To integrate Horizon Cloud tenants with the VMware Identity Manager service, you create a virtual apps collection in the VMware Identity Manager console, which contains Horizon Cloud tenant information as well as sync settings, and sync resources and entitlements from the Horizon Cloud tenant to the VMware Identity Manager service.
If you have multiple Horizon Cloud tenants, you can create separate virtual apps collections for each tenant or configure all the tenants in a single collection, based on your needs. Each collection is synced separately.
Prerequisites
- Verify that you meet the prerequisites described in Prerequisites for Integration. See also Integrating Multiple Horizon Cloud Instances.
- You must use an administrator role that can perform the Manage Desktop Apps action in the Catalog service.
Procedure
- Log in to the VMware Identity Manager console.
- Select the Catalog > Virtual Apps tab, then click Virtual Apps Configuration.
- Click Add Virtual Apps and select Horizon Cloud.
- Enter a unique name for the collection.
- From the Sync Connectors drop-down menu, select the connector that you want to use to sync the resources in this collection.
If you have set up multiple connectors for high availability, click Add Connector and select the connectors. The order in which the connectors are listed determines the failover order.
- In the Tenants section, enter the Horizon Cloud tenant information.
Important: Do not use non-ASCII characters when you enter your domain information.
  - Tenant Host: Fully-qualified domain name of your Horizon Cloud tenant host. For example: tenant1.example.com
  - Tenant Port: Port number of your Horizon Cloud tenant host. For example: 443
  - Admin User: User name for your Horizon Cloud tenant administrator account. For example: tenantadmin
  - Admin Password: Password for your Horizon Cloud tenant administrator account.
  - Admin Domain: Active Directory NETBIOS domain name in which the Horizon Cloud tenant administrator resides.
  - Domains to Sync: Active Directory NETBIOS domain names for syncing Horizon Cloud resources and entitlements. Note: This field is case-sensitive. Ensure that you use the proper case when you enter the names.
  - Assertion Consumer Service URL: The URL to which the SAML assertion is posted. This URL is typically the Horizon Cloud tenant's floating IP address or hostname, or the Unified Access Gateway URL. For example: https://mytenant.example.com
  - True SSO enabled on Horizon Cloud: Select this option if True SSO is enabled for the Horizon Cloud tenant. When True SSO is enabled in the Horizon Cloud tenant, users do not require a password to log in to their Windows desktops. However, if users are logged in to VMware Identity Manager using a non-password authentication method such as SecurID, they are prompted for a password when they launch their Windows desktops. Select this option to prevent the password dialog box from being shown to users in that scenario.
  - Custom Id Mapping: You can customize the user ID that is used in the SAML response when users launch Horizon Cloud applications and desktops. By default, User Principal Name is used. You can choose another name ID format, such as sAMAccountName or email address, and customize the value.
    Name ID Format: Select the name ID format, such as Email address or User Principal Name. The default value is Unspecified (username).
    Name ID Value: Click Select from suggestions and pick from a predefined list of values, or click Custom value and enter the value. This value can be any valid Expression Language (EL) expression, such as ${user.userName}@${user.domain}. The default value is ${user.userPrincipalName}.
    Note: Ensure that the attributes you use in the expression are mapped attributes in the VMware directory. You can view mapped attributes in the directory's Sync Settings tab. In the example above, userName, userPrincipalName, and domain are directory mapped attributes.
    The ability to select the name ID format is useful in scenarios such as the following:
    - When users from multiple sub-domains are synced, User Principal Name may not work. You can use a different name ID format, such as sAMAccountName or email address, to uniquely identify users.
    Important: Ensure that the name ID format setting is the same in both Horizon Cloud and VMware Identity Manager.
    For example:
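As an added illustration (not part of the VMware documentation), the following Python script shows how a custom Name ID Value expression is resolved against directory mapped attributes, and why unmapped attributes, non-ASCII domain entries, case-duplicated Domains to Sync entries and a name ID format that differs from the Horizon Cloud side are worth catching before the tenant entry is saved. The mapped-attribute set, the tenant field names, the https check on the ACS URL and the function names are assumptions made for this example; VMware Identity Manager's own EL evaluator is not involved.

```python
import re
from typing import Mapping

# Constructed sample of the attributes the directory's Sync Settings tab maps.
# In a real deployment this list comes from the directory configuration (assumption).
MAPPED_ATTRIBUTES = frozenset({"userName", "userPrincipalName", "domain", "email", "sAMAccountName"})

# Matches EL references of the form ${user.<attribute>} as used in the Name ID Value field.
EL_USER_REF = re.compile(r"\$\{user\.([A-Za-z0-9_]+)\}")


def unmapped_attributes(expression: str, mapped=MAPPED_ATTRIBUTES) -> set:
    """Return the attributes referenced by the expression that are not directory mapped."""
    return {attr for attr in EL_USER_REF.findall(expression) if attr not in mapped}


def render_name_id(expression: str, user: Mapping[str, str], mapped=MAPPED_ATTRIBUTES) -> str:
    """Resolve a Name ID Value expression for one user, refusing unmapped attributes.

    An unmapped attribute is never populated by sync, so the SAML NameID sent to
    Horizon Cloud would be empty or malformed for every user; fail early instead.
    """
    missing = unmapped_attributes(expression, mapped)
    if missing:
        raise ValueError(f"expression references unmapped attributes: {sorted(missing)}")

    def substitute(match: re.Match) -> str:
        attr = match.group(1)
        value = user.get(attr)
        if not value:
            raise ValueError(f"user has no value for mapped attribute {attr!r}")
        return value

    return EL_USER_REF.sub(substitute, expression)


def check_tenant(tenant: Mapping[str, object], horizon_name_id_format: str) -> list:
    """Pre-save checks for one tenant entry; returns a list of human-readable problems."""
    problems = []

    # Domain information must be plain ASCII (the Important note in the Tenants section).
    domain_values = [("Admin Domain", tenant["admin_domain"])]
    domain_values += [("Domains to Sync", d) for d in tenant["domains_to_sync"]]
    for label, value in domain_values:
        if not str(value).isascii():
            problems.append(f"{label} contains non-ASCII characters: {value!r}")

    # Domains to Sync is case-sensitive; two entries that differ only by case are almost certainly a typo.
    lowered = [str(d).lower() for d in tenant["domains_to_sync"]]
    if len(set(lowered)) != len(lowered):
        problems.append("Domains to Sync contains entries that differ only by case")

    port = tenant["tenant_port"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"Tenant Port is not a valid TCP port: {port!r}")

    # Assumption: the Assertion Consumer Service URL is expected to be an HTTPS endpoint.
    if not str(tenant["acs_url"]).startswith("https://"):
        problems.append("Assertion Consumer Service URL should use https://")

    # The name ID format must match on both sides (the Important note under Custom Id Mapping).
    if tenant["name_id_format"] != horizon_name_id_format:
        problems.append(
            f"Name ID format {tenant['name_id_format']!r} differs from Horizon Cloud setting "
            f"{horizon_name_id_format!r}"
        )

    problems += [
        f"Name ID Value references unmapped attribute {attr!r}"
        for attr in sorted(unmapped_attributes(str(tenant["name_id_value"])))
    ]
    return problems


# Constructed example tenant entry; every value is a placeholder, not a real deployment.
EXAMPLE_TENANT = {
    "tenant_host": "tenant1.example.com",
    "tenant_port": 443,
    "admin_user": "tenantadmin",
    "admin_domain": "CORP",
    "domains_to_sync": ["CORP", "LAB"],
    "acs_url": "https://mytenant.example.com",
    "name_id_format": "Email address",
    "name_id_value": "${user.userName}@${user.domain}",
}

if __name__ == "__main__":
    print(check_tenant(EXAMPLE_TENANT, "Email address"))
    print(render_name_id(EXAMPLE_TENANT["name_id_value"], {"userName": "jdoe", "domain": "example.com"}))
```

Running the script with the constructed tenant reports no problems and renders the NameID for the sample user as jdoe@example.com; changing the Admin Domain to a non-ASCII value, adding a domain that differs only by case, or picking a different Name ID Format than the Horizon Cloud tenant uses produces one problem line each.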
- To add another Horizon Cloud tenant to the collection, click Add Tenant and enter the configuration information for the tenant.
- From the Default Launch Client drop-down list, select the default client in which to launch Horizon Cloud applications or desktops.
  - NONE: No default preference is set at the administrator level. If this option is set and no end user preference is set either, the Horizon Cloud Default Protocol setting determines how the desktop or application is launched.
  - BROWSER: Horizon Cloud desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting.
  - NATIVE: Horizon Cloud desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting.
  This setting applies to all users for all Horizon Cloud resources in this collection.
The following order of precedence, listed from highest to lowest, applies to the default launch client settings:
- End user preference setting, set in the Workspace ONE portal. This option is not available in the Workspace ONE app.
- Administrator Default Launch Client setting for the collection, set in the VMware Identity Manager console.
- Horizon Cloud Default Protocol settings
- From the Sync Frequency drop-down menu, select how often you want to sync the resources in this collection.
You can set up a regular sync schedule or choose to sync manually. If you select Manual, you must click Sync on the Virtual Apps Configuration page after you set up the collection and whenever there is a change in your Horizon Cloud resources or entitlements.
- From the Activation Policy drop-down list, select how Horizon Cloud resources are made available to users in Workspace ONE.
With both the User Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.
The activation policy that you select on this page applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the application or desktop's Entitlements page.
Setting the activation policy for the collection to User Activated is recommended if you intend to set up an approval flow.
- Click Save.
The collection is created and appears in the Virtual Apps page.
- To sync the resources and entitlements in the collection, click Sync in the Virtual Apps Configuration page.
Each time resources or entitlements change in Horizon Cloud, a sync is required to propagate the changes to VMware Identity Manager.
What to do next
Configure SAML authentication in the Horizon Cloud tenant to enable trust between the VMware Identity Manager service and the Horizon Cloud tenant.