After you create a Horizon virtual apps collection in Workspace ONE Access, log in to Horizon Console and configure SAML authentication on the Horizon Connection Server instances to allow users to launch Horizon desktops and applications using single sign-on. When SAML authentication is configured, users logged into the Intelligent Hub app or portal can launch their remote Horizon desktops and applications without going through a second login procedure.

You must configure SAML authentication on at least one Horizon Connection Server instance in a pod. The best practice is to configure SAML authentication on all instances in the pod.

If SAML authentication is not configured on some of the Horizon Connection Server instances in a pod, Workspace ONE Access uses the other instances for sync. However, make sure that any instance that does not have SAML authentication configured is not used for launch, otherwise users cannot launch Horizon desktops or applications. Do not use the instance as the Client Access FQDN or, if the Client Access FQDN points to a load balancer, as one of the nodes on the load balancer.

If none of the Horizon Connection Server instances in the pod have SAML authentication configured, sync fails.

Note: You do not need to configure SAML authentication if your organization uses smart card authentication to view resources using a third-party identity provider.


  1. Log in to Horizon Console as a user that has the Administrators role.
  2. Configure SAML authentication on the Horizon Connection Server instances.
    See the relevant version of the VMware Horizon documentation for information.
    Ensure that you specify the FQDN of the Workspace ONE Access service when you configure the SAML Authenticator.
    Important: The Horizon and Workspace ONE Access servers must be in time sync. If the servers are not in time sync, when users access a Horizon application or desktop, an invalid SAML message occurs.

What to do next

Important: If you change any settings or SAML configuration on the Horizon server, and you want to propagate the changes to the Workspace ONE Access service immediately, edit the virtual apps collection page in the Workspace ONE Access console and click Save. Otherwise, updates are propagated at the next sync.