SSL certificate to resolve to the IP address that is displayed on the pod's details page in the Horizon Cloud Administration Console next to the Pod Manager Load Balancer IP label. As an example, let's say you have the pod that is illustrated in the screenshot below and you want to use an FQDN of mypod-a.example.com as the FQDN of that pod for the purposes of the Workspace ONE Access connection to the pod.
    Screenshot of the pod details for a pod named MontereyStores with a green arrow pointing to the pod manager's Azure load balancer IP address.

    For this example, in your DNS, you would map mypod-a.example.com to that depicted IP address of 192.168.21.4.
    mypod-a.example.com    192.168.21.4

    As you perform the steps in the Workspace ONE Access screen for entering the Horizon Cloud tenant information, you specify this FQDN for the Host field in that Workspace ONE Access screen.

  • A fully configured pod that has a trusted and valid SSL certificate that you uploaded to the pod itself using the pod details page. For details about uploading the certificate, see Configure SSL Certificates Directly on the Pod Manager VMs, Such as When Integrating the Workspace ONE Access Connector Appliance with the Horizon Cloud Pod in Microsoft Azure, So that Connector Can Trust Connections to the Pod Manager VMs.
  • Configured VDI desktop assignments, session desktop assignments, or remote application assignments for the pod.
  • Access to your organization's configured Workspace ONE Access tenant environment. Your Workspace ONE Access environment must be configured with trusted certificates.

    When using the cloud-hosted Workspace ONE Access, a Workspace ONE Access connector appliance is required for integrating your pod with that tenant. This connector sends the information about user and group entitlements to the virtual desktops and applications to your Workspace ONE Access tenant. You must install the Workspace ONE Access connector appliance in your Active Directory network. Follow the steps as documented in the Workspace ONE Access Cloud Documentation, also available from this documentation page, and see the description of this deployment scenario and subtopics. For the connector version that is required for this release, see the VMware Product Interoperability Matrixes at https://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

    Verify that the connector's configured authoritative time source matches the NTP server that is configured for the pod.

    Note: If you have an existing integration and VMware Workspace ONE® Access™ connector appliance, a best practice is to update the connector before updating the pod to the latest pod software level.
  • Verify your configured Workspace ONE Access environment meets all of the prerequisites for integration with Horizon Cloud resources, as described in the Workspace ONE Access documentation.
    For a cloud-hosted Workspace ONE Access environment, see Prerequisites for Integration in the Workspace ONE Access documentation.