The first public bits of VMware Horizon are revealed via the new (actually now they're just called "Box") held a press event last week where they detailed the new version of their cloud-based collaboration suite they'll be rolling out over the next month. What's interesting about this is that VMware's Noah Wasmer was on stage as part of the event. (Remember that we shot a video interview with Noah from VMworld 2010 where he explained Project Horizon to us.)

So anyway, Box was holding their new release event when Noah came out and talked about how Box will be partnering with VMware using Horizon to extend the Box platform into the enterprise.

(Apparently our YouTube embedding code doesn't allow me to specify a specific location in the video. Noah's part starts at 32:18, which you can jump to directly via this link.)

I think this is the first public mention of a specific Horizon use case?

I was able to catch up with Noah for a few minutes on the phone. He wouldn't go into detail about the specific timeframes and pricing models, but he did explain that VMware would release an Enterprise Connector in the form of a virtual appliance. You basically drop that into your in-house environment and hook it into your domain, and that's what exposes your internal users, groups, and organizational units to the SaaS vendor (Box, in this case) to let you do the provisioning and to facilitate the single sign-on. This solution will also enable single sign-on to the SaaS app without exposing your domain passwords to the SaaS vendor.
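The password-isolation property described above, as an added sketch (not VMware's or Box's code; the page does not say which protocol Horizon uses). It assumes a signed-assertion flow, with HMAC standing in for the asymmetric signature a federation protocol such as SAML would use; `connector_login`, `saas_verify`, `DIRECTORY` and `TRUST_KEY` are hypothetical names, and all sample values are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data. The password verifier lives only on the in-house
# side; a real connector would check against the domain instead of a dict.
SALT = b"constructed-salt"
def pw_hash(pw): return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)
DIRECTORY = {"alice": {"verifier": pw_hash("constructed-pw"), "groups": ["engineering"]}}
# Assumption: a shared key agreed at setup. With HMAC the SaaS side could also
# mint assertions, which is why real federation uses asymmetric signatures.
TRUST_KEY = b"constructed-key-agreed-at-setup"

def b64(raw): return base64.urlsafe_b64encode(raw).decode()
def sign(body): return hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).digest()

def connector_login(user, password, audience, now=None, ttl=300):
    """In-house side: check the password locally, emit a signed assertion."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry["verifier"], pw_hash(password)):
        return None
    now = time.time() if now is None else now
    # The assertion carries identity and group claims only, never the password.
    claims = {"sub": user, "groups": entry["groups"], "aud": audience, "exp": now + ttl}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + b64(sign(body))

def saas_verify(token, audience, now=None):
    """SaaS side: accept only an untampered, unexpired assertion meant for us."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError):
        return None  # malformed token
    now = time.time() if now is None else now
    # Audience and expiry checks stop replay at another service or after the TTL.
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims
```
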

I asked Noah why they needed this and didn't use something like ADFS. Noah explained that ADFS, like many other SSO and identity federation solutions, is pretty complex. These solutions require lots of specific configuration and tweaking and testing, and they're just generally a huge pain. The VMware Horizon approach, on the other hand, will have this virtual appliance that's preconfigured and ready to go. If you want to start integrating Box with your current domain users, it's literally just a few steps that can be done in under ten minutes, and you have your enterprise extended to the cloud.

Pretty cool!

I still haven't put my hands on VMware Horizon. (I'm not sure whether anyone has yet.) But I can tell you that I'm really excited about it. I think it's a great concept, I like the simple implementation, and I actually want to use this in my everyday life. (I wonder if I can convince the TechTarget IT dudes that we should put it in place?)

Noah stressed that the Box announcement is just the first step for them. (Although still a small step since we don't yet know timing or pricing.) He wouldn't say exactly who else they were targeting other than to say it's all the "expected" providers (which I assume will mean Google, Salesforce...?). Probably not Office365.

Bottom line is Horizon is their first step to get a secure enterprise user account policy mechanism out of the enterprise and into the cloud. From there they can take it to ThinApps, View desktops, and even Citrix apps.

Join the conversation



maybe it is "all about the data" after all?  (Sorry, couldn't resist that one):;

I have a related concern that this brings up. Back when I worked in the communications equipment industry, we had "standards", or "interoperability agreement" groups. Individual companies would innovate new ideas, but eventually one of these groups would work multi-vendor to get everyone to agree on a base standard. This helped to keep (but did not prevent) the enterprise from buying dead-ended, or incompatible solutions, from different vendors.

As the Cloud evolves, enterprises are being asked today to consider vendor specific APIs being proposed by the Hypervisor crowd.  (In VMware's case, there is a consortium, but it appears to be a close knit group with different aspirations).  With the lack of any standards in place, this is exactly what we need - industry innovating to produce new solutions.  

But eventually, we need vendor-neutral standards in place for the enterprise-cloud API. One standard API, designed to accommodate extensions to continue innovation, to talk to any cloud using any vendor's equipment.

We have seen in the past that vendors can lay down their arms long enough to work together on such agreements.  It is also to their advantage to have such agreements in place, once the technology gets into the mass adoption phase.  

The past has shown that whether we are talking about physical interfaces or routing protocols, everyone wins if we have a basis for interoperability that allows for continued innovation.

My concern is that the System IT has very little history of such work.  While your cousins on the com/wan side of the house expect such an effort and actively look for such agreements, this side of IT does not.   We adopt and hope it doesn't get obsoleted too soon.  Sometimes we win, sometimes we pick the wrong horse.

Surely the cloud providers must want this, as they are being asked to implement what everyone wants or pick a potential winner and say no to the others.

Admittedly, standards are slow to create and often are achieved only after the fact, but unless they are worked on during the innovation phase,  they do not happen at all.  Where will the outrage come from to drive everyone to work together?


I think VMware can't ignore Microsoft when it comes to Microsoft apps, especially Office365. I would imagine that there is some sort of integration there when the product is finally released. It might be indirect, since both sides don't really like each other, but it will be there.  

VMware and Microsoft can afford to turn their backs on each other when it comes to the hypervisor, but for apps, Microsoft still rules, even if VMware doesn't see the future that way.


Guys, great comments + extra kudos for @Tim Mangan’s comments. Come to think of it, the comments are way better than the article in this case :)

For my comments below, it’s purely from a Windows/Desktop standpoint, ok.

As I remember, back in the days the NT, AS/400, VAX, Mainframe, Lotus Notes, DB2, SQL (various), misc. apps and what not each had their own user/pass mechanics.

Of course we dreamed about some SSO and Federation back then, and of course there were "solutions" (when there is a need...), yet the "solutions" failed to be any real solutions. It was too complex and the systems way too disperse. Simplistic hacks. No chain of trust. Or rather neither trust nor chain ;)

Enter early 2000 era and SSO solutions were everywhere, maybe most familiar in this audience was the Citrix Password Manager thing?

I never entertained the Citrix PM thing or the others. Yet again, simplistic hacks (wow, recognize user/pass window & auto fill + {sendkey} etc. (figuratively speaking)... and hey baby, let's save this in a DB, flat file or even bang it into the AD)

See, the apps throwing up these user/pass dialogs were as disperse as ever. There was this security thing and there was this regulation thing, and besides, it was just a closed system and a poor excuse for hacking (and pretty lousy at that). I mean, look at your late 2000:ish business laptop and its included SSO/fill in the forms stuff.

Anyway, as regarding the Citrix PM I was quite honestly baffled that it was nowhere to see when years later I came upon different Citrix environments. I mean, I consulted against, but surely I expected at least some implementations here and there? Nope, none to find. Odd.

I kinda took a liking for ADFS. It was crude and annoying but allowed for some basic federation in Windows environments. For a lot of geek play see the current Microsoft BPOS (2b Office 365) – aside this I’ve never seen any off-lab actual usage. For the Citrix Web Interface ADFS support has been there for quite some while, never heard of any production though.

As a side note. The Microsoft Passport (now Windows Live ID) has quite an interesting story from the back years. See this wikipiki for some:

Now then, about VMware Horizon and Citrix OpenCloud, what about it?

There’s a lot of talk about OpenID and SAML, but what are these and how widely are they used? Don’t give me the 59 billion web apps are using these interfaces as we pretty much know that the diverse Windows user/pass prompters most certainly aren’t using these.

But wait, we may even get ADFS, Kerberos and even NTLM thrown in among others.

Look, I’m all for integrating, federating and removing the extra hurdles. I just don’t see locked-in “products” as any part of an answer.

I really don’t care whether it’s OpenID, SAML or something else. The industry needs to agree on something and make it mature and hey! Maybe it’s not that much of a problem then.

So I’ll just go ahead and flush my toilet with Horizon and OpenCloud for now :)


@Kimmo - We use ADFS and WI ADFS sites extensively in production for federating authentication between domains.


@Ron Kuper

Thanks. I would be very interested to hear more. How do you handle the user data? Do you have a central hub for your applications and keep all the productivity data within or do you have the users to via client mapping bring their drives? Or are the apps pretty self-contained without the need to import or export anything?

Also interesting is if you use multi-multi as in exception of single-many as is the common place?

As regarding federating (ADFS over WI) instead of using the regular AD trusts I can think of some scenarios, but these are really just fantasies for me as I've been unfortunate enough to never have the chance to geek out this for real.

Look, we are talking about launching actual Windows sessions in a (by definition) foreign environment where the one accessing and the one providing access are basically just agreeing on providing and consuming a service. With the Windows session in that environment, capable consuming what’s there as the Windows session it is.

I wonder what safeguards there are taken to isolate the Windows session to the mere services offered and provided? Here I do not have to use my imagination as I’ve been there, seen that and the patchwork is never quite enough. By any measure it’s a trust thing and I really wouldn’t trust a foreigner whom I already distanced myself by the very ADFS proxy or intermediate.

Then again, a group of companies, subsidiaries, freaking Symantec of sorts. A loose gathering of balls by some governing force may want to shovel out their own *** or for that matter sick-sack *** across the balls. It could happen but I haven’t seen that, usually these types of mixed bowls at the least have a common mail for starters, then the HQ bam, bam, bam down the usual other core IT systems.  A wholly owned separate subsidiary quite seldom shares along a Windows session intrusion.

Ok, this might have come out as bad, but I’m truly curious. So what if I cannot fathom, tell anyway.


@Kimmo -

I agree with everything you said completely, when you talk about foreigner entities... But for the sake of sanity you would probably be relieved to know that this is not the case here..

With all the talk about federation *between* companies people missed some of the opportunities and potential use cases this brings within big enterprise corporations.  

For instance - Banks here have to adhere to security regulations such as separating networks for internal and external uses.

So this effectively gives us two unconnected domains - classic use for ADFS authentication except that both domains belong to the same company!

We replicate UPNs using identity management tools and the web servers in the external domain "ADFS Trust" the internal user store (which is backed by a smart-card PKI infrastructure).

Another example is merges or buyout when you don't want to rip and replace the bought company IT infrastructure.

I also find ADFS technically useful as a base platform for custom SSO solutions, saves us a lot of coding and we already have the infrastructure in place. (For example we had an appliance that could only use user+pass LDAP auth, so we gave him its own domain and built an authentication wrapper for it based on ADFS)


@Ron Kuper

Thanks. Valid scenarios. Yeah, I mostly just saw the obvious B2B implementations with ADFS.


Am I the only one noticing really low audio levels on the video? I have my volume at maximum, and can barely hear the presentation, which is a shame, because it seems interesting from the posting.