When the VMware Identity Manager service is integrated with a validating gateway, such as F5, the Wrap Artifact in JWT setting must be enabled in the VMware Identity Manager service to authenticate Horizon resources assigned to users.

When Wrap Artifact in JWT is enabled to authenticate a Horizon resource launch request, the VMware Identity Manager service generates a digitally signed JWT token that includes the SAML artifact to allow for verification.

This JWT token is sent to the validating gateway in the DMZ. The gateway validates the JWT token from VMware Identity Manager and extracts the SAML artifact value from the token. The gateway forwards the request with the real SAML artifact value to the Horizon Connector Server. The Connector Server verifies the request and the user is signed in to the Horizon resource.

If Wrap Artifact in JWT is not enabled, the validating gateway does not pass the artifact to the Horizon Connect Server for validation and authentication fails.


The validating gateway configured with the following VMware Identity Manger details.

  • SSL Certificate
  • OAuth2 client ID and secret
  • VMware Identity Manager validation endpoint URL


  1. Log in to the VMware Identity Manager console.
  2. Select the Catalog > Virtual Apps tab, then click Virtual App Settings.
  3. Click Network Settings and select the network range of IP addresses that the Horizon resource can use.
    The View Pod section lists all the View pods that you added to the collection that have the Sync Local Entitlements option selected. See Configure Horizon Pods and Pod Federations in VMware Identity Manager for steps to configure client access URLs for pods and pod federations.
  4. In the View Pod section, enable the Wrap Artifact in JWT check box on the Horizon environment that is configured.
  5. If more than one validating gateway can process requests, create unique identifiers and add the names to the Audience in JWT text box.
    This audience name is configured in the validating gateway setup and is used to verify that this gateway is the intended audience. If the audience in JWT does not match the audience name configured here, the request is rejected.
  6. Click Finish.

What to do next

The unique audience names that you add here must also be added to the validating gateway configuration.