The last two years, I’ve been busy with a lot of VMware Horizon DaaS projects in EMEA. Horizon DaaS is a platform that is usually installed in a Service Provider datacentre. With the Horizon DaaS platform, the Service Provider centrally manages all customers (tenants) through the Service Center portal. For each separate tenant, VMware Horizon DaaS provides a user portal where the end-users consume the published applications and desktop resources.
With the integration of Identity Manager, this offering can be extended to also provide a self-service catalog, conditional access controls and Single Sign-On (SSO) for SaaS, Web, Cloud and native Mobile applications.
In this blog post, I will show you how to integrate these services together.
Installation and basic configuration
The installation of the Identity Manager appliance itself is straightforward and not covered in this blog post. The basic installation steps that must be completed before you can proceed with the Horizon DaaS integration are the following:
- Appliance (OVF) installation
- Adding the license file
- Active Directory integration
- Certificate installation
There are several articles available that describe how to perform the basic configuration. I personally used the one Carl Stalhood posted a while ago.
Before we proceed, let’s explain my current lab environment:
- ESXi and vCenter, version 6.0 Update 3
- A fully installed Horizon DaaS 7.0 platform, containing two test tenants
- Identity Manager, version 2.8.1. Single appliance, not clustered.
Integration with the Horizon DaaS platform
Once the basic configuration of the Identity Manager appliance is complete, we can continue with the integration with the Horizon DaaS platform. Because Horizon DaaS shares the same codebase as Horizon Cloud (formerly known as Horizon Air), we can use this article as a reference.
Step 1: Make sure the Portal FQDN matches the server certificate.
Open the Appliance Configurator, select Identity Manager FQDN.
Fill in the correct FQDN; this must match the external portal URL.
Next, open the menu option Install Certificate.
There are two options available:
- Terminate SSL on Identity Manager: The server, root and key files are installed on the Identity Manager appliance. With this option, the SSL traffic is decrypted at the Identity Manager appliance. If there is a load balancer in front, there is no requirement to install the server certificate on the load balancer itself; it can be configured with the SSL_Bridge option to pass the SSL traffic through.
- Terminate SSL on Load Balancer: On the Identity Manager appliance, you only need to install the root certificate. The server, root and key files are installed on the load balancer, and this device decrypts the SSL traffic.
In my lab environment, I had to install the server, root and key files on the Identity Manager appliance, even though I had already installed these on the load balancer. Without this, I wasn’t able to configure the Federation Artifact (see Step 3).
Step 2: Configure the Horizon Admin IDM URL.
Open the Identity Manager Admin Console. Click Catalog, Settings. Click the hyperlink Identity Provider (IdP) metadata.
The metadata XML file will open. Copy the “entityID” URL, as shown below.
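The document behind the Identity Provider (IdP) metadata link is standard SAML 2.0 metadata, so the entityID can also be extracted programmatically and every URL in it checked against the FQDN configured in Step 1, which must match the external portal URL. The following is an added example, not code from the original post or from VMware; the metadata document and the host name idm.lab.example are constructed placeholders.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace (standard, not specific to this post).
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of what the IdP metadata link returns; the host name
# idm.lab.example is a placeholder, not a value taken from the post.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idm.lab.example/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idm.lab.example/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idm.lab.example/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the EntityDescriptor root element.

    This is the URL the post tells you to copy into the Horizon Admin portal.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    return entity_id


def check_metadata_hosts(metadata_xml: str, expected_fqdn: str) -> list[str]:
    """Return every URL in the metadata that is not https or whose host
    differs from the Identity Manager FQDN set in the Appliance Configurator.

    An empty list means the IdP URLs agree with the configured FQDN.
    """
    root = ET.fromstring(metadata_xml)
    urls = [root.get("entityID", "")]
    urls += [e.get("Location", "") for e in root.iter(f"{{{MD}}}SingleSignOnService")]
    expected = expected_fqdn.lower()
    return [u for u in urls
            if urlparse(u).scheme != "https" or urlparse(u).hostname != expected]
```

Feed the script the XML saved from the metadata link and the FQDN entered in Step 1; any URL it lists points at a host other than the one the server certificate was issued for.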
Before we can add this URL to the Horizon Admin portal, we must first check that the Identity Manager integration is enabled. In Service Center, edit the Tenant Policy and search for the option “vidm.integration.enabled”. Set this option to “true”, as shown below.
Please note: In most cases, the above option cannot be set by customers (i.e. tenant administrators) themselves; they must request this configuration from their Service Provider.
Next, open the Horizon Admin portal. Go to Settings, General Settings. Click the Edit button.
Paste the previously copied IDM URL. Set the Timeout SSO token (the default is zero) and specify the tenant user portal FQDN.
Please note: Without the mentioned Tenant Policy setting, this option is not available.
If correctly configured, you will see a green status indicator.
Step 3: Add the Horizon DaaS Federation Artifact.
Open the Identity Manager Admin Console, open the Catalog menu option, select Settings and choose Horizon Air in the left menu.
Here, you must fill in the full FQDN of the tenant user portal URL. For the tenant appliance URLs, it doesn’t really matter what’s filled in: it can be the tenant user portal FQDN, the tenant IP addresses, or each individual tenant DNS address.
After the configuration is complete, click Save.
Once the Federation Artifact is saved, select the hyperlink Accept Certificate.
At this point, you will receive a warning as shown in the image above. Don’t worry, this can safely be ignored. The important part is that the Federation Artifact configuration is saved.
Step 4: Add and Synchronize the Horizon DaaS applications
Open the Identity Manager Admin Console, open the Catalog menu option and select Application Catalog.
On the right, click Manage Desktop Applications, Horizon Air Application.
Fill in all required information. Make sure you add a (service) account which is an administrator in the Horizon Admin portal.
If you click Save, you should see the message “Values have been saved” at the top left. After about 5 minutes, a Sync Now button should appear in the bottom left corner.
Synchronize the Horizon DaaS resources. After another wait of about 5-10 minutes, the resources from the Horizon DaaS environment should become available in the Application Catalog menu.
Once you entitle user(s) or group(s) to the applications, these should become available to the end-user in the Workspace ONE portal!