To integrate a pod in Microsoft Azure with Workspace ONE Access, you must configure the pod with the appropriate Workspace ONE Access information. You use the Horizon Universal Console to configure this information.


Verify that an SSL certificate based on that FQDN is uploaded to the pod itself, as described in Configure SSL Certificates Directly on the Pod Manager VMs, Such as When Integrating the Workspace ONE Access Connector Appliance with the Horizon Cloud Pod in Microsoft Azure, So that Connector Can Trust Connections to the Pod Manager VMs. That SSL certificate must be based on the FQDN that you mapped to the pod manager's Azure load balancer IP address in your DNS server, as described in step 4 of A Horizon Cloud Environment with Single-Pod Brokering — Integrating the Environment's Horizon Cloud Pods in Microsoft Azure with Workspace ONE Access.

Verify that your Workspace ONE Access environment is configured use that FQDN, for synchronizing the pod-provisioned end-user resources and entitlements to Workspace ONE Access.

Verify that you have the following information:

  • The SAML identity provider (IdP) metadata URL from your Workspace ONE Access environment. You obtain the environment's SAML IdP metadata URL using the Workspace ONE Access administration console and navigating to Catalog > Settings > SAML Metadata. When you click the Identity Provider (IdP) metadata link on that page, your browser's address bar displays the URL, typically in the form https://WS1AccessFQDN/SAAS/API/1.0/GET/metadata/idp.xml, where WS1AccessFQDN is the fully qualified domain name (FQDN) of your Workspace ONE Access environment. For details, see the Workspace ONE Access product information appropriate for your situation:
    Workspace ONE Access environment Configure SAML Authentication Steps
    Cloud-hosted Configure SAML Authentication in the Horizon Cloud Tenant
  • The FQDN that you tell your end users to make their connections to, for connecting to Horizon Cloud.


  1. In the Horizon Universal Console, navigate to Settings > Identity Management and click New.
  2. Configure the following options.
    Setting Description
    VMware Workspace ONE Access Metadata URL Type your Workspace ONE Access environment's SAML IdP metadata URL, typically of the form https://WS1AccessFQDN/SAAS/API/1.0/GET/metadata/idp.xml where WS1AccessFQDN is the FQDN of your Workspace ONE Access environment.
    Timeout SSO Token Type the amount of time, in minutes, after which you want the SSO token to time out. The prefilled, system-default value is zero (0).
    Location Select one of your locations to filter the Pod drop-down to the set of pods associated with that location.
    Pod Select the pod for which this configuration applies.
    Data Center The drop-down displays a numeric related to the Horizon Cloud pod software version. Keep the default.
    Client Access FQDN Type the FQDN that you tell your end users to make their connections to, for connecting to Horizon Cloud.
    Workspace ONE Redirection When you also have the configuration to force end-user access to go through Workspace ONE Access, you can set this toggle to YES to have the end users' clients automatically redirect to their Workspace ONE Access environment. You can read about setting the options to force end-user access to go through Workspace ONE Access in Configure the Option to Force End-User Access to Use Workspace ONE Access.

    With the automatic redirection configured to YES, in the end-user clients, when the client attempts to connect to Horizon Cloud and you have configured forced authentication through Workspace ONE Access, the client is automatically redirected to the Workspace ONE Access environment that is integrated with the pod. When the toggle is set to NO, automatic redirection is not enabled. When automatic redirection is not enabled and forced access is configured, the clients display an informational message to the user instead. For more details, see Horizon Cloud Environment with Single-Pod Brokering — Enforce Having End Users Go Through Workspace ONE Access to Access Their Entitled Desktops and Applications.

    Note: You can enable Workspace ONE Access redirection for only one of the identity management providers that are configured here. If the toggle is already set to YES for another configuration and you try to set the toggle to YES, an error message is displayed.
  3. Click Save.


A status of green indicates that the configuration is successful.

What to do next

In your Workspace ONE Access environment, sync the entitled desktops and applications to Workspace ONE Access. In the Workspace ONE Access administration console, navigate to Catalog > Virtual Apps until you are on the Virtual Apps Configuration page. Click Sync to sync the Horizon Cloud collection.

  • Each time resources or entitlements change in Horizon Cloud, a sync is required to propagate the changes to Workspace ONE Access.
  • You must also ensure that the authoritative time source you configure in that connector matches the NTP server that is configured for the pod. If the time sources do not match, syncing issues can occur. The pod's details page shows the pod's configured NTP server. You can open the pod's details page from the Managing Your Cloud-Connected Pods, for All Horizon Cloud Supported Pod Types.