Configure VMware Identity Manager SaaS tenant with VMware Horizon Cloud

A short write-up on configuring a vIDM SaaS tenant and integrating it with Horizon Cloud.

Since it is SaaS based, VMware will set up the IDM tenant and give you a URL to connect to and configure your resources. Currently vIDM SaaS doesn’t support a custom FQDN; the tenant URL will always be https://*.vmwareidentity.com. If you need a custom FQDN, go for the on-prem implementation.

Connector Configuration

Let’s start with the IDM connector installation, skipping the standard installer prompts and terms screens.

  • Change the installation directory if you want it in a different location.
  • Provide a hostname for the connector; by default it picks up the system hostname.
  • If you plan to use IWA to bind to the domain, run the connector service using an AD service account; otherwise you can run it with the system account. I’m going to use IWA here.
  • Finish the installer and it will offer to open the admin console. If you say no, you can always open it later at https://<hostname>:8443
  • Before you continue configuring the connector, we need to generate an activation code for it in the IDM SaaS tenant.
  • Navigate to your IDM SaaS tenant (https://*.vmwareidentity.com) administration console > Identity & Access Management > Setup > Add Connector
  • Give it a name and click Generate Activation Code.
  • Copy the activation code and keep it handy for configuring the connector.
  • Jump back to the connector admin UI and set up a password.
  • In the Activate Connector tab, paste the activation code generated in the SaaS UI.
  • Initial setup of the connector is complete. As a next step we need to upload the root CA used by Horizon Cloud. You could skip this step for now and set up Directories, but I prefer to configure the Trusted CAs in the connector and be done with it.
  • Log in to the connector UI at https://localhost:8443/cfg and navigate to Trusted CAs. Add the CA cert; the service restarts automatically when you add it.
  • This step is needed to add Virtual Apps under Catalog. Without the trusted CA, adding Virtual Apps would fail.
  • We’re done with the connector installation and configuration.

Configure Directories

  • Log in to the SaaS UI and navigate to Identity & Access Management > Directories
  • Select Add Directory. I chose IWA, and as a prerequisite I ran the connector service under a domain service account.
  • Configure the required parameters, choose sAMAccountName as the search attribute and use the appropriate bind credentials.
  • Select the domain to add.
  • Select the user attributes; note they can’t be changed after the directory is created.
  • If you wish to choose other parameters, navigate to Identity & Access Management > Setup > User Attributes and change them as you need.
  • Sync the required groups; I’m going to sync just a test group. Sync time will vary with the size of the sync.
  • Configure the sync frequency as needed.
  • Refer to the sync logs for any errors and success messages.
  • Once the directory is created, let’s move on to configuring the IdP.

Configure IdP

  • There will be a WorkspaceIdP of type Identity Manager, with Directory set to the one we just added.
  • We will need to configure the Built-In IdP to use the directory and the appropriate auth method, as shown below.
  • If you don’t have a Built-In IdP, create one.

Configure Access Policies

  • Set up appropriate access policies; I’m setting up a basic policy here. You can customize it as you need.
  • I’m configuring the Password (Cloud Deployment) auth method in the default access policy.

Configuring Virtual Apps

  • Configure Virtual Apps; here I’m going to use Horizon Cloud.
  • Tenant Host will be the Horizon Cloud user portal address.
  • Domain will be the NetBIOS name of your domain.
  • Assertion Consumer Service URL will be http://<user portal URL>
  • If the UPN is different from the domain name, you can choose a custom Name ID value.
  • Select the sync frequency and you’re done.

Configure Horizon Cloud

  • Log in to the Horizon Cloud admin portal > Settings > Identity Management
  • Use the IdP URL from identity
  • The IdP metadata URL can be taken from the IDM SaaS portal.
  • Sync the catalog, or let it sync on the schedule configured.
  • Try connecting to vIDM as a user; you should see the entitled applications/desktops and be able to launch them.
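An added check, not code from the original post: a small Python script that parses the IdP metadata document downloaded from the tenant (a constructed sample is embedded; the tenant name, URL paths and certificate bytes are placeholders, not real vIDM values) and flags what is worth catching before pointing Horizon Cloud at it: an entityID outside vmwareidentity.com, a missing or malformed signing certificate, and any SSO endpoint not served over HTTPS.

```python
import base64
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the tenant name, URL paths and certificate bytes are placeholders,
# not real vIDM values. Real metadata comes from the IdP metadata URL in the SaaS console.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x82placeholder-der-bytes").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example-tenant.vmwareidentity.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.vmwareidentity.com/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://example-tenant.vmwareidentity.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract entityID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a key with no 'use' signs and encrypts
            certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}

def check_idp_metadata(meta):
    """Return a list of findings; an empty list means the metadata looks sane."""
    findings = []
    host = urlparse(meta["entity_id"]).hostname or ""
    if not host.endswith(".vmwareidentity.com"):  # SaaS tenants always live under this domain
        findings.append(f"entityID host {host!r} is not a vmwareidentity.com tenant")
    if not meta["signing_certs"]:
        findings.append("no signing certificate: Horizon Cloud could not verify assertions")
    if any(not base64.b64decode(c).startswith(b"\x30") for c in meta["signing_certs"]):
        findings.append("a signing certificate does not decode to X.509 DER (SEQUENCE tag)")
    for binding, url in meta["sso"].items():
        if urlparse(url).scheme != "https":  # credentials and assertions must not go over plain HTTP
            findings.append(f"{binding} SSO endpoint {url} is not https")
    return findings
```

Run it against the file saved from the tenant’s IdP metadata URL by reading that file into `parse_idp_metadata` instead of `SAMPLE_METADATA`; any finding should be resolved in the tenant before the catalog is synced.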

Hope this helps!! 
