In a blog post I created a while ago I explained how to integrate Horizon DaaS 7.0 with an on-premises installation of Identity Manager.
In this blog, I will explain how to integrate the newest Horizon DaaS version, DaaS 8.0, with Workspace One. The only difference is that I will no longer use an on-premises installation of Identity Manager, but the cloud-hosted (SaaS) solution by VMware.
This is Part 1 of the blog series. In future blogs, I will explain how to integrate other services into Workspace One, such as AirWatch (Workspace One UEM).
Current Environment
Before we proceed, let's describe our current lab environment:
- ESXi and vCenter, version 6.5 Update 1, with separate clusters and vCenters for management and VDI workloads.
- A fully installed Horizon DaaS 8.0 platform, containing one test Tenant environment.
- Tenant Connector Server: lc-cs01.
Connector Server requirements
Since the Identity Manager appliance is hosted by VMware, we do not need to import any OVF file or install a license file.
Instead, we must create a connection between our on-premises Tenant environment and the VMware SaaS Identity Manager. To do this, we install the VMware Identity Manager Connector Installer for Windows on a server that meets at least the following requirements:
- Specs: 2vCPU, 6GB Memory, 50GB HDD
- OS: Windows Server 2008 R2. I personally used Windows Server 2016
- Active Directory Service Account for agent service and for authentication to backend systems
- Internal Network Ports. Please refer to this article.
- Outbound internet connection to the following cloud-hosted IP addresses.
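As an added example (not part of the original post or of VMware's installer), the requirements above can be checked on the candidate connector server before running the installer. The hostname in $OutboundTargets is a placeholder; put the cloud-hosted addresses VMware lists for your tenant there. The script assumes PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example (not part of the original post): pre-flight check of a Windows
# server against the connector requirements listed above.

$MinCpu    = 2
$MinMemGB  = 6
$MinDiskGB = 50
$OutboundTargets = @(
    'vidm-tenant.example.vmwareidentity.com'   # placeholder, assumed
)

function Test-OutboundTcp {
    # Portable TCP reachability test with a timeout; does not depend on
    # Test-NetConnection, which older servers lack.
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$drive = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))

$memGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$freeGB = [math]::Round($drive.Free / 1GB, 1)

$checks = [ordered]@{
    "CPU: $($cs.NumberOfLogicalProcessors) vCPU (need $MinCpu)"        = $cs.NumberOfLogicalProcessors -ge $MinCpu
    "Memory: $memGB GB (need $MinMemGB)"                              = $memGB -ge $MinMemGB
    "Free disk on $($env:SystemDrive): $freeGB GB (need $MinDiskGB)"  = $freeGB -ge $MinDiskGB
    # Windows Server 2008 R2 is NT 6.1; ProductType 1 would be a client OS.
    "OS: $($os.Caption) ($($os.Version))"                             = ([version]$os.Version -ge [version]'6.1') -and ($os.ProductType -ne 1)
}
foreach ($t in $OutboundTargets) {
    $checks["Outbound TCP 443 to $t"] = Test-OutboundTcp -HostName $t -Port 443
}

$failed = 0
foreach ($k in $checks.Keys) {
    $ok = $checks[$k]
    if (-not $ok) { $failed++ }
    "{0} {1}" -f ($(if ($ok) { '[PASS]' } else { '[FAIL]' }), $k)
}
if ($failed -gt 0) { Write-Warning "$failed requirement(s) not met; fix these before installing the connector." }
```

Run it in an elevated PowerShell session on the server you intend to use as the connector. The service account and the internal port list from the linked article are deliberately not checked here, because both depend on your own environment.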
Step by Step installation
The installation steps are documented here, but there are basically six steps you will need to complete.
Step 1: Generate the Connector Activation Code
Before we can begin the installation of the Identity Manager Connector Installer for Windows, we must create an Activation Code in the VMware Identity Manager administration console. Go to Identity & Access Management, choose Setup, click Connectors, Add Connector.
Fill in a Connector ID Name which is recognizable for you (the hostname for example).
Next, click Generate Activation Code.
Copy the generated Activation Code; we will need it during the VMware Identity Manager Connector Installer for Windows setup. Click OK to save the settings.
Step 2: Install the VMware Identity Manager Connector Installer for Windows
Once we have downloaded the VMware Identity Manager Connector Installer for Windows setup file and meet all mentioned requirements, we can begin with the installation.
Log in to the Connector server with administrator credentials and start the installation. Click Next.
Accept the license agreement (I Accept) and click Next.
For now, we only choose the VMware Identity Manager Connector component. Next.
Choose an installation folder. I used the default C:\VMware folder. Next.
A prompt appears for the installation of Java. Click Yes.
Since it’s a lab environment, I do not use any SSL certificates at this time. Next.
Paste the Activation Code copied in Step 1 and fill in an Admin Password. Next.
Specify the Service Account mentioned earlier in the Connector Server requirements section. Next.
The installation is ready to begin. Click Install.
Installation completed! Press Finish.
Step 3: Identity Manager – AD Authentication
When the Connector Server installation is complete, we can proceed by configuring the appliance with the Tenant Active Directory information and syncing the Active Directory User and Group objects.
There are several articles available on how to perform the basic configuration for Active Directory, but I still highly recommend Carl Stalhood’s blog series if you do not know how to configure the correct settings.
Once the AD configuration is complete, it's time to configure and enable Outbound Mode for the VMware Identity Manager Connector. This is required to allow external users (users connecting from the internet) to log on to the Workspace One portal. Please note that the connector can be used in both outbound and regular mode simultaneously: even with outbound mode enabled, you can still configure Kerberos authentication for internal users through authentication methods and policies.
In the administration console, open the Identity & Access Management tab and click Manage. Click the Built-in hyperlink.
Select the tenant AD domain, Authentication Method and Connector. Select Password (cloud deployment) as Connector Authentication Method. Click Save.
Next, open the Policies menu, select the authentication policy (in my case the default policy) and choose Edit.
Select Password (cloud deployment) as the AD authentication method for external users.
Step 4: Add Root CA certificate file
The next step is to add the Root CA certificate (and the Intermediate CA certificate, if you have one) to the Identity Manager administrator portal. Identity Manager must trust the connection to the Tenant appliances in order to sync the Published Desktops and Applications.
Go to the Connector Server administrator portal by browsing to https://<connector server FQDN>:8443.
Click Appliance Configurator.
Fill in the Admin password set during the setup process in Step 2.
Click the menu option in the upper left corner, Install SSL Certificates, then click the Trusted CAs tab.
Adding certificates can sometimes be a challenge. Luckily, Peter Bjork has written an excellent article on how to do this correctly!
Once you're done adding the Root CA certificate, the Identity Manager appliance will reboot to complete the changes.
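As an added example (not part of the original post, and not a VMware tool), the following script reads the certificate chain the Tenant appliance actually presents over TLS and writes every CA certificate in it as PEM text, which is the format the Trusted CAs tab accepts. The tenant FQDN and the output directory are assumptions.

```powershell
# Added example (not part of the original post): capture the Tenant appliance's
# TLS certificate chain and export the CA certificates (all elements except the
# leaf) as PEM files for the Trusted CAs tab.

$TenantFqdn = 'tenant.daas.example.com'          # placeholder, assumed
$Port       = 443
$OutDir     = Join-Path $env:TEMP 'daas-trusted-ca'

$script:chainCerts = @()

# Validation callback used only to capture the chain as presented. Returning
# $true lets the handshake finish so the chain can be read; the real trust
# decision is made by checking the exported root's thumbprint out of band.
$captureChain = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:chainCerts = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($TenantFqdn, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $captureChain)
    $ssl.AuthenticateAsClient($TenantFqdn)
    $ssl.Dispose()
} finally {
    $tcp.Close()
}

if ($chainCerts.Count -lt 2) {
    Write-Warning "Only the leaf certificate was received; the appliance did not send its issuer chain."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Element 0 is the appliance's own (leaf) certificate; everything after it is a CA.
$chainCerts | Select-Object -Skip 1 | ForEach-Object {
    $c    = $_
    $role = if ($c.Subject -eq $c.Issuer) { 'ROOT' } else { 'INTERMEDIATE' }
    $b64  = [Convert]::ToBase64String($c.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem  = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    $file = Join-Path $OutDir "$role-$($c.Thumbprint).pem"
    Set-Content -Path $file -Value $pem -Encoding Ascii
    "{0,-12} {1}`n             SHA1 {2}  valid until {3:yyyy-MM-dd}`n             written to {4}" -f `
        $role, $c.Subject, $c.Thumbprint, $c.NotAfter, $file
}
```

Paste the contents of the ROOT file (and any INTERMEDIATE file) into the Trusted CAs tab, but first compare the printed SHA1 thumbprint with the fingerprint your CA publishes; the script trusts nothing on its own. If the warning about a missing issuer chain appears, take the root certificate directly from the CA instead of from the appliance.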
Step 5: Add Virtual App Catalog
Now it’s time to sync the Published Desktops and Applications from the Horizon DaaS 8.0 environment into Workspace One.
Log in to the Identity Manager administration console, click Catalog, then Virtual Apps. On the right, click Virtual App Configuration.
Next, click the Add Virtual Apps button and select Horizon Cloud.
Fill in the (tenant) Name, select the Connector and supply the tenant information, such as the Tenant URL, Service Account and NETBIOS Domain.
Select a Default Launch Client, Sync Frequency and Activation Policy (Automatic or User Enabled).
Save and synchronize the Horizon DaaS 8.0 resources to Workspace One. After about 5-10 minutes, the resources from the Horizon DaaS 8.0 environment should appear in the Catalog – Virtual Apps menu.
Step 6: Configure the Identity Manager IdP
As the last step, we must add the Identity Manager IdP to the Horizon DaaS admin portal. If you skip this, you will receive the error message "Unable to complete login, single sign-on token is missing or invalid."
Go to the Identity Manager administrator portal, click Catalog, Web Apps, Settings.
In the left menu, under SaaS Apps, select SAML Metadata and copy the Identity Provider (IdP) metadata URL to the clipboard.
Next, we log in to the Horizon DaaS admin portal. Click Settings, General Settings.
Click Edit and scroll down to the IDM menu option. Click Add IDM.
Paste the Identity Provider (IdP) metadata URL copied earlier and fill in the tenant external FQDN. Click Save.
If done correctly, the status icon turns green and you will be able to log on to the Workspace One portal to consume the Horizon DaaS 8.0 Published Desktops and Applications!
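As an added example (not part of the original post or of either product), the metadata URL copied in this step can be inspected before it is saved under Add IDM: the script fetches it and prints the entityID, the single sign-on endpoints and the signing certificate, which are the values a SAML service provider takes from IdP metadata. The URL below is a placeholder; use the one copied from SAML Metadata.

```powershell
# Added example (not part of the original post): fetch and inspect the
# Identity Manager IdP SAML metadata before adding it to Horizon DaaS.

$MetadataUrl = 'https://vidm-tenant.example.com/SAAS/API/1.0/GET/metadata/idp.xml'   # placeholder, assumed

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing
[xml]$doc = $response.Content

$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
if (-not $entity) { throw "Not a SAML EntityDescriptor: $MetadataUrl" }

# IdP metadata must carry an IDPSSODescriptor; SP metadata (the wrong link) carries SPSSODescriptor instead.
$idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
if (-not $idp) { throw "No IDPSSODescriptor found; check that the Identity Provider metadata URL was copied, not the Service Provider one." }

"entityID : {0}" -f $entity.GetAttribute('entityID')
$idp.SelectNodes('md:SingleSignOnService', $ns) | ForEach-Object {
    "SSO      : {0}  ({1})" -f $_.GetAttribute('Location'), ($_.GetAttribute('Binding') -replace '.*:', '')
}

# Certificates the IdP signs assertions with (use="signing", or unspecified use).
$xpath = 'md:KeyDescriptor[@use="signing" or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$idp.SelectNodes($xpath, $ns) | ForEach-Object {
    $raw    = [Convert]::FromBase64String(($_.InnerText -replace '\s', ''))
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $raw)
    $status = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    "signing  : {0}  SHA1 {1}  until {2:yyyy-MM-dd} [{3}]" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $status
}
```

If the script throws, the URL on the clipboard is not the IdP metadata and saving it under Add IDM will not give a working login. An EXPIRED signing certificate means the tenant's SAML signing key needs attention in Identity Manager before the DaaS side can trust its assertions.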
Conclusion
With the integration of Workspace One, you can extend the DaaS offering to also provide a self-service catalog, Conditional Access controls and Single Sign-On (SSO) for SaaS, Web, Cloud and native Mobile applications!
Stay tuned for the next parts of this blog series! Please feel free to leave any comments.