The following diagram illustrates the high-level architecture and communication flow of the components in a Horizon Cloud environment that is configured with Universal Broker and integrated with Workspace ONE Access and Intelligent Hub services.


Architecture and communication flow diagram for integration between Workspace ONE Access, Hub services, and Horizon Cloud tenant with Universal Broker
  1. During the activation workflow, the Workspace ONE Access tenant is registered for integration with your Horizon Cloud tenant.
  2. The Workspace ONE Access Connector syncs the Workspace ONE Access tenant with the Active Directory users and groups.
  3. The user authenticates through Workspace ONE Access and requests to load the Hub catalog.
  4. The Workspace ONE Intelligent Hub services fetch information about the user’s entitlements from all configured sources of the catalog. Sources can include Workspace ONE Access, Workspace ONE UEM, Okta, and the Universal Broker service.
  5. The Hub catalog presents a unified catalog of entitlements to the user. The catalog includes the user's assignment entitlements fetched from the Universal Broker service.
  6. From the catalog, the user clicks an assigned desktop or application to start a connection session to it.
  7. The Workspace ONE Intelligent Hub services prepare the start URL for the assigned resource by communicating with Workspace ONE Access and generating a SAML artifact, which is appended to the Universal Broker URL. The services then send the start URL to the Workspace ONE Intelligent Hub client.
    Note: For this integration feature, the Hub Browser is the only supported Workspace ONE Intelligent Hub client. The Intelligent Hub app is not supported.
  8. The Workspace ONE Intelligent Hub client starts the Horizon Client desktop or web application.
  9. Horizon Client forwards the authentication request to the Universal Broker service.
  10. Through communications with Workspace ONE Access, the Universal Broker service resolves the SAML artifact and validates the trusted user.
  11. Horizon Client requests the assigned desktop or application from the Universal Broker service.
  12. After determining which pod can best provide the assigned resource, the Universal Broker service sends a message to the Universal Broker client, which runs within that pod. The Universal Broker client forwards the message to the Universal Broker plugin running on the Connection Server (for a Horizon pod) or to the active pod manager (for a pod in Microsoft Azure). The Universal Broker plugin or the active pod manager identifies the best available resource to allocate to the end user.
  13. The Universal Broker service returns a connection response to Horizon Client which includes the unique FQDN of the pod. The unique FQDN is typically the FQDN of either the Horizon pod's local load balancer or the Microsoft Azure load balancer.
  14. After passing through the load balancer, the request goes to the Unified Access Gateway for the pod. The Unified Access Gateway validates that the request is trusted and prepares the Blast Secure Gateway, PCoIP Secure Gateway, and tunnel server.
  15. The user receives the assigned desktop or application and establishes a connection session based on the configured secondary protocol (Blast Extreme, PCoIP, or RDP).