Integrating Horizon pod federations with Workspace ONE Access has the following requirements.

  • Workspace ONE Access supports the Cloud Pod Architecture feature in Horizon 6.2 and later, for both applications and desktops.
  • You can integrate a maximum of 10 pod federations with the Workspace ONE Access service. Each federation can contain up to 7 pods.
  • Deploy Horizon Connection Server instances on the default port 443 or on a custom port.
  • Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each Horizon Connection Server instance in your environment. Workspace ONE Access requires reverse lookup for Horizon Connection Server, Security Server, and load balancer instances. If reverse lookup is not properly configured, the Workspace ONE Access integration with Horizon fails.
  • The Workspace ONE Access connector must be able to reach all the Horizon Connection Server instances in the pod federation.
  • SAML authentication must be configured in Horizon, with the Workspace ONE Access service specified as the identity provider. You must use the service's fully-qualified domain name as part of the URL. Configuring SAML authentication on all the Horizon Connection Server instances in the pod federation is recommended. See Configure SAML Authentication in Horizon for more information.

    Extending the SAML metadata expiration period on the Horizon Connection Server instances to 1 year is recommended. See Change the Expiration Period for Service Provider Metadata on View Connection Server for information.

  • Horizon Connection Server certificates will be synced to Workspace ONE Access.
  • Deploy application and desktop pools in the Horizon pods.
    • While configuring desktop pools, ensure that in Remote Settings, you set the Automatically log off after disconnect option to 1 or 2 minutes instead of immediately.
    • You can create pools in any folder in the Horizon server. Ensure that the admin user that you use to sync Horizon entitlements to Workspace ONE Access has root level access so that all pools can be synced.

    If you add or remove application or desktop pools after integrating with Workspace ONE Access, for the changes to appear in the Workspace ONE Access service, you must sync again.

  • You must create the pod federation, by initializing the Cloud Pod Architecture feature from one of the pods and joining all the other pods to the federation, before integrating with the Workspace ONE Access service. Global entitlements are replicated to pods when they join the federation.

    If you join or remove a pod from the pod federation after you integrate with the Workspace ONE Access service, you must edit the pod federation details in the Workspace ONE Access console to add or remove the pod, save your changes, and sync again.

  • In your Horizon environment, create global entitlements in the pod federation to entitle Active Directory users or groups to desktops and applications.
  • The global entitlements that you want to sync to Workspace ONE Access must have the All sites scope policy set. Entitlements with any other scope policy are not synced.
    Global Entitlements page

  • To enable end users to launch desktops or application in a Web browser, select the HTML Access option for the global entitlement in Horizon.
  • (Optional) Create local entitlements on the pods, if required.

For more information about configuring Horizon, see the Horizon 6 or Horizon 7 documentation.