PLATFORM INTEGRATION

REVISED 6 NOVEMBER 2018


Table of Contents

Platform Integration

– Workspace ONE UEM and VMware Identity Manager Integration

– Horizon Cloud Service and VMware Identity Manager Integration

– Communication Flow When Opening a Horizon Cloud Resource


VMware Workspace ONE Cloud-Based Reference Architecture - Platform Integration

Platform Integration

After the various VMware Workspace ONE® and VMware Horizon® Cloud Service™ products and components have been designed and deployed, there are one-time integration tasks that should be completed to realize the full power of the Workspace ONE platform.

Integrate VMware Workspace ONE® UEM with VMware Identity Manager™.

Integrate Horizon Cloud Service with VMware Identity Manager.

Workspace ONE UEM and VMware Identity Manager Integration

VMware Identity Manager and Workspace ONE UEM (powered by AirWatch) are built to provide tight integration between identity and device management. This integration has been simplified in recent versions to ensure that configuration of each product is relatively straightforward. For information about the latest release, see Integrating Workspace ONE UEM With VMware Identity Manager in the Guide to Deploying VMware Workspace ONE with VMware Identity Manager.

Although VMware Identity Manager and Workspace ONE UEM are the core components in a Workspace ONE deployment, you can also deploy a variety of other components, depending on your business use cases. As the following figure shows, you can use VMware Workspace ONE® UEM Secure Email Gateway (SEG) for access to an on-premises Exchange server, or use VMware Unified Access Gateway™ to provide VMware Workspace ONE® Tunnel or VPN-based access to internal resources. Refer to INTEGRATIONS in the VMware Workspace ONE UEM Online Help for documentation of the full range of components that apply to a deployment.


Figure: Sample Workspace ONE Architecture

Many other enterprise components can be integrated into a Workspace ONE deployment. These components include technologies such as a Certificate Authority, Active Directory, file services, email systems, SharePoint servers, external access servers, or reverse proxies. We assume that any of these enterprise systems your deployment requires are already in place and functional.

To successfully integrate Workspace ONE UEM with VMware Identity Manager, you can use the Workspace ONE Getting Started wizards. The Identity and Access Management wizard walks you through setting up the AirWatch Cloud Connector to allow the components of Workspace ONE, Workspace ONE UEM, and VMware Identity Manager to communicate with your Active Directory. Documentation for this process is available in the Guide to Deploying VMware Workspace ONE.

AirWatch Cloud Connector and Directory Integration Configuration Wizard

You can use the Workspace ONE wizards to set up the AirWatch Cloud Connector, Active Directory integration, and VMware Identity Manager integration.


Figure: Identity and Access Management Wizard

The first step in the wizard is to connect the Workspace ONE UEM tenant to the VMware Identity Manager tenant.

Figure: Connect to VMware Identity Manager

After you enter the fully qualified domain name and supply authentication credentials for the VMware Identity Manager tenant, the connection can be made.

The Workspace ONE UEM Administration Console servers must be able to reach the VMware Identity Manager tenant through port 443.

The VMware Identity Manager tenant must be able to reach the AirWatch API service through port 443.

After the connection is made, the first step in the Identity and Access Management wizard is marked as complete.

Figure: Identity and Access Management Wizard – Connection to VMware Identity Manager Completed

The next step in the Identity and Access Management wizard is to install the AirWatch Cloud Connector and connect Workspace ONE UEM to Active Directory.


Figure: AirWatch Cloud Connector and VMware Identity Manager Connector

The AirWatch Cloud Connector provides the ability to integrate Workspace ONE UEM with an organization’s backend enterprise systems. It is enabled in the Workspace ONE UEM Console and is downloaded to a Windows Server in the enterprise to enable communication between Active Directory and the Workspace ONE service.

Figure: Download the AirWatch Cloud Connector


The wizard prompts you to set up a password before downloading the AirWatch Cloud Connector installer. Use this password while running the installer.

Previous versions of Workspace ONE UEM provided access to the AirWatch Cloud Connector by the use of the Enterprise Systems Connector installer, a bundled installer of the AirWatch Cloud Connector and VMware Identity Manager. With current versions of Workspace ONE UEM, the VMware Identity Manager connector is downloaded as a separate installer.

Active Directory Integration

The next step, after setting up the AirWatch Cloud Connector, is to enter your Active Directory details and bind authentication information to integrate AD with Workspace ONE UEM. Because you are making connections from the AirWatch Cloud Connector, ensure that networking is in place and that server IPs and hostnames can be resolved.

Figure: Connect to Active Directory

VMware Identity Manager Connector Configuration

The VMware Identity Manager Connector provides connectivity to sync with the user directory, such as Active Directory. The VMware Identity Manager Connector also provides user authentication and integration with Horizon Cloud, along with the following capabilities:

– Many authentication methods for external users, including password, RSA Adaptive Authentication, RSA SecurID, and RADIUS

– Kerberos authentication for internal users

– Access to VMware Horizon® Cloud Service™ resources

– Access to VMware Horizon® 7 resources

– Access to Citrix-published resources

To set up the VMware Identity Manager Connector along with directory integration, see Deploying the VMware Identity Manager Connector and Integrating Your Enterprise Directory with VMware Identity Manager in VMware Identity Manager Cloud Deployment.

Catalog Population

The unified Workspace ONE app catalog contains many types of applications. SaaS-based SAML apps and Horizon Cloud apps and desktops are delivered through the VMware Identity Manager catalog, and native mobile apps are delivered through the Workspace ONE catalog.

Table: Configuration Considerations for Populating the VMware Identity Manager Catalog

Resource: SaaS apps
Configuration considerations:
- To add a new SaaS application, go to the Catalog tab, select Web Apps from the drop-down list, and select New.
- Applications can be defined manually, or a predefined application template can be customized. See Adding a Web Application to Your Catalog in Setting Up Resources in VMware Identity Manager (Cloud) or Guide to Deploying VMware Workspace ONE.
- You can manually create SaaS apps that do not have a template in the cloud catalog by using the appropriate parameters.
- Assign the appropriate users or groups to the applications being published and choose whether the entitlement is user-activated or automatic.

Resource: Horizon Cloud
Configuration considerations:
- For the Mobile Application Workspace service, because Horizon Cloud resources are published, the application pools must be published. Entitlements are synced from the Horizon Cloud environment to VMware Identity Manager. For more information, see Horizon Cloud Service and VMware Identity Manager Integration in this guide.
- Horizon Cloud tenants are added into the VMware Identity Manager catalog.
- For external publishing, Unified Access Gateway allows access to the Horizon Cloud desktops and applications.

Table: Configuration Considerations for Populating the Workspace ONE UEM Catalog

Resource: Native mobile apps
Configuration considerations:
- In the Workspace ONE UEM Console, you use the Apps and Books node to assign apps from the public app stores to their respective device platforms. Apps are defined by platform (iOS, Android, Windows, and more) and located in the app store for that platform.
- The apps are then assigned to Smart Groups as appropriate.
- Application configuration key values are provided to point the Workspace ONE app to the appropriate VMware Identity Manager tenant.
- Recommended apps to deploy include the Workspace ONE mobile app and popular Workspace ONE apps such as VMware Workspace ONE® Boxer, VMware Workspace ONE® Content, and VMware Workspace ONE® Browser.


Device Profile Configuration and Single Sign-On

Device profiles provide key settings that are applied to devices as part of enrollment in Workspace ONE UEM. The settings include payloads, such as credentials, passcode requirements, and other parameters used to configure and secure devices. Different payloads are configured in different services for this document, but SSO is a common requirement across all devices and use cases.

Table: Configuration Considerations for Device Profiles in Workspace ONE UEM

Device profile: iOS SSO
Configuration considerations:
- The iOS platform uses the mobile SSO authentication adapter. The authentication adapter is enabled in VMware Identity Manager and added to an access policy. A profile is deployed that provides the appropriate certificate payloads to support trust between the user, the iOS device, Workspace ONE UEM, and VMware Identity Manager. For more information, see Horizon Cloud Service and VMware Identity Manager Integration in this guide.
- Use the Mobile SSO Getting Started wizard to enable mobile SSO in your environment.
- The Mobile SSO wizard creates an SSO profile that uses a certificate issued by the AirWatch Certificate Authority.

Device profile: Android SSO
Configuration considerations:
- Android uses the mobile SSO authentication adapter. It is enabled in VMware Identity Manager and added to an access policy. A profile is deployed to support SSO.
- Use the Mobile SSO Getting Started wizard to enable mobile SSO in your environment. For more information, see the Guide to Deploying VMware Workspace ONE.
- The Mobile SSO wizard creates the necessary Workspace ONE Tunnel device profile, publishes the Workspace ONE Tunnel application, and creates the required network rules.

Device profile: Windows 10 SSO
Configuration considerations:
- Windows 10 SSO uses certificate authentication. A certificate is generated from the AirWatch CA through a SCEP (Simple Certificate Enrollment Protocol) profile. When a device profile is deployed, the appropriate certificates are generated for the user and are installed on the user’s device. The certificate (cloud deployment) authentication adapter is enabled to use Windows 10 SSO. For more information, see the Guide to Deploying VMware Workspace ONE.
- The user is prompted to select a certificate at Workspace ONE app launch.
- For device-compliance checking to function, part of the certificate request template for Workspace ONE UEM must include a SAN type of DNS Name with a value of UDID={DeviceUid}.

The VMware Identity Manager directory synchronizes user account information from Active Directory and uses it for entitling applications to users through the Workspace ONE app or browser page. For SSO and True SSO to work when integrating with VMware Identity Manager and Horizon Cloud, a number of configuration considerations apply.

Table: Configuration Considerations for Features in VMware Identity Manager

Component: VMware Identity Manager catalog
Configuration considerations:
- This catalog is the launch point for applications through the Workspace ONE portal. Applications in the following categories are expected to be configured: SaaS apps, VMware ThinApp® packages, Horizon Cloud desktop assignments, VMware Horizon apps, and Horizon Cloud RDSH-published apps.

Component: True SSO
Configuration considerations:
- True SSO support is configured in VMware Identity Manager to ensure simple end-user access to desktops and apps without multiple login prompts and without requiring AD credentials.

Component: Identity Manager Connectors
Configuration considerations:
- VMware Identity Manager Connectors are placed in the internal network in order to ensure that users external to the organization can access the resources that have been configured in the Workspace ONE catalog.

Component: ThinApp packages
Configuration considerations:
- A ThinApp repository with ThinApp packages can allow use of ThinApp packages through the VMware Identity Manager catalog. ThinApp 4.7.2 and later packages are supported. You must install the VMware Identity Manager desktop application in order to use ThinApp packages in your environment. For more information, see Providing Access to VMware ThinApp Packages in Setting Up Resources in VMware Identity Manager (Cloud).

Component: SaaS-based web apps
Configuration considerations:
- SaaS-based applications that use SAML as an authentication method can be accessed through VMware Identity Manager. Configuration of applications is done through the templates in the cloud application catalog. See Setting Up Resources in VMware Identity Manager (Cloud).

Component: Horizon Cloud desktop assignments
Configuration considerations (perform these tasks):
- In the VMware Identity Manager administration console, create one or more virtual apps collections for the Horizon Cloud tenants. See Setting Up Resources in VMware Identity Manager (Cloud).
- Configure SAML authentication between VMware Identity Manager and the Horizon Cloud tenants.

Component: Horizon Cloud published applications
Configuration considerations:
- RDSH-published applications and their entitlements populate the VMware Identity Manager catalog when Horizon Cloud tenants are configured as described for virtual desktop assignments.

Component: Kerberos authentication
Configuration considerations (perform these tasks):
- To provide SSO to the VMware Identity Manager catalog, the appropriate authentication methods must be enabled.
- The default authentication method is password, which prompts for the user’s Active Directory user ID and password.
- If Kerberos is enabled as the default authentication method, the user’s Windows credentials are passed to VMware Identity Manager when the user opens the catalog.
- Kerberos authentication must be enabled under the Connectors section in the administration console. See Implementing Kerberos for Desktops with Integrated Windows Authentication in the VMware Identity Manager Administration Guide (Cloud).

Component: Access policies for Kerberos authentication
Configuration considerations:
- Access policies are configured to establish how users will authenticate to an operating system, network, or application.
- Use the Identity and Access Management tab to manage policies and edit the default access policy, as described in the Managing Access Policies section in the VMware Identity Manager Administration Guide (Cloud). For the web browser, choose Kerberos as the first authentication method, and Password (cloud deployment) as the second.
- You might want to use different policies for different network ranges so that Kerberos is used for internal connections but other authentication methods are used for external connections.
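The following is an added illustration, not VMware's code or policy engine: a constructed model of how an access policy selects a rule by network range and then falls back from the first authentication method to the second, as the table above describes for browser access. The CIDR ranges, rule names and method chains are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of access-policy evaluation (not VMware's engine).
# A rule applies to a network range and lists authentication methods in
# order; the next method is offered only when the previous one fails,
# which is the Kerberos-first, Password-second pattern the guide
# recommends for browser access from the internal network.


@dataclass(frozen=True)
class PolicyRule:
    name: str
    network_range: str   # CIDR the rule applies to
    methods: tuple       # ordered authentication methods


# Hypothetical network ranges and method chains for illustration.
# External connections get a different method and never attempt Kerberos.
POLICY = (
    PolicyRule("internal-browser", "10.0.0.0/8",
               ("Kerberos", "Password (cloud deployment)")),
    PolicyRule("external-browser", "0.0.0.0/0", ("RSA SecurID",)),
)


def select_rule(source_ip, policy=POLICY):
    """Return the most specific rule whose network range contains source_ip."""
    ip = ipaddress.ip_address(source_ip)
    matches = [r for r in policy
               if ip in ipaddress.ip_network(r.network_range)]
    if not matches:
        return None
    return max(matches,
               key=lambda r: ipaddress.ip_network(r.network_range).prefixlen)


def evaluate(source_ip, authenticators, policy=POLICY):
    """Walk the selected rule's method chain.

    authenticators maps a method name to a callable returning True on
    success. A method the client cannot perform at all (Kerberos from
    outside the domain network, say) is simply absent and counts as a
    failure, so the chain moves on to the next method.
    Returns (decision, rule name, methods attempted in order).
    """
    rule = select_rule(source_ip, policy)
    if rule is None:
        return ("deny", None, [])
    attempted = []
    for method in rule.methods:
        attempted.append(method)
        check = authenticators.get(method)
        if check is not None and check():
            return ("allow", rule.name, attempted)
    return ("deny", rule.name, attempted)
```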

Horizon Cloud Service and VMware Identity Manager Integration

Horizon Cloud can be integrated into Workspace ONE through VMware Identity Manager. You can set up SSO for Horizon Cloud apps and desktops, ensure security with multi-factor authentication, and control conditional access.


The Horizon Cloud license includes the cloud-hosted version of VMware Identity Manager, which supports access to Horizon Cloud apps and desktops only. Horizon Cloud can be used with other license types and deployment models of VMware Identity Manager (such as on-premises) if access to other apps, such as Horizon 7 apps and desktops, SaaS apps, or mobile apps, is also required.

Figure: VMware Identity Manager and VMware Horizon Cloud Synchronization

With Horizon Cloud Service on Microsoft Azure, you can specify creation of a cloud-based VMware Identity Manager tenant during the node deployment process. The VMware Identity Manager tenant is associated with your Horizon Cloud customer record. Nodes that already exist for the same Horizon Cloud customer record can then be integrated with that tenant.

Integrating Horizon Cloud Service with a cloud-hosted VMware Identity Manager tenant consists of three high-level steps:

1. Complete the prerequisite steps of deploying a VMware Identity Manager Connector and configuring Active Directory synchronization, as outlined in AirWatch Cloud Connector and Directory Integration Configuration Wizard.

2. Create one or more virtual apps collections.

3. Configure SAML authentication in your Horizon Cloud tenant.

Virtual Apps Collection Creation

You can integrate Horizon Cloud desktops and applications into VMware Identity Manager by using virtual apps collections.


Figure: Add a Virtual Apps Collection to the Catalog in VMware Identity Manager

You create a Horizon Cloud virtual apps collection for each Horizon Cloud node that will host desktop or application capacity.

Figure: Add Horizon Cloud Virtual Apps to the Collection

The virtual apps collection contains configuration information about your Horizon Cloud tenant, VMware Identity Manager Connectors, and settings to sync resources and entitlements to VMware Identity Manager.


Figure: Complete the Add Horizon Cloud Tenant Wizard

For more information on configuring virtual apps collections, see Using Virtual Apps Collections for Desktop Integrations in Setting Up Resources in VMware Identity Manager (Cloud).

SAML Authentication Configuration

After you create a virtual apps collection for the Horizon Cloud tenant in the VMware Identity Manager console, configure SAML authentication in the Horizon Cloud tenant.

You can create a new Identity Management entry for each node in your Horizon Cloud tenant.


Figure: Configure SAML Authentication on the Horizon Cloud Node

For more information, see Configure SAML Authentication in the Horizon Cloud Tenant in Setting Up Resources in VMware Identity Manager (Cloud).

Communication Flow When Opening a Horizon Cloud Resource

After Horizon Cloud has been integrated with VMware Identity Manager, a user can select a Horizon resource, such as a desktop or a published application, from the Workspace ONE browser page or mobile app.

The following figure depicts the flow of communication that takes place when a user selects and launches an entitled Horizon desktop or application.


Figure: Traffic Flow on Launch of a Horizon Cloud Resource from Workspace ONE

1. After the user is authenticated to VMware Identity Manager, either in a browser or using the Workspace ONE app, the user selects and launches a Horizon resource.

2. VMware Identity Manager generates a SAML assertion and an artifact that contains the vmware-view URL. It returns this URL to the browser on the client device (vmware-view://URL SAMLArt=<saml-artifact>).

3. The default URL handler for vmware-view types (normally the VMware Horizon® Client™) is launched using the URL that was returned in the artifact (XML-API request do-submit-authentication <saml-artifact>).

4. If in-line, VMware Unified Access Gateway™ (UAG) proxies the authentication to the Horizon Cloud node.

5. The Horizon Cloud node performs a SAML resolve against VMware Identity Manager (<saml-artifact>).

6. VMware Identity Manager validates the artifact and returns an assertion to the Horizon Cloud node (<saml-assertion>).

7. The Horizon Cloud node returns successful authentication (XML-API OK response submit-authentication).

8. If in-line, Unified Access Gateway returns the successful authentication to the Horizon Client.

9. The remote protocol client launches the session with the parameters returned.

10. If in-line, Unified Access Gateway proxies the protocol session to the Horizon Agent in the virtual desktop or RDSH server (if the resource is a published application or desktop).
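The launch flow above, as an added example that is not VMware's code: a constructed model in which the identity manager hands the client only an opaque artifact, and the Horizon Cloud node resolves that artifact back to the assertion, so a replayed, unknown or stale artifact is rejected at resolve time. The class names, the artifact lifetime, the node hostname and the exact query layout of the vmware-view URL are assumptions; the page only gives the shape vmware-view://URL SAMLArt=<saml-artifact>.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed model of steps 2 to 7 of the launch flow (not VMware code).
ARTIFACT_TTL_SECONDS = 60  # assumed: artifacts are short-lived


@dataclass(frozen=True)
class Assertion:
    subject: str       # authenticated user
    resource: str      # entitled desktop or published application
    issued_at: float


class IdentityManager:
    """Stand-in for the VMware Identity Manager tenant."""

    def __init__(self):
        self._pending = {}  # artifact -> (assertion, expiry time)

    def launch(self, user, resource, node_host, now=None):
        """Step 2: mint an assertion, return a URL carrying only the artifact."""
        now = time.time() if now is None else now
        assertion = Assertion(user, resource, now)
        artifact = secrets.token_urlsafe(24)  # unguessable, carries no user data
        self._pending[artifact] = (assertion, now + ARTIFACT_TTL_SECONDS)
        return f"vmware-view://{node_host}/?SAMLArt={artifact}"

    def resolve(self, artifact, now=None):
        """Steps 5-6: release the assertion once; replay, unknown or expiry fails."""
        now = time.time() if now is None else now
        entry = self._pending.pop(artifact, None)  # single use
        if entry is None:
            return None
        assertion, expiry = entry
        return assertion if now <= expiry else None


class HorizonCloudNode:
    """Stand-in for the Horizon Cloud node (an in-line UAG only proxies this)."""

    def __init__(self, host, idm):
        self.host = host
        self.idm = idm

    def submit_authentication(self, artifact, now=None):
        """Steps 4-7: resolve the artifact against the IdP, answer OK or error."""
        assertion = self.idm.resolve(artifact, now)
        if assertion is None:
            return {"result": "error", "reason": "artifact not resolved"}
        return {"result": "ok", "user": assertion.subject,
                "resource": assertion.resource}


def horizon_client_launch(view_url, node, now=None):
    """Step 3: the vmware-view URL handler extracts the artifact and submits it."""
    parts = urlsplit(view_url)
    if parts.scheme != "vmware-view" or parts.hostname != node.host:
        return {"result": "error", "reason": "URL not for this node"}
    artifact = parse_qs(parts.query).get("SAMLArt", [None])[0]
    if artifact is None:
        return {"result": "error", "reason": "no SAMLArt in URL"}
    return node.submit_authentication(artifact, now)
```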


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright © 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.