To integrate a Workspace ONE Access tenant with a Horizon Cloud tenant that has Universal Broker enabled, you must log in to the Workspace ONE Access console and configure the mandatory user attributes. Configuring these user attributes is a multi-step process using multiple areas within the Workspace ONE Access console's Identity & Access Management area.

Note: This entire article applies to a Horizon Cloud tenant configured to use Universal Broker with the tenant's pods.

At a high level, in the Workspace ONE Access console, you:

  1. Use the Setup area of the Identity & Access Management area to add the additional Workspace ONE Access attributes that are mandatory for this integration.
  2. Use the Manage area of the Identity & Access Management area to map those required Workspace ONE Access attributes to your Active Directory attributes.

The userPrincipalName, objectGuid, sid, and netBios Workspace ONE Access attributes are mandatory and must be mapped to the appropriate Active Directory attributes as described in the following steps. Additionally, sAMAccountName must be set as the directory search attribute for the Workspace ONE Access directory. You specify the directory search attribute when you create the directory in the Workspace ONE Access console.

Prerequisites

Before you can configure user attributes in the Workspace ONE Access console, you must install the Workspace ONE Access connector and set up directory integration with Active Directory.

Installing Workspace ONE Access connector

Choose the connector version according to your use case as follows.
Note: Using the latest version of the connector is recommended, to obtain the latest fixes and improvements.

  Use case: When you created a new Workspace ONE Access tenant for your Horizon Cloud tenant and integrated it using the Horizon Universal Console, using the steps described in Integrate the Tenant with Workspace ONE Access and Intelligent Hub Services
  Connector details: Workspace ONE Access 20.10 or later is supported for this use case. If you plan to add a Virtual Apps collection in the new Workspace ONE Access tenant, install version 21.08 or later. The 20.x versions do not support Virtual Apps collections.

  Use case: When you integrated an existing Workspace ONE Access tenant that has existing Virtual Apps collections and you want to maintain that tenant's existing Virtual Apps collections, or you want to have Virtual Apps collections in that existing tenant
  Connector details: Install or upgrade your existing Workspace ONE Access connector deployment to version 21.08 or later.

Setting up the Active Directory integration
When you set up the directory in Workspace ONE Access, make sure you meet the following requirements:
  • Set sAMAccountName as the directory search attribute for the Workspace ONE Access directory.
  • Ensure that all Active Directory domains, users, and groups that are synced to your Horizon Cloud tenant are also synced to the Workspace ONE Access tenant. Otherwise, users will not see all their entitlements in the Hub catalog.
Note: Only users that are synced from Active Directory can access Horizon Cloud applications and desktops from the Hub catalog. Other types of users, such as Just-in-Time users and local users, are not supported.

Procedure

  1. Log in to the console for your Workspace ONE Access tenant as an administrator.
  2. Using the Setup part of the Workspace ONE Access console's Identity & Access Management area, navigate to the screen where user attributes are configured for your Workspace ONE Access tenant.
    Look for the label User Attributes in the Setup area.
  3. In that console's screen for configuring the Workspace ONE Access user attributes, navigate past the list of default attributes to locate the section for adding other attributes to sync to the directory, and use the console's buttons to add the following attributes.
    Important: Make sure that you enter the case-sensitive attributes exactly as they appear here in this list.
    • objectGuid
    • sid
    • netBios
    Even though userPrincipalName is also mandatory for this integration, because it already appears in the list of default attributes, you do not have to add it here.
  4. Save your changes in that screen.
  5. Using the Manage area of the Workspace ONE Access console's Identity & Access Management area, map the Workspace ONE Access attributes to your Active Directory attributes.
    1. Using the Manage part of the Workspace ONE Access console's Identity & Access Management area, navigate to the screen where directories are configured and click the directory that contains the users and groups that have Horizon Cloud entitlements.
    2. In the screen for that directory, open the Sync Settings screen, then navigate to its Mapped Attributes page.
    3. Map the Workspace ONE Access user attributes to the Active Directory attributes as indicated.
      Workspace ONE Access Attribute    Active Directory Attribute
      userPrincipalName                 userPrincipalName
      objectGuid                        objectGUID
      sid                               objectSid
      netBios                           msDS-PrincipalName
  6. Save the settings.
  7. Verify that you selected all the users and groups that sync to your Horizon Cloud environment.
    In the Workspace ONE Access console, you can view and edit the lists of users and groups by navigating from the directory's Sync Settings screen into the Users tab and Groups tab.
  8. In the Workspace ONE Access console, return to that directory's page and click Sync to sync users and groups to Workspace ONE Access, now using all of the correct user attributes.
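
The following check is an added example, not VMware code and not part of the original procedure. It compares a mapping that you transcribe by hand from the Mapped Attributes page against the mandatory attributes, the mapping table, and the sAMAccountName search attribute given above, and lists accounts that are synced to Horizon Cloud but not to Workspace ONE Access. The input formats, the function names, and the use of userPrincipalName to identify accounts are assumptions of this example.

```python
# Added example: values below are copied from the procedure's attribute list and mapping table.
REQUIRED_MAPPING = {                      # Workspace ONE Access attribute -> Active Directory attribute
    "userPrincipalName": "userPrincipalName",
    "objectGuid": "objectGUID",
    "sid": "objectSid",
    "netBios": "msDS-PrincipalName",
}
REQUIRED_SEARCH_ATTRIBUTE = "sAMAccountName"


def check_attribute_config(mapped_attributes, search_attribute):
    """Return findings for a hand-transcribed mapping (hypothetical input format); [] means it matches."""
    findings = []
    # Fold names so a near miss such as "SID" is reported as a case error, not as missing.
    folded = {name.lower(): name for name in mapped_attributes}
    for ws1_name, ad_name in REQUIRED_MAPPING.items():
        if ws1_name not in mapped_attributes:
            near_miss = folded.get(ws1_name.lower())
            if near_miss is None:
                findings.append(f"{ws1_name}: mandatory attribute is not configured")
            else:
                findings.append(f"{near_miss}: wrong case, must be exactly {ws1_name}")
            continue
        configured = mapped_attributes[ws1_name]
        # The Active Directory side is compared exactly as the mapping table writes it.
        if configured != ad_name:
            findings.append(f"{ws1_name}: mapped to {configured!r}, expected {ad_name}")
    if search_attribute != REQUIRED_SEARCH_ATTRIBUTE:
        findings.append(f"search attribute is {search_attribute!r}, expected {REQUIRED_SEARCH_ATTRIBUTE}")
    return findings


def missing_from_access(horizon_upns, access_upns):
    """Accounts synced to Horizon Cloud but not to Workspace ONE Access (UPNs compared case-insensitively)."""
    synced = {upn.lower() for upn in access_upns}
    return sorted(upn for upn in horizon_upns if upn.lower() not in synced)


if __name__ == "__main__":
    # Constructed sample input: two deliberate mistakes in the mapping, one account not synced.
    sample_mapping = {
        "userPrincipalName": "userPrincipalName",
        "objectGUID": "objectGUID",       # wrong case on the Workspace ONE Access side
        "sid": "objectSid",
        "netBios": "sAMAccountName",      # wrong Active Directory attribute
    }
    for finding in check_attribute_config(sample_mapping, "sAMAccountName"):
        print("config:", finding)
    for upn in missing_from_access(["ana@example.test", "bo@example.test"], ["ANA@example.test"]):
        print("not synced to Workspace ONE Access:", upn)
```

An empty result from check_attribute_config means the transcribed settings match the procedure; any account returned by missing_from_access is one that would not see all its entitlements in the Hub catalog.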