Configure Okta as an Identity Provider for VMware Identity Manager

This is an Early Access feature. To enable it, in the Okta Admin Console, go to Settings > Features, and then turn on Workspace1 Device Trust for your mobile platform(s).

This section describes how to configure Okta as the identity provider to Workspace™ ONE™. You can use this configuration to provide a streamlined device enrollment experience, provide Okta's extensible Multi-factor authentication to applications in Workspace ONE and provide a consistent and familiar login experience for end users and administrators.

You perform this procedure in VMware Identity Manager, the identity component of Workspace ONE.

Start creating a new Identity Provider in VMware Identity Manager

Create a new third-party identity provider in the VMware Identity Manager console and find the SAML metadata information.

  1. Log in to the VMware Identity Manager console as the System administrator.
  2. Click the Identity & Access Management tab, then click Identity Providers.
  3. Click Add Identity Provider and then select Create Third Party IDP.
  4. Scroll to the bottom of the page to the SAML Signing Certificate section.
  5. Right click the Service Provider (SP) Metadata link and open it in a new tab.
  6. In the SAML metadata file, find the values for the following:
    • entityID – For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml
    • AssertionConsumerService Location for HTTP-POST binding – For example, https://tenant.vmwareidentity.com/SAAS/auth/saml/response

    You will use these values in the procedure Create a new SAML app in Okta.

Create a new SAML app in Okta

If you are using the Okta developer dashboard, switch to the Classic UI first. If you see a <> Developer prompt in the top left, click it and select Classic UI to switch to the Classic UI. Use the Classic UI for all the Okta tasks in this document.
  1. In the Admin Console, go to Applications > Applications.
  2. Click Create App Integration.
  3. Select SAML 2.0.
  4. Click Next.
  1. In General settings, enter an App name (for example, Workspace ONE SAML).
  2. Click Next.
  3. In SAML Settings, configure the following:
    OptionDescription
    Single sign on URLCopy and paste the HTTP-POST AssertionConsumerService Location URL that you entered in Start creating a new Identity Provider in VMware Identity Manager. For example, https://tenant.vmwareidentity.com/SAAS/auth/saml/response.
    Audience URI (SP Entity ID)Copy and paste the entityID that you entered in Start creating a new Identity Provider in VMware Identity Manager. For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml.
    Name ID formatSelect Unspecified.
    Application username

    Select Okta username. This maps to User Principal Name(UPN) in Workspace ONE.

  1. Click Next.
  2. Select I'm an Okta customer adding an internal app.
  3. Select This is an internal app that we have created.
  4. Click Finish.
  5. In the Settings section of the Sign On tab, locate and copy the URL for Identity Provider metadata.

Complete creating a new Identity Provider in VMware Identity Manager

  1. In the new identity provider page, enter the following information:
    OptionDescription
    Identity Provider NameEnter a name for the new identity provider, such as Okta SAML IdP
    identityProvider.idpForm.samlSelect HTTP Post
    This field appears after you enter the metadata URL in the SAML Metadata section and click Process IdP Metadata.
    SAML Metadata
    1. In the Identity Provider Metadata text box, enter the metadata URL copied from Okta. For example, https://yourOktaTenant/app/appId/sso/saml/metadata.
    2. Click Process IdP Metadata.
    3. In the Name ID format mapping from SAML Response section, click the + icon, then select the following values:
    4. Name ID Formaturn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

      Name ID ValueuserPrincipalName

      Select the User Attribute that will match the application value defined in Okta.
    Users

    Select the directories you want to authenticate using this identity provider.

    NetworkSelect the networks that can access this identity provider.
    Authentication Methods

    Enter the following:

    Authentication Methods Enter a name for the Okta authentication method, such as Okta Auth Method

    SAML Contexturn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

  2. Click Add.

Add Okta Authentication Method to Access Policies in VMware Identity Manager

After you set up Okta as the identity provider to VMware Identity Manager, add the newly-created authentication method to access policies in VMware Identity Manager. Update the default access policy, and other policies as needed.

You need to add the Okta authentication method to the default access policy so that Okta is used as the sign in provider for the Workspace ONE catalog. The default access policy governs login to the catalog and any apps configured in VMware Identity Manager that do not have another policy definition already.

  1. In the VMware Identity Manager console, click the Identity & Access Management tab, then click Policies.
  2. Click Edit Default Access Policy.
  3. In the Edit Policy wizard, click Configuration.
  4. Click the policy rule for Web browsers.
  5. Edit other policies as needed to add the Okta authentication method.

Assign the app to end users in Okta

After you complete the setup, return to the Okta org and assign the newly-created Workspace ONE application to end users. Assign the application to a few end users at first and then test the integration. For details, see Assign app integrations.