VMware Workspace ONE Cloud-Based Reference Architecture

Platform Integration

After the various VMware Workspace ONE® and VMware Horizon® Cloud Service products and components have been designed and deployed, there are one-time integration tasks that should be completed to realize the full power of the Workspace ONE platform.

  • Integrate VMware Workspace ONE® UEM with VMware Identity Manager™.
  • Integrate Horizon Cloud Service with VMware Identity Manager.

Workspace ONE UEM and VMware Identity Manager Integration

VMware Identity Manager and Workspace ONE UEM (powered by AirWatch) are built to provide tight integration between identity and device management. This integration has been simplified in recent versions to ensure that configuration of each product is relatively straightforward. For information about the latest release, see Integrating Workspace ONE UEM With VMware Identity Manager in the Guide to Deploying VMware Workspace ONE with VMware Identity Manager.

Although VMware Identity Manager and Workspace ONE UEM are the core components in a Workspace ONE deployment, you can also deploy a variety of other components, depending on your business use cases. As the following figure shows, you can use VMware Workspace ONE® UEM Secure Email Gateway (SEG) for access to an on-premises Exchange server, or use VMware Unified Access Gateway to provide VMware Workspace ONE® Tunnel or VPN-based access to internal resources. Refer to INTEGRATIONS in the VMware Workspace ONE UEM Online Help for documentation of the full range of components that apply to a deployment.

Figure: Sample Workspace ONE Architecture

Many other enterprise components can be integrated into a Workspace ONE deployment. These components include technologies such as a Certificate Authority, Active Directory, file services, email systems, SharePoint servers, external access servers, or reverse proxies. We assume that, where they are required, these enterprise systems are already in place and functional.

To successfully integrate Workspace ONE UEM with VMware Identity Manager, you can use the Workspace ONE Getting Started wizards. The Identity and Access Management wizard walks you through setting up the AirWatch Cloud Connector to allow the components of Workspace ONE, Workspace ONE UEM, and VMware Identity Manager to communicate with your Active Directory. Documentation for this process is available in the Guide to Deploying VMware Workspace ONE.

AirWatch Cloud Connector and Directory Integration Configuration Wizard

You can use the Workspace ONE wizards to set up the AirWatch Cloud Connector, Active Directory integration, and VMware Identity Manager integration.

Figure: Identity and Access Management Wizard

The first step in the wizard is to connect the Workspace ONE UEM tenant to the VMware Identity Manager tenant.

Figure: Connect to VMware Identity Manager

After you enter the fully qualified domain name and supply authentication credentials for the VMware Identity Manager tenant, the connection can be made.

  • The Workspace ONE UEM Administration Console servers must be able to reach the VMware Identity Manager tenant through port 443.
  • The VMware Identity Manager tenant must be able to reach the AirWatch API service through port 443.

After the connection is made, the first step in the Identity and Access Management wizard is marked as complete.

Figure: Identity and Access Management Wizard – Connection to VMware Identity Manager Completed

The next step in the Identity and Access Management wizard is to install the AirWatch Cloud Connector and connect Workspace ONE UEM to Active Directory.

Figure: AirWatch Cloud Connector and VMware Identity Manager Connector

The AirWatch Cloud Connector provides the ability to integrate Workspace ONE UEM with an organization’s backend enterprise systems. It is enabled in the Workspace ONE UEM Console and is downloaded to a Windows Server in the enterprise to enable communication between Active Directory and the Workspace ONE service.

Figure: Download the AirWatch Cloud Connector

The wizard prompts you to set up a password before downloading the AirWatch Cloud Connector installer. Use this password while running the installer.

Previous versions of Workspace ONE UEM provided the AirWatch Cloud Connector through the Enterprise Systems Connector installer, which bundled the AirWatch Cloud Connector and the VMware Identity Manager Connector. With current versions of Workspace ONE UEM, the VMware Identity Manager Connector is downloaded as a separate installer.

Active Directory Integration

The next step, after setting up the AirWatch Cloud Connector, is to enter your Active Directory details and bind authentication information to integrate AD with Workspace ONE UEM. Because the connections are made from the AirWatch Cloud Connector, ensure that it has network connectivity to the domain controllers and that their IP addresses and hostnames can be resolved.

Figure: Connect to Active Directory

VMware Identity Manager Connector Configuration

The VMware Identity Manager Connector provides connectivity to sync with the user directory, such as Active Directory. The VMware Identity Manager Connector also provides user authentication and integration with Horizon Cloud, along with the following capabilities:

  • Many authentication methods for external users, including password, RSA Adaptive Authentication, RSA SecurID, and RADIUS
  • Kerberos authentication for internal users
  • Access to VMware Horizon® Cloud Service™ resources
  • Access to VMware Horizon® 7 resources
  • Access to Citrix-published resources

To set up the VMware Identity Manager Connector along with directory integration, see Deploying the VMware Identity Manager Connector and Integrating Your Enterprise Directory with VMware Identity Manager in VMware Identity Manager Cloud Deployment.

Catalog Population

The unified Workspace ONE app catalog contains many types of applications. SaaS-based SAML apps and Horizon Cloud apps and desktops are delivered through the VMware Identity Manager catalog, and native mobile apps are delivered through the Workspace ONE catalog.

Table: Configuration Considerations for Populating the VMware Identity Manager Catalog

Resource

Configuration Considerations

SaaS apps

  • To add a new SaaS application, go to the Catalog tab, select Web Apps from the drop-down list, and select New.
  • Applications can be defined manually, or a predefined application template can be customized. See Adding a Web Application to Your Catalog in Setting Up Resources in VMware Identity Manager (Cloud) or Guide to Deploying VMware Workspace ONE.
  • You can manually create SaaS apps that do not have a template in the cloud catalog by using the appropriate parameters.
  • Assign the appropriate users or groups to the applications being published and choose whether the entitlement is user-activated or automatic.

Horizon Cloud

  • For the Mobile Application Workspace service, Horizon Cloud resources are published, so the application pools must be published. Entitlements are synced from the Horizon Cloud environment to VMware Identity Manager. For more information, see Horizon Cloud Service and VMware Identity Manager Integration in this guide.
  • Horizon Cloud tenants are added into the VMware Identity Manager catalog.
  • For external publishing, Unified Access Gateway allows access to the Horizon Cloud desktops and applications.

Table: Configuration Considerations for Populating the Workspace ONE UEM Catalog

Resource

Configuration Considerations

Native mobile apps

  • In the Workspace ONE UEM Console, you use the Apps and Books node to assign apps from the public app stores to their respective device platforms. Apps are defined by platform (iOS, Android, Windows, and more) and located in the app store for that platform.
  • The apps are then assigned to Smart Groups as appropriate.
  • Application configuration key values are provided to point the Workspace ONE app to the appropriate VMware Identity Manager tenant.
  • Recommended apps to deploy include the Workspace ONE mobile app and popular Workspace ONE apps such as VMware Workspace ONE® Boxer, VMware Workspace ONE® Content, and VMware Workspace ONE® Browser.

Device Profile Configuration and Single Sign-On

Device profiles provide key settings that are applied to devices as part of enrollment in Workspace ONE UEM. The settings include payloads, such as credentials, passcode requirements, and other parameters used to configure and secure devices. Different payloads are configured in different services for this document, but SSO is a common requirement across all devices and use cases.

Table: Configuration Considerations for Device Profiles in Workspace ONE UEM

Device Profiles

Configuration Considerations

iOS SSO

  • The iOS platform uses the mobile SSO authentication adapter. The authentication adapter is enabled in VMware Identity Manager and added to an access policy. A profile is deployed that provides the appropriate certificate payloads to support trust between the user, the iOS device, Workspace ONE UEM, and VMware Identity Manager. For more information, see Horizon Cloud Service and VMware Identity Manager Integration in this guide.
  • Use the Mobile SSO Getting Started wizard to enable mobile SSO in your environment.
  • The Mobile SSO wizard creates an SSO profile that uses a certificate issued by the AirWatch Certificate Authority.

Android SSO

  • Android uses the mobile SSO authentication adapter. It is enabled in VMware Identity Manager and added to an access policy. A profile is deployed to support SSO.
  • Use the Mobile SSO Getting Started wizard to enable mobile SSO in your environment. For more information, see the Guide to Deploying VMware Workspace ONE.
  • The Mobile SSO wizard creates the necessary Workspace ONE Tunnel device profile, publishes the Workspace ONE Tunnel application, and creates the required network rules.

Windows 10 SSO

  • Windows 10 SSO uses certificate authentication. A certificate is generated from the AirWatch CA through a SCEP (Simple Certificate Enrollment Protocol) profile. When a device profile is deployed, the appropriate certificates are generated for the user and are installed on the user’s device. The certificate (cloud deployment) authentication adapter is enabled to use Windows 10 SSO. For more information, see the Guide to Deploying VMware Workspace ONE.
  • The user is prompted to select a certificate at Workspace ONE app launch.
  • For device-compliance checking to function, part of the certificate request template for Workspace ONE UEM must include a SAN type of DNS Name with a value of UDID={DeviceUid}.

The VMware Identity Manager directory synchronizes user account information from Active Directory and uses it to entitle applications to users through the Workspace ONE app or browser page. For SSO and True SSO to work when integrating with VMware Identity Manager and Horizon Cloud, a number of configuration considerations apply.

Table: Configuration Considerations for Features in VMware Identity Manager

Component

Configuration Considerations

VMware Identity Manager catalog

This catalog is the launch point for applications through the Workspace ONE portal. Applications in the following categories are expected to be configured:

  • SaaS apps
  • VMware ThinApp® packages
  • Horizon Cloud desktop assignments
  • VMware Horizon apps
  • Horizon Cloud RDSH-published apps

True SSO

True SSO support is configured in VMware Identity Manager to ensure simple end-user access to desktops and apps without multiple login prompts and without requiring AD credentials.

Identity Manager Connectors

VMware Identity Manager Connectors are placed in the internal network in order to ensure that users external to the organization can access the resources that have been configured in the Workspace ONE catalog.

ThinApp packages

A ThinApp repository with ThinApp packages can allow use of ThinApp packages through the VMware Identity Manager catalog. ThinApp 4.7.2 and later packages are supported. You must install the VMware Identity Manager desktop application in order to use ThinApp packages in your environment. For more information, see Providing Access to VMware ThinApp Packages in Setting Up Resources in VMware Identity Manager (Cloud).

SaaS-based web apps

SaaS-based applications that use SAML as an authentication method can be accessed through VMware Identity Manager. Configuration of applications is done through the templates in the cloud application catalog. See Setting Up Resources in VMware Identity Manager (Cloud).

Horizon Cloud desktop assignments

Perform these tasks:

  • In the VMware Identity Manager administration console, create one or more virtual apps collections for the Horizon Cloud tenants. See Setting Up Resources in VMware Identity Manager (Cloud).
  • Configure SAML authentication between VMware Identity Manager and the Horizon Cloud tenants.

Horizon Cloud published applications

RDSH-published applications and their entitlements populate the VMware Identity Manager catalog when Horizon Cloud tenants are configured as described for virtual desktop assignments.

Kerberos authentication

Perform these tasks:

  • To provide SSO to the VMware Identity Manager catalog, the appropriate authentication methods must be enabled.
  • The default authentication method is password, which prompts for the user’s Active Directory user ID and password.
  • If Kerberos is enabled as the default authentication method, the user’s Windows credentials are passed to VMware Identity Manager when the user opens the catalog.
  • Kerberos authentication must be enabled under the Connectors section in the administration console. See Implementing Kerberos for Desktops with Integrated Windows Authentication in the VMware Identity Manager Administration Guide (Cloud).

Access policies for Kerberos authentication

Access policies are configured to establish how users will authenticate to an operating system, network, or application.

  • Use the Identity and Access Management tab to manage policies and edit the default access policy, as described in the Managing Access Policies section in the VMware Identity Manager Administration Guide (Cloud). For the web browser, choose Kerberos as the first authentication method, and Password (cloud deployment) as the second.
  • You might want to use different policies for different network ranges so that Kerberos is used for internal connections but other authentication methods are used for external connections.

Horizon Cloud Service and VMware Identity Manager Integration

Horizon Cloud can be integrated into Workspace ONE through VMware Identity Manager. You can set up SSO for Horizon Cloud apps and desktops, ensure security with multi-factor authentication, and control conditional access.

The Horizon Cloud license includes the cloud-hosted version of VMware Identity Manager, which supports access to Horizon Cloud apps and desktops only. Horizon Cloud can be used with other license types and deployment models of VMware Identity Manager (such as on-premises) if access to other apps such as Horizon 7 apps and desktops, SaaS apps, or mobile apps, is also required.

Figure: VMware Identity Manager and VMware Horizon Cloud Synchronization

With Horizon Cloud Service on Microsoft Azure, you can specify creation of a cloud-based VMware Identity Manager tenant during the node deployment process. The VMware Identity Manager tenant is associated with your Horizon Cloud customer record. Nodes that already exist for the same Horizon Cloud customer record can then be integrated with that tenant.

Integrating Horizon Cloud Service with a cloud-hosted VMware Identity Manager tenant consists of three high-level steps:

  1. Complete the prerequisite steps of deploying a VMware Identity Manager Connector and configuring Active Directory synchronization, as outlined in AirWatch Cloud Connector and Directory Integration Configuration Wizard.
  2. Create one or more virtual apps collections.
  3. Configure SAML authentication in your Horizon Cloud tenant.

Virtual Apps Collection Creation

You can integrate Horizon Cloud desktops and applications into VMware Identity Manager by using virtual apps collections.

Figure: Add a Virtual Apps Collection to the Catalog in VMware Identity Manager

You create a Horizon Cloud virtual apps collection for each Horizon Cloud node that will host desktop or application capacity.

Figure: Add Horizon Cloud Virtual Apps to the Collection

The virtual apps collection contains configuration information about your Horizon Cloud tenant, VMware Identity Manager Connectors, and settings to sync resources and entitlements to VMware Identity Manager.

Figure: Complete the Add Horizon Cloud Tenant Wizard

For more information on configuring virtual apps collections, see Using Virtual Apps Collections for Desktop Integrations in Setting Up Resources in VMware Identity Manager (Cloud).

SAML Authentication Configuration

After you create a virtual apps collection for the Horizon Cloud tenant in the VMware Identity Manager console, configure SAML authentication in the Horizon Cloud tenant.

You can create a new Identity Management entry for each node in your Horizon Cloud tenant.

Figure: Configure SAML Authentication on the Horizon Cloud Node

For more information, see Configure SAML Authentication in the Horizon Cloud Tenant in Setting Up Resources in VMware Identity Manager (Cloud).

Communication Flow When Opening a Horizon Cloud Resource

After Horizon Cloud has been integrated with VMware Identity Manager, a user can select a Horizon resource, such as a desktop or a published application, from the Workspace ONE browser page or mobile app.

The following figure depicts the flow of communication that takes place when a user selects and launches an entitled Horizon desktop or application.

Figure: Traffic Flow on Launch of a Horizon Cloud Resource from Workspace ONE

  1. After the user is authenticated to VMware Identity Manager, either in a browser or using the Workspace ONE app, the user selects and launches a Horizon resource.
  2. VMware Identity Manager generates a SAML assertion and an artifact that contains the vmware-view URL. It returns this URL to the browser on the client device (vmware-view://URL SAMLArt=<saml-artifact>).
  3. The default URL handler for vmware-view types (normally the VMware Horizon® Client) is launched using the URL that was returned in the artifact (XML-API request do-submit-authentication <saml-artifact>).
  4. If in-line, VMware Unified Access Gateway (UAG) proxies the authentication to the Horizon Cloud node.
  5. The Horizon Cloud node performs a SAML resolve against VMware Identity Manager (<saml-artifact>).
  6. VMware Identity Manager validates the artifact and returns an assertion to the Horizon Cloud node (<saml-assertion>).
  7. The Horizon Cloud node returns successful authentication (XML-API OK response submit-authentication).
  8. If in-line, Unified Access Gateway returns the successful authentication to the Horizon Client.
  9. The remote protocol client launches the session with the parameters returned.
  10. If in-line, Unified Access Gateway proxies the protocol session to the Horizon Agent in the virtual desktop or RDSH server (if the resource is a published application or desktop).
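To make the artifact exchange in steps 2 through 7 concrete, the following added Python model plays both sides of it (it is not VMware's code). The opaque random artifact, the 60-second artifact lifetime, the in-memory pending-assertion store and the tenant and node host names are all assumptions made for the model; it shows why the artifact, not the assertion, travels through the client, and why the Horizon Cloud node gets exactly one resolve per artifact.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Assumed for this model (not VMware's implementation): an opaque random artifact,
# a 60-second artifact lifetime, and an in-memory pending-assertion store on the IdP.
ARTIFACT_TTL_SECONDS = 60


class IdentityManager:
    """Stand-in for the VMware Identity Manager tenant (IdP side of steps 2, 5 and 6)."""
    def __init__(self, issuer):
        self.issuer = issuer
        self._pending = {}  # artifact -> (assertion, expiry); the assertion stays here until resolved

    def launch(self, user, server, now):
        """Step 2: mint the assertion server-side and return a vmware-view URL carrying only the artifact."""
        assertion = {"issuer": self.issuer, "subject": user, "audience": server, "issued_at": now}
        artifact = secrets.token_urlsafe(20)  # opaque reference; reveals nothing about the assertion
        self._pending[artifact] = (assertion, now + ARTIFACT_TTL_SECONDS)
        return f"vmware-view://{server}/?SAMLArt={artifact}"

    def resolve(self, artifact, now):
        """Steps 5 and 6: honour an artifact once, and only before it expires."""
        entry = self._pending.pop(artifact, None)  # pop() makes every artifact single-use
        if entry is None:
            return None  # unknown, or already resolved (a replay)
        assertion, expires_at = entry
        return assertion if now <= expires_at else None


class HorizonCloudNode:
    """Stand-in for the Horizon Cloud node (SP side of steps 3, 5, 6 and 7)."""
    def __init__(self, server, trusted_issuer, idp):
        self.server = server
        self.trusted_issuer = trusted_issuer  # set when SAML authentication is configured on the node
        self.idp = idp

    def submit_authentication(self, launch_url, now):
        """Steps 3 to 7: pull the artifact from the URL, resolve it, check the assertion, answer OK or FAIL."""
        parsed = urlparse(launch_url)
        if parsed.scheme != "vmware-view" or parsed.hostname != self.server:
            return "FAIL: URL is not addressed to this node"
        artifact = parse_qs(parsed.query).get("SAMLArt", [None])[0]
        assertion = self.idp.resolve(artifact, now) if artifact else None
        if assertion is None:
            return "FAIL: unknown, replayed or expired artifact"
        if assertion["issuer"] != self.trusted_issuer or assertion["audience"] != self.server:
            return "FAIL: assertion not issued by the trusted IdP for this node"
        return f"OK: session for {assertion['subject']}"


def demo(now=1_000_000):
    # Run the flow once, then show the two failure modes a defender cares about: replay and expiry.
    issuer = "https://tenant.vmwareidentity.example.com"  # constructed tenant name
    idp = IdentityManager(issuer)
    node = HorizonCloudNode("node1.horizon.example.com", issuer, idp)  # constructed node name
    url = idp.launch("alice@example.com", node.server, now)
    first = node.submit_authentication(url, now + 2)   # normal launch
    replay = node.submit_authentication(url, now + 3)  # same artifact presented again
    stale = idp.launch("alice@example.com", node.server, now)
    expired = node.submit_authentication(stale, now + ARTIFACT_TTL_SECONDS + 1)
    return first, replay, expired
```

Running `demo()` returns one OK result followed by two FAIL results; in a real deployment the resolve in step 5 is an authenticated SOAP call over the SAML trust configured in the Horizon Cloud tenant, which the model replaces with a direct method call.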