This is an Early Access feature. To enable it, in the Okta Admin Console, go to Settings > Features, and then turn on Workspace1 Device Trust for your mobile platform(s).

This section describes how to configure VMware Identity Manager as an identity provider (IdP) in Okta. This configuration is required to configure a unified catalog as well as mobile SSO and device trust.

For additional information, see Typical workflow for configuring inbound SAML.

Retrieve the SAML metadata information from VMware Identity Manager that is required to set up an identity provider in Okta.

- Log in to the VMware Identity Manager console as the System administrator.
- Select the tab.
- Click Settings.
- Click SAML Metadata in the left pane.
- Download the Signing Certificate.
  - In the Signing Certificate section, click Download.
  - Make a note of where the certificate file is downloaded (signingCertificate.cer).
- Retrieve the SAML metadata.
  - In the SAML Metadata section, right-click the Identity Provider (IdP) metadata link and open it in a new tab or window.
  - In the identity provider metadata file, find and make a note of the following values:
    - entityID. For example: https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml
    - SingleSignOnService Location URL with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST". For example: https://tenant.vmwareidentity.com/SAAS/auth/federation/sso
For additional information about how Okta handles external identity providers, see Identity Providers.

- In the Okta Admin Console, go to Security > Identity Providers.
- Click Add Identity Provider and select SAML 2.0 IdP.
- Click Next.
- Enter a name for the identity provider. For example, Workspace ONE.
- Configure the following:
  - IdP Username: Enter idpuser.subjectNameId. If you plan to send the username in a custom SAML attribute, define an appropriate expression. For information, see Okta Expression Language.
  - Filter: Do not select this checkbox.
  - Match against: Select Okta Username. Adjust the selection as required for your environment and the values that you plan to send.
  - If no match is found: Select Redirect to Okta sign-in page.
  - IdP Issuer URI: Enter the entityID. This is the value you obtained from the identity provider metadata file from Workspace ONE. For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml
  - IdP Single Sign-On URL: Enter the SingleSignOnService Location URL. This is the value you obtained from the identity provider metadata file from Workspace ONE. For example, https://tenant.vmwareidentity.com/SAAS/auth/federation/sso
  - IdP Signature Certificate: Browse and select the Signing Certificate file you downloaded from Workspace ONE in Get VMware Identity Manager SAML Metadata Information.
  - Request Authentication Context: Select Device Trust. This setting specifies the context of the authentication request. If the Request Authentication Context option is not available, go to Settings > Features and enable Workspace1 Device Trust for your mobile platform(s).
- Click Finish. The Download Metadata tab is displayed.
- Verify that the following information appears:
  - SAML Metadata
  - Assertion Consumer Service URL
  - Audience URI
- Click the Download Metadata link.
- Save the metadata file locally.
- Open the metadata file and copy its contents for use in Get VMware Identity Manager SAML Metadata Information.
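The two procedures above hinge on copying three values out of the Workspace ONE IdP metadata (entityID, the HTTP-POST SingleSignOnService Location, and the signing certificate) into the matching Okta fields. The following script is an added example, not Okta's or VMware's code: it parses an IdP metadata document, selects the SingleSignOnService endpoint by its HTTP-POST Binding rather than taking the first one listed, collects the signing certificate(s) from the metadata, and checks that the separately downloaded signingCertificate.cer is one of them, so that the IdP Signature Certificate uploaded to Okta is the key the metadata actually advertises. The metadata document and certificate embedded below are constructed placeholders shaped like idp.xml and signingCertificate.cer; the function names are this example's own.

```python
"""Extract the Okta IdP form values from SAML IdP metadata and verify the
downloaded signing certificate against it. Added example; the metadata and
certificate below are constructed placeholders, not a real tenant's values."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for idp.xml. The HTTP-Redirect endpoint is a placeholder
# included only so the binding filter below has something to skip.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          TUlJQ0VYQU1QTEU=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant.vmwareidentity.com/SAAS/placeholder/redirect-endpoint"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.vmwareidentity.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the downloaded signingCertificate.cer (PEM form).
SAMPLE_DOWNLOADED_CERT = """-----BEGIN CERTIFICATE-----
TUlJQ0VYQU1QTEU=
-----END CERTIFICATE-----
"""


def _normalize_cert(text):
    """Drop PEM armor lines and whitespace; confirm the body is valid base64."""
    body = "".join(
        line for line in (text or "").splitlines() if not line.startswith("-----")
    )
    body = re.sub(r"\s+", "", body)
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    return body


def extract_idp_values(metadata_xml):
    """Return entityID, the HTTP-POST SSO Location and the signing cert(s)."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID attribute")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Okta's IdP Single Sign-On URL field wants the HTTP-POST endpoint, so
    # select on Binding instead of taking the first SingleSignOnService.
    post_locations = [
        sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") == HTTP_POST_BINDING and sso.get("Location")
    ]
    if len(post_locations) != 1:
        raise ValueError("expected exactly one HTTP-POST SingleSignOnService, "
                         "found %d" % len(post_locations))

    # A KeyDescriptor with no 'use' attribute serves signing and encryption,
    # so it counts as a signing key as well.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            signing_certs.append(_normalize_cert(cert.text))
    if not signing_certs:
        raise ValueError("metadata advertises no signing certificate")

    return {
        "entityID": entity_id,                    # Okta: IdP Issuer URI
        "sso_post_location": post_locations[0],   # Okta: IdP Single Sign-On URL
        "signing_certs": signing_certs,           # Okta: IdP Signature Certificate
    }


def downloaded_cert_matches(pem_text, idp_values):
    """True if the downloaded .cer is one of the metadata's signing certs."""
    return _normalize_cert(pem_text) in idp_values["signing_certs"]


if __name__ == "__main__":
    values = extract_idp_values(SAMPLE_IDP_METADATA)
    print("IdP Issuer URI:        ", values["entityID"])
    print("IdP Single Sign-On URL:", values["sso_post_location"])
    print("Downloaded cert matches metadata:",
          downloaded_cert_matches(SAMPLE_DOWNLOADED_CERT, values))
```

To use it against a real tenant, replace the two constructed strings with the contents of the idp.xml you opened from the SAML Metadata section and the signingCertificate.cer you downloaded. A mismatch between the two means the certificate file and the metadata were taken at different times or from different tenants, and the IdP Signature Certificate upload would fail to validate assertions.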