To integrate a Workspace ONE Access tenant with a Horizon Cloud tenant that has Universal Broker enabled, you must log in to the Workspace ONE Access console and configure the mandatory user attributes. Configuring these user attributes is a multi-step process using multiple areas within the Workspace ONE Access console's Identity & Access Management area.

Note: This documentation page assumes that you are reading it because you are following the steps described in Horizon Cloud with Universal Broker - Integrate the Tenant with Workspace ONE Access and Intelligent Hub Services. This page's contents are not applicable to any other situation or context.

At a high level, in the Workspace ONE Access console, you:

  1. First use the Setup area of the Identity & Access Management area to add the additional Workspace ONE Access attributes that are mandatory for this integration.
  2. Then you use the Manage area of that Identity & Access Management area to appropriately map those required Workspace ONE Access attributes to your Active Directory attributes.

The userPrincipalName, objectGuid, sid, and netBios Workspace ONE Access attributes are mandatory and must be mapped to the appropriate Active Directory attributes as described in the following steps.

Additionally, sAMAccountName must be set as the directory search attribute for the Workspace ONE Access directory. You specify the directory search attribute at the time when you create the directory in the Workspace ONE Access console.

Prerequisites

Before you can configure user attributes in the Workspace ONE Access console in support of the integration steps of Universal Broker and Workspace ONE Access, you must have installed a compatible version of Workspace ONE Access connector and set up directory integration with Active Directory as specifically described in those integration steps.

As of this writing, that page's Step 5 is the relevant point where the connector installation and directory integration are referenced.

Procedure

  1. Log in to the console for your Workspace ONE Access tenant as administrator.
  2. Using the Setup part of the Workspace ONE Access console's Identity & Access Management area, navigate to the screen where user attributes are configured for your Workspace ONE Access tenant.
    Look for the label User Attributes in the Setup area.
  3. In that console's screen for configuring the Workspace ONE Access user attributes, navigate past the list of default attributes to locate the section for adding other attributes to sync to the directory, and use the console's buttons to add the following attributes.
    Important: These attributes are 100% CASE-SENSITIVE!

    That is, objectGuid must be entered with lowercase uid and NOT capital UID.

    netBios must be entered with lowercase ios and NOT capital IOS.

    The 100% CASE-SENSITIVE NATURE is a technical fact of how it was implemented.

    Failure to adhere to the 100% CASE-SENSITIVE NATURE of these attributes in the Workspace ONE admin UI will break the sync between Universal Broker and Workspace ONE Access, and end users logging in will not see desktops and apps that you think they should see.

    • objectGuid
    • sid
    • netBios

    Please note that even though userPrincipalName is also mandatory for this integration, because it already appears in the list of default attributes, you do not have to specially add it here.

  4. Save your changes in that screen.
  5. Using the Manage area of the Workspace ONE Access console's Identity & Access Management area, map the Workspace ONE Access attributes to your Active Directory attributes.
    1. Using the Manage part of the Workspace ONE Access console's Identity & Access Management area, navigate to the screen where directories are configured and click the directory that contains the users and groups that have Horizon Cloud entitlements.
    2. In the screen for that directory, open the Sync Settings screen, then navigate to its Mapped Attributes page.
    3. Map the Workspace ONE Access user attributes to the Active Directory attributes as indicated.
      Important: Pay attention to how the Workspace ONE Access attributes are mapped to the Active Directory ones that have similar — but slightly different — names.

      Remember from the above steps that the Workspace ONE Access attributes are 100% CASE-SENSITIVE!

      That is, objectGuid in Workspace ONE Access has lowercase uid and NOT capital UID.

      However, bear in mind that objectGuid in Workspace ONE Access with lowercase uid gets mapped to the Active Directory attribute that has the uppercase UID in it.

      Workspace ONE Access Attribute    Active Directory Attribute
      ------------------------------    --------------------------
      userPrincipalName                 userPrincipalName
      objectGuid                        objectGUID
      sid                               objectSid
      netBios                           msDS-PrincipalName
  6. Save the settings.
  7. Verify that you selected all the users and groups that sync to your Horizon Cloud environment.
    In the Workspace ONE Access console, you can view and edit the lists of users and groups by navigating from the directory's Sync Settings screen into the Users tab and Groups tab.
  8. In the Workspace ONE Access console, return to that directory's page and click Sync to sync users and groups to Workspace ONE Access, now using all of the correct user attributes.
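
As an added example (not part of the VMware documentation or product), the following Python script checks attribute names and mappings that you have transcribed by hand from the User Attributes and Mapped Attributes screens against the values required in steps 3 and 5, before you click Sync. The dictionary input format, the function name check_mapping, and the sample values are assumptions made for this example; no Workspace ONE Access API is used.

```python
# Added example: checks hand-transcribed console values before a directory sync.
# Required values are taken from this page; the input format is an assumption.
REQUIRED_MAPPING = {
    "userPrincipalName": "userPrincipalName",
    "objectGuid": "objectGUID",
    "sid": "objectSid",
    "netBios": "msDS-PrincipalName",
}
REQUIRED_SEARCH_ATTRIBUTE = "sAMAccountName"


def check_mapping(mapped, search_attribute):
    """Return a list of findings; an empty list means the values match the page."""
    findings = []
    by_lower = {}
    for name in mapped:
        by_lower.setdefault(name.lower(), []).append(name)
    for ws1_name, ad_name in REQUIRED_MAPPING.items():
        # Workspace ONE Access names are compared exactly (case-sensitive).
        variants = [n for n in by_lower.get(ws1_name.lower(), []) if n != ws1_name]
        for variant in variants:
            findings.append(f"case mismatch: '{variant}' must be '{ws1_name}'")
        if ws1_name not in mapped:
            if not variants:
                findings.append(f"missing attribute: '{ws1_name}'")
            continue
        # LDAP attribute names are case-insensitive, so the Active Directory
        # side is compared without regard to case.
        if mapped[ws1_name].lower() != ad_name.lower():
            findings.append(
                f"wrong mapping: '{ws1_name}' -> '{mapped[ws1_name]}', expected '{ad_name}'"
            )
    if search_attribute.lower() != REQUIRED_SEARCH_ATTRIBUTE.lower():
        findings.append(
            f"search attribute is '{search_attribute}', expected '{REQUIRED_SEARCH_ATTRIBUTE}'"
        )
    return findings


# Constructed sample input, not taken from a real tenant.
SAMPLE_MAPPED = {
    "userPrincipalName": "userPrincipalName",
    "objectGUID": "objectGUID",      # wrong case on the Workspace ONE Access side
    "sid": "objectSid",
    "netBios": "sAMAccountName",     # mapped to the wrong Active Directory attribute
}

if __name__ == "__main__":
    for finding in check_mapping(SAMPLE_MAPPED, "userPrincipalName"):
        print(finding)
```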

What to do next

Return to the steps in Horizon Cloud with Universal Broker - Integrate the Tenant with Workspace ONE Access and Intelligent Hub Services and complete the remaining integration steps after the Configure User Access step.