To integrate a Workspace ONE Access tenant with your Horizon Cloud environment that has Universal Broker enabled, you must log in to the Workspace ONE Access console and configure the mandatory user attributes. Configuring these user attributes is a multi-step process using multiple areas within the Workspace ONE Access console's Identity & Access Management area.

At a high-level, in the Workspace ONE Access console, you:

  1. First use the Setup area of the Identity & Access Management area to add the additional Workspace ONE Access attributes that are mandatory for this integration.
  2. Then you use the Manage area of that Identity & Access Management area to appropriately map those required Workspace ONE Access attributes to your Active Directory attributes.

The userPrincipalName, objectGuid, sid, and netBios Workspace ONE Access attributes are mandatory and must be mapped to the appropriate Active Directory attributes as described in the following steps. Additionally, sAMAccountName must be set as the directory search attribute for the Workspace ONE Access directory. You specify the directory search attribute at the time when you create the directory in the Workspace ONE Access console.

Prerequisites

Before you can configure user attributes, you must install the Workspace ONE Access connector and set up directory integration with Active Directory:
  • If you created a new Workspace ONE Access tenant from the Horizon Universal Console, install the Workspace ONE Access connector version 20.10 or 19.03.0.1.

    If you plan to add a Virtual Apps collection, install version 19.03.0.1. Do not install version 20.10 as Workspace ONE Access connectors 20.x do not support Virtual Apps collections.

  • If you are integrating an existing Workspace ONE Access tenant and you want to maintain your existing Virtual Apps collections or create new Virtual Apps collections, install or upgrade your Workspace ONE Access connector to version 19.03.0.1.
  • When you set up the directory in Workspace ONE Access, make sure you meet the following requirements:
    • Set sAMAccountName as the directory search attribute for the Workspace ONE Access directory.
    • Ensure that all Active Directory domains, users, and groups that are synced to your Horizon Cloud tenant are also synced to the Workspace ONE Access tenant. Otherwise, users will not see all their entitlements in the Hub catalog.
    Note: Only users that are synced from Active Directory can access Horizon Cloud applications and desktops from the Hub catalog. Other types of users, such as Just-in-Time users and local users, are not supported.

Procedure

  1. Log in to the console for your Workspace ONE Access tenant as administrator.
  2. Using the Setup part of the Workspace ONE Access console's Identity & Access Management area, navigate to the screen where user attributes are configured for your Workspace ONE Access tenant.
    Look for the label User Attributes in the Setup area.
  3. In that console's screen for configuring the Workspace ONE Access user attributes, navigate past the list of default attributes to locate the section for adding other attributes to sync to the directory, and use the console's buttons to add the following attributes.
    Important: Make sure that you enter the names exactly as they are listed here.
    • objectGuid
    • sid
    • netBios
    Even though userPrincipalName is also mandatory for this integration, because it already appears in the list of default attributes, you do not have to add it here.
  4. Save your changes in that screen.
  5. Using the Manage area of the Workspace ONE Access console's Identity & Access Management area, map the Workspace ONE Access attributes to your Active Directory attributes.
    1. Using the Manage part of the Workspace ONE Access console's Identity & Access Management area, navigate to the screen where directories are configured and click the directory that contains the users and groups that have Horizon Cloud entitlements.
    2. In the screen for that directory, open the Sync Settings screen, then navigate to its Mapped Attributes page.
    3. Map the Workspace ONE Access user attributes to the Active Directory attributes as indicated.
      Workspace ONE Access Attribute Active Directory Attribute
      userPrincipalName userPrincipalName
      objectGuid objectGUID
      sid objectSid
      netBios msDS-PrincipalName
  6. Save the settings.
  7. Verify that you selected all the users and groups that sync to your Horizon Cloud environment.
    In the Workspace ONE Access console, you can view and edit the lists of users and groups by navigating from the directory's Sync Settings screen into the Users tab and Groups tab.
  8. In the Workspace ONE Access console, return to that directory's page and click Sync to sync users and groups to Workspace ONE Access, now using all of the correct user attributes.