Why VMware “Project Horizon” (formerly “Origami”) is super awesome

We've talked a bit about VMware's "Project Horizon" over the past few weeks, but it's worth having a full and dedicated conversation. Why?

We've talked a bit about VMware's "Project Horizon" over the past few weeks, but it's worth having a full and dedicated conversation. Why? Because Project Horizon has the potential to answer the fundamental "What will IT be in ten years"? question, and if VMware can get this right, they'll be in a stellar position in the desktop and application space. And if they fail? Make room ACE, CVP, View hype....

We first talked about Project Horizon on BrianMadden.com last month when it was known by the codename "Project Origami." Then at VMworld we learned (via a press release) that the Origami efforts have evolved into Horizon. VMware demoed Horizon in their VMworld opening keynote (live blog transcript). I also recorded a 15-minute video interview with VMware's Noah Wasmer--Horizon's creator.

The background

At the most basic level, Horizon is VMware’s attempt to bridge the old-school Windows apps and new style web/SaaS apps gap. This is something we've talked about quite a bit in the past--actually going as far back as 2003! As everyone knows, you can talk cloud or SaaS or web all you want--the basic reality is that the vast majority of today's business apps are Windows apps. Sure, web-based SaaS apps are making inroads, but I don't think there's any company with more than a few dozen employees that's 100% SaaS-based. Even if a CIO was gung-ho on SaaS, there's still a Windows long tail legacy to deal with.

So in some ways, web-based SaaS apps are actually making things WORSE for companies, since they add additional complexity. At least we know how to deal with Windows apps. We know how to provision and deliver them. We know how to control access to them and how to integrate them into our AD and domain structure. But web-based SaaS apps add new complexity outside of that. Sure, it's great that we're moving to an enterprise web-based corporate expense app, but now the IT department has to manage user accounts and passwords with their account with that SaaS vendor in addition to managing the internal AD. Want to use Salesforce? Great! Except now that's ANOTHER vendor's product which requires discrete management. And of course none since all of these SaaS apps come from different suppliers, they're all managed separately. When a new employee comes on board it could take a week to get all the accounts and access configured properly in all the various SaaS systems. Same goes for when an employee leaves.

Figuring out how to efficiently deal with SaaS apps is critical for a company, because if the company doesn't embrace them, the users will just buy access on their own. Does your company only provide an old-school network share which is only accessible when users are VPNed in? Guess what? Half your employees are using Dropbox then, whether you like it (or know it) or not. Most folks agree that dealing, integrating, managing, and securing web-based SaaS apps is become more critical to companies every year. But what's been done so far?

One of the earliest efforts to "bridge" web and Windows apps actually came from Citrix in the late 1990s. In addition to publishing seamless Windows apps, Citrix MetaFrame (and XenApp today) allows admins to publish content links to users. While this seems cool at first (since you can dynamically drop a Salesforce icon in an app list based on group memberships), at the end of the day it's little more than a shortcut--it doesn't take into consideration single sign-on or application provisioning.

This is where VMware's Horizon plans come in.

What is VMware Project Horizon?

Horizon is fundamentally an app store. The initial demos we saw last week came in web, desktop, and native iOS (iPad, iPhone, etc.) flavors, with talk of native apps for Blackberry, Android, etc. Like most app portals / app stores, a user logs in and sees links to his or her applications. In Horizon's case, the "native" Windows apps could be ThinApp streamed or VMware View desktops. VMware is also planning to embrace competing Windows native app delivery systems, for example allowing Horizon to integrate and publish Citrix XenApp seamless & streamed apps, as well as Microsoft RemoteApp and App-V applications.

The real power (and potential) of Horizon, however, is how it ties into web-based SaaS apps. Last week we learned that VMware bought Tricipher, a company whose identity management platform is used to provide single sign-on to over 4,000 SaaS apps via integration with enterprise directories and desktops. Tricipher also has a service provider program which allows SaaS vendors to tie their authentication into corporate directories via SAML, ADFS, or OpenID. In other words, Tricipher (and by extension, VMware Horizon) allows corporations to tie authentication of SaaS apps into their own corporate directories. This is more than password management--it's real split-key multi-party single sign-on.

The idea is that an IT admin can use the Horizon interface as the primary user interface for providing access to applications--regardless of whether they're Windows apps from VMware, Citrix, Microsoft, or SaaS apps from the cloud. All app types--client-based, Windows, and SaaS, will be one-click integrated via the SSO process and presented to the user via one single app list. (Again via web, local desktop icons, smart phone apps, etc.)

VMware is also integrating Zimbra into Horizon which while hopefully provide some base collaboration and data sync capabilities across multiple devices and integrated apps.

So that's the vision. VMware's Noah Wasmer stressed that the v1 product (due in 2011) won't quite have everything initially, but that they'll release this as a SaaS platform which will enable them to rapidly roll out additional features and capabilities. (I highly recommend watching my video interview with Noah from last week if you haven't yet.)

The success of Horizon is far from assured. While VMware is saying all the right things today, the ultimate test will be whether they're able to get the critical mass of full integration (for both SSO and provisioning/deprovisioning) from all the SaaS vendors. But if they can make it as easy to deploy Salesforce as it is to deploy a Windows app, then they're really on to something.

What do you think? Will they pull it off? Does it matter? How will Citrix and Microsoft respond?

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

While I like the concept of Horizon and the fact that VMware’s marketing puppets haven’t tainted it to much yet, I can’t help but think this is nothing that can’t be achieved today (with a bit of effort). Its value is that it “is” an out of the box solution so no need to link multiple solutions together.

Will organizations that use interfaces like the vWorkspace or Citrix web interface invest in another solution? A lot of organisations have single sign on solutions (Novell Access Manager for example) already, which are capable of dealing with federated access.

We’ve already tested single sign on with the vWorkspace web interface using a mixture of authentication methods. The same setup would work for pretty much any web portal, Citrix, SharePoint, etc. We’ve been doing this kind of thing within SharePoint for a number of years now to SaaS type solutions and other resources.

Of course if Horizon does end up being a working product and its cheap then I’m sure it will have some part to play. This will be the natural evolution of these products/portals. I don't think it's revolutionary though


I agree with Daniel.

I can't see the innovation in project Horizon.

And in the end, Horizon simply seems to combine two solutions that you formerly had to buy and use independently:

1. enterprise app store / user-driven app deployment (Citrix, SCCM v.Next, SalesForce)

2. identity management (IBM, Oracle, Novell, Ping, ....)

It would be innovative if VMware would target Horizon towards SMB/SME customers, which they obviously don't as Noah mentioned in the interview.

Because currently, Identity Management is extremely complex and costly to implement. So mainly large enterprises invest in those solutions.

Enterprise App Stores are not widely available yet anyway, so VMware could build a really good Enterprise App Store and woo many customers. But from what Noah has been telling in the interview, Horizon sounds more like a technology R&D project instead of a solution that is build based on what customers demand.


And if you are moving into the "Web Services" business, Application Delivery Controllers (NetScaler, F5, ...) will become a must-have technology.

Agree with all, nothing new under the sun except that VMWare seems to have understood that the user is the center of the IT...


For myself, I really like the concept of Horizon very much, especially the SSO/Identity Federation part (Tricipher).

We are already seeing Cloud/SaaS offerings coming with an extended API set allowing for both federation and provisioning for customers on premise environment - Salesforce and Google Apps being a couple of examples. Microsoft with its BPOS will add identity federation in the next release (all the other bits are already there)

I also appreciate that Horizon also includes those parts that everyone else are having - such as App-V, RDS and Citrix support.

As I’ve already sad. I like the concept very much. Now let’s see some competition, creativity and innovation among the other vendors and it will be very interesting times.


Sorry, but I failed to see the super awesomness of Horizon.


SAML is out for a while and Federation is for a long time possible...


In my opinion it is the concept of the technologies that are very inspiring, but what still plagues the VMware view of the world is that they are dictating the infrastructure which leads to lock-in that depending how deep you are in can be too hard to get out of if the infrastructure merits a migration.

Horizon is going the be the VMware workhorse to push vSphere much like what View failed to do because of being inferior to XenDesktop. VMware needs something superior to push their vSphere use cases, hence the development of Horizon.

Given that competition will exist for VMware. The question then becomes, in 10 years will you go with an open approach or a proprietary locked-in approach which does the same thing? If you lock-in now you might be screwing yourself for the future.

It's not like it's your mortgage where you lock-in your rates for security. Stay safe, stay open.

Just my opinion.


I think it's important to recognize the strategy here. Horizon is a way to bridge the old Windows world to the new world in a new simple easy to use way. That's want they want you to believe anyway and many are coming back with stars in the their eyes from VMworld that will like the message as it could hurt MS and help them create pricing leverage.

Clearly a smart way to build on top of Zimbra and build a stronger eco system around that. If they can get more people to move to non MS SaaS based apps, it's hurts the MS bottom line. Sharepoint is another MS cash cow, and I will predict right now that VMW and others will go and buy something like DropBox or Box to add richer SaaS capabilities that directly hurt MS. I think it's telling from the Video that Noah is no longer part of the desktop BU so clearly SaaS is a big focus area for VMW.

It also helps vmw change the desktop conversation over time, because as we all know they suck on the desktop that is today, so the strategy is to talk about something in the future and deflect attention. Hence why they will not debate Citrix in public ever until they feel they stand a chance of winning.

The SSO is good. I do not for one second believe that others are not working on the same thing and I am sure we will hear more and I sure the Tricipher competitors will be picked up soon.

This wil not appeal to the enterprise buyer as they are still very Windows centric, so I think VMW would be smarter to go bottoms up here and start with the SMB as they are more likely to move off Windows apps. Use the MS good enough mind set and get mass adoption and over time evolve in to the enterprise.

So I agree with Kimmo. there will be innovation around this space over the coming years, but to me it's a new type of model that will sit with what we do. Trouble VMW have is they are $hit on the current model, so trust is not there, so they will have to keep chipping away there. Of course MS with Windows 8, and Citrix with Dazzle.next (what ever that will be) will be sure to react to this and then of course we have a real market.

Cool yes, relevant in the next 5 years (marginal IMO) too much legacy baggage, hence why it's F'ing frustrating that VMW can't do jack about Citrix running away with desktop virtualization which I think is bad as Citrix will stop innovating. If we are left with just Citrix and MS, the world goes nowhere except back to where we are today in the desktop.....


'Super Awesome',  I think Brian must have sent Big Gay Al from Southpark to review this particular session :-)


Just adding my two cents  

There are plenty of other vendors in this space of aggregators of apps and content.  visionapp has been doing this with their vWM and SSO product for a while now.  This is nothing new and not innovative from a product perspective.  VMW is just playing catch up and I agree with Kata, "VMWare seems to have understood that the user is the center of the IT".


Well we are all glad that Brian has the correct code name now for the future product from VMware.  In talking with Noah and a few others I think we are only seeing the tip of the iceberg for what this will evolve into.  It provides a framework for not only applications but full web personality management in the future.  Who cares about windows profiles anymore, my entire personality is stored securely in the cloud along with all of my applications and content.  I leverage the technology from tricipher for a multi-level secure access into my environment and all passwords are managed for me beyond that.  I change jobs in the company and my role is updated and the next time I login I have new application options and access.  I do not think VMware showed the full deck to us yet, but I am excited to see where this will go and things that have dazzled in the past may not look so shiny in the future.  

Should have never walked away from OS2.....


For all those who suggest this is possible to do now... what products can do it? (Because I want it now?) What app store on the market integrates all my Windows apps with SaaS apps, including SSO and provisioning? What product can an admin use that allows him to deploy a SaaS app to a user as easily as a Windows app, and to revoke everything with a single click?


Interesting comments...

I am often puzzled by the talk of cloud computing without thought of how we will bridge the gap of applications and infrastructure.  Sure, anyone can build a virtual machine (Citrix, Oracle, VMware, etc…) and maybe even do so in a nice pretty portal with a service catalog tied to it.  That is far from "cloud" my friend!

Sure, everyone has talked for years about federated directory services but hardly anyone does it and if they do they don’t do so it a very meaningful way.

In my opinion, Project Horizon is yet another example of VMware leading the industry toward true cloud computing.  I have seen several demos of Project “Origami” or “Horizon”, not just the keynote at VMworld, and I am blown away at the vision and execution of this project.  

This project introduces an entirely new way of delivering applications to users across hybrid clouds and is a space where VMware will have no competition for a long time.


AppStore to publish Windows + SaaS apps:

- XenApp (with Dazzle)

SaaS management + SaaS provisioning:

- PingConnect (hosted) or PingFederate (onpremise)

- Conformity

"Magic Sauce":

- Citrix Workflow Studio

- Microsoft Opalis

- Any other orchestration solution that can serve as the User Portal to request provisioning of Windows and SaaS apps using the above components.


@Charlie you don’t work for VMware’s marketing team do you?

@everyone. This solution doesn’t (from what we have seen) offer anything that can’t be achieved now - as I’ve already said. The only thing in its favour is that it is “supposed” to make everything easily manageable through a single console. Other commenters are right, it will be perfect for SMB’s but larger organizations will think about utilizing their current investments in their identity and access management solutions.

Universities (in Europe) have been doing this stuff for a long time. The concept really is nothing new.

Novell could actually do well in this space if they chose to engage fully. Their IDM and SSO solutions are some of the best (technically) I’ve seen. By no means do they have a nice management console though ;) Saying that, they are now starting to offer cloud identity solutions with federated access support. Of course there are alternatives to Novell, I only raise them as they do very well in the public sector with these types of solutions.

It is however nice to see a product bringing all the elements into a single solution.

So answering Brian, there is nothing that can currently do it as a single solution but there are solutions that can achieve the same outcome. – if that makes sense. It just needs organisations to “think out of the box” and do a little bit of R&D.

I suspect Horizon will require some internal R&D to get up and running too.

We are currently using SharePoint as the webportal to provide SSO access to many online resources requiring federated access as well as internal and external SaaS services. In test and soon to be production, we will be integrating vWorkspace publish RDS/VDI resources too. Why SharePoo/Point? Because it's the only consistent interface that our 26,000 users use when they login (internally or externally) and we don't want to give our users yet another system to use.


Sorry, but I failed to see the super awesomness of Horizon


how does this differ from Citrix Merchandising Server? High level sounds the same. I did not read the whole article here. It's monday and I have a scattered brain right now.