Before you integrate Horizon Cloud with Workspace ONE Access, ensure that you meet the prerequisites.

  • Verify that you have the following setup:
    • A Workspace ONE Access on-premises deployment

      Integrating multiple Horizon Cloud tenants with a single Workspace ONE Access instance is supported in Workspace ONE Access 3.x and later.

    • A Workspace ONE Access connector installed on premises.

      Workspace ONE Access connector version 2016.1.1 or later is required for Horizon Cloud integration. Version 2017.8.1.0 or later is required for integration with multiple Horizon Cloud tenants.

    • One or more Horizon Cloud tenants that are accessible by the Workspace ONE Access service. Work with your Horizon Cloud representative to set this up.
      Important: Your Workspace ONE Access deployment and your Horizon Cloud tenants need VPN connectivity to work.
  • Verify that each Horizon Cloud tenant meets the following requirements.
    • The tenant name must be a fully qualified domain name (FQDN), not just a host name. For example, server-ta1.example.com instead of server-ta1.
    • The tenant appliances should have valid, signed certificates issued by a CA. The certificate must match the FQDN of the tenant appliance. If the tenant appliances have self-signed certificates, you must upload the self-signed certificate as a trusted root certificate in Workspace ONE Access. When you integrate multiple Horizon Cloud tenants, you must ensure that all the certificates have the same root certificate as only one root certificate can be uploaded to Workspace ONE Access.
  • Ensure that the Horizon Cloud tenants and the Workspace ONE Access service are in time sync. If they are not in time sync, an invalid SAML error can occur when users run Horizon Cloud desktops and applications.
  • Create and configure desktop and application pools, also known as assignments, in the Horizon Cloud tenant administration console. You can create the following types of pools in the Horizon Cloud tenant:
    • Dynamic desktop pool, also known as floating desktop assignment
    • Static desktop pool, also known as dedicated desktop assignment
    • Session-based pool with desktops, also known as session desktop assignment
    • Session-based pool with applications, also known as remote application assignment

      For more information about the types of pools, see the Horizon Cloud documentation.

  • Set user and group entitlements to Horizon Cloud desktops and applications in the Horizon Cloud tenant administration console.
    Note: Only entitlements for users that belong to a registered group are synced. Users who do not belong to any group will not see their entitlements in Workspace ONE Access.
  • In the Workspace ONE Access console, ensure that users and groups with Horizon Cloud entitlements are synced from Active Directory to Workspace ONE Access using directory sync.

    Follow these guidelines:

    • If you are integrating multiple Horizon Cloud tenants, ensure that you add all the relevant directories and domains to Workspace ONE Access so that users with entitlements in any of the Horizon Cloud tenants are synced to Workspace ONE Access.
    • sAMAccountName must be set as the directory search attribute for the directory in Workspace ONE Access.
    • distinguishedName must be set as a required attribute for the Workspace ONE Access directory and it must be mapped to the Active Directory attribute distinguishedName.

      Attributes must be marked as required before the directory is created. After the directory is created, attributes cannot be changed from optional to required.

      1. In the Workspace ONE Access console, navigate to the Identity & Access Management > Setup > User Attributes page.
      2. Under Default Attributes, select the Required check box for distinguishedName.
      3. Click Save.
      4. While creating the directory, map the distinguishedName attribute to the Active Directory attribute distinguishedName.