In a blog post I created a while ago I explained how to integrate Horizon DaaS 7.0 with an on-premises installation of Identity Manager.

In this blog, I will explain how to integrate the newest Horizon DaaS version, DaaS 8.0, with Workspace One. The only exception is I will no longer use an on-premises installation for Identity Manager but use the cloud-hosted solution (SaaS) by VMware.

This is Part 1 of the blog series. In future blogs, I will explain how to integrate multiple services into Workspace One, such as AirWatch (Workspace One UEM).

Current Environment

Before we proceed, let’s explain our current lab environment:

  • ESXi and vCenter, version 6.5 Update 1. Separate clusters and vCenters for management and VDI workloads.
  • A fully installed Horizon DaaS 8.0 platform, containing one test Tenant environment.
  • Tenant Connector Server; lc-cs01.

Connector Server requirements

Since the Identity Manager appliance is hosted by VMware, we do not need to import any OVF file or install a license file.

Instead, we must create a connection between our on-premises Tenant environment and the VMware SaaS Identity Manager. To do this, we install the VMware Identity Manager Connector Installer for Windows on a server which has at least the following requirements:

  • Specs: 2vCPU, 6GB Memory, 50GB HDD
  • OS: Windows Server 2008 R2. I personally used Windows Server 2016
  • Active Directory Service Account for agent service and for authentication to backend systems
  • Internal Network Ports. Please refer to this article.
  • Outbound internet connection to the following Cloud Hosted IP addresses

Step by Step installation

The installation steps are documented here, but there are basically six steps you will need to complete.

Step 1: Generate the Connector Activation Code

Before we can begin the installation of the Identity Manager Connector Installer for Windows, we must create an Activation Code in the VMware Identity Manager administration console. Go to Identity & Access Management, choose Setup, click Connectors, Add Connector.

Fill in a Connector ID Name which is recognizable for you (the hostname for example).

Next, click Generate Activation Code.

Copy the generated Activation Code. We will have to use it during the VMware Identity Manager Connector Installer for Windows setup phase. Click OK to save settings.

Step 2: Install the VMware Identity Manager Connector Installer for Windows

Once we have downloaded the VMware Identity Manager Connector Installer for Windows setup file and meet all mentioned requirements, we can begin with the installation.

Log in to the Connector server with administrator credentials and start the installation. Click Next.

I Accept, Next.

For now, we only choose the VMware Identity Manager Connector component. Next.

Choose an installation folder. I used the default C:\VMware folder. Next.

A prompt appears for the installation of Java. Click Yes.

Since it’s a lab environment, I do not use any SSL certificates at this time. Next.

Paste the earlier copied Activation Code mentioned in Step 1 and fill in an Admin Password. Next.

Specify a Service Account mentioned earlier in the Connector Requirements chapter. Next.

The installation is ready to begin. Click Install.

Installation completed! Press Finish.

Step 3: Identity Manager – AD Authentication

When the Connector Server installation is completed, we can proceed by configuring the appliance with the Tenant Active Directory information and sync Active Directory User and Group objects.

There are several articles available on how to perform the basic configuration for Active Directory, but I still highly recommend Carl Stalhood’s blog series if you do not know how to configure the correct settings.

Once the AD configuration is complete, it’s time to configure and Enable Outbound Mode for the VMware Identity Manager Connector. We must do this to enable external users (users from the internet) to log on to the Workspace One portal. Please note, the connector can be used in both outbound and regular mode simultaneously. Even if you enable outbound mode, you can still configure Kerberos authentication for internal users using authentication methods and policies.

In the administration console Identity & Access Management tab, click Manage. Click the Built-in hyperlink.

Select the tenant AD domain, Authentication Method and Connector. Select Password (cloud deployment) as Connector Authentication Method. Click Save.

Next, open the Policies menu, select the authentication policy (in my case the default policy) and choose Edit.

Select Password (cloud deployment) as the AD authentication method for external users.

Step 4: Add Root CA certificate file

The next step is to add the Root CA (and Intermediate, if you have this) certificate to the Identity Manager administrator portal. The reason is Identity Manager must trust the connection to the Tenant appliances in order to sync all the Published Desktops and Applications.

Go to the Connector Server administrator portal by browsing to https://<connector server FQDN>:8443

Click on Appliance Configurator

Fill in the Admin password mentioned in the setup process in Step 2.

In the upper-left corner, click the menu option Install SSL Certificates. Click the Trusted CAs tab.

Adding certificates can sometimes be a challenge. Luckily, Peter Bjork has written an excellent article on how to do this correctly!

Once you're done adding the Root CA certificate, the Identity Manager appliance will reboot to complete the changes.

Step 5: Add Virtual App Catalog

Now it’s time to sync the Published Desktops and Applications from the Horizon DaaS 8.0 environment into Workspace One.

We log in to the Identity Manager administration console, click Catalog, Virtual Apps. On the right, click Virtual App Configuration.

Next click the button Add Virtual Apps and select Horizon Cloud

Fill in the (tenant) Name, select the Connector and supply the tenant information, such as Tenant URL and Service Account and NETBIOS Domain.

Select a Default Launch Client, Sync Frequency and Activation Policy (Automatic or User Enabled)

Save and Synchronize the Horizon DaaS 8.0 resources to Workspace One. After waiting for about 5-10 minutes, the resources from the Horizon DaaS 8.0 environment should become available in the Catalog – Virtual Apps menu.

Step 6: Configure the Identity Manager iDP

As the last step, we must enter the Identity Manager iDP in the Horizon DaaS admin portal. If you do not do this, you will receive the error message “Unable to complete login, single sign-on token is missing or invalid.”

Go to the Identity Manager administrator portal, click Catalog, Web Apps, Settings

In the left menu, under SaaS Apps, select SAML Metadata and copy the Identity Provider (iDP) metadata URL to the clipboard.

Next, we log in to the Horizon DaaS admin portal. Click Settings, General Settings

Click Edit and scroll down to the IDM menu option. Click Add IDM

Paste the earlier copied Identity Provider (iDP) metadata URL and fill in the tenant external FQDN. Click Save

If done correctly, you will see the green status icon and you will be able to log on to the Workspace One portal to consume the Horizon DaaS 8.0 Published Desktops and Applications!

Conclusion

With the integration of Workspace One, you can extend the DaaS offering to also provide a self-service catalog, Conditional Access controls and Single Sign-On (SSO) for SaaS, Web, Cloud and native Mobile applications!

Stay tuned for the next parts of this blog series! Please feel free to leave any comments.