Before you integrate your Horizon Cloud tenant with Workspace ONE Access, ensure that you meet the prerequisites listed in this topic. This information applies to Workspace ONE Access integration with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker and Horizon Cloud Service on IBM Cloud environments, using Workspace ONE Access connector 19.03.0.1.
- Verify that you have the following components:
- A Workspace ONE Access tenant
- A Workspace ONE Access connector installed on premises
Install Workspace ONE Access connector version 19.03.0.1. See Installing and Configuring VMware Identity Manager Connector 19.03 (Windows) for information.Important: Do not install a later version as later versions do not support integration with these types of Horizon Cloud Service environments.
- One or more Horizon Cloud tenants that can be accessed by the Workspace ONE Access connector
- Verify that each Horizon Cloud tenant meets the following requirements.
- The tenant name must be a fully qualified domain name (FQDN), not just a host name. For example, server-ta1.example.com instead of server-ta1.
- The tenant appliances must have valid, signed certificates issued by a CA. The certificate must match the FQDN of the tenant appliance. If the tenant appliances have self-signed certificates, you must upload the root certificate as a trusted root certificate on the Workspace ONE Access connector, using the connector admin pages at https://connectorFQDN:8443/cfg/login. When you integrate multiple Horizon Cloud tenants, you must ensure that all the certificates have the same root certificate as only one root certificate can be uploaded to Workspace ONE Access.
- If the Workspace ONE Access connector is using an outbound proxy server, the proxy server must have a valid, CA-signed certificate. If the proxy server has a self-signed certificate, you must upload its root certificate as a trusted root certificate on the connector, using the connector admin pages at https://connectorFQDN:8443/cfg/login.
- Ensure that the Horizon Cloud tenants and the Workspace ONE Access service are in time sync. If they are not in time sync, an invalid SAML error can occur when users run Horizon Cloud desktops and applications.
- Create and configure desktop and application pools, also known as assignments, in the Horizon Cloud tenant administration console. You can create the following types of pools in the Horizon Cloud tenant:
- Dynamic desktop pool, also known as floating desktop assignment
- Static desktop pool, also known as dedicated desktop assignment
- Session-based pool with desktops, also known as session desktop assignment
- Session-based pool with applications, also known as remote application assignment
For more information about the types of pools, see the Horizon Cloud documentation.
- Set user and group entitlements to Horizon Cloud desktops and applications in the Horizon Cloud tenant administration console.
Note: Only entitlements for users that belong to a registered group are synced. Users who do not belong to any group will not see their entitlements in Workspace ONE Access.
- In the Workspace ONE Access console, ensure that users and groups with Horizon Cloud entitlements are synced from Active Directory to Workspace ONE Access using directory sync.
Follow these guidelines:
- If you are integrating multiple Horizon Cloud tenants, ensure that you add all the relevant directories and domains to Workspace ONE Access so that users with entitlements in any of the Horizon Cloud tenants are synced to Workspace ONE Access.
- sAMAccountName must be set as the directory search attribute for the directory in Workspace ONE Access.
- distinguishedName must be set as a required attribute for the Workspace ONE Access directory and it must be mapped to the Active Directory attribute distinguishedName.
Attributes must be marked as required before the directory is created. After the directory is created, attributes cannot be changed from optional to required.
- In the Workspace ONE Access console, navigate to the page.
- Under Default Attributes, select the Required check box for distinguishedName.
- Click Save.
- While creating the directory, map the distinguishedName attribute to the Active Directory attribute distinguishedName.