Workspace ONE or VMware Workspace ONE Access administrators can configure access policies to restrict access to entitled desktops and applications in VMware Horizon. To enforce policies created in VMware Workspace ONE Access, you put Horizon Client into Workspace ONE mode so that Horizon Client can direct the user to the Workspace ONE client to launch entitlements. When you log in to Horizon Client, the access policy directs you to log in through Workspace ONE to access your published desktops and applications.

Prerequisites

  • Configure the access policies for applications in Workspace ONE. For more information about setting access policies, see the VMware Identity Manager Administration Guide.
  • Entitle users to published desktops and applications in Horizon Console.

Procedure

  1. In Horizon Console, navigate to Settings > Servers.
  2. On the Connection Servers tab, select a server instance that is associated with a SAML authenticator and click Edit.
  3. On the Authentication tab, set the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) option to Required.
    The Required option enables SAML authentication. The end user can only connect to the Horizon server with a SAML token provided by vIDM or a third-party identity provider. You cannot start desktops or applications from Horizon Client manually.
  4. Select Enable Workspace ONE mode.
  5. In the Workspace ONE server hostname text box, enter the Workspace ONE Hostname FQDN value.
  6. (Optional) Select Block connections from clients that don't support Workspace ONE mode to prevent Horizon Clients that do not support Workspace ONE mode from accessing applications.