After you create a Horizon virtual apps collection in Workspace ONE Access, log in to Horizon Console and configure SAML authentication on the Horizon Connection Server instances to allow users to launch Horizon desktops and applications using single sign-on. When SAML authentication is configured, users who are logged in to Workspace ONE can launch their remote Horizon desktops and applications from the Intelligent Hub app or portal without going through a second login procedure.

You must configure SAML authentication on at least one Horizon Connection Server instance in a pod. Configuring SAML authentication on all instances in the pod is recommended.

If SAML authentication is disabled on some of the Horizon Connection Server instances in a pod, Workspace ONE Access uses the other instances for sync. However, ensure that any instance that has SAML authentication disabled is not used for launch; otherwise, users cannot launch Horizon desktops or applications. Do not use such an instance as the Client Access FQDN or, if the Client Access FQDN points to a load balancer, as one of the nodes on the load balancer.

If SAML authentication is disabled on all the Horizon Connection Server instances in the pod, sync fails.

Note: You do not need to configure SAML authentication if your organization uses smart card authentication to view resources using a third-party identity provider.

Procedure

  1. Log in to Horizon Console as a user that has the Administrators role.
  2. Configure SAML authentication on the Horizon Connection Server instances.
    See the relevant version of the VMware Horizon documentation for information.
    Ensure that you specify the FQDN of the Workspace ONE Access service when you configure the SAML Authenticator.
    Important: The Horizon and Workspace ONE Access servers must be in time sync. If the servers are not in time sync, when users access a Horizon application or desktop, an invalid SAML message occurs.
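
The time-sync requirement can be illustrated with the validity window that SAML 2.0 assertions carry in their Conditions element (NotBefore and NotOnOrAfter): a receiver whose clock has drifted evaluates an otherwise valid assertion as not yet valid or expired. The following is an added example, not VMware code; the sample assertion, timestamps, function names and the skew tolerance are constructed assumptions and do not describe Horizon's actual tolerance.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion issued at 12:00:00 UTC with a 3-minute
# validity window. Signature verification is out of scope for this sketch.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:03:00Z"/>
</saml:Assertion>
"""

def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_validity_window(assertion_xml, receiver_clock, allowed_skew=timedelta(0)):
    """Return (ok, reason) for the assertion as seen by the receiver's clock."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = _parse_ts(cond.attrib["NotBefore"])
    not_on_or_after = _parse_ts(cond.attrib["NotOnOrAfter"])
    if receiver_clock + allowed_skew < not_before:
        return False, "not yet valid"   # receiver clock is behind the issuer
    if receiver_clock - allowed_skew >= not_on_or_after:
        return False, "expired"         # receiver clock is ahead of the issuer
    return True, "valid"

def simulate_drift(assertion_xml, true_time, drift_seconds, allowed_skew=timedelta(0)):
    """Evaluate the assertion on a receiver whose clock is off by drift_seconds."""
    drifted = true_time + timedelta(seconds=drift_seconds)
    return check_validity_window(assertion_xml, drifted, allowed_skew)

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 5, tzinfo=timezone.utc)  # 5 s after issuance
    for drift in (0, -30, 240):
        print(f"drift {drift:+d}s ->", simulate_drift(SAMPLE_ASSERTION, now, drift))
```
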

What to do next

Important: If you change any settings or SAML configuration on the Horizon server, and you want to propagate the changes to the Workspace ONE Access service immediately, edit the virtual apps collection page in the Workspace ONE Access console and click Save. Otherwise, updates are propagated at the next sync.