IdP discovery matches users from specific IP addresses with their corresponding identity providers (Connector instances). For example, users with IP addresses outside the enterprise network might be directed to a Connector instance dedicated to RSA SecurID authentication, while internal users might be directed to a Connector instance dedicated to Kerberos authentication.

Though different users are directed to different Connector instances, you provide all users with a single Horizon Workspace URL since IdP discovery does the work behind the scenes to locate the appropriate Connector instance.

The default IdP discovery configuration applies to the default Horizon Workspace deployment, which uses username/password authentication with a single Connector instance. If you deploy Horizon Workspace in this manner, you do not need to change the IdP discovery configuration.

When you deploy multiple Connector instances using the addvm option of the hznAdminTool command for the purpose of maintaining multiple identity providers, you need to use the Horizon Workspace Administrator Web interface to access the Settings > Identity Providers page, where you must perform the following:

Locate each additional Connector instance name in the list of identity providers. When you use the addvm option of the hznAdminTool command to create a new Connector instance, that Connector instance name is added to this page.

Edit the order of the identity providers as necessary. The order in which the corresponding Connector instances are listed in Horizon Workspace is important if the IP ranges overlap. In such cases, the first Connector instance in the list to include an IP address is given precedence.


When you remove or reset a Connector instance, you must remove the corresponding Connector name from the Identity Providers page.

You can deploy Horizon Workspace with IdP Discovery in a variety of ways, one of which is summarized in the example that follows.

External RSA SecurID and Internal Kerberos Authentication Example of IdP Discovery

This is one possible way to configure IdP Discovery for Kerberos and SecurID in the same Horizon Workspace deployment.

Internal - First Connector instance: You configure Kerberos for this Connector instance. In the Horizon Workspace Administrator Web interface, on the Identity Providers page, you configure IP address ranges to include users within the enterprise network.

External - Second Connector instance: You configure SecurID for this Connector instance. In Horizon Workspace, you configure a single IP address range that includes all possible users. Therefore, you set the IP address range from to

The result of this configuration is that users attempting to access Horizon Workspace from inside the enterprise network are redirected to the first Connector instance and authenticated with Kerberos or username/password authentication while users outside the enterprise network are redirected to the second Connector instance and authenticated with SecurID authentication.


When Horizon Workspace users invite an external user, either a directory server user not synched to Horizon Workspace or someone outside of the enterprise, the invited user is created as a virtual user. The virtual users feature is an optional feature that applies solely to the Horizon Files service, the file storage and sharing service. Virtual users are not prompted for SecurID credentials even when the virtual users are external to your enterprise and are redirected to a Connector instance that enforces SecurID authentication.