To integrate Workspace ONE Access with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker or Horizon Cloud Service on IBM Cloud, make sure that you set up all the required components and follow the high-level guidelines listed here.

Components

You need the following components:

  • A Horizon Cloud tenant

    This deployment scenario applies only to Horizon Cloud Service on Microsoft Azure with Single-Pod Broker and Horizon Cloud Service on IBM Cloud environments.

  • A Workspace ONE Access tenant
  • One or more instances of the Virtual App service, version 22.05 or later, installed on premises. The Virtual App service is a component of the Workspace ONE Access connector.

    You can download the connector from the Workspace ONE Access product page on VMware Customer Connect.

    The Virtual App service is required to sync resources and entitlements from your Horizon Cloud tenant to your Workspace ONE Access tenant.

    Important:
    • The Virtual App service does not support Federal Information Processing Standards (FIPS) mode. To use the Virtual App service, you must install the Workspace ONE Access connector in non-FIPS mode.
    • Ensure that all instances of the Virtual App service have line of sight to the Horizon Cloud tenant.
  • One or more instances of the Workspace ONE Access Directory Sync service, installed on premises. The Directory Sync service is a component of the Workspace ONE Access connector.

    The Directory Sync service is required to sync users and groups from Active Directory to your Workspace ONE Access tenant.

    After you install and configure the Directory Sync service, create a directory in your Workspace ONE Access tenant and sync the Active Directory users and groups that have Horizon Cloud desktop and application entitlements.

Integration Diagram

Figure 1. Workspace ONE Access Integration with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker or Horizon Cloud Service on IBM Cloud

An On Premises box includes Horizon Client, Access connector, DNS/NTP Services, and AD. Outside the box are an Access tenant and a Horizon Cloud tenant.
  1. The Directory Sync service syncs users and groups from Active Directory to the Workspace ONE Access tenant.
  2. The Virtual App service syncs Horizon Cloud resources and entitlements from the Horizon Cloud tenant to the Workspace ONE Access tenant.
  3. The end user accesses a desktop or application as follows:
    1. The end user logs into the Intelligent Hub app or portal and clicks a desktop or application.
    2. The Workspace ONE Access service generates a launch URL and passes it to the Horizon Client. The launch URL includes a SAML artifact ID.
    3. The Horizon Client accesses the launch URL.
    4. The Horizon Cloud tenant receives the request and validates the SAML artifact ID with the Workspace ONE Access service.
    5. If the SAML artifact ID is validated by the Workspace ONE Access service, the desktop or application is streamed to the Horizon Client by the Horizon Cloud tenant.