In this blog, I will explain how to integrate the newest Horizon DaaS version, DaaS 9.0, with Workspace One Access.

In the past, I already created two blog posts about this subject;

Just like the previous blog post for Horizon DaaS 8.0, I will not use an on-premises installation for Workspace ONE Access (Identity Manager) but use the cloud-hosted solution (SaaS) by VMware.

Current Environment

Before we proceed, let’s explain our current lab environment:

  • ESXi and vCenter, version 6.7 Update 3. Separate clusters and vCenters for management and VDI workloads.
  • A fully installed Horizon DaaS 9.0 platform, containing one test Tenant environment.
  • Tenant Connector Server; lc-cs01.

Connector Server requirements

Since the Workspace ONE Access appliances are hosted by VMware, we can skip the steps to import appliance OVF file(s) and install any license files.

We can jump right to creating the connection (bridge) between our on-premises Horizon Daas 9.0 tenant environment and the Workspace ONE Access tenant hosted in the cloud. We will use the Workspace ONE Access connector servers for this purpose.

There are basically two options for the connectors: The “new” connector and the “legacy” connector. For integration with “Virtual Apps“, in this case my Horizon DaaS 9.0 environment, we are required to install the legacy connector.

Peter Björk (@thepeb) explains the legacy connector really well in below video:

To begin the installation, we need to download the VMware Identity Manager Connector Installer for Windows version 19.03 on a server which has at least the following requirements:

  • Specs: 2vCPU, 6GB Memory, 50GB HDD
  • OS: Windows Server 2008 R2 or higher. I personally used Windows Server 2016
  • Active Directory Service Account for agent service and for authentication to backend systems
  • Firewall configuration, please refer to the previously mentioned requirements hyperlink.
  • Outbound internet connection to the following Cloud Hosted IP addresses
  • For production environments: Install two connector servers.

Workspace ONE Access Connector server installation

We begin the setup by installing the Identity Manager Connector installer on the connector server. Start the installer, click Next.

2020-05-15 11_34_31-W10-09-FLT

The default location (C:\VMware) is fine. Next.

2020-05-15 11_34_50-W10-09-FLT

We are not migrating anything, this is a new installation. Next.

2020-05-15 11_35_04-W10-09-FLT

The hostname is automatically filled in. Next.

2020-05-15 11_35_13-W10-09-FLT

Run the service with the previously mentioned required AD Service Account. Please note: this account must be a member of the local administrator’s group of the connector server. Next.

2020-05-15 11_35_53-W10-09-FLT

Install.

2020-05-15 11_36_02-W10-09-FLT

Yes, launch the admin console of the Workspace ONE Access Connector.

2020-05-15 11_40_33-W10-09-FLT

The browser opens automatically. We are prompted with the Workspace ONE Access connector wizard. Continue.

2020-05-15 11_41_11-W10-09-FLT

Fill in the password for the admin account. After the installation is complete you can log in to the Workspace ONE connector admin portal (https://fqdn-connector-server:8443) with this account and the password you supply here.

2020-05-15 11_41_32-W10-09-FLT

For the next step, we need the activation code. Log in to Workspace ONE Access Administration Console and select the Identity & Access Management menu. Next, go to Setup (on the right) and choose Legacy Connectors (on the left). Add a connector and generate an Activation Code. Make sure you copy the entire code.

2020-05-15 11_40_11-VMware Workspace ONE

Go back to the Workspace ONE Access connector wizard. Paste the Activation Code in here. Continue.

2020-05-15 11_42_02-W10-09-FLT

If you have met all requirements, the setup is complete and you are ready to go to the next phase of the installation!

2020-05-15 11_42_44-W10-09-FLT

Workspace ONE Access setup – Active Directory sync

Log in to the Workspace ONE Access Administration Console. Before we start configuring the Horizon DaaS tenant Active Directory Sync settings, we must configure required AD User Attributes. Go to the Identity & Access Management menu, choose Setup and select the User Attributes menu.

For Horizon environments we must select two options:

  • distinguishedName
  • userPrincipalName

The attributes email, firstName, lastName and userName are already default selected.

It’s important to note that synced AD users must have these AD attributes filled in. For example, if the email field for a user is empty in AD, the sync log will show you an error that this user is not synced into Workspace ONE Access.

2020-05-15 11_45_32-VMware Workspace ONE

2020-05-15 11_45_43-VMware Workspace ONE

Click Save.

2020-05-15 11_47_12-VMware Workspace ONE

Click Manage, select Directories and click on the Add Directory button. Select Add Active Directory over LDAP/IWA.

2020-05-15 19_14_39-Login Consultants Nederland BV - Workspace ONE

Fill in the Directory Name; the Horizon DaaS tenant Active Directory domain FQDN. Select the connector server from the drop-down menu. Choose Yes to also perform Authentication for the connector. Leave the Directory Search Attribute on sAMAccountName.

Do NOT select STARTTLS. VMware has provided a hotfix for this scenario. It basically means you will have to replace two files on the connector server and restart the VMware Identity Manager service.

2020-05-15 11_49_29-VMware Workspace ONE

Scroll down and fill in the Active Directory Service Account in UPN and supply the password. Click Save & Next.

2020-05-15 11_49_35-VMware Workspace ONE

Workspace ONE Access will try to connect to the Active Directory server. This can take a minute.

2020-05-15 11_50_22-VMware Workspace ONE

If all goes OK, you can select your Horizon DaaS tenant domain and click Next.

2020-05-15 11_50_33-VMware Workspace ONE

We want to filter the Active Directory sync settings to only sync the AD groups we specify. Fill in the DistinguishedName of the domain, for example: DC=domain,DC=local.

Please note, you can also drill-down to a specific OU in Active Directory and not use the root.

Click Select. The Groups to Sync field will appear with the number of AD groups of the domain. Click on the hyperlink.

2020-05-15 11_51_41-VMware Workspace ONE

You can now search for certain groups in Active Directory. Select the AD groups you want to sync.

The groups you want to sync are basically:

  • The Workspace ONE Access Administration Console users (Super Admins)
  • AD group(s) you have assigned to the desktop pools in the Horizon DaaS 9.0 tenant environment.

Please note: you are not allowed to select the Domain Users group.

Select the groups you want to sync. Click Save.

2020-05-15 19_32_27-Login Consultants Nederland BV - Workspace ONE

Verify the AD groups are selected, click Next.

2020-05-15 11_54_05-VMware Workspace ONE

You can also filter for certain users in Active Directory. In this setup, we are going to skip this step. Click Next.2020-05-15 11_54_23-VMware Workspace ONE

We are now ready to sync the Active Directory Groups to Workspace ONE Access. Click Save & Sync.

2020-05-15 19_36_02-Login Consultants Nederland BV - Workspace ONE

The sync has started. You can click on the Sync Log hyperlink to track the progress.

 

2020-05-15 11_54_36-VMware Workspace ONE

Edit your newly configured Active Directory. Press Sync Settings.

2020-05-15 19_39_12-Login Consultants Nederland BV - Workspace ONE

You can change the sync settings to automatically sync on a certain schedule. In my case, I have selected Hourly. You can also (re)configure the Domain, Attributes and add/remove Active Directory groups. Click Save.

2020-05-15 11_56_52-VMware Workspace ONE

Go to the Users & Groups menu. Select Groups. Notice the synced AD groups are now listed here.

2020-05-15 12_06_52-VMware Workspace ONE

You can manually sync the users from each group by clicking on the group hyperlink and select the Users button.

We will only manually sync the users for the Administration Console AD user group (Super Admins).

The groups of the published resources in the Horizon DaaS tenant environment will automatically sync once the specific published resource is also synced with Workspace ONE Access (we will do this in the following chapters!).

2020-05-15 12_09_12-VMware Workspace ONE

Click the Roles tab. Select the Super Admin role and click Assign. Search for the synced AD admin group. Click Save. 2020-05-15 12_10_09-VMware Workspace ONE2020-05-15 12_10_30-VMware Workspace ONE

Members of this Super Admin group can now also access the Administration Console of Workspace ONE Access by logging in to the Workspace ONE Access portal and clicking on their profile button in the right upper corner. The option Administration Console is now available.

2020-05-15 20_11_45-Intelligent Hub

Outbound Mode configuration

Next, we will configure Workspace ONE Access in outbound mode. If we do not do this, external users (i.e. users from the internet) will get redirected to the internal connector server, which of course is not available for them since they are not able to connect to it.

Please note, the connector can be used in both outbound and regular mode simultaneously. Even if you enable outbound mode, you can still configure Kerberos authentication for internal users using authentication methods and policies.

Within the tab Identity & Access Management, click Manage, Select Identity Providers and select the Built-in iDP by clicking the hyperlink.

2020-05-15 12_12_15-VMware Workspace ONE

Select the previously configured Active Directory. Select ALL RANGES. Select the connector server from the drop-down menu. Click Add Connector.

2020-05-15 12_12_41-VMware Workspace ONE

A new option appears; Password (cloud deployment). Select this option. Click Save.

2020-05-15 12_13_23-VMware Workspace ONE

Go to the Policies menu. Edit the default_access_policy_set.

2020-05-15 20_31_54-Login Consultants Nederland BV - Workspace ONE

Go to Configuration. Edit both Policy Rules (Web Browser and Workspace ONE App or Hub App)

2020-05-15 20_33_09-Login Consultants Nederland BV - Workspace ONE

Change the user authentication from Password to Password (cloud deployment). As mentioned, do this for both Policy Rules.

2020-05-15 20_33_34-Login Consultants Nederland BV - Workspace ONE

Both policy rules are now changed. Hit Save.

2020-05-15 12_14_49-VMware Workspace ONE

Add the Virtual Apps Collection

We are almost ready to sync the Horizon DaaS 9.0 tenant published resources to Workspace ONE Access. Before we can attempt to sync, we must make sure the connector server trusts the Horizon DaaS tenant portal. We do this by uploading the Horizon DaaS tenant portal root and intermediate certificates to the connector server.

Log on to the Workspace ONE connector admin portal via https://fqdn-connector-server:8443

Go to the menu option Install SSL Certificates. Click on the tab Trusted CA’s.

2020-05-15 12_40_37-W10-09-FLT

Upload the root and intermediate certificates of the tenant portal using the following format:

2020-05-15 20_51_24-W10-09-FLT

If you are unsure how to do this correctly, please refer to the following VMware blog post.

Once the certificates are uploaded, the connector server will restart the services. This process can take a few minutes to complete.

When the certificate upload is complete, we are ready to configure the Virtual Apps Collection sync in Workspace ONE Access.

Go to Catalog and choose Virtual Apps Collection.

2020-05-15 12_17_42-VMware Workspace ONE

Click on the Get Started wizard.

2020-05-15 12_17_58-VMware Workspace ONE

Select Horizon Cloud2020-05-15 12_18_11-VMware Workspace ONE

Fill in a name for the Virtual App Collection. Next.

2020-05-15 12_18_47-VMware Workspace ONE

Click Add a Tenant

2020-05-15 12_19_40-VMware Workspace ONE

Fill in the tenant details:

  • Host: tenant user portal FQDN (without https://)
  • Port: 443
  • Admin user & password: an AD Service Account with administration permissions in the tenant admin portal.
  • Admin domain & Domains to Sync: Tenant Active Directory (NETBIOS)
  • Assertion Customer Service URL: tenant user portal FQDN (with https://)

Leave the rest of the settings default. Click Add.

 

2020-05-15 12_21_53-VMware Workspace ONE2020-05-15 12_22_00-VMware Workspace ONE

The tenant configuration is added. Click Next.

2020-05-15 12_22_30-VMware Workspace ONE

Specify the Sync Frequency, Activation Policy and Default Launch client. Click Next.

2020-05-15 12_22_40-VMware Workspace ONE

2020-05-15 12_23_10-VMware Workspace ONE2020-05-15 12_23_22-VMware Workspace ONE

If everything is correctly filled in, hit Save. The Virtual App Collection is now added and we are ready to sync the published resources.

2020-05-15 12_42_08-VMware Workspace ONE

Select the Virtual App Collection. Click on the Sync button.

2020-05-15 12_42_18-VMware Workspace ONE

The Horizon DaaS tenant published resources will now sync. This can take a minute or two.

2020-05-15 12_42_27-VMware Workspace ONE2020-05-15 12_42_34-VMware Workspace ONE2020-05-15 12_42_47-VMware Workspace ONE

All the Horizon DaaS tenant published resources are synced. Click Save. In the Catalog menu and Virtual Apps, you can now see all the tenant published resources.

2020-05-15 12_43_14-VMware Workspace ONE

Configure the Workspace ONE Access iDP

One final step to go! We must configure the Workspace ONE Access iDP information into the Horizon DaaS tenant admin portal, otherwise Single-Sign-On will not work for the end-users.

In the Workspace ONE Access Administration Console, open the Catalog menu en click Web Apps.

2020-05-15 12_44_10-VMware Workspace ONE

Select the SAML Metadata menu option.

2020-05-15 12_44_22-VMware Workspace ONE

Copy the Identity Provider iDP metadata URL by pressing the Copy URL hyperlink.

2020-05-15 12_44_36-VMware Workspace ONE

Go to your Horizon DaaS 9.0 tenant admin portal. Go to Settings and chose Identity Management.

2020-05-15 12_45_14-Horizon Cloud

Click New.

2020-05-15 12_45_23-Horizon Cloud

Paste the Identity Provider iDP metadata URL you copied in the previous step. Fill in the Horizon DaaS tenant URL (without https://) in the Client Access FQDN. I’m not redirecting the Horizon DaaS tenant portal to the Workspace ONE Access user portal at this stage, so I’m leaving this disabled.

Hit Save.

2020-05-15 12_46_14-Horizon Cloud

When you see a green icon, this means the connection is successfully established!

2020-05-15 12_46_30-Horizon Cloud

 

Workspace ONE Access portal

We are now able to log on to the Workspace ONE Access user portal! Of course, we must be member of one of the synced AD groups we configured in the AD sync settings chapter. Once logged in, we see all our Horizon DaaS 9.0 tenant published resources are ready for use!

2020-05-15 12_47_28-Intelligent Hub

Want to enable MFA? Workspace ONE Access comes with a built-in solution; VMware Verify.

You can read all necessary configuration steps in my colleague’s blog https://www.geursen.net