Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

Category: Workspace One Access (Aka Identity Manager)

Get Horizon Cloud Managed desktop and apps on WS1 Access

Here a recent behavior I met at a customer and on my own labs, :

Normally and that was the case few months ago, when you entitled VMs or Apps (whatever it was on Azure or On-Premise but “Cloud Managed”) they were automatically available on the configured WS1 Tenant, and especially if you asked to create one from the Horizon Universal Console rather to attach an existing one.

Look like there a recent change, and some pre-requisites are required (mentioned in the documentation but to be honest the documentation is a little bit abstruse). So, if entitlements are not any more synchronized, or you don’t see any entitlement on WS1 you need to check 2 things :

1 – Ensure you gather appropriate User Attributes for WS1 :

In Identity & Access Management  \ Setup \ User Attributes make sure you have the 3 following attributes (none of them are by default):

  • objectGUID
  • sid
  • netBios

2 – Ensure you mapped these attributes with the right Active Directory Attribute

In Identity & Access Management \ Manage \ Directories, edit the Sync parameters of your AD and go to Mapped Attributes, make sure you mapped them as this :

Workspace ONE Access AttributeActive Directory Attribute
userPrincipalNameuserPrincipalName
objectGuidobjectGUID
sidobjectSid
netBiosmsDS-PrincipalName

Once done, just synchronize your directory and it works.

Adding Static Route to WS1 Access

I had a request from Spanish colleagues about adding static routes to Workspace One Access (in their case it was because of database in a different network).

I first had a look on our internal channel on Slack and find a first way to do it … but with Identity Manager version 3.3. However, when I try to test it in my Home Lab using my on-premise WS1 Access 20.10 it was totally different. vIDM 3.3 is based on Suse Linux when WS1 Access 20.10 is based on Photon 3. After some exchange by mail with my colleagues, they sent me the procedure they used for their deployment… different for the first two !!!
Yes they deployed Workspace One Access 20.01…

Basically both method work with vIDM 3.3 and Workspace One v20.01 as both are running Suse Linux

AD FS as IdP for Workspace ONE Access and UAG

I’ll not talk about the configuration of AD FS itself but how to create the relying party for both Workspace ONE Access and UAG… spoiler: the configuration is not the same 🙂

So here the common part who consist to the creation of the Relying Party Trusts:

Open you AD FS Manager, select “Relying Party Truts” and with the select “Add Relying Party Trust…

Azure AD as IdP for Workspace One Access

This tuto will show you how to configure Azure AD as a 3rd party Identity Provider for Workspace One Access.

Note : In my case, the default Azure AD domain is alfadir.onmicrosoft.com but in order to match with my on-premise Active Directory I had to use not the email address or UPN but the “Alternate email”

So the first thing to do is to create a “New Application” in Azure, once logged on Azure Portal as Admin, select “Azure Active Directory“, then on the left pane, select “Enteprise applications” and click “New Application“:

Shibboleth as IdP for Workspace ONE Access

Recently I had to work on a project that imply Shibboleth as IdP (Identity Provider), so you will see below how to configure it in Workspace One Access as a 3rd party IdP.

One of the major issue with Shibboleth (in my case) is it only provides a samAccountName but not a UserPrincipalName (upn), so basically the User name without the domain name (eg. e.monjoin but not e.monjoin@mydomain.dom). It works in many situation excepted in a multi domain configuration where you can potentially have the same username in two different domain and you have a trust relationship between them (eg. e.monjoin@finance.domain.com and e.monjoin@technical.domain.com). In this case WS1 Access will not be able to choose a account you will see the following error :

Moving Workspace One Access database to a new MS SQL Server

I had to validate how to migrate WS1 Access database to another SQL Server.

This test concerns a dual-site configuration with 3 active nodes (R/W) on Site-A et 3 passive nodes on site B (R/O).

The first thing I did, was to set all nodes to passive (so read-only for all) so no more update will be done on the database.

After that I made a SQL backup of my database and copied it the new MS SQL Server.