Configure Horizon Pods and Pod Federations in VMware Identity Manager

VMware Identity Manager is an Identity as a Service (IDaaS) offering, providing application provisioning, self-service catalog, conditional access controls and Single Sign-On (SSO) for SaaS, web, cloud and native mobile applications.

You can integrate the following types of resources with VMware Identity Manager:

  • Web applications
  • VMware Horizon Cloud Service applications and desktops
  • VMware Horizon 7, Horizon 6, and View desktop and application pools
  • Citrix-published resources
  • VMware ThinApp packaged applications

In this lesson you will configure Identity Manager for integration with an existing, on-premises VMware Horizon 7 pod.

Integrate Horizon Cloud Pod Architecture Pod Federations with Identity Manager

The Horizon Cloud Pod Architecture (CPA) feature links together multiple Horizon pods to form a single, large desktop and application brokering and management environment called a pod federation. A pod federation can span multiple sites and data centers.

While CPA is outside the scope of this lab, note that Identity Manager can be integrated with both single Horizon pods and CPA pod federations.

Integrate an Independent Horizon Pod with Identity Manager

To integrate Horizon pods in VMware Identity Manager, you create one or more virtual apps collections in the VMware Identity Manager administration console. The collections contain the configuration information for the Horizon Connection Servers as well as sync settings.

Open a New Tab in Chrome

  1. Open a New Tab in the Chrome browser
  2. Select WS1 from the shortcut menu
  3. Select VIDM-01 Admin

Choose System Domain

  1. Click the drop-down menu to select a domain
  2. Select System Domain
  3. Clear the checkbox for Remember this setting
  4. Select Next

The System Directory is a local directory that is automatically created in the service when Identity Manager is first set up. This directory has the domain System Domain. You cannot change the name or domain of the System Directory, or add new domains to it. Nor can you delete the System Directory or the System Domain.

The local administrator user that is created when you first set up the VMware Identity Manager appliance is created in the System Domain of the System Directory.

The System Directory is typically used to set up a few local administrator users to manage the service. In the following step you will authenticate with a local administrator account called admin.

Sign In to Workspace ONE as Admin

  1. username = admin
  2. password = VMware1!
  3. Select Sign in

Verify User Attributes

  1. Select Identity & Access Management
  2. Select Setup
  3. Select User Attributes
  4. Verify distinguishedName and userPrincipalName are selected

When configuring Identity Manager to sync user accounts from Active Directory or another directory service, specific user attributes are required for Horizon integration.

If the required attributes are not populated and synced, Horizon desktops and applications may not work properly.
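One way to check this before the first sync, as an added example that is not part of the lab or of any VMware tooling: the script below reads an LDIF export of user objects (such as one produced by ldifde) and reports entries where distinguishedName or userPrincipalName is absent or empty. The function names and the sample export are constructed for illustration, and the export is assumed to contain only user entries.

```python
import base64
import re

# Attributes this lesson verifies under User Attributes before the Horizon sync.
REQUIRED = ("distinguishedName", "userPrincipalName")

# Constructed sample export; names and values are illustrative, not lab data.
SAMPLE_LDIF = f"""\
dn: CN=Alice Adams,OU=Users,DC=corp,DC=local
distinguishedName: CN=Alice Adams,OU=Users,DC=corp,DC=local
userPrincipalName: aadams@corp.local

dn: CN=Bob Baker,OU=Users,DC=corp,DC=local
distinguishedName: CN=Bob Baker,OU=Users,DC=corp,DC=local

dn: CN=Dana Lee,OU=Users,DC=corp,DC=local
distinguishedName: CN=Dana Lee,OU=Users,DC=corp,DC=local
userPrincipalName:: {base64.b64encode(b'dlee@corp.local').decode()}

dn: CN=Erin Example,OU=Contractors,OU=Users,DC=corp,DC=local
distinguishedName: CN=Erin Example,OU=Contractors,OU=Users,DC=corp,
 DC=local
userPrincipalName:
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    lines = re.sub(r"\r?\n ", "", text).splitlines()  # unfold continuation lines
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):      # skip LDIF comments
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def missing_attributes(text, required=REQUIRED):
    """Map each entry's DN to the required attributes that are absent or empty."""
    report = {}
    for e in (e for e in parse_ldif(text) if "dn" in e):
        missing = [a for a in required if not any(e.get(a.lower(), []))]
        if missing:
            report[e["dn"][0]] = missing
    return report
```

Accounts listed in the result of `missing_attributes()` should be corrected in the directory before syncing, since an attribute that is empty at the source cannot be populated by the sync.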

Create Virtual Apps Collection

You can integrate Horizon desktops and applications, Horizon Cloud desktops and applications, Citrix published resources, and ThinApp applications with VMware Identity Manager.

Beginning with the 3.1 release, these resources are managed with the new Virtual Apps Collections feature.

  1. Select the Catalog tab, being sure to click on the down arrow
  2. Select Virtual Apps

Review Existing Virtual Apps Catalog

Identity Manager has already been integrated with one Horizon Pod containing a single Horizon Connection Server: Horizon-01.corp.local.

  1. Review the list of applications in the catalog, which are delivered from Horizon-01. Note there are individual application names such as Notepad++ as well as desktop pool names like Instant Clone Pool.
  2. Review the associated application types. Note there are two types currently configured: Horizon View Application (published application) and Horizon View Desktop (VDI Desktop).

Open Virtual App Configuration

  1. Select Virtual App Configuration

Add Virtual Apps for Horizon View On-Premises

  1. Note there is an existing Virtual Apps configuration item of source type Horizon View On-Premises
  2. Select Add Virtual Apps
  3. Select Horizon View On-Premises

Configure Horizon View Virtual Apps

There are a number of configurable options when configuring Horizon View Virtual Apps. Only some of these will be used for this lab. Any options not specified in the lab manual should be left as default.

Virtual Apps Name

  1. In the Name field, enter Horizon02
  2. Verify the Sync Connector selected is vidm-01.corp.local

Horizon Pods Configuration

  1. Connection Server = horizon-02.corp.local
  2. Username = administrator
     (This is a domain account with administrative privileges in Horizon.)
  3. Password = VMware1!
  4. Check the box for Sync Local Entitlements

Local Entitlements refer to the desktop and application entitlements for a given Horizon pod. Global Entitlements refer to desktop and application entitlements across Horizon pods in a Cloud Pod Architecture (multiple pod) implementation.

In this lab you are working with a single Horizon pod so all entitlements are local.

The Connection Server field must use the FQDN of one of the Horizon Connection Servers.

In production Horizon implementations, it is common to configure a load-balancer virtual IP (VIP) in front of your Connection Servers. Do not use the VIP for this configuration step. You will configure the Client Access URL with the load-balancer VIP in a later exercise.

Save the Virtual Apps Configuration

  1. Select Save

Success Message

It may take several minutes for the virtual apps saved successfully notification to appear, and it will only be displayed briefly.

Sync Horizon Resources to Identity Manager

  1. Select Sync to begin syncing Horizon desktops, apps, and user entitlements from Horizon to Identity Manager

Wait for Sync

It may take several minutes for the Calculating Sync Actions step to complete.

Begin Sync of Horizon Resources

  1. Notice the desktop and entitlement that will sync. This is the Manual desktop pool with entitlement Domain Users you reviewed in a previous exercise.
  2. Select Save to continue

Successful Sync

It may take a few minutes for the sync to start.

Wait for Sync to Complete

  1. Wait for the SYNC STATUS to report Started
  2. Select Refresh

You may need to click Refresh more than once. If the status does not change to Completed, wait a few seconds and click Refresh again.

Successful Sync of Horizon Resources

  1. Wait for the SYNC STATUS to report Completed

Virtual Apps Sync Complete

You have successfully synced Horizon applications, desktops, and user entitlements to Identity Manager.

Review Changes to Virtual Apps Catalog

Identity Manager is now syncing Horizon resources from two independent Horizon implementations. Identity Manager creates a single catalog of desktop and application resources that can be distributed to end users.

  1. Select the arrow next to Catalog
  2. Select Virtual Apps

New Application in Virtual Apps Catalog

  1. Note the manual Horizon desktop pool Man-Pool1 is now available

Leave the Workspace ONE Management Console Open

Leave the Workspace ONE Management Console tab open in Chrome, as you will use it in the next lesson.
