After you create a virtual apps collection for the Horizon Cloud integration in the Workspace ONE Access console, configure SAML authentication in the Horizon Cloud tenant.

If you are integrating multiple Horizon Cloud tenants, ensure that you configure SAML authentication in all the tenants.

Note: This topic applies to Workspace ONE Access integration with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker and with Horizon Cloud Service on IBM Cloud, using Workspace ONE Access connector 19.03.0.1.
Important: The Horizon Cloud tenant appliance and Workspace ONE Access must be in time sync. If they are not in time sync, when you try to launch Horizon Cloud desktops and applications, an invalid SAML message appears.

Procedure

  1. In the Workspace ONE Access console, select the Catalog > Virtual Apps tab, then click Settings.
  2. In the left pane, under SaaS Apps, click SAML Metadata.
  3. In the Download SAML Metadata tab, click Copy URL next to the Identity Provider (IdP) metadata link.
    The URL, which is in a format similar to https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml, is copied to your clipboard.

  4. Log in to the Horizon Cloud tenant.
  5. Navigate to Settings > Identity Management.
  6. Click New.
  7. Configure the required settings.

    | Option | Description |
    | --- | --- |
    | Identity Manager URL | The Workspace ONE Access IdP metadata URL you copied. The URL is typically in the following format: https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml |
    | Timeout SSO Token | (Optional) The amount of time, in minutes, after which the SSO token times out. |
    | Data Center | The Horizon Cloud data center name. Select the name from the drop-down list. |
    | Tenant Address | The Horizon Cloud tenant address. Specify the floating IP address or hostname of the Horizon Cloud tenant appliance, or the Unified Access Gateway IP address or hostname. For example, mytenant.example.com. |

    On Horizon Cloud on Azure, the following settings appear.

    | Option | Description |
    | --- | --- |
    | VMware Identity Manager URL | The Workspace ONE Access IdP metadata URL you copied. The URL is typically in the following format: https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml |
    | Timeout SSO Token | (Optional) The amount of time, in minutes, after which the SSO token times out. |
    | Location | Select a location to filter the Node drop-down list to the nodes associated with that location. |
    | Node | Select the node you are integrating with Workspace ONE Access. |
    | Data Center | The Horizon Cloud data center name. Select the name from the drop-down list. |
    | Tenant Address | The Horizon Cloud tenant address. Specify the floating IP address or hostname of the Horizon Cloud tenant appliance, or the Unified Access Gateway IP address or hostname. For example, mytenant.example.com. |

  8. Click Save.
    If the integration is successful, the status is green.
  9. To block user access except through Workspace ONE Access, click Configure and edit the settings.

    | Option | Description |
    | --- | --- |
    | Force Remote Users to Identity Manager | Select YES to block remote user access except through IDM. Option only displays if Identity Manager status is green. |
    | Force Internal Users to Identity Manager | Select YES to block internal user access except through IDM. Option only displays if Identity Manager status is green. |
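
Added example, not part of the VMware procedure or product: a Python pre-flight check for the IdP metadata URL copied in step 3, to run before entering it in Horizon Cloud in step 7. It confirms that the URL uses HTTPS and the idp.xml path format shown above, refuses metadata that carries a DTD, and extracts the entityID, SSO endpoints and signing-certificate SHA-256 fingerprints for comparison with the values you expect for your tenant. The host access.example.com, the SSO path and the certificate bytes are constructed sample data, and downloading the document is left out so the check runs offline.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
IDP_PATH = "/SAAS/API/1.0/GET/metadata/idp.xml"  # URL format given in this procedure

# Constructed sample: hypothetical host, placeholder bytes instead of a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"CONSTRUCTED-PLACEHOLDER").decode()
SAMPLE_URL = "https://access.example.com" + IDP_PATH
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="{SAMPLE_URL}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://access.example.com/constructed/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(url, xml_text):
    """Return (findings, info) for a metadata URL and the document fetched from it."""
    findings, info = [], {}
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("metadata URL is not HTTPS")
    if not parts.hostname or parts.path != IDP_PATH:
        findings.append("metadata URL does not match the idp.xml format")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return findings + ["metadata contains a DTD; refusing to parse"], info
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        return findings + ["document is not SAML IdP metadata"], info
    info["entity_id"] = root.get("entityID")
    info["sso"] = [e.get("Location", "") for e in idp.iter(f"{{{MD}}}SingleSignOnService")]
    findings += [f"SSO endpoint is not HTTPS: {u}" for u in info["sso"]
                 if urlsplit(u).scheme != "https"]
    # A KeyDescriptor without a "use" attribute applies to signing as well.
    info["signing_sha256"] = [
        hashlib.sha256(base64.b64decode("".join((c.text or "").split()))).hexdigest()
        for kd in idp.iter(f"{{{MD}}}KeyDescriptor") if kd.get("use") in (None, "signing")
        for c in kd.iter(f"{{{DS}}}X509Certificate")]
    if not info["sso"] or not info["signing_sha256"]:
        findings.append("metadata lacks an SSO endpoint or a signing certificate")
    return findings, info
```

An empty findings list means the URL and document passed these checks; the fingerprints in info still need to be compared against a value obtained out of band.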

Results

Your integration is complete. After you sync Horizon Cloud resources to Workspace ONE Access, you can view Horizon Cloud desktop and application pools in the Workspace ONE Access console and end users can launch the resources to which they are entitled from the Intelligent Hub portal or app.