Configure Horizon pods and pod federations in the VMware Identity Manager console to sync resources and entitlements to the VMware Identity Manager service.
To configure the pods and pod federations, you create one or more virtual apps collections in the Virtual Apps Configuration page and enter configuration information such as the Horizon Connection servers from which to sync resources and entitlements, pod federation details, the VMware Identity Manager connector to use for sync, and administrator settings such as the default launch client.
You can add all the Horizon pods and pod federations in one collection or you can create multiple collections, based on your needs. For example, you may choose to create separate collections for each pod federation or each pod for easier management and to distribute the sync load across multiple connectors. Or you may choose to include all pods and pod federations in one collection for test purposes and have another identical collection for your production environment.
After you add the pods, configure client access URLs for specific network ranges.
- Set up Horizon according to Requirements for Integrating Horizon Pods and Requirements for Integrating Horizon Pod Federations.
- Set up VMware Identity Manager according to Set up Your VMware Identity Manager Environment.
- For each Horizon pod, ensure that you have the credentials of a user who has the Administrators role.
- You must use an administrator role that can perform the Manage Desktop Apps action in the Catalog service.
- Log in to the VMware Identity Manager console.
- Select the tab, then click Virtual Apps Configuration.
- Click Add Virtual Apps and select Horizon View On-Premises.
- Enter a unique name for the collection.
- From the Sync Connectors drop-down menu, select the connector that you want to use to sync the resources in this collection.
If you have set up multiple connectors for high availability, click Add Connector and select the other connectors. The order in which the connectors are listed determines the failover order.
- In the Horizon Pods section, provide the configuration information for the Horizon pods that you are adding to this collection.
| Option | Description |
|---|---|
| Connection Server | Enter the fully qualified hostname of the Horizon Connection Server instance, such as connectionserver.example.com. The domain name must exactly match the domain name to which you joined the Horizon Connection Server instance. |
| Username | Enter the administrator username for the pod. The user must have the Administrators role in Horizon. |
| Password | Enter the administrator password for the pod. |
| Smart Card Authentication | If users use smart card authentication to sign in to the pod instead of passwords, select the check box. |
| True SSO Enabled | Select this option if True SSO is enabled in Horizon. This option only applies to Horizon versions that support the True SSO feature. When True SSO is enabled in Horizon, users do not require a password to log into their Windows desktops. However, if users are logged into VMware Identity Manager using a non-password authentication method such as SecurID, when they launch their Windows desktops, they are prompted for a password. You can select this option to prevent a password dialog box from being shown to users in that scenario. |
| Sync Local Entitlements | If local entitlements are configured for the pod, select this option. |
- To add multiple pods to the collection, click Add Pod and enter the configuration information for each pod.
- To add a pod federation, follow these steps.
Note: If the collection only includes individual Horizon pods that do not belong to a pod federation, do not enable this option.
- Select the Enable check box in the Horizon Cloud Pod Architecture Configuration section.
- Enter the pod federation configuration information.
| Option | Description |
|---|---|
| Federation Name | The name of the pod federation. |
| Add Horizon Pods | Select all the pods that belong to the pod federation. The list displays all the pods that you have added to the collection. Select each pod and click Add to List. |
| Selected Pods | You can reorder the pods or remove them. |
| Launch URL | The global launch URL to be used to launch globally-entitled desktops or applications. For example, federationA.example.com. The launch URL is typically the global load balancer URL of the pod federation. You can customize the launch URL for specific network ranges later in the configuration process. |
- To add another pod federation, click Add Federation and enter the configuration information.
- Select the Do not sync duplicate applications check box to prevent duplicate applications from being synced from multiple servers.
When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in the multiple data centers. Selecting this option prevents duplication of the desktop or application pools in your VMware Identity Manager catalog.
- Select the Configuring Horizon Connection Server 5.x check box if you are configuring any View Connection Server 5.x instances.
Selecting this option enables an alternative way of syncing resources that is required for View 5.x.
Note: If you select the Perform Directory Sync option, the Configuring Horizon Connection Server 5.x option is also automatically selected as both options rely on the alternative way of syncing resources.
- Select the Perform Directory Sync check box if you want directory sync to be performed as part of resource sync when any users and groups that are entitled to Horizon pools in the Horizon Connection Server instances are missing in the VMware Identity Manager directory.
The Perform Directory Sync option does not apply to pod federations. If users and groups with global entitlements are missing in the VMware Identity Manager directory, directory sync is not triggered.
Users and groups synced through this process can be managed like any other users added by VMware Identity Manager directory sync.
Important: Sync takes longer when you use the Perform Directory Sync option.
Note: When this option is selected, the Configuring Horizon Connection Server 5.x option is also selected automatically as both options rely on an alternative way of syncing resources.
- From the Default Launch Client drop-down list, select the default client in which to launch Horizon applications or desktops.
| Option | Description |
|---|---|
| NONE | No default preference is set at the administrator level. If this option is set to None and an end user preference is not set either, the Horizon Default display protocol setting is used to determine how to launch the desktop or application. |
| BROWSER | Horizon desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting. |
| NATIVE | Horizon desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting. |
This setting applies to all users for all resources in this collection.
The following order of precedence, listed from highest to lowest, applies to the default launch client settings:
- End user preference setting, set in the Workspace ONE portal. This option is not available in the Workspace ONE app.
- Administrator Default Launch Client setting for the collection, set in the VMware Identity Manager console.
- Horizon Default display protocol setting for the desktop or application pool, set in Horizon Administrator. For example, when the display protocol is set to PCoIP, the application or desktop is launched in the Horizon Client.
- From the Sync Frequency drop-down menu, select how often you want to sync the resources in this collection.
You can set up a regular sync schedule or choose to sync manually. If you select Manual, you must click Sync on the Virtual Apps Configuration page after you set up the collection and whenever there is a change in your View resources or entitlements.
- From the Activation Policy drop-down list, select how Horizon resources are made available to users in Workspace ONE.
With both the User Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.
The activation policy that you select on this page applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the application or desktop's Entitlements page.
Setting the activation policy for the collection to User Activated is recommended if you intend to set up an approval flow.
- Click Save.
The collection is created and appears in the Virtual Apps Configuration page. The resources in the collection are not synced yet.
- To sync the resources in the collection to VMware Identity Manager, click Sync in the Virtual Apps Configuration page.
Each time you change settings in Horizon, such as adding an entitlement or a user, a sync is required to propagate the changes to VMware Identity Manager.
- Configure Client Access URLs for the pods and pod federations.
You customize the URLs for specific network ranges. For example, different launch URLs are typically set for internal and external access.
- Review your network ranges and create new ones, if required.
- Click the tab.
- Click Network Ranges.
- Review the network ranges and click Add Network Range to add new ranges, if required.
- Click the tab, then click Virtual App Settings.
- Click Network Settings.
- Select the network range to configure.
The View CPA federation section lists the global launch URL of the pod federations you added to the collection. The View Pod section lists all the View pods that you added to the collection that have the Sync Local Entitlements option selected.
- In the View CPA federation section, for the global launch URL, specify the fully-qualified domain name of the server to which to direct launch requests for global entitlements that come from this network range. This is typically the global load balancer URL of the View pod federation deployment.
For example: lb.example.com
The global launch URL is used to launch globally-entitled resources.
- In the View Pod section, for each pod, specify the fully-qualified domain name of the server to which to direct launch requests for local entitlements that come from this network range. You can specify a Horizon Connection Server instance, a load balancer, or a security server. For example, if you are editing a range that provides internal access, you would specify the internal load balancer for the pod.
For example: lb.example.com
The client access URL is used to launch locally-entitled resources from the pod.
Note: For information about the Wrap Artifact in JWT and Audience in JWT options, see Launching Horizon Resources Through Validating Gateways.
- Click Finish.
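The settings in this procedure can be checked on a planning worksheet before you enter them in the console. The following Python sketch is an added example, not VMware code: it lints a planned collection against the rules stated on this page. The dictionary layout, key names, and sample values are assumptions made for illustration.

```python
import re

# Fully qualified hostname: dot-separated labels ending in a TLD; no scheme, port or path.
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def lint_collection(c):
    """Return findings for one planned collection (hypothetical dict layout)."""
    out = []
    pods = {p["connection_server"]: p for p in c["pods"]}
    for host in pods:
        if not FQDN.match(host):
            out.append(f"pod {host}: Connection Server must be a fully qualified hostname")
    feds = c.get("federations", [])
    if c.get("cpa_enabled") and not feds:
        out.append("Cloud Pod Architecture enabled but no pod federation is defined")
    for f in feds:
        if not FQDN.match(f["launch_url"]):
            out.append(f"federation {f['name']}: launch URL is not an FQDN")
        for member in f["pods"]:
            if member not in pods:  # only pods added to the collection can be selected
                out.append(f"federation {f['name']}: pod {member} is not in this collection")
    if c.get("perform_directory_sync") and not c.get("connection_server_5x"):
        out.append("Perform Directory Sync also selects the 5.x sync option; record both")
    if c.get("approval_flow") and c.get("activation_policy") != "User Activated":
        out.append("approval flow planned: User Activated is recommended for the collection")
    # Per network range, the View Pod section lists only pods that sync local entitlements.
    for rng, urls in c.get("client_access_urls", {}).items():
        for host, url in urls.items():
            if host not in pods or not pods[host].get("sync_local_entitlements"):
                out.append(f"range {rng}: {host} does not sync local entitlements")
            elif not FQDN.match(url):
                out.append(f"range {rng}: client access URL for {host} is not an FQDN")
    return out

# Constructed sample worksheet; every name and value here is made up.
SAMPLE = {
    "pods": [{"connection_server": "cs1.example.com", "sync_local_entitlements": True},
             {"connection_server": "cs2", "sync_local_entitlements": False}],
    "cpa_enabled": True,
    "federations": [{"name": "federationA", "launch_url": "federationA.example.com",
                     "pods": ["cs1.example.com", "cs3.example.com"]}],
    "perform_directory_sync": True, "connection_server_5x": False,
    "approval_flow": True, "activation_policy": "Automatic",
    "client_access_urls": {"internal": {"cs1.example.com": "https://lb.example.com",
                                        "cs2": "lb.example.com"}},
}

if __name__ == "__main__":
    print("\n".join(lint_collection(SAMPLE)))
```

An empty result means the worksheet is consistent with the rules checked here; it does not confirm that the hosts resolve or that the credentials hold the Administrators role.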