Before you integrate Horizon Cloud with VMware Identity Manager, ensure that you meet the prerequisites.

  • Verify that you have the following setup:
    • A VMware Identity Manager on-premises deployment

      Integrating multiple Horizon Cloud tenants with a single VMware Identity Manager instance is supported in VMware Identity Manager 3.x and later.

    • If you use an additional, external connector, ensure that you use version 2016.1.1 or later. Integration with multiple Horizon Cloud tenants is supported in connector 2017.8.1.0 and later.
    • One or more Horizon Cloud tenants that are accessible by the VMware Identity Manager service. Work with your Horizon Cloud representative to set this up.
      Important: Your VMware Identity Manager deployment and your Horizon Cloud tenants need VPN connectivity to work.
  • Verify that each Horizon Cloud tenant meets the following requirements.
    • The tenant name must be a fully qualified domain name (FQDN), not just a host name. For example, instead of server-ta1.
    • The tenant appliances should have valid, signed certificates issued by a CA. The certificate must match the FQDN of the tenant appliance. If the tenant appliances have self-signed certificates, you must upload the self-signed certificate as a trusted root certificate in VMware Identity Manager. When you integrate multiple Horizon Cloud tenants, you must ensure that all the certificates have the same root certificate as only one root certificate can be uploaded to VMware Identity Manager.
  • Ensure that the Horizon Cloud tenants and the VMware Identity Manager service are in time sync. If they are not in time sync, an invalid SAML error can occur when users run Horizon Cloud desktops and applications.
  • Create and configure desktop and application pools, also known as assignments, in the Horizon Cloud tenant administration console. You can create the following types of pools in the Horizon Cloud tenant:
    • Dynamic desktop pool, also known as floating desktop assignment
    • Static desktop pool, also known as dedicated desktop assignment
    • Session-based pool with desktops, also known as session desktop assignment
    • Session-based pool with applications, also known as remote application assignment

      For more information about the types of pools, see the Horizon Cloud documentation.

  • Set user and group entitlements to Horizon Cloud desktops and applications in the Horizon Cloud tenant administration console.
    Note: Only entitlements for users that belong to a registered group are synced. Users who do not belong to any group will not see their entitlements in VMware Identity Manager.
  • In the VMware Identity Manager console, ensure that users and groups with Horizon Cloud entitlements are synced from Active Directory to VMware Identity Manager using directory sync.

    Follow these guidelines:

    • If you are integrating multiple Horizon Cloud tenants, ensure that you add all the relevant directories and domains to VMware Identity Manager so that users with entitlements in any of the Horizon Cloud tenants are synced to VMware Identity Manager.
    • sAMAccountName must be set as the directory search attribute for the directory in VMware Identity Manager.
    • distinguishedName must be set as a required attribute for the VMware Identity Manager directory and it must be mapped to the Active Directory attribute distinguishedName.

      Attributes must be marked as required before the directory is created. After the directory is created, attributes cannot be changed from optional to required.

      1. In the VMware Identity Manager console, navigate to the Identity & Access Management > Setup > User Attributes page.
      2. Under Default Attributes, select the Required check box for distinguishedName.
      3. Click Save.
      4. While creating the directory, map the distinguishedName attribute to the Active Directory attribute distinguishedName.