To integrate Horizon pod federations with Workspace ONE Access, make sure that you meet the requirements listed here.

  • Workspace ONE Access supports the Cloud Pod Architecture feature for both applications and desktops.
  • You can integrate a maximum of 10 pod federations with the Workspace ONE Access service. Each federation can contain up to 7 pods.
  • Deploy Horizon Connection Server instances on the default port 443 or on a custom port.
  • Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each Horizon Connection Server instance in your environment. Workspace ONE Access requires reverse lookup for Horizon Connection Server, Security Server, and load balancer instances. If reverse lookup is not properly configured, the Workspace ONE Access integration with Horizon fails.
  • The Workspace ONE Access Virtual App service must be able to reach all the Horizon Connection Server instances in the pod federation.
  • Ensure that the Horizon Connection Servers have valid certificates signed by a trusted Certificate Authority (CA). If you have not obtained CA-signed certificates and are using self-signed certificates temporarily for testing purposes, you must upload the root certificates to the Virtual App service trust store using the Workspace ONE Access connector installer, and then restart the Virtual App service. See Set up Your Workspace ONE Access Environment for Horizon Integration for more information.
  • SAML authentication must be configured in Horizon, with the Workspace ONE Access service specified as the identity provider. You must use the service's fully-qualified domain name as part of the URL. Configuring SAML authentication on all the Horizon Connection Server instances in the pod federation is recommended. See Configure SAML Authentication in Horizon for Workspace ONE Access Integration for more information.

    Extending the SAML metadata expiration period on the Horizon Connection Server instances to 1 year is recommended. See Change the Expiration Period for Service Provider Metadata on View Connection Server for information.

  • Deploy application and desktop pools in the Horizon pods.
    • While configuring desktop pools, ensure that in Remote Settings, you set the Automatically log off after disconnect option to 1 or 2 minutes instead of immediately.
    • You can create pools in any folder in the Horizon server. Ensure that the admin user that you use to sync Horizon entitlements to Workspace ONE Access has root level access so that all pools can be synced.

    If you add or remove application or desktop pools after integrating with Workspace ONE Access, for the changes to appear in the Workspace ONE Access service, you must sync again.

  • Before integrating with the Workspace ONE Access service, you must create the pod federation by initializing the Cloud Pod Architecture feature from one of the pods and joining all the other pods to the federation. Global entitlements are replicated to pods when they join the federation.

    If you join or remove a pod from the pod federation after you integrate the pod federation with the Workspace ONE Access service, you must edit the pod federation details in the Workspace ONE Access console to add or remove the pod, save your changes, and sync again.

  • In your Horizon environment, create global entitlements in the pod federation to entitle Active Directory users or groups to desktops and applications.
  • The global entitlements that you want to sync to Workspace ONE Access must have the All sites scope policy set. Entitlements with any other scope policy are not synced.
    [Screenshot: Global Entitlements page]

  • (Optional) Create local entitlements on the pods, if required.
  • If you integrate Horizon 7.13 or later versions with Workspace ONE Access, end users always see the option in Intelligent Hub to launch applications and desktops in a browser. However, if HTML Client is not installed on the Horizon Connection servers, browser launch fails. For Horizon 7.13 and later versions, you must install HTML Client on the Horizon Connection servers.

For more information about configuring Horizon, see the VMware Horizon documentation.
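
One way to check the reverse-lookup requirement in the list above for each Connection Server, Security Server, and load balancer before starting the integration, as an added example (not VMware code). The host names and addresses are constructed sample data, and reporting a PTR name that differs from the FQDN as `mismatch` is an assumption that is stricter than the page's wording.

```python
import socket
import sys

# Constructed sample records (not from a real environment), using documentation-only names and addresses.
SAMPLE_A = {
    "cs1.example.test": ["192.0.2.10"],
    "cs2.example.test": ["192.0.2.11"],   # has no PTR record below
    "lb.example.test": ["192.0.2.20"],
}
SAMPLE_PTR = {
    "192.0.2.10": "cs1.example.test",
    "192.0.2.20": "old-lb.example.test",  # stale PTR record
}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise socket.gaierror(f"{name}: name not known")
    return SAMPLE_A[name]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(f"{ip}: no PTR record")
    return SAMPLE_PTR[ip], [], [ip]

def system_forward(name):
    # Uses the resolver of the machine the script runs on.
    return socket.gethostbyname_ex(name)[2]

def check_reverse_lookup(fqdn, forward=system_forward, reverse=socket.gethostbyaddr):
    """Return (status, detail); status is ok, no_forward, no_ptr or mismatch."""
    want = fqdn.rstrip(".").lower()
    try:
        addrs = forward(fqdn)
    except OSError as exc:            # socket.gaierror is an OSError
        return "no_forward", str(exc)
    if not addrs:
        return "no_forward", "no address returned"
    for ip in addrs:
        try:
            name, aliases, _ = reverse(ip)
        except OSError as exc:        # socket.herror is an OSError
            return "no_ptr", f"{ip}: {exc}"
        if want not in {n.rstrip(".").lower() for n in [name, *aliases]}:
            return "mismatch", f"{ip} resolves back to {name}"
    return "ok", ", ".join(addrs)

if __name__ == "__main__":
    hosts = sys.argv[1:]              # with no arguments, run against the sample records
    for host in hosts or SAMPLE_A:
        args = () if hosts else (sample_forward, sample_reverse)
        print(host, *check_reverse_lookup(host, *args))
```

Run it from the machine that hosts the Workspace ONE Access connector, passing the FQDN of each server, so the check uses the same resolver the Virtual App service will use.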