Before you integrate your Horizon Cloud tenant with Workspace ONE Access, ensure that you meet the prerequisites listed in this topic. This information is applicable to Workspace ONE Access integration with Horizon Cloud Service environments with single-pod brokering enabled for the pods deployed in Microsoft Azure, or Horizon Cloud Service on IBM Cloud environments.

  • Verify that you have the following components:
    • A Workspace ONE Access tenant
    • A Workspace ONE Access connector installed on premises

      Install Workspace ONE Access connector version 19.03.0.1. See Installing and Configuring VMware Identity Manager Connector 19.03 (Windows) for information.

      Important: Do not install version 20.10 or 20.01 as these versions do not support Virtual Apps.
    • One or more Horizon Cloud tenants that can be accessed by the Workspace ONE Access connector
  • Verify that each Horizon Cloud tenant meets the following requirements.
    • The tenant name must be a fully qualified domain name (FQDN), not just a host name. For example, server-ta1.example.com instead of server-ta1.
    • The tenant appliances must have valid, signed certificates issued by a CA. The certificate must match the FQDN of the tenant appliance. If the tenant appliances have self-signed certificates, you must upload the self-signed certificate as a trusted root certificate in Workspace ONE Access. When you integrate multiple Horizon Cloud tenants, you must ensure that all the certificates have the same root certificate as only one root certificate can be uploaded to Workspace ONE Access.
  • Ensure that the Horizon Cloud tenants and the Workspace ONE Access service are in time sync. If they are not in time sync, an invalid SAML error can occur when users run Horizon Cloud desktops and applications.
  • Create and configure desktop and application pools, also known as assignments, in the Horizon Cloud tenant administration console. You can create the following types of pools in the Horizon Cloud tenant:
    • Dynamic desktop pool, also known as floating desktop assignment
    • Static desktop pool, also known as dedicated desktop assignment
    • Session-based pool with desktops, also known as session desktop assignment
    • Session-based pool with applications, also known as remote application assignment

      For more information about the types of pools, see the Horizon Cloud documentation.

  • Set user and group entitlements to Horizon Cloud desktops and applications in the Horizon Cloud tenant administration console.
    Note: Only entitlements for users that belong to a registered group are synced. Users who do not belong to any group will not see their entitlements in Workspace ONE Access.
  • In the Workspace ONE Access console, ensure that users and groups with Horizon Cloud entitlements are synced from Active Directory to Workspace ONE Access using directory sync.

    Follow these guidelines:

    • If you are integrating multiple Horizon Cloud tenants, ensure that you add all the relevant directories and domains to Workspace ONE Access so that users with entitlements in any of the Horizon Cloud tenants are synced to Workspace ONE Access.
    • sAMAccountName must be set as the directory search attribute for the directory in Workspace ONE Access.
    • distinguishedName must be set as a required attribute for the Workspace ONE Access directory and it must be mapped to the Active Directory attribute distinguishedName.

      Attributes must be marked as required before the directory is created. After the directory is created, attributes cannot be changed from optional to required.

      1. In the Workspace ONE Access console, navigate to the Identity & Access Management > Setup > User Attributes page.
      2. Under Default Attributes, select the Required check box for distinguishedName.
      3. Click Save.
      4. While creating the directory, map the distinguishedName attribute to the Active Directory attribute distinguishedName.