To integrate Horizon Cloud tenants with the VMware Identity Manager service, you create a virtual apps collection in the VMware Identity Manager console, which contains Horizon Cloud tenant information as well as sync settings, and sync resources and entitlements from the Horizon Cloud tenant to the VMware Identity Manager service.

If you have multiple Horizon Cloud tenants, you can create separate virtual apps collections for each tenant or configure all the tenants in a single collection, based on your needs. Each collection is synced separately.

Prerequisites

Procedure

  1. Log in to the VMware Identity Manager console.
  2. Select the Catalog > Virtual Apps Collections tab.
  3. Click New.
  4. Select Horizon Cloud as the source type.
  5. In the New Horizon Cloud Virtual Apps Collection wizard, enter the following information in the Connector page.
    Option Description
    Name Enter a unique name for the Horizon Cloud collection.
    Connector Select the connector that you want to use to sync this collection. To select the connector, select the directory that is associated with it. If you have set up a cluster of connectors, all the connector instances appear in the Host list and you can arrange them in failover order for this collection.
    Important: After you create the collection, you cannot select a different directory.
  6. Click Next.
  7. In the Tenant page, click Add a Tenant and enter your Horizon Cloud tenant information.
    Important: Do not use non-ASCII characters when you enter your domain information.
    Option Description
    Host Fully-qualified domain name of your Horizon Cloud tenant host. For example: tenant1.example.com
    Port Port number of your Horizon Cloud tenant host. For example: 443
    Admin User User name for your Horizon Cloud tenant administrator account. For example: tenantadmin
    Admin Password Password for your Horizon Cloud tenant administrator account.
    Admin Domain Active Directory NETBIOS domain name in which the Horizon Cloud tenant administrator resides.
    Domains to Sync Active Directory NETBIOS domain names for syncing Horizon Cloud resources and entitlements.
    Note: This field is case-sensitive. Ensure that you use the proper case when you enter the names.
    Assertion Consumer Service URL

    The URL to which to post the SAML assertion. This URL is typically the Horizon Cloud tenant's floating IP address or hostname, or the Unified Access Gateway URL. For example, https://mytenant.example.com.

    True SSO Enable this option only if True SSO is enabled for the Horizon Cloud tenant.

    When this option is enabled, users logged into VMware Identity Manager with a non-password authentication method such as SecurID will not be prompted for a password when they launch their Windows desktops.

    Custom ID Mapping You can customize the user ID that is used in the SAML response when users launch Horizon Cloud applications and desktops. By default, User Principal Name is used. You can choose to use other name ID formats such as sAMAccountName or email address and customize the value.

    Name ID Format: Select the name ID format, such as Email address or User Principal Name. The default value is Unspecified (username).

    Name ID Value: Click Select from suggestions and pick from a predefined list of values or click Custom value and enter the value. This value can be any valid Expression Language (EL) expression such as ${user.userName}@${user.domain}. The default value is ${user.userPrincipalName}.
    Note: Ensure that the attributes you use in the expression are mapped attributes in the VMware directory. You can view mapped attributes in the directory's Sync Settings tab. In the above example, userName, userPrincipalName, and domain are directory mapped attributes.

    The ability to select the name ID format is useful in scenarios such as the following:

    • When users from multiple sub-domains are synced, User Principal Name may not work. You can use a different name ID format such as sAMAccountName or email address to uniquely identify users.
    Important: Ensure that you use the same name ID format setting in Horizon Cloud and VMware Identity Manager.
  8. Click Add.
  9. Add other tenants, if required, then click Next.
  10. In the Configuration page, enter the following information.
    Option Description
    Sync Frequency Select how often you want to sync the resources in the collection.

    You can set up an automatic sync schedule or choose to sync manually. To set a schedule, select the interval such as daily or weekly and select the time of day to run the sync. If you select Manual, you must click Sync on the Virtual Apps Collections page after you set up the collection and whenever there is a change in your Horizon Cloud resources or entitlements.

    Activation Policy Select how you want to make resources in this collection available to users in the Workspace ONE portal and app. If you intend to set up an approval flow, select User-Activated, otherwise select Automatic.

    With both the User-Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.

    The activation policy applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the user or group page in the Users & Groups tab.

    Default Launch Client Select the default client for end users accessing Horizon Cloud desktops and apps from the Workspace ONE portal or app.
    None No default preference is set at the administrator level. If this option is set to None and the end user does not set a preference either, the Horizon Cloud Default Protocol setting is used to determine how to launch the desktop or application.
    Browser Horizon Cloud desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting.
    Native Horizon Cloud desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting.

    This setting applies to all users for all resources in this collection.

    The following order of precedence, listed from highest to lowest, applies to the default launch client settings:

    1. End user preference setting, set in the Workspace ONE portal. This setting is not available in the Workspace ONE app.
    2. Administrator Default Launch Client setting for the collection, set in the VMware Identity Manager console.
    3. Horizon Cloud Default Protocol settings
  11. Click Next.
  12. In the Summary page, review your selections, then click Save.
    The collection is created and appears in the Virtual Apps Collections page.
  13. To sync the resources and entitlements in the collection, select the collection in the Virtual Apps Collections page and click Sync.
    Each time resources or entitlements change in Horizon Cloud, a sync is required to propagate the changes to VMware Identity Manager.

What to do next

Configure SAML authentication in the Horizon Cloud tenant to enable trust between the VMware Identity Manager service and the Horizon Cloud tenant.