After you create a federation artifact in the VMware Identity Manager administration console, configure SAML authentication in the Horizon Air tenant.

Note

Do not configure SAML authentication if your organization uses smart card authentication to view resources using a third-party identity provider.

Note

The Horizon Air tenant appliance and VMware Identity Manager must be in time sync. If they are not in time sync, when you try to launch Horizon Air desktops and applications, an invalid SAML message appears.

1

In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select Settings.

2

In the left pane, click SAML Metadata.

3

Click the Identity Provider (IdP) metadata link.

metadata link

4

Make a note of the URL from the browser's address bar, such as https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml.

5

Run the following REST API calls against the primary Horizon Air tenant.

a

POST https://DaaSPrimaryTenant/dt-rest/v100/system/login?domain=domain-name&user=tenantadminusername&pw=password

For example:

POST https://10.10.10.10/dt-rest/v100/system/login?domain=AIR-TENANTA&user=tenantadmin&pw=mypassword

Get the values from the header Authorization and x-dt-csrf-header to use for the next API call.

b

PUT https://DaaSPrimaryTenantAppliance/dt-rest/v100/security/manager/create/modify/identityprovider

For example:

PUT https://10.10.10.10/dt-rest/v100/security/manager/create/modify/identityprovider

Header Authorization: Use the value from the previous login API response header.

Header x-dt-csrf-header: Use the value from the previous login API response header.

Header Content-Type: Use text/xml.

Body:

 <DtIdentityProviderConfig>
    <workspaceAddress>https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml<workspaceAddress>
    <timeout>0</timeout>
    <tenantAddress>HorizonAirTenantFloatingAddressOrAccessPoint</tenantAddress>
    <dataCenterId>HorizonAirTenantDatacenterID</dataCenterId>
</DtIdentityProviderConfig>

where

<workspaceAddress>: Specify the VMware Identity Manager IdP metadata URL you copied in step 4 above.

<tenantaddress>: Specify the floating address or Access Point of the Horizon Air tenant appliance. For example, horizonair-tenant.example.com.

<dataCenterId>: Specify the datacenter ID of the Horizon Air tenant. You can find the ID in the datacenter table of the primary Horizon Air tenant by using this command: Select * from datacenter;

c

Restart the tenant appliances.

Your integration is complete. You can now view Horizon Air desktop and application pools in the VMware Identity Manager administration console and end users can launch the resources to which they are entitled.