To integrate Horizon pod federations with Workspace ONE Access, make sure that you meet the requirements listed here.
- Workspace ONE Access supports the Cloud Pod Architecture feature for both applications and desktops.
- You can integrate a maximum of 10 pod federations with the Workspace ONE Access service. Each federation can contain up to 7 pods.
- Deploy Horizon Connection Server instances on the default port 443 or on a custom port.
- Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each Horizon Connection Server instance in your environment. Workspace ONE Access requires reverse lookup for Horizon Connection Server, Security Server, and load balancer instances. If reverse lookup is not properly configured, the Workspace ONE Access integration with Horizon fails.
- The Workspace ONE Access Virtual App service must be able to reach all the Horizon Connection Server instances in the pod federation.
- Ensure that the Horizon Connection Servers have valid certificates signed by a trusted Certificate Authority (CA). If you have not obtained CA-signed certificates and are using self-signed certificates temporarily for testing purposes, you must upload the root certificates to the Virtual App service trust store using the Workspace ONE Access connector installer, and then restart the Virtual App service. See Set up Your Workspace ONE Access Environment for Horizon Integration for more information.
- SAML authentication must be configured in Horizon, with the Workspace ONE Access service specified as the identity provider. You must use the service's fully-qualified domain name as part of the URL. Configuring SAML authentication on all the Horizon Connection Server instances in the pod federation is recommended. See Configure SAML Authentication in Horizon for Workspace ONE Access Integration for more information.
Extending the SAML metadata expiration period on the Horizon Connection Server instances to 1 year is recommended. See Change the Expiration Period for Service Provider Metadata on View Connection Server for information.
- Deploy application and desktop pools in the Horizon pods.
- While configuring desktop pools, ensure that in Remote Settings, you set the Automatically log off after disconnect option to 1 or 2 minutes instead of immediately.
- You can create pools in any access group in the Horizon environment. Ensure that the admin user account that you use to sync Horizon assignments to Workspace ONE Access has admin permissions on the Horizon root access group so that pools and resources from all access groups can be synced to Workspace ONE Access.
If you add or remove application or desktop pools after integrating with Workspace ONE Access, for the changes to appear in the Workspace ONE Access service, you must sync again.
- You must create the pod federation, by initializing the Cloud Pod Architecture feature from one of the pods and joining all the other pods to the federation, before integrating with the Workspace ONE Access service. Global entitlements are replicated to pods when they join the federation.
If you join or remove a pod from the pod federation after you integrate the pod federation with the Workspace ONE Access service, you must edit the pod federation details in the Workspace ONE Access console to add or remove the pod, save your changes, and sync again.
- In your Horizon environment, create global entitlements in the pod federation to entitle Active Directory users or groups to desktops and applications.
- (Optional) Create local entitlements on the pods, if required.
- In Horizon 7 versions prior to 7.13, to enable end users to launch desktops or applications in a Web browser, select the HTML Access option for the global entitlement.
If you integrate Horizon 7.13 or later versions with Workspace ONE Access, end users always see the option in Intelligent Hub to launch applications and desktops in a browser. However, if HTML Access is not installed on the Horizon Connection servers, browser launch fails. For Horizon 7.13 and later versions, you must install HTML Access on the Horizon Connection servers. See the VMware Horizon HTML Access documentation for information.
For more information about configuring Horizon, see the VMware Horizon documentation.