The synchronization and launch architecture diagrams depict how Workspace ONE Access synchronizes on-premises Horizon resources and user assignments from the Horizon Connection Server to the Workspace ONE Access service and how it launches these resources from Workspace ONE.

Horizon Resources and Assignments Synchronization

Figure 1. Synchronization Architecture Diagram

Synchronization Diagram of Horizon Resources and Assignments

  1. The Directory Sync service syncs users and groups from Active Directory to the Workspace ONE Access service.
  2. The Virtual App service syncs Horizon resources and assignments from the Horizon Connection Server to the Workspace ONE Access service.

Horizon Applications and Desktops Launch

Figure 2. Launch Architecture Diagram

Launch Diagram of Horizon Resources from Workspace ONE

The blue arrows in the diagram depict the authentication flow.

  1. A user enters Active Directory credentials to log into the Workspace ONE Intelligent Hub app or portal.
  2. The Workspace ONE Access service sends encrypted credentials to the User Auth service.
  3. The User Auth service verifies the credentials with Active Directory.
  4. The User Auth service sends an OK message to the Workspace ONE Access service, allowing the user to log in.

The black arrows in the diagram depict the launch flow.

  1. The user launches a Horizon resource from the Workspace ONE Intelligent Hub app or portal.
  2. The Workspace ONE Access service creates a launch URL with the SAML artifact and passes it to the Horizon Client.
  3. The Horizon Client connects to the Horizon Connection Server through Unified Access Gateway (UAG).
  4. The Horizon Connection Server resolves the SAML artifact with the Workspace ONE Access service to get the SAML assertion and validates it.
  5. The Horizon Connection server renders the Horizon resource to the end user through the Horizon Client.