Short write-up on configuring a vIDM SaaS tenant and integrating it with Horizon Cloud
Since it's SaaS based, VMware will set up the IDM tenant and you will have a URL to connect to and configure your resources. Currently vIDM SaaS doesn't support a custom FQDN; the tenant will always be https://*.vmwareidentity.com. If you need a custom FQDN, go for the on-prem implementation.
Connector Configuration
Let's start with the IDM connector installation, skipping the standard installer prompts and terms screens.
- Change the installation directory if you want it to be in a different location
- Provide a hostname for the connector, by default it’ll pick the system hostname
- If you plan to use IWA to bind to the domain, run the connector service under an AD service account; otherwise you can run it with the system account. I'm going to use IWA here.
- Finish the installer and it’ll give you an option to open the admin console. If you say no, you can always open it at https://<hostname>:8443
- Before you continue configuring the connector, we need to generate an activation code for the connector in the IDM SaaS tenant.
- Navigate to your IDM SaaS tenant https://*.vmwareidentity.com administration console > Identity & Access Management > Setup > Add Connector
- Give it a name and click on Generate Activation Code
- Copy the activation code and have it handy to configure the connector.
- Jump back to the connector admin UI and setup a password.
- In the Activate Connector tab, paste the Activation code generated in the SaaS UI.
- Initial setup of the connector is complete. As a next step we need to upload the root CA used by Horizon Cloud. You could skip this step for now and set up Directories, but I prefer to configure the Trusted CAs in the connector and be done with it.
- Log in to the connector UI at https://localhost:8443/cfg and navigate to Trusted CAs. Add the CA cert; when you add it, the service restarts automatically.
- This step is needed to add Virtual Apps under Catalog. Without the trusted CA, adding Virtual Apps would fail.
- We're done with the connector installation and configuration.
Configure Directories
- Log in to the SaaS UI and navigate to Identity & Access Management > Directories
- Select Add Directory. I chose IWA; as a prerequisite I ran the connector service under a domain service account.
- Configure the required parameters, choose sAMAccountName as the search attribute and use the appropriate bind credentials.
- Select the Domain to add
- Select the user attributes; note they can't be changed after the directory is created.
- If you wish to choose other parameters, navigate to Identity & Access Management > Setup > User Attributes and change as you need it.
- Sync the required groups; I'm going to sync just a test group. Sync time will vary with the size of the sync.
- Configure sync frequency as needed
- Refer to Sync logs for any errors and success messages.
- Once the directory is created, let's move on to configuring the IdP.
Configure IdP
- There will be a WorkspaceIdP of type Identity Manager, with Directory set to the one we just added.
- We will need to configure the Built-In IdP to use the directory and the appropriate auth method, as shown below.
- If you don't have a Built-In IdP, create one.
Configure Access Policies
- Set up appropriate access policies. I'm setting up a basic policy; you can customize it as you need.
- I'm configuring the Password (Cloud deployment) auth method in the default access policy.
Configuring Virtual Apps
- Configure Virtual Apps; here I'm going to use Horizon Cloud.
- Tenant Host will be the Horizon Cloud user portal address.
- Domain will be the NetBIOS name of your domain.
- Assertion Consumer Service URL will be http://<user portal URL>
- If the UPN differs from the domain name, you can choose a custom Name ID value.
- Select the sync frequency and you’re done
Configure Horizon Cloud
- Log in to the Horizon Cloud admin portal > Settings > Identity Management
- Use the IdP URL from Identity Manager.
- The IdP metadata URL can be taken from the IDM SaaS portal.
- Sync the catalog, or let it sync on the schedule you configured.
- Try connecting to vIDM as a user; you should see the entitled applications/desktops and be able to launch them.
Hope this helps!!