Integrating Horizon pod federations with VMware Identity Manager has the following requirements.
- VMware Identity Manager supports the Cloud Pod Architecture feature in Horizon 6.2 and later, for both applications and desktops.
- You can integrate a maximum of 10 pod federations with the VMware Identity Manager service. Each federation can contain up to 7 pods.
- Deploy Horizon Connection Server instances on the default port 443 or on a custom port.
- Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each Horizon Connection Server instance in your environment. VMware Identity Manager requires reverse lookup for Horizon Connection Server, Security Server, and load balancer instances. If reverse lookup is not properly configured, the VMware Identity Manager integration with Horizon fails.
- The VMware Identity Manager connector must be able to reach all the Horizon Connection Server instances in the pod federation.
- SAML authentication must be configured in Horizon, with the VMware Identity Manager service specified as the identity provider. You must use the service's fully-qualified domain name as part of the URL. Configuring SAML authentication on all the Horizon Connection Server instances in the pod federation is recommended. See Configure SAML Authentication in Horizon for more information.
Extending the SAML metadata expiration period on the Horizon Connection Server instances to 1 year is recommended. See Change the Expiration Period for Service Provider Metadata on View Connection Server for information.
- Horizon Connection Server certificates will be synced to VMware Identity Manager.
- Deploy application and desktop pools in the Horizon pods.
- While configuring desktop pools, ensure that in Remote Settings, you set the Automatically log off after disconnect option to 1 or 2 minutes instead of immediately.
- You can create pools in any folder in the Horizon server. Ensure that the admin user that you use to sync Horizon entitlements to VMware Identity Manager has root level access so that all pools can be synced.
If you add or remove application or desktop pools after integrating with VMware Identity Manager, for the changes to appear in the VMware Identity Manager service, you must sync again.
- You must create the pod federation, by initializing the Cloud Pod Architecture feature from one of the pods and joining all the other pods to the federation, before integrating with the VMware Identity Manager service. Global entitlements are replicated to pods when they join the federation.
If you join or remove a pod from the pod federation after you integrate with the VMware Identity Manager service, you must edit the pod federation details in the VMware Identity Manager console to add or remove the pod, save your changes, and sync again.
- In your Horizon environment, create global entitlements in the pod federation to entitle Active Directory users or groups to desktops and applications.
- The global entitlements that you want to sync to VMware Identity Manager must have the All sites scope policy set. Entitlements with any other scope policy are not synced.
- To enable end users to launch desktops or application in a Web browser, select the HTML Access option for the global entitlement in Horizon.
- (Optional) Create local entitlements on the pods, if required.
For more information about configuring Horizon, see the Horizon 6 or Horizon 7 documentation.