VMware Workspace ONE Access – Horizon 8 Integration

Release date: November 9th 2021, Updated January 25th 2023

Welcome to my VMware Workspace ONE Access series. In this session I will describe how I configured the VMware Horizon integration using the VMware Workspace ONE Access connector I installed in my previous session: VMware Workspace ONE Access – Set Up Connector. As I’m using Cloud Pod Architecture in my VMware Horizon Environment, this has to be accounted for when integrating this into Workspace ONE Access. VMware has provided a comprehensive documentation about VMware Horizon access via VMware Workspace ONE Access here: Providing Access to VMware Horizon Desktops and Applications in Workspace ONE Access (v.22.09)

Anyway, after carefully examining the documentation, I start out by configuring the SAML authentication on my VMware Horizon Connection servers. I navigate to Settings -> Servers -> Connection Server. I select my Connection Server and click Edit…

I go to the Authentication tab and switch the delegation mode to Allowed. This means that my existing users can continue to use passwords for authenticating. Next, I click Manage SAML Authenticators…

Click Add to configure Workspace ONE Access as a SAML Authenticator

I fill in the form with Label, Description, Metadata URL and Administrative URL. I select “Enabled for Connection Server”. OK…

As I used a Self-Signed certificate for the Workspace One Access appliance, a warning about this is displayed, I click View Certificate and Accept…

The settings looks good, OK, OK, OK…

I repeat the process above with my other VMware Horizon Connection Server(s), once done I can configure the Virtual Apps Collection in Workspace ONE Access. From the Resources menu I select Virtual Apps Collection – NEW…

When the wizard launches, I click GET STARTED…

I SELECT Horizon, of course…

I give the Collection a Name and select my one and only Connector, Next…

Next, I click ADD A POD…

I specify my connection server and the service account with administrative permissions in VMware Horizon. (Using FQDN wont work if the Workspace ONE Access appliance don’t have DNS resolution in the ad.admin.frelab.net domain)

I repeat the step above to add my other connection server, as this is in its separate POD

As I’m running Cloud Pod Architecture in my Horizon environment, I select this and click ADD A FEDERATION…

To configure the federation, I provide the Federation Name, the Default Client Access FQDN (The Loadbalancer in front of my UAG’s) and make sure to select both my Pods, ADD…

Once the POD and the FEDERATION is configured, NEXT…

I configure a Weekly Sync Frequency, configure the Activation Policy and Default Launch Client, but leave the rest of the settings as Default, NEXT…

The Summary looks good, SAVE & CONFIGURE

Next, I will configure the Network Ranges. This is a very important step to get correct, as this is where we define the VMware Horizon Entry Points (Connection server/ UAG). As I will be using this only for external access, I will be editing ALL RANGES…

I adjust the Client Access FQDN to point to the loadbalancer in front of my UAG’s, SAVE…

My new Virtual Apps Collection is now ready and after a manual SYNC the Virtual Apps are available…

Finally, I log in with one of my test users and validate functionality…

With that, my session about VMware Horizon integration in Workspace ONE Access, is completed. I can now proceed with configuring the TrueSSO integration, which I have covered here: VMware Workspace ONE Access – VMware Horizon TrueSSO Configuration

Official VMware documentation:

Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.