When the Workspace ONE Access service is integrated with a validating gateway, such as F5, the Wrap Artifact in JWT setting must be enabled in the Workspace ONE Access service to authenticate Horizon resources assigned to users.

When Wrap Artifact in JWT is enabled to authenticate a Horizon resource launch request, the Workspace ONE Access service generates a digitally signed JWT token that includes the SAML artifact to allow for verification.

This JWT token is sent to the validating gateway in the DMZ. The gateway validates the JWT token from Workspace ONE Access and extracts the SAML artifact value from the token. The gateway forwards the request with the real SAML artifact value to the Horizon Connection Server. The Connection Server verifies the request and the user is signed in to the Horizon resource.

If Wrap Artifact in JWT is not enabled, the validating gateway does not pass the artifact to the Horizon Connection Server for validation and authentication fails.


  • The validating gateway must be configured with the following Workspace ONE Access details.
    • SSL Certificate
    • OAuth2 client ID and secret
    • Workspace ONE Access validation endpoint URL
  • A Super Admin role is required in Workspace ONE Access to perform this procedure.


  1. Log in to the Workspace ONE Access console.
  2. Select Resources > Virtual Apps Collections.
  3. Click the Horizon collection to edit, then click the Network Ranges tab.
  4. Click the network range of IP addresses that the Horizon resource can use.
    The Pod section lists all the Horizon pods that you added to the collection that have the Sync Local Entitlements option selected. See Configure Horizon Pods and Pod Federations in Workspace ONE Access for steps to configure the Client Access FQDNs for pods and pod federations.
  5. In the Pod section, turn on the Wrap Artifact in JWT option on the Horizon environment that is configured.

    Enable JWT on Horizon pod

  6. If more than one validating gateway can process requests, create unique identifiers and add the names to the Audience in JWT text box.
    This audience name is configured in the validating gateway setup and is used to verify that this gateway is the intended audience. If the audience in JWT does not match the audience name configured here, the request is rejected.
  7. Click Save, then click Finish in the Network Ranges page.

What to do next

The unique audience names that you add here must also be added to the validating gateway configuration.