Publish Okta apps to the Workspace ONE catalog
End users can continue to access apps from either the Okta dashboard or the Workspace ONE dashboard. Both experiences are fully supported. This section describes how to configure the Workspace ONE catalog to publish applications federated through Okta without the need to first import them into VMware Identity Manager. This allows admins to manage federated applications and user entitlements completely from the Okta Admin console.
If you decide to integrate Okta applications into the Workspace ONE catalog:
- Configure Okta as an application source in VMware Identity Manager (See Step 2: Configure Okta application source in VMware Identity Manager).
- Enter your Okta tenant details in the VMware Identity Manager console as described in the procedure below. You do not need to add individual applications to the VMware Identity Manager catalog.
When end users log into the Workspace ONE, the Okta apps to which they are entitled appear automatically in the catalog, along with their other apps.
VMware Identity Manager uses the Okta tenant information you configure to connect to the Okta tenant and retrieve apps and user entitlements whenever a user logs into Workspace ONE. When a user clicks an Okta app in Workspace ONE, VMware Identity Manager uses the application source configuration to launch the app.
You manage apps and user entitlements in the Okta Admin console, not in the VMware Identity Manager console. When you add or delete apps or entitlements in the Okta Admin console, the changes are replicated in end users' catalogs directly. Okta apps do not appear in the VMware Identity Manager administration console.
This integration supports the following types of Okta apps:
- SAML 2.0
- OpenID Connect
Add your Okta tenant information and API token in the VMware Identity Manager console to enable VMware Identity Manager to connect to the Okta tenant to retrieve Okta apps and user entitlements. This is a one-time, initial configuration task.
Before you configure the tenant information in VMware Identity Manager, obtain an API token from the Okta Admin console.
VMware Identity Manager requires the Okta API token to connect with the Okta tenant and retrieve apps.
The token expires 30 days after it is last used. Each time the token is used, the expiry date is extended by
In the Admin Console, click Security > API.
Click the Tokens tab.
Click Create Token.
Enter a name for the token.
- Click Create Token.
- Copy and save the token in a text file.
In the VMware Identity Manager console, enter your Okta tenant information, which is required for VMware Identity Manager to connect to the Okta tenant and retrieve apps. You need to specify the Okta Cloud URL, API token, and user search attribute.
You have obtained an API token from the Okta Admin console.
- In the VMware Identity Manager console, click the Identity & Access Management tab, then click Setup.
- Click the Okta tab.
- Enter the Okta tenant information.
- Click Save.
|Okta Cloud URL||Enter your Okta tenant URL. For example, https://mytenant.example.com.|
|Okta API Token||Enter the Okta API Token you created in Obtain an API token.|
|User Search Parameter||Select the user attribute to be used to search for users in the Okta directory. You can search by userName, email, or userPrincipalName.|
Integrating Okta applications with VMware Identity Manager also automatically enables Okta password management for Workspace ONE users. No configuration is required in the VMware Identity Manager console.
In the Workspace ONE Intelligent Hub app, Workspace ONE app, and web portal, end users can change their passwords by going to Settings and clicking the Change Password link. When Okta applications are integrated with VMware Identity Manager, this password change is automatically handled by Okta, not by VMware Identity Manager.
When users change their passwords, password policies configured in the Okta Admin console are enforced. The password policy is not displayed by default on the Change Password page but appears when users enter a password that does not match the policy.