We have now arrived at the final conclusion of this blog series—integration with Workspace ONE Access. Although not a requirement for a Horizon Cloud on Azure deployment, it does provide a way to aggregate all on-prem and cloud-based Horizon environments, SaaS applications, and even Citrix Virtual Apps and Desktops into a single, user friendly app catalog.

If you missed the first three blogs in the series, you can access them below:

• Part 1 – Introduction and Design
• Part 2 – Preparing the Azure Tenant
• Part 3 – Horizon Pod to Multi-session Win 10 Desktop

Before continuing with the steps below, please be sure you have met all prerequisites:

1. Workspace ONE Access tenant setup and integrated with Active Directory
2. Make sure to deploy a Connector which has access to your Horizon Cloud Azure tenant and Manager Nodes.
3. Determine FQDN for Horizon Cloud Manager Access
4. Certificate for Horizon Cloud Pod

Configure Horizon Cloud Manager Fully Qualified Domain Name

1. The Horizon Cloud Managers must be accessible by the Workspace ONE Access Connector via fully qualified domain name (FQDN). In a highly available deployment, we must obtain the LB IP to configure DNS. Login to your Azure admin portal, locate Virtual Networks, then select the Virtual Network which you deployed your Horizon Cloud Pod to.

2. Locate the Device name that ends with pod-lb. Note the IP Address for the Load balancer.

3. Now we need to configure DNS with an A record that corresponds to the pod-lb Load balanced IP Address. This will likely be configured on your internal DNS server. I named my Horizon Cloud manager pair hcaztenant1 but any available name will suffice.

Upload Certificate to Horizon Cloud Pod

A certificate must be uploaded to the Horizon managers so that the Workspace ONE Access Connector trusts the Pod managers.

1. Navigate to Settings and click on Capacity. Select the applicable Pod, click on the ellipses, then select Upload Certificate.

2. Browse to the applicable CA Certificate File, SSL Certificate File, and SSL Key File. Certificates and Keys must be in PEM format.

3. Under Summary you will now see the Pod has a valid CA Certificate and SSL Certificate.

Create a Horizon Cloud Virtual Apps Collection

1. Login to Workspace ONE Access tenant as Tenant Admin. Navigate to Catalog, then select Virtual Apps Collection.

2. Select New.

3. Select Horizon Cloud as the Source Type. 

4. Provide a Name for the Horizon Cloud collection. Select the Connector associated with your Horizon Cloud Active Directory and click Next.

5. Click to Add a Tenant.

6. In the Host field, type in the fully qualified domain name created above. Provide the Admin User and Password. Provide the Admin Domain and Domains to Sync. Must be the NETBIOS Domain.

7. Type in the Unified Access Gateway URL provided in the Horizon Cloud Pod setup. To enable Single Sign-On from Workspace ONE Access to Horizon Cloud desktops, TrueSSO can be configured here as well. The configuration of TrueSSO is outside the scope of this blog, though it is recommended for an enhanced user logon experience. I will leave TrueSSO Click Add.

8. Return to the New Horizon Cloud Collection wizard and click Next.

9. Configure the Sync, Activation, and Launch Client

The options for Sync are Manual, Weekly, Daily, and Hourly. This setting specifies when changes to pools and entitlements are replicated to Workspace ONE Access.

Select whether the collection will appear to all users automatically or if users should select it from the catalog.

Choose between Browser, Native, or None as the Default Launch Client.

10. Review the settings provided for the new Horizon Cloud Collection. If correct, click Save.

11. The new Horizon Cloud Collection is now available in Workspace ONE Access.

Horizon Cloud Service and Workspace ONE Access SAML Integration

1. Before configuring the Horizon Cloud Service and Workspace ONE Access integration, the WS1 Access Metadata URL must be obtained. While logged into WS1 Access as Tenant Admin, navigate to Catalog the select Web Apps.

2. Click on Settings.

3. Select SAML Metadata then click Copy URL to copy the Metadata URL to your clipboard.

4. Return to the Horizon Cloud Service admin console. Select Settings, then Identity Management to bring up the Workspace ONE Access integration configuration. Click on New to integrate with your Workspace ONE Access environment.

5. Paste in the Metadata URL obtained from Step 3 Select the appropriate Location, Pod, and Data Centersettings. Type in the Client Access FQDN, which is the DNS name provided for the external Unified Access Gateway. To ensure users can only access the Horizon Pod through Workspace ONE, click to enable Workspace ONE Redirection (you may leave this disabled if users will access the Pod directly through the Horizon Client). Click Save.

6. Back at the Identity Management page, the Workspace ONE Access Configuration will show a Status of green if successful. Click Configure to further enable WS1 Access user redirection.

7. Configure the desired settings to force Remote and/or Internal Users to WS1 Access for logon. This is key for advanced authentication policy enforcement as well as providing the ability to leverage more advanced identity providers, such as Ping and Okta.

8. Now the Horizon Cloud desktop is ready to be launched from Workspace ONE. Access the Workspace ONE tenant and login as a user. You may have to sync the Virtual Apps Collection, and be sure the users and groups associated with the entitlement are synced as well.

9. On the next screen type in your Username and Password. You will be logged into Workspace ONE. Navigate to Apps and see that the new Windows 10 Multi-session Virtual Desktop pools are available!

10. When launching a desktop, Workspace ONE prompts for a password. This is because TrueSSO was not configured in this run through. To avoid the prompt and allow direct launch of the desktop, configure TrueSSO. See here for more details: Setting Up True SSO.

11. And voila, a Windows 10 Enterprise Multi-session desktop with Microsoft Office pre-installed!

For those who made it through all 4 blog posts, thank you for following along. With the automation included within the deployment of many of the Horizon Cloud management and access components, the level of effort in build outs is definitely much reduced. Of course, there are a few gotchas and caveats to look out for, especially in the pre-build work in Azure, and integration work found in this blog around Workspace ONE Access. 

There is another exciting development I’d like to share. At the time I began this blog, the newest version of Horizon Cloud on Azure did not include support for App Volumes or the Universal Broker. I am excited to share that version 3.1 does support both in greenfield deployments. See here for more details.

And finally, if you would like to walk through the steps outlined in the blog series live, please check out the recording of the webinar here.