To provide users the ability to run a Horizon application or desktop from the VMware Identity Manager service and have single sign-on from VMware Identity Manager to the application or desktop, configure SAML authentication in Horizon.

SAML authentication must be configured on at least one Horizon Connection Server instance in a pod. Configuring SAML authentication on all the instances in a pod is recommended.

If SAML authentication is disabled on some of the Horizon Connection Server instances in a pod, VMware Identity Manager uses the other instances and sync continues to work. However, you must ensure that any instance with SAML authentication disabled is not used for launch. Do not use the instance in the Client Access URL or, if the Client Access URL points to a load balancer, as one of the nodes on the load balancer. If you do so, users will not be able to run the Horizon desktops or applications.

If SAML authentication is disabled on all the Horizon Connection Server instances in the pod, sync fails.

Note: You do not need to configure SAML authentication if your organization uses smart card authentication to view resources using a third-party identity provider.


  1. Log in to the Horizon Administrator as a user with the Administrator role assigned.
  2. Configure SAML authentication for the Horizon Connection Server instances. You must use the VMware Identity Manager service's fully-qualified domain name on the Authenticator configuration page.
    Important: The Horizon and VMware Identity Manager servers must be in time sync. If the servers are not in time sync, when you try to run a Horizon application or desktop, an invalid SAML message occurs.

What to do next

Important: If you change any settings or SAML configuration on the Horizon server, make sure you edit the Horizon Virtual Apps page in the VMware Identity Manager console and click Save to update the latest Horizon settings in the VMware Identity Manager service.