To integrate Horizon Cloud tenants with the Workspace ONE Access service, you create a virtual apps collection in the Workspace ONE Access console. The collection contains configuration information, such as the Horizon Cloud tenant from which to sync assignments, the Virtual App service instance to use for sync, and sync settings.

If you have multiple Horizon Cloud tenants, you can create a separate virtual apps collection for each tenant or configure all the tenants in a single collection, based on your needs. Each collection syncs separately.

Note: This topic applies to Workspace ONE Access integration with Horizon Cloud Service on Microsoft Azure with Single-Pod Broker or Horizon Cloud Service on IBM Cloud, using Workspace ONE Access connector version 22.05 or later.



  1. Log in to the Workspace ONE Access console.
  2. Select Resources > Virtual Apps Collections.
  3. Click New.
  4. Select Horizon Cloud as the source type.

    Four tiles are displayed: Horizon, Citrix, ThinApp Package, and Horizon Cloud.
  5. In the New Horizon Cloud Collection wizard, enter the following information in the Connector page.
    Option Description
    Name Enter a unique name for the Horizon Cloud collection.
    Connector Select the connectors to use to sync this collection. You can add multiple connectors and arrange them in failover order. Only connectors that have the Virtual App service installed appear in the list.
    Important: A maximum of five connector instances is supported per Horizon Cloud virtual apps collection.
    For example:
    The connector page of the wizard has a collection named Horizon Cloud Desktops and Apps and a active connector.
  6. Click Next.
  7. In the Tenant page, click Add a Tenant and enter your Horizon Cloud tenant information.
    Important: Do not use non-ASCII characters when you enter your domain information.
    Option Description
    Host Fully-qualified domain name of your Horizon Cloud tenant host. For example:
    Port Port number of your Horizon Cloud tenant host. For example: 443
    Admin User User name for your Horizon Cloud tenant administrator account. For example: tenantadmin
    Admin Password Password for your Horizon Cloud tenant administrator account.
    Admin Domain Active Directory NETBIOS domain name in which the Horizon Cloud tenant administrator resides.
    Domains to Sync Active Directory NETBIOS domain names for syncing Horizon Cloud resources and entitlements.
    Assertion Consumer Service URL

    The URL to which to post the SAML assertion. This URL is typically the Horizon Cloud tenant's floating IP address or hostname, or the Unified Access Gateway URL. For example,

    True SSO Select this option only if True SSO is enabled for the Horizon Cloud tenant.

    When this option is enabled, users logged into the Intelligent Hub portal or app with a non-password authentication method such as SecurID will not be prompted for a password when they launch their Windows desktops.

    Custom ID Mapping You can customize the user ID that is used in the SAML response when users launch Horizon Cloud applications and desktops. By default, User Principal Name is used. You can choose to use other name ID formats such as sAMAccountName or email address and customize the value.

    Name ID Format: Select the name ID format, such as Email address or User Principal Name. The default value is Unspecified (username).

    Name ID Value: Click Select from suggestions and pick from a predefined list of values or click Custom value and enter the value. This value can be any valid Expression Language (EL) expression such as ${user.userName}@${user.domain}. The default value is ${user.userPrincipalName}.
    Note: Ensure that the attributes you use in the expression are mapped attributes in the VMware directory. You can view mapped attributes in the directory's Sync Settings tab. In the above example, userName, userPrincipalName, and domain are directory mapped attributes.

    The ability to select the name ID format is useful in scenarios such as the following:

    • When users from multiple sub-domains are synced, User Principal Name may not work. You can use a different name ID format such as sAMAccountName or email address to uniquely identify users.
    Important: Ensure that you use the same name ID format setting in Horizon Cloud and Workspace ONE Access.
    For example:
    Host value is, Port is 443, Admin User is tenantadmin, Admin Domain is FTE, Domains to Sync is FTE.
  8. Click Add.
  9. Add other tenants, if required, then click Next.
  10. In the Configuration page, enter the following information.
    Option Description
    Sync Frequency Select how often you want to sync the resources in the collection.

    You can set up an automatic sync schedule or choose to sync manually. To set a schedule, select the interval such as daily or weekly and select the time of day to run the sync. If you select Manual, you must click Sync > Sync with safeguards or Sync > Sync without safeguards on the virtual apps collections page after you set up the collection and whenever there is a change in your Horizon Cloud resources or entitlements.

    For more information about sync, see Syncing Virtual Apps Collections in Workspace ONE Access.

    Safeguards Thresholds Limits Configure sync safeguard thresholds if you want to limit the number of changes that can be made to applications, desktops, and assignments when the virtual apps collection syncs. If any of the thresholds is met, sync is cancelled.

    By default, Workspace ONE Access sets the threshold for all categories to 10%.

    Sync safeguards are ignored the first time a collection syncs and are applied to all subsequent syncs.

    For more information about sync safeguards, see Syncing Virtual Apps Collections in Workspace ONE Access.

    Activation Policy Select how you want to make resources in this collection available to users in the Intelligent Hub portal and app. If you intend to set up an approval flow, select User-Activated, otherwise select Automatic.

    With both the User-Activated and Automatic options, the resources are added to the Apps tab. Users can run the resources from the Apps tab or mark them as favorites and run them from the Favorites tab. However, to set up an approval flow for any of the apps, you must select User Activated for that app.

    The activation policy applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the user or group page available from the Accounts > Users or Accounts > User Groups pages.

    Default Launch Client Select the default client for end users accessing Horizon Cloud desktops and apps from the Intelligent Hub portal or app.

    None: No default preference is set at the administrator level. If this option is set to None and the end user does not set a preference either, the Horizon Default display protocol setting is used to determine how to launch the desktop or application.

    Browser: Desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting.

    Native: Desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting.

    This setting applies to all users for all resources in this collection.

    The following order of precedence, listed from highest to lowest, applies to the default launch client settings:

    1. End user preference setting, set in Intelligent Hub.
    2. Administrator Default Launch Client setting for the collection, set in the Workspace ONE Access console.
    3. Horizon Cloud default protocol settings
    For example:
    Sync Frequency is Weekly, Sync Time is Sunday 23:55, Activation Policy is User-Activated, Default Launch Client is Native.
  11. Click Next.
  12. In the Summary page, review your selections, then click Save.


The collection is created, and it appears in the Virtual Apps Collections page. Resources in the collection are not yet synced. After you finish setting up the integration, you can either wait for the next scheduled sync or sync manually.

What to do next

Configure SAML authentication in the Horizon Cloud tenant to enable trust between the Workspace ONE Access service and the Horizon Cloud tenant. You cannot launch any applications until SAML authentication is configured.