Workspace ONE Access – Hook up virtual desktops

I will continue by adding more application sources into our unified application portal. In the last post, we successfully added our first SaaS application (the SAML integration of the Salesforce app); now it’s time to bring in virtual applications and desktops. Specifically, I will work on the VMware Horizon platform, but keep in mind that Workspace ONE Access can integrate with the Citrix platform too.

The important thing to clarify right away is that Workspace ONE Access replaces only the authentication part of the connection flow. The BLAST/PCoIP display protocol traffic is still handled by Horizon (or by the Unified Access Gateway for external access). No changes there.

Assumptions

I am assuming that you have access to a Workspace ONE Access environment and that you have successfully installed VMware Horizon. If you need help with installing Horizon, there is an excellent post about it on Carl Stalhood’s blog.

Modify Horizon configuration

We need to start with our connection server (all of them if you have multiple) and make sure they are ready for SAML authentication. Start by navigating to Settings > Servers > Connection Server. Click on the connection server name and hit Edit.

Go to the Authentication tab and switch the delegation mode to Allowed. This will not impact your current environment, because users will still be able to use passwords for authentication. If you go with the Required mode, it unlocks the “Workspace ONE mode”, which means that every single logon has to go through Workspace ONE Access and all the good conditional access stuff is applied. I will describe this option in a different article.

Click on the newly visible “Manage SAML Authenticators” button.

Click Add, as we need to add our Workspace ONE Access as a SAML authenticator.

Fill in the form. The Label and Description fields are not that important; you can put whatever you like there. What is important is the URL of our IdP metadata, which must point to our Workspace ONE Access server. You just need to provide the FQDN; the rest is prefilled for you.

If you want to be 100% sure that the URL is correct, you can validate it against the URL listed in Workspace ONE Access:
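Beyond comparing the URL, it is worth checking that the metadata document Horizon will fetch from it really describes our Access server: the entityID and SSO endpoints should be HTTPS URLs on the Access FQDN, and a signing certificate must be present, otherwise Horizon cannot verify the SAML assertions. The following is an added example (not code from the original post or from VMware): it parses an IdP metadata document and reports such problems. The embedded metadata sample, its hostnames, paths and "certificate" are constructed placeholders; the metadata URL path is an assumption, not a documented one.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: hostnames, paths and "certificate" are placeholders, not real output.
FAKE_CERT_DER = b"placeholder bytes, not a real X.509 certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://access.example.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(FAKE_CERT_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://access.example.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://access.example.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode()

def parse_idp_metadata(xml_bytes: bytes) -> dict:
    """Return entityID, SSO endpoints keyed by binding, and signing-cert SHA-256."""
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)          # absent => not IdP metadata
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    fingerprint = None
    if cert is not None and cert.text:
        der = base64.b64decode("".join(cert.text.split()))   # drop whitespace/newlines
        fingerprint = hashlib.sha256(der).hexdigest()
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert_sha256": fingerprint}

def check_idp_metadata(xml_bytes: bytes, access_fqdn: str) -> list:
    """List problems; empty means every URL is https on our Access FQDN and a cert exists."""
    info = parse_idp_metadata(xml_bytes)
    urls = {"entityID": info["entity_id"], **info["sso"]}
    problems = [f"{name} is not https on {access_fqdn}: {url}"
                for name, url in urls.items()
                if (urlparse(url or "").scheme, urlparse(url or "").hostname)
                != ("https", access_fqdn)]
    if "HTTP-POST" not in info["sso"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate, so assertions cannot be verified")
    return problems
```

Run it against the metadata downloaded from your own Access server and compare the reported certificate fingerprint with the one shown in the Access admin console.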

Then just hit Save and OK.

And another OK.

And that’s it, Horizon is ready for the integration. If you have multiple connection servers, repeat this for each of them.

Access Configuration

Now the second part. In Workspace ONE Access go to Catalog > Virtual Apps Collection.

A wizard should start; if it does not, you are running an old version of Access and I would recommend upgrading first.

We will be doing on-prem Horizon, so choose that option.

Give the integration a name (it can be anything) and pick the connector that will communicate with Horizon. At the time of writing this article, the latest connector supporting the Horizon integration is 19.03 (20.01 supports neither Horizon, Citrix nor ThinApp).

Then we will need to add a Horizon pod.

Specify a connection server or load-balanced name, an account that can access Horizon administration, and the password for this account. I will cover the True SSO option in another article, so let’s keep it disabled for now. Click Save.

Hit Next.

You can keep the defaults, but I usually switch the default client to native and push the Horizon resources to users automatically; this is up to you. Click Next.

On the recap page click “Save & Configure Network Range”.

Network range configuration is very important, as it defines the Horizon entry point (connection server / UAG) for a given network. You might set it differently for LAN and Internet connections; in my setup I will simply modify the ALL RANGES config.

Client Access FQDN is the key here. This should be the FQDN of either a connection server or a UAG that is reachable from that network range. Once you are done, hit Save.

You should see a new Virtual Apps Collection, but most probably it will not be synced yet, so select it and click Sync.

You will be presented with a summary of what will happen. Two important things to mention:

First – Access will synchronize entitlements only for users who are already synchronized from AD to Access.
Second – Access does not control entitlements (unlike for web apps); you still have to manage those in Horizon administration, and the sync just copies them over.

Wait for the sync to complete.

Just to verify everything worked according to plan, open a user you know should have some Horizon resource; you should be able to see it in Access.

If you log in as that user, sure enough, you can launch the Horizon desktops and apps. Note: they will not be in Favorites; look for them in the Apps tab.

That’s it. Let’s set up an MFA with VMware Verify in the next post.