In this blog post, I will explain how to integrate the newest Horizon DaaS version, DaaS 9.0, with Workspace ONE Access.
I have already written two blog posts about this subject:
- Horizon DaaS 7.0: integrate Horizon DaaS 7.0 with an on-premises installation of Identity Manager
- Horizon DaaS 8.0: How to integrate Horizon DaaS 8.0 with Workspace One
Just like in the previous blog post for Horizon DaaS 8.0, I will not use an on-premises installation of Workspace ONE Access (Identity Manager) but the cloud-hosted (SaaS) solution offered by VMware.
Before we proceed, let’s explain our current lab environment:
- ESXi and vCenter, version 6.7 Update 3. Separate clusters and vCenters for management and VDI workloads.
- A fully installed Horizon DaaS 9.0 platform, containing one test Tenant environment.
- Tenant Connector Server; lc-cs01.
Connector Server requirements
Since the Workspace ONE Access appliances are hosted by VMware, we can skip the steps to import appliance OVF file(s) and install any license files.
We can jump right to creating the connection (bridge) between our on-premises Horizon DaaS 9.0 tenant environment and the Workspace ONE Access tenant hosted in the cloud. We will use the Workspace ONE Access connector servers for this purpose.
There are basically two options for the connector: the "new" connector and the "legacy" connector. For integration with Virtual Apps, in this case my Horizon DaaS 9.0 environment, the legacy connector is required.
Peter Björk (@thepeb) explains the legacy connector really well in the video below:
To begin the installation, we need to download the VMware Identity Manager Connector Installer for Windows, version 19.03, onto a server that meets at least the following requirements:
- Specs: 2 vCPU, 6 GB memory, 50 GB disk
- OS: Windows Server 2008 R2 or higher. I personally used Windows Server 2016.
- An Active Directory service account, used to run the connector service and to authenticate to the backend systems
- Firewall configuration: please refer to the previously mentioned requirements hyperlink.
- Outbound internet connection to the following cloud-hosted IP addresses
- For production environments: install two connector servers.
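Before starting the installer, the following PowerShell script checks the requirements above on the candidate server. It is an added example and not part of the original post; the service account name and the Workspace ONE Access tenant FQDN are assumptions, and because the cloud-hosted IP list is not reproduced here it tests outbound HTTPS to the tenant FQDN instead of the individual addresses.

```powershell
# Added example (not from the original post): pre-flight check for a legacy
# connector server. Run in an elevated PowerShell session on the candidate server.
$ServiceAccount = 'DOMAIN\svc-ws1-connector'      # assumed AD service account
$AccessTenant   = 'tenant.vmwareidentity.com'     # assumed Workspace ONE Access tenant FQDN

$cs  = Get-CimInstance Win32_ComputerSystem
$os  = Get-CimInstance Win32_OperatingSystem
$sys = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
$memGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)   # a 6 GB VM reports slightly under 6 GB
$diskGB = [math]::Round(($sys.Used + $sys.Free) / 1GB, 1)

# The installer runs the connector service as the AD service account, which must be a
# local Administrator. Get-LocalGroupMember exists on Server 2016 / PowerShell 5.1 and later.
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
                       Where-Object { $_.Name -ieq $ServiceAccount })

$checks = [ordered]@{
    'vCPU >= 2'                               = $cs.NumberOfLogicalProcessors -ge 2
    'Memory >= 6 GB'                          = $memGB -ge 5.9
    'System disk >= 50 GB'                    = $diskGB -ge 50
    'OS >= Windows Server 2008 R2 (6.1)'      = [version]$os.Version -ge [version]'6.1'
    'Service account in local Administrators' = $isLocalAdmin
    # Outbound HTTPS to the SaaS tenant (substitute the published IP list for a strict check)
    'Outbound TCP 443 to Access tenant'       = (Test-NetConnection -ComputerName $AccessTenant -Port 443 `
                                                  -WarningAction SilentlyContinue).TcpTestSucceeded
    # The connector admin portal listens on 8443; make sure nothing else is already bound there
    'TCP 8443 not in use'                     = -not (Get-NetTCPConnection -LocalPort 8443 -State Listen `
                                                       -ErrorAction SilentlyContinue)
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    if (-not $c.Value) { $failed++ }
    '{0,-42} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}
"$failed requirement(s) not met"
```

Run it as an administrator; the local-group and listening-port checks need elevation. A FAIL on the service account line is the most common cause of the installer's service-account step failing later.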
Workspace ONE Access Connector server installation
We begin the setup by installing the Identity Manager Connector installer on the connector server. Start the installer, click Next.
The default location (C:\VMware) is fine. Next.
We are not migrating anything, this is a new installation. Next.
The hostname is automatically filled in. Next.
Run the service as the AD service account mentioned earlier. Please note: this account must be a member of the local Administrators group on the connector server. Next.
Yes, launch the admin console of the Workspace ONE Access Connector.
The browser opens automatically. We are prompted with the Workspace ONE Access connector wizard. Continue.
Fill in the password for the admin account. After the installation is complete you can log in to the Workspace ONE connector admin portal (https://fqdn-connector-server:8443) with this account and the password you supply here.
For the next step, we need the activation code. Log in to Workspace ONE Access Administration Console and select the Identity & Access Management menu. Next, go to Setup (on the right) and choose Legacy Connectors (on the left). Add a connector and generate an Activation Code. Make sure you copy the entire code.
Go back to the Workspace ONE Access connector wizard. Paste the Activation Code in here. Continue.
If you have met all requirements, the setup is complete and you are ready to go to the next phase of the installation!
Workspace ONE Access setup – Active Directory sync
Log in to the Workspace ONE Access Administration Console. Before we configure the Active Directory sync settings for the Horizon DaaS tenant, we must configure the required AD user attributes. Go to the Identity & Access Management menu, choose Setup and select the User Attributes menu.
For Horizon environments we must select two options:
The attributes email, firstName, lastName and userName are selected by default.
It's important to note that synced AD users must have these AD attributes populated. For example, if the email field of a user is empty in AD, the sync log will show an error that this user was not synced into Workspace ONE Access.
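To catch these users before the first sync rather than in the sync log, the following script (an added example, not part of the original post) lists every member of the groups you intend to sync who is missing one of the AD attributes behind email, firstName, lastName and userName. It requires the ActiveDirectory RSAT module; the group names are assumptions.

```powershell
# Added example (not from the original post): find members of the groups to be synced
# that lack an attribute Workspace ONE Access requires. Group names are assumptions.
Import-Module ActiveDirectory
$GroupsToSync = @('WS1-Access-SuperAdmins', 'DaaS-Desktop-Users')   # assumed group names
# AD attribute -> Workspace ONE Access attribute: mail=email, givenName=firstName,
# sn=lastName, sAMAccountName=userName (the post uses sAMAccountName as the search attribute)
$Required = @('mail', 'givenName', 'sn', 'sAMAccountName')

$problems = foreach ($g in $GroupsToSync) {
    # -Recursive also returns users of nested groups; non-user members are filtered out
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties $Required |
        ForEach-Object {
            $u = $_
            $missing = $Required | Where-Object { [string]::IsNullOrWhiteSpace($u.$_) }
            if ($missing) {
                [pscustomobject]@{
                    Group   = $g
                    User    = $u.SamAccountName
                    Missing = ($missing -join ', ')
                }
            }
        }
}

if ($problems) {
    $problems | Sort-Object Group, User | Format-Table -AutoSize
} else {
    'All members of the selected groups have the required attributes.'
}
```

Anyone listed here will be skipped by the directory sync until the attribute is filled in, so fix these in AD first and then run the sync.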
Click Manage, select Directories and click on the Add Directory button. Select Add Active Directory over LDAP/IWA.
Fill in the Directory Name; the Horizon DaaS tenant Active Directory domain FQDN. Select the connector server from the drop-down menu. Choose Yes to also perform Authentication for the connector. Leave the Directory Search Attribute on sAMAccountName.
Do NOT select STARTTLS. VMware has provided a hotfix for this scenario; it basically means you have to replace two files on the connector server and restart the VMware Identity Manager service. Keep in mind that a plain LDAP bind (TCP 389 without STARTTLS or LDAPS) sends the service account password and the synced directory data in clear text between the connector and the domain controller, so for production either apply the hotfix or make sure that hop stays on a network you trust.
Scroll down, fill in the Active Directory service account in UPN format and supply its password. Click Save & Next.
Workspace ONE Access will try to connect to the Active Directory server. This can take a minute.
If all goes OK, you can select your Horizon DaaS tenant domain and click Next.
We want to restrict the Active Directory sync to only the AD groups we specify. Fill in the DistinguishedName of the domain, for example: DC=domain,DC=local.
Please note, you can also drill-down to a specific OU in Active Directory and not use the root.
Click Select. The Groups to Sync field will appear with the number of AD groups of the domain. Click on the hyperlink.
You can now search for certain groups in Active Directory. Select the AD groups you want to sync.
In short, the groups you want to sync are:
- The Workspace ONE Access Administration Console users (Super Admins)
- AD group(s) you have assigned to the desktop pools in the Horizon DaaS 9.0 tenant environment.
Please note: you are not allowed to select the Domain Users group.
Select the groups you want to sync. Click Save.
Verify the AD groups are selected, click Next.
You can also filter for certain users in Active Directory. In this setup, we are going to skip this step. Click Next.
We are now ready to sync the Active Directory Groups to Workspace ONE Access. Click Save & Sync.
The sync has started. You can click on the Sync Log hyperlink to track the progress.
Edit your newly configured Active Directory. Press Sync Settings.
You can change the sync settings to automatically sync on a certain schedule. In my case, I have selected Hourly. You can also (re)configure the Domain, Attributes and add/remove Active Directory groups. Click Save.
Go to the Users & Groups menu. Select Groups. Notice the synced AD groups are now listed here.
You can manually sync the users of each group by clicking the group hyperlink and selecting the Users button.
We will only manually sync the users for the Administration Console AD user group (Super Admins).
The groups of the published resources in the Horizon DaaS tenant environment will automatically sync once the specific published resource is also synced with Workspace ONE Access (we will do this in the following chapters!).
Click the Roles tab. Select the Super Admin role and click Assign. Search for the synced AD admin group. Click Save.
Members of this Super Admin group can now also access the Administration Console of Workspace ONE Access by logging in to the Workspace ONE Access portal and clicking their profile button in the upper-right corner. The option Administration Console is now available.
Outbound Mode configuration
Next, we will configure Workspace ONE Access in outbound mode. If we do not, external users (users coming from the internet) will be redirected to the internal connector server, which they of course cannot reach. In outbound mode the connector itself initiates the connection to the cloud-hosted tenant, so no inbound port to the connector needs to be published.
Please note, the connector can be used in both outbound and regular mode simultaneously. Even if you enable outbound mode, you can still configure Kerberos authentication for internal users using authentication methods and policies.
Within the tab Identity & Access Management, click Manage, select Identity Providers and select the Built-in IdP by clicking its hyperlink.
Select the previously configured Active Directory. Select ALL RANGES. Select the connector server from the drop-down menu. Click Add Connector.
A new option appears; Password (cloud deployment). Select this option. Click Save.
Go to the Policies menu. Edit the default_access_policy_set.
Go to Configuration. Edit both Policy Rules (Web Browser, and Workspace ONE App or Hub App).
Change the user authentication from Password to Password (cloud deployment). As mentioned, do this for both Policy Rules.
Both policy rules are now changed. Hit Save.
Add the Virtual Apps Collection
We are almost ready to sync the Horizon DaaS 9.0 tenant published resources to Workspace ONE Access. Before we can attempt to sync, we must make sure the connector server trusts the Horizon DaaS tenant portal. We do this by uploading the Horizon DaaS tenant portal root and intermediate certificates to the connector server.
Log on to the Workspace ONE connector admin portal via https://fqdn-connector-server:8443
Go to the menu option Install SSL Certificates. Click on the tab Trusted CAs.
Upload the root and intermediate certificates of the tenant portal using the following format:
If you are unsure how to do this correctly, please refer to the following VMware blog post.
Once the certificates are uploaded, the connector server will restart the services. This process can take a few minutes to complete.
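The following script, an added example that is not part of the original post, retrieves the chain the tenant portal actually presents and writes the intermediate and root CA certificates as PEM files (Base64 between BEGIN/END CERTIFICATE markers, assumed here to be the form the Trusted CAs tab takes). The portal FQDN is an assumption. Run it from the connector server so you see the same chain the connector will see.

```powershell
# Added example (not from the original post): dump the CA chain that the Horizon DaaS
# tenant portal presents so the root and intermediate can be loaded into the
# connector's Trusted CAs tab. The portal FQDN is an assumption.
$TenantPortal = 'tenant.daas.example.com'     # assumed tenant user portal FQDN

# Connect and complete a TLS handshake. The validation callback returns $true because
# this machine may not trust the portal's CA yet (that is the problem being fixed);
# nothing is sent over the session, we only inspect the certificate.
$tcp = New-Object System.Net.Sockets.TcpClient($TenantPortal, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($TenantPortal)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# Build the chain locally. AllowUnknownCertificateAuthority lets Build() succeed when the
# root is not in the local store; Build() also fetches a missing intermediate via AIA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
[void]$chain.Build($leaf)

function ConvertTo-Pem([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $b64 = [Convert]::ToBase64String($Cert.RawData, [Base64FormattingOptions]::InsertLineBreaks)
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
}

# ChainElements[0] is the portal's own (leaf) certificate; do not upload that one.
# Everything above it is an intermediate, except the self-signed root at the top.
$n = 0
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    if ($c.Thumbprint -eq $leaf.Thumbprint) { continue }
    $role = if ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
    $file = Join-Path $PWD "$TenantPortal-$role-$n.pem"
    ConvertTo-Pem $c | Set-Content -Path $file -Encoding Ascii
    '{0,-12} {1}  thumbprint {2}  -> {3}' -f $role, $c.Subject, $c.Thumbprint, $file
    $n++
}
```

Compare the printed root thumbprint with the CA's published fingerprint before uploading: every server certificate issued under a CA you add to Trusted CAs will be accepted by the connector, so this is a trust decision, not just a connectivity fix.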
When the certificate upload is complete, we are ready to configure the Virtual Apps Collection sync in Workspace ONE Access.
Go to Catalog and choose Virtual Apps Collection.
Click on the Get Started wizard.
Select Horizon Cloud
Fill in a name for the Virtual App Collection. Next.
Click Add a Tenant
Fill in the tenant details:
- Host: tenant user portal FQDN (without https://)
- Port: 443
- Admin user & password: an AD service account with administrative permissions in the tenant admin portal. Use a dedicated account for this rather than a personal admin account; Workspace ONE Access stores its credentials for the sync.
- Admin domain & Domains to Sync: the tenant Active Directory domain (NetBIOS name)
- Assertion Consumer Service URL: tenant user portal FQDN (with https://)
Leave the rest of the settings default. Click Add.
The tenant configuration is added. Click Next.
Specify the Sync Frequency, Activation Policy and Default Launch client. Click Next.
If everything is correctly filled in, hit Save. The Virtual App Collection is now added and we are ready to sync the published resources.
Select the Virtual App Collection. Click on the Sync button.
The Horizon DaaS tenant published resources will now sync. This can take a minute or two.
All the Horizon DaaS tenant published resources are synced. Click Save. In the Catalog menu and Virtual Apps, you can now see all the tenant published resources.
Configure the Workspace ONE Access IdP
One final step to go! We must configure the Workspace ONE Access IdP information in the Horizon DaaS tenant admin portal, otherwise single sign-on will not work for the end users.
In the Workspace ONE Access Administration Console, open the Catalog menu and click Web Apps.
Select the SAML Metadata menu option.
Copy the Identity Provider (IdP) metadata URL by clicking the Copy URL hyperlink.
Go to your Horizon DaaS 9.0 tenant admin portal. Go to Settings and choose Identity Management.
Paste the Identity Provider (IdP) metadata URL you copied in the previous step. Fill in the Horizon DaaS tenant URL (without https://) in the Client Access FQDN field. I'm not redirecting the Horizon DaaS tenant portal to the Workspace ONE Access user portal at this stage, so I'm leaving this disabled.
When you see a green icon, the connection has been established successfully!
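If the icon does not turn green, it helps to look at what the tenant is actually fetching. The script below (an added example, not from the original post) downloads the IdP metadata, prints the entityID and SingleSignOnService endpoints, and decodes the signing certificate, which is what the DaaS tenant will use to validate SAML assertions. The metadata URL is an assumption; use the one you copied with Copy URL.

```powershell
# Added example (not from the original post): inspect the Workspace ONE Access IdP
# metadata before (or after) pasting its URL into the DaaS tenant admin portal.
$MetadataUrl = 'https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml'   # assumed URL

[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
'entityID : ' + $entity.entityID

# The DaaS tenant redirects browsers to one of these; the binding suffix (HTTP-Redirect/HTTP-POST) matters
foreach ($sso in $entity.SelectNodes('md:IDPSSODescriptor/md:SingleSignOnService', $ns)) {
    'SSO      : {0,-14} {1}' -f $sso.Binding.Split(':')[-1], $sso.Location
}

# A KeyDescriptor without a "use" attribute is valid for both signing and encryption
$xpath = 'md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]'
foreach ($kd in $entity.SelectNodes($xpath, $ns)) {
    $b64  = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText -replace '\s', ''
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    'Signing  : {0}  expires {1:yyyy-MM-dd}  thumbprint {2}' -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        'WARNING  : signing certificate expires within 30 days; SSO will break when it rolls over'
    }
}
```

Note the signing certificate's expiry: when Workspace ONE Access rotates it, the DaaS tenant must re-read the metadata, so a calendar reminder a few weeks before that date saves an outage.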
Workspace ONE Access portal
We are now able to log on to the Workspace ONE Access user portal! Of course, we must be a member of one of the synced AD groups we configured in the AD sync settings chapter. Once logged in, we see that all our Horizon DaaS 9.0 tenant published resources are ready for use!
Want to enable MFA? Workspace ONE Access comes with a built-in solution: VMware Verify.