Integration between VMware Horizon and VMware Workspace ONE Access (formerly called Workspace ONE) uses the SAML 2.0 standard to establish mutual trust, which is essential for single sign-on (SSO) functionality. When SSO is enabled, users who log in to VMware Workspace ONE Access or Workspace ONE with Active Directory credentials can launch remote desktops and applications without having to go through a second login procedure.

When VMware Workspace ONE Access and VMware Horizon are integrated, VMware Workspace ONE Access generates a unique SAML artifact whenever a user logs in to VMware Workspace ONE Access and clicks a desktop or application icon. VMware Workspace ONE Access uses this SAML artifact to create a Uniform Resource Identifier (URI). The URI contains information about the Connection Server instance where the desktop or application pool resides, which desktop or application to launch, and the SAML artifact.

VMware Workspace ONE Access sends the SAML artifact to the Horizon client, which in turn sends the artifact to the Connection Server instance. The Connection Server instance uses the SAML artifact to retrieve the SAML assertion from VMware Workspace ONE Access.
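The artifact handed to the Connection Server is a short opaque reference, not the assertion itself. The following added example (not VMware code) parses the standard SAML 2.0 type 0x0004 artifact layout and checks that its SourceID matches the trusted identity provider before any resolution request would be made. It assumes the artifact follows the standard layout; the entity IDs and the `build_sample` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

TYPE_0004 = 0x0004   # artifact format defined by the SAML 2.0 bindings spec
ARTIFACT_LEN = 44    # TypeCode(2) + EndpointIndex(2) + SourceID(20) + MessageHandle(20)


@dataclass(frozen=True)
class SamlArtifact:
    endpoint_index: int    # selects the issuer's artifact resolution endpoint
    source_id: bytes       # SHA-1 of the issuer's entityID
    message_handle: bytes  # opaque, single-use reference to the stored assertion


def parse_artifact(b64_artifact: str) -> SamlArtifact:
    """Decode a base64 type 0x0004 artifact, rejecting malformed input."""
    try:
        raw = base64.b64decode(b64_artifact, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"unexpected artifact length {len(raw)}")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_0004:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return SamlArtifact(endpoint_index, raw[4:24], raw[24:44])


def issued_by(artifact: SamlArtifact, trusted_entity_id: str) -> bool:
    """True only if SourceID is the SHA-1 of the trusted IdP's entityID."""
    expected = hashlib.sha1(trusted_entity_id.encode("utf-8")).digest()
    return hmac.compare_digest(artifact.source_id, expected)


def build_sample(entity_id: str, endpoint_index: int = 0) -> str:
    """Construct a sample artifact (random message handle) for the demo."""
    raw = struct.pack(">HH", TYPE_0004, endpoint_index)
    raw += hashlib.sha1(entity_id.encode("utf-8")).digest() + os.urandom(20)
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    idp = "https://idp.example.test/metadata"  # constructed entityID
    art = parse_artifact(build_sample(idp))
    print("trusted issuer:", issued_by(art, idp))
    print("other issuer:  ", issued_by(art, "https://other.example.test/metadata"))
```

Because the SourceID is only a hash of a public entityID, this check routes and filters artifacts but proves nothing about origin; trust still rests on the authenticated back-channel retrieval and on validating the returned assertion.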

After a Connection Server instance receives a SAML assertion, it validates the assertion, decrypts the user's password, and uses the decrypted password to launch the desktop or application.

Setting up VMware Workspace ONE Access and VMware Horizon integration involves configuring VMware Workspace ONE Access with VMware Horizon information and configuring VMware Horizon to delegate responsibility for authentication to VMware Workspace ONE Access.

To delegate responsibility for authentication to VMware Workspace ONE Access, you must create a SAML authenticator in VMware Horizon. A SAML authenticator contains the trust and metadata exchange between VMware Horizon and VMware Workspace ONE Access. You associate a SAML authenticator with a Connection Server instance.

Note: If you intend to provide access to your desktops and applications through VMware Workspace ONE Access, verify that you create the desktop and application pools as a user who has the Administrators role on the root access group in Horizon Console. If you give the user the Administrators role on an access group other than the root access group, VMware Workspace ONE Access will not recognize the SAML authenticator you configure in VMware Horizon, and you cannot configure the pool in VMware Workspace ONE Access.