Step 1: Configure VMware Identity Manager as an Identity Provider in Okta

This is an Early Access feature. To enable it, in the Okta Admin Console, go to Settings > Features, and then turn on Workspace1 Device Trust for your mobile platform(s).

This section describes how to configure VMware Identity Manager as an identity provider (IdP) in Okta. This configuration is required to configure a unified catalog as well as mobile SSO and device trust.

For additional information, see Typical workflow for configuring inbound SAML.

Get VMware Identity Manager SAML Metadata Information

Retrieve the SAML metadata information from VMware Identity Manager that is required to set up an identity provider in Okta.

  1. Log in to the VMware Identity Manager console as the System administrator.
  2. Select the Catalog > Web Apps tab.
  3. Click Settings.
  4. Click SAML Metadata in the left pane.
  5. The Download Metadata tab is displayed.

  6. Download the Signing Certificate.
    1. In the Signing Certificate section, click Download.
    2. Make a note of where the certificate file is downloaded (signingCertificate.cer).
  7. Retrieve the SAML metadata.
    1. In the SAML Metadata section, right-click the Identity Provider (IdP) metadata link and open it in a new tab or window.
    2. In the identity provider metadata file, find and make a note of the following values:
      • entityID
      • For example: https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml

      • SingleSignOnService URL with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      • For example: https://tenant.vmwareidentity.com/SAAS/auth/federation/sso

Add an Identity Provider in Okta

For additional information about how Okta handles external identity providers, see Identity Providers.

  1. In the Okta Admin Console, go to Security > Identity Providers.
  2. Click Add Identity Provider and select SAML 2.0 IdP.
  3. Click Next.
  4. Enter a name for the identity provider. For example, Workspace ONE.
  5. Configure the following:
    • IdP Username: Enter idpuser.subjectNameId.
    • If you plan to send the username in a custom SAML attribute, define an appropriate expression. For information, see Okta Expression Language.

    • Filter: Do not select this checkbox.
    • Match against: Select Okta Username.
    • Adjust the selection as required for your environment and the values that you plan to send.

    • If no match is found: Select Redirect to Okta sign-in page.
    • IdP Issuer URI: Enter the entityID.
    • This is the value you obtained from the identity provider metadata file from Workspace ONE. For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml

    • IdP Single Sign-On URL: Enter the SingleSignOnService Location URL.
    • This is the value you obtained from the identity provider metadata file from Workspace ONE. For example, https://tenant.vmwareidentity.com/SAAS/auth/federation/sso

    • IdP Signature Certificate: Browse and select the Signing Certificate file you downloaded from Workspace ONE in Get VMware Identity Manager SAML Metadata Information.
    • Request Authentication Context: Select Device Trust.
    • This setting specifies the context of the authentication request.

      If the Request Authentication Context option is not available, go to Settings > Features and enable Workspace1 Device Trust for your mobile platform(s).

  6. Click Finish.
  7. Verify that the following information appears:
    • SAML Metadata
    • Assertion Consumer Service URL
    • Audience URI
  8. Download and save the metadata file.
    1. Click the Download Metadata link.

    2. Save the metadata file locally.

    3. Open the metadata file and keep its contents at hand: the Okta entity ID (Audience URI) and Assertion Consumer Service URL it contains are needed when you register Okta in VMware Identity Manager in the next step.
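The following script is an added example for this page (it is not Okta's or VMware's code). It performs the two checks a practitioner wants before typing anything into either console: it extracts the entityID and the HTTP-POST SingleSignOnService Location from the VMware Identity Manager IdP metadata (the values noted in Get VMware Identity Manager SAML Metadata Information) and confirms that the downloaded signingCertificate.cer is the certificate that metadata advertises in its KeyDescriptor, then extracts the Audience URI and Assertion Consumer Service URL from the Okta SP metadata downloaded in step 8. Both metadata documents in the script are constructed samples with the layout of real SAML 2.0 metadata; the hosts, entity IDs and certificate bytes are placeholders, not real tenant values. It needs only the Python 3 standard library.

```python
"""Check the SAML metadata exchanged between VMware Identity Manager (IdP)
and Okta (SP). Added example; the metadata documents and the certificate
bytes below are constructed placeholders, not real tenant data."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the DER body of the IdP signing certificate.
FAKE_CERT_DER = b"constructed-bytes-standing-in-for-an-x509-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed IdP metadata, shaped like .../SAAS/API/1.0/GET/metadata/idp.xml.
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://tenant.vmwareidentity.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://tenant.vmwareidentity.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed signingCertificate.cer: the same bytes, PEM-armoured.
SIGNING_CER = ("-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64 +
               "\n-----END CERTIFICATE-----\n").encode()

# Constructed SP metadata shaped like Okta's "Download Metadata" file;
# the okta.com host and identifiers are placeholders.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://www.okta.com/saml2/service-provider/example">
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0" isDefault="true"
        Location="https://example.okta.com/sso/saml2/example"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cer_to_der(data: bytes) -> bytes:
    """Accept a .cer file as either PEM or raw DER and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP Issuer URI (entityID), the HTTP-POST SingleSignOnService
    Location, and SHA-256 fingerprints of the advertised signing certificates."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    post = [e.get("Location")
            for e in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS)
            if e.get("Binding") == HTTP_POST]
    if len(post) != 1:  # Okta takes exactly one POST endpoint; refuse to guess
        raise ValueError(f"expected one HTTP-POST SingleSignOnService, found {len(post)}")
    fps = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys do not sign assertions
        for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            fps.append(hashlib.sha256(der).hexdigest())
    if not fps:
        raise ValueError("metadata carries no signing certificate")
    return {"entityID": entity_id, "sso_post_url": post[0], "signing_cert_sha256": fps}


def signing_cert_matches(idp: dict, cer_file: bytes) -> bool:
    """True when the downloaded signingCertificate.cer is one of the signing
    certificates in the metadata (compared by SHA-256 of the DER encoding)."""
    return hashlib.sha256(cer_to_der(cer_file)).hexdigest() in idp["signing_cert_sha256"]


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the Audience URI (entityID) and the HTTP-POST Assertion Consumer
    Service URL from Okta's SP metadata."""
    root = ET.fromstring(xml_text)
    acs = [e.get("Location")
           for e in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    return {"audience_uri": root.get("entityID"), "acs_url": acs[0]}


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    print("IdP Issuer URI:", idp["entityID"])
    print("IdP Single Sign-On URL:", idp["sso_post_url"])
    print("signingCertificate.cer matches metadata:", signing_cert_matches(idp, SIGNING_CER))
    sp = parse_sp_metadata(SP_METADATA)
    print("Audience URI:", sp["audience_uri"], "| ACS URL:", sp["acs_url"])
```

To use it against real files, replace the constructed IDP_METADATA, SIGNING_CER and SP_METADATA constants with the contents of idp.xml, signingCertificate.cer and the Okta metadata download. A certificate mismatch means the .cer you are about to upload as the IdP Signature Certificate is not the key Workspace ONE signs with, and every SAML response would fail signature validation in Okta.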