After you create a Horizon virtual apps collection in Workspace ONE Access, log in to Horizon Administrator and configure SAML authentication on the Horizon Connection Server instances to allow users to launch Horizon desktops and applications using single sign-on.

You must configure SAML authentication on at least one Horizon Connection Server instance in a pod. Configuring SAML authentication on all instances in the pod is recommended.

If SAML authentication is disabled on some of the Horizon Connection Server instances in a pod, Workspace ONE Access uses the other instances for sync. However, ensure that any instance with SAML authentication disabled is not used for launch; otherwise, users cannot launch Horizon desktops or applications. Do not use such an instance as the Client Access FQDN or, if the Client Access FQDN points to a load balancer, as one of the nodes on the load balancer.

If SAML authentication is disabled on all the Horizon Connection Server instances in the pod, sync fails.

Note: You do not need to configure SAML authentication if your organization uses smart card authentication to view resources using a third-party identity provider.

Procedure

  1. Log in to Horizon Administrator as a user that has the administrator role.
  2. Configure SAML authentication on the Horizon Connection Server instances.
    See the Horizon 7 documentation for information.
    Ensure that you specify the FQDN of the Workspace ONE Access service when you configure the SAML Authenticator.
    Important: The Horizon and Workspace ONE Access servers must be in time sync. If the servers are not in time sync, an invalid SAML message occurs when users access a Horizon application or desktop.
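
The time-sync requirement in step 2, shown as an added example (not VMware code and not part of the product documentation): a SAML 2.0 assertion carries a validity window in its `Conditions` element, and the receiving server evaluates that window against its own clock, so a drifted clock sees a fresh assertion as not yet valid or already expired. The assertion, its issuer name and its 200-second window are constructed, and `allowed_skew` is an assumption because the tolerance Horizon applies is not stated here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real deployment).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>access.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:03:20Z"/>
</saml:Assertion>"""


def _parse_ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_validity(assertion_xml, receiver_now, allowed_skew=timedelta(0)):
    """Return 'valid', 'not_yet_valid' or 'expired' as judged by the receiver's clock."""
    # Diagnostic only: checks the time window, does not verify the signature.
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and receiver_now + allowed_skew < _parse_ts(not_before):
        return "not_yet_valid"
    if not_on_or_after and receiver_now - allowed_skew >= _parse_ts(not_on_or_after):
        return "expired"
    return "valid"


def drift_report(assertion_xml, true_now, drifts_seconds):
    """Map each receiver clock drift (in seconds) to the resulting validity verdict."""
    return {d: check_validity(assertion_xml, true_now + timedelta(seconds=d))
            for d in drifts_seconds}


if __name__ == "__main__":
    true_now = datetime(2024, 1, 1, 12, 0, 5, tzinfo=timezone.utc)  # 5 s after issue
    for drift, verdict in drift_report(SAMPLE_ASSERTION, true_now, [-60, 0, 60, 300]).items():
        print(f"receiver clock drift {drift:+5d}s -> {verdict}")
```

With the constructed window, a receiver running 60 seconds slow rejects the assertion as not yet valid and one running 300 seconds fast rejects it as expired, even though the assertion was issued seconds earlier.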

What to do next

Important: If you change any settings or SAML configuration on the Horizon server, make sure you edit the Virtual Apps Collection page in the Workspace ONE Access console and click Save to update the latest Horizon settings in the Workspace ONE Access service.