VMware Workspace ONE integrates with VMware Horizon Cloud to provide a simple and secure enterprise platform that allows end users to access their applications, data and services from any device, anywhere. Both platforms were built to integrate with each other, which provides a single user interface (UI) through the Workspace ONE enterprise catalog, to deliver applications to end users.
About Workspace ONE
Workspace ONE combines identity, real-time application delivery and mobility management to provide a digital workspace to your end users. This digital workspace delivers Software-as-a-Service (SaaS) applications, public native mobile applications—and when integrated with Horizon Cloud, virtual applications and desktops—all from a single, unified application store.
About Horizon Cloud
Horizon Cloud enables the delivery of cloud-hosted or on-premises virtual desktops and applications. With Horizon Cloud, you can use a cloud-based management plane, and even cloud-hosted infrastructure, instead of deploying the entire infrastructure traditionally needed to support VDI desktops and RDS applications. Your IT organization can focus on delivering applications and desktops, instead of spending time maintaining the infrastructure.
Benefits of Integration
The integration of Workspace ONE and Horizon Cloud provides a number of benefits:
Single Sign-On
One of the primary advantages that Workspace ONE and Horizon Cloud provide is secure, single sign-on (SSO) to both desktops and applications. This provides simplicity and ease of access while maintaining security. Users can use either the Workspace ONE web-based portal from any HTML 5 web browser or the Workspace ONE mobile application. And when used with an iOS-based device, users can use Touch ID for SSO.
Two-Factor Authentication
Workspace ONE provides multiple multi-factor authentication methods, such as RSA, RADIUS, Certificate, Kerberos, and VMware Verify, to protect your environment beyond the basic user ID and password. Workspace ONE also provides two-factor authentication (2FA) for Horizon Cloud to secure your Digital Workspace.
In addition, you can utilize step-up authentication, which allows additional multi-factor authentication beyond the initial authentication into Workspace ONE when accessing a desktop or application. This increases the security by requiring two-factor authentication to access a specific desktop or application, even if you don’t require it to access Workspace ONE.
Three Integration Options
Both Horizon Cloud and Workspace ONE have a cloud hosted option and an on-premises option. You can integrate the Horizon Cloud options with the Workspace ONE options in the following configurations:
Figure 2: Possible Integration Configuration Options
Although the two types of deployment have unique architecture requirements, both require an on-premises component. The on-premises component can be a virtual appliance or a Windows server, based on the type of deployment. For more information on the different deployments and their architecture, see VMware Workspace ONE Documentation.
Integration 1: Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud
Horizon Cloud with Hosted Infrastructure supports only Workspace ONE Cloud.
Figure 3: Integration 1: Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud
Figure 4 illustrates the integration option for Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud. The VMware Identity Manager Connector (a) is deployed on-premises in your data center. This integrates with your Active Directory and synchronizes the resources between Horizon Cloud and Workspace ONE, along with desktop and application entitlements. This synchronization between the VMware Identity Manager Connector and Horizon Cloud occurs over the VPN or Direct Connect (b), which connects your data center to your Horizon Cloud tenant (c). The VMware Identity Manager Connector then synchronizes the resources and entitlements to the VMware Identity Manager (IDM) Cloud service (d).
Figure 4: Integration 1: Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud
Integration 2: Horizon Cloud On Premises and Workspace ONE On Premises
Horizon Cloud with On-Premises Infrastructure supports both the on-premises and cloud versions of Workspace ONE.
Figure 5: Integration 2: Horizon Cloud On-Premises and on-premises version of Workspace ONE
You can use Horizon Cloud with On-Premises Infrastructure to run desktops and applications in your data center using Hyper Converged Infrastructure (HCI) Appliances, but with a cloud-based control plane.
Figure 6 illustrates the integration option for Horizon Cloud On-Premises Infrastructure and on-premises version of Workspace ONE. VMware Identity Manager (a) is deployed as a virtual appliance in your data center. This provides integration with your Active Directory (b) and also performs the synchronization of the resources between Horizon Cloud and Workspace ONE (c), along with desktop entitlements.
Figure 6: Integration 2: Horizon Cloud On-Premises and on-premises version of Workspace ONE
Integration 3: Horizon Cloud On Premises and Workspace ONE Cloud
Horizon Cloud with On-Premises Infrastructure supports both the on-premises version of Workspace ONE and Workspace ONE Cloud.
Figure 7: Integration 3: Horizon Cloud On Premises and Workspace ONE Cloud
For Workspace ONE Cloud, the VMware Identity Manager Connector (a) is deployed on-premises in your data center (b). This provides integration with your Active Directory and also performs the synchronization (c) of the resources between Horizon Cloud and Workspace ONE, along with desktop entitlements. The VMware Identity Manager Connector then synchronizes the resources and entitlements to the IDM Cloud service (d).
Figure 8: Integration 3: Horizon Cloud On Premises and Workspace ONE Cloud
Tips on How to Integrate
To integrate Horizon Cloud with Workspace ONE, you deploy VMware Identity Manager or VMware Identity Manager Connector on-premises with one of the Horizon Cloud Service options described earlier. To start the integration, ensure that VMware Identity Manager or VMware Identity Manager Connector is configured and integrated with your Enterprise Directory.
For more information, see the VMware Horizon Cloud Service Documentation or VMware Workspace ONE Documentation.
Enable Horizon Cloud Desktops and Applications in VMware Identity Manager
With a Horizon Cloud and Workspace ONE integration, you can use the VMware Identity Manager Administration Console, a component of Workspace ONE, to enable desktops and applications.
- Log in to the VMware Identity Manager Administration Console.
- In the Catalog tab, select Manage Desktops and Applications > Horizon Cloud.
- Select Enable Horizon Cloud Deployments and Applications.
- Enter the following information for your environment:
- Click Save.
- Click Sync now to sync Desktop and App entitlements from the Horizon Cloud environment.
Configure SAML Authentication
You should configure SAML authentication between Horizon Cloud and VMware Identity Manager, the identity provider, to enable trust between the two. To establish trust, you first create a Federation Artifact for Horizon Cloud, then set up custom user ID mapping, and finally configure SAML authentication.
Create Federation Artifact for Horizon Cloud
To enable trust between Horizon Cloud and VMware Identity Manager, you create the Federation Artifact in the VMware Identity Manager Administration Console and add a SAML authentication in the Horizon Cloud Administration Console.
- In the VMware Identity Manager Administration Console, click the arrow on the Catalog tab and select Settings.
- In the left pane, select Horizon Cloud.
- Enter the following information for your Horizon Cloud environment:
- Click the Accept Certificate link next to the Tenant Appliance URLs.
- Click Save.
After creating a federation artifact, set the custom User ID mapping.
Custom User ID Mapping
You can use custom User ID Mapping to customize the user ID that is used in the SAML response when users launch Horizon Cloud Desktops and Applications. You can resolve SSO launch failures that are caused by a mismatch of the user ID attribute between VMware Identity Manager and Horizon Cloud.
- In the VMware Identity Manager Administration Console, click the arrow on the Catalog tab and select Settings.
- Click Horizon Cloud on the left.
- In the Horizon Cloud page, specify the name ID format to use.
- Click Save.
After setting the custom User ID mapping, configure the SAML authentication.
Configure SAML Authentication in Horizon Cloud
To configure SAML authentication in Horizon Cloud:
- In the VMware Identity Manager Administration Console, click the arrow on the Catalog tab and select Settings.
- In the left pane, click SAML Metadata.
- Click the Identity Provider (IdP) metadata link.
- Make a note of the URL from the browser’s address bar, such as https://VMwareIdentityMangerFQDN/SAAS/API/1.0/GET/metadata/idp.xml
- Log in to the Horizon Cloud Tenant.
- Navigate to Settings > General Settings > Edit.
- In the VMware Identity Manager section, enter the following required information:
- Click Save.
Enforce User Authentication through Workspace ONE Portal
You can set Horizon Cloud to enforce end user authentication through the Workspace ONE portal, requiring SAML-based authentication.
Figure 13: Enforcing User Authentication
- In the Administration Console, navigate to Settings > General Settings, and click Edit.
- In the User Account Configuration section, make selections according to your organization’s needs.
- Force Remote Users to vIDM – When set to Yes, users that are trying to access their desktops from locations outside of your corporate network must log in to their Workspace ONE portal and access desktops and applications from that portal.
- Force Internal Users to vIDM – When set to Yes, users that are trying to access their desktops from locations within your corporate network must log in to their Workspace ONE portal and access desktops and applications from that portal.
- Click Save to confirm the configuration to the system.
After you verify that user authentication is enforced, your users can launch desktops and applications securely from Workspace ONE.
Launch a Desktop or Application using Horizon Client or Supported Browser
Your end users can use either the Horizon Client or any supported HTML 5 browser to launch desktops and applications.
- In the Workspace ONE portal, click Bookmarks.
- Double-click the desktop or application to launch.
To Wrap This Up
Step-by-step documentation on how to integrate Horizon Cloud with VMware Identity Manager can be found in the VMware Horizon Cloud Service Documentation and VMware Workspace ONE Documentation. If you want to try configuring the integration yourself, but do not have a Horizon Cloud or Workspace ONE environment yet, you are in luck. At VMworld, we are releasing a Hands-on-Labs for Horizon Cloud, which contains an entire module that walks you through the configuration of the integration. Make sure to check out HOL-1856-ADV-1 in the Hands-on-Labs at VMworld in Las Vegas!