Integrating Workspace ONE Access with Horizon 8 using the new 21.08 Access Connector

Post navigation

If you wish to have a single portal where you offer your staff virtual desktops, web applications, remote desktop applications, you may wish to leverage Workspace ONE Access.

Workspace ONE Access offers a friendly application portal as shown below:

This example Workspace ONE application catalog is available from VMware TestDrive which clients and partners can try out for a free 30 day trial.  Please contact your VMware contact for an invitation.

You can leverage the Sandbox Workspace ONE tenant in TestDrive, or VMware can provide you with an appropriate tenant for production.

I’ll previously referred to two excellent articles by Justin Johnson (VMware) on how you can configure Workspace ONE Access to connect to your existing Active Directory and secondly configure Workspace ONE Access to publish your Horizon VDI desktops.

• Integrating A Cloud Instance Of VMware Identity Manager With Active Directory – link
• Cloud Options For Accelerating Workspace One Adoption In Traditional Horizon Environments – link

The following blog article details the integration of Horizon 8 with the new 21.08 Access Connector.

Horizon 8 SAML Configuration

Prior to setting up and syncing the Access connector with the Horizon environment, the Horizon Connection server must have SAML authentication enabled and SAML authenticators created.

Within the Horizon Administrator, navigate to Settings – Server – Connection Servers. Select the Connection server you want to integrate with Access with and select Edit. Select Authentication.

Change the setting Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) from Disabled to Allowed. Then click the Add button to create a new SAML authenticator as shown.

You’ll replace the text <YOUR SAML AUTHENTICATOR NAME> with the DNS name of your Access Server. In my case, I entered darrylmtd-440.vmwareidentity.com

Click OK then Save. You’ve now enabled this within Horizon.

Horizon 8 Connection Server Certificate

For the new Access 21.08 Connector to work correctly with Horizon, it needs to trust the certificate on Horizon server. This is typically public certificate. If you’re using an internal certificate, it needs to upload the internal root and any intermediate certificates (which we’ll detail below).

If you haven’t setup Horizon with an internal certificate authority the following two videos explain the process you need to follow using an internal Microsoft CA.

Part 1) Creating SSL certificate Template for a Horizon connection server – link 

Part 2)   Generating and replacing self signed certificate for Horizon connection server – link

Installing the Access Connector

The next step is to install the Workspace ONE Access Connector as follows:

1. Log in to Workspace ONE Access.
2. Select Identity & Access Management.
3. Select Connectors.
4. Click New.
5. Click Go to MyVMware.com and download the latest version of the connector to your computer (21.08)
6. Click Next.
7. Enter a password for the configuration file, such as VMware1!VMware1! (as the password must be a minimum of 14 characters)
8. Click Download Configuration File and save this to your computer. Click Next.
9. Copy the connector and configuration file to your Windows server.
10. Install the connector and select a custom installation
11. When prompted, select your internal root (and any intermediate certs) as shown:

12. Complete the rest of the Access Connector installation wizard.

13. On the Access admin portal, you’ll see the connector as activated as shown.

Adding an Active Directory to Access

The next step is to add your on-premises Active Directory (AD) to Access and synchronise your users and groups. It’s important to synchronise the groups which are also used within Horizon.

1. Log in to Workspace ONE Access.
2. Select Identity & Access Management.
3. Select Manage.
4. Select Directories.
5. Select Add Directory > Add Active Directory over LDA
6. Enter a Directory name.
7. Accept the Directory Sync and Authentication defaults.
8. Enter the Bind User Details for your Active Directory. For example:

Note: An easier way to collect this information is to enable Advanced Features in Active Directory Users and Computers. Then select Properties > Attribute > select the required value > View and copy your required attribute.

1. Click Save & Next.
2. Confirm the Directory is selected and click Next.
3. Review the Map User Attributes and click Next.
4. Enter the group(s) that you want to synchronize to Access by entering their names. Select them as required. Click Next to continue.
5. Enter the name(s) of Organizational Unit (OU) which contain users that you would like synchronize to Access. Click Next to continue.
6. Select the Sync Frequency and select Sync Directory.
7. If you select Users & Groups > Users, you should see some of your Active Directory users synchronizing to Access.
8. Likewise, select Users & Groups > Groups and review your groups have been synchronized to Access. You can select each group and select the Users tab. Then select Sync Users as required.

Your directory should be synchronised as shown:

Your IDP for your directory should have a similar configuration:

You can test that this is working correctly by logging into your Access portal using an AD users.

Creating A Virtual App Collection

The next step is to setup Access with your on-premises Horizon applications.

1. From the Access Admin console, click on Catalog – Virtual Apps Collection

2. Select Horizon

3. Enter a name and choose your Access Connector as shown

4. Select Add a Pod

5. Enter your Horizon pod details. My Horizon connection server URL is shown in this example:

6. Select Add then click Next

7. Select the Sync Frequency

8. Review the Add Operation and Delete Operation values then click Next

9. Click Save and Configure.

If you see the following error, then you likely haven’t added the root and intermediate certificates to the Access Connector as detailed above.

If everything is working fine, you’ll see the following screen:

If you now select Catalog – Virtual Apps you should see all of your Horizon on-prem applications similar to the following example:

When the user logs into the Access portal, they will see not only their Web (SaaS) applications but also the Horizon applications too !

Thats it! If you have any issues, please post your queries here or to the Horizon Communities page.