Before you integrate your Horizon Cloud tenant with Workspace ONE Access, ensure that you meet the prerequisites listed in this topic. This information applies to Workspace ONE Access integration with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker and Horizon Cloud Service on IBM Cloud environments, using Workspace ONE Access connector version 22.05 or later.
- Verify that you have the following components:
- A Workspace ONE Access tenant
- One or more Horizon Cloud tenants
- One or more instances of the Virtual App service, version 22.05 or later, installed on premises. The Virtual App service is a component of the Workspace ONE Access connector.
- In Workspace ONE Access connector version 22.05 and 22.09, the Virtual App service does not support Federal Information Processing Standards (FIPS) mode. To use the Virtual App service, you must install the Workspace ONE Access connector in non-FIPS mode.
- All Virtual App service instances must be able to reach the Horizon Cloud tenants.
- One or more instances of the Directory Sync service installed on premises. The Directory Sync service is a component of the Workspace ONE Access connector and syncs users and groups from Active Directory to Workspace ONE Access.
- Verify that each Horizon Cloud tenant meets the following requirements.
- The tenant name must be a fully qualified domain name (FQDN), not just a host name. For example, server-ta1.example.com instead of server-ta1.
- The tenant appliances must have valid, signed certificates issued by a CA. The certificate must match the FQDN of the tenant appliance. If the tenant appliances have self-signed certificates, you must upload the self-signed certificates as trusted root certificates on the Workspace ONE Access connector. You can upload the certificates by running the connector installer again and uploading the certificates on the Install Trusted Root Certificates page.
- Ensure that the Horizon Cloud tenant's underlying Horizon servers have valid certificates signed by a trusted Certificate Authority (CA). If you have not obtained CA-signed certificates and you are using self-signed certificates temporarily for testing purposes, you must upload the root certificates to the Virtual App service trust store using the Workspace ONE Access connector installer, and then restart the Virtual App service.
- If the Workspace ONE Access connector is using an outbound proxy server, the proxy server must have a valid, CA-signed certificate. If the proxy server has a self-signed certificate, you must upload its root certificate as a trusted root certificate on the connector.
- Ensure that the Horizon Cloud tenants and the Workspace ONE Access service are in time sync. If they are not in time sync, an invalid SAML error can occur when users run Horizon Cloud desktops and applications.
- Create and configure desktop and application pools, also known as assignments, in the Horizon Cloud console. You can create the following types of pools in the Horizon Cloud tenant:
- Dynamic desktop pool, also known as floating desktop assignment
- Static desktop pool, also known as dedicated desktop assignment
- Session-based pool with desktops, also known as session desktop assignment
- Session-based pool with applications, also known as remote application assignment
For more information about the types of pools, see the Horizon Cloud documentation. Note that this information might be specific to the type of Horizon Cloud environment.
- Set user and group entitlements to Horizon Cloud desktops and applications in the Horizon Cloud console.
- In the Workspace ONE Access console, ensure that users and groups with Horizon Cloud entitlements are synced from Active Directory to Workspace ONE Access using directory sync.
Follow these guidelines:
- If you are integrating multiple Horizon Cloud tenants, ensure that you add all the relevant directories and domains to Workspace ONE Access so that users with entitlements in any of the Horizon Cloud tenants are synced to Workspace ONE Access.
- sAMAccountName must be set as the directory search attribute for the directory in Workspace ONE Access.
- Ensure that the distinguishedName attribute is mapped to the Active Directory attribute distinguishedName.
Note: Users must have the distinguishedName attribute set. If the distinguishedName attribute is not set for a user, the user might not be able to run desktops and applications.
- In the Workspace ONE Access console, navigate to the page.
- Select the directory that contains the users and groups with Horizon Cloud entitlements.
- On the directory page, click Sync Settings, then select the Mapped Attributes tab.
- Verify that the distinguishedName attribute is mapped to the Active Directory distinguishedName attribute.