Enforce Device Trust and SSO for mobile devices with Okta + VMware Workspace ONE

This is an Early Access feature. To enable it, in the Okta Admin Console, go to Settings > Features, and then turn on Workspace1 Device Trust for your mobile platform(s).

Integrating Okta with Workspace ONE allows administrators to establish device trust by evaluating device posture, such as whether the device is managed, before permitting end users to access sensitive applications. For iOS and Android devices, device posture policies are configured in Okta and evaluated any time a user logs in to a protected application.

This use case also establishes Okta as a trusted identity provider to Workspace ONE, allowing end users to log in to the Workspace ONE app, Workspace ONE Intelligent Hub app, and web portal using Okta authentication policies.

Authentication flow for iOS and Android devices

A device trust flow for iOS and Android devices using the Salesforce application would follow this sequence:

  1. End user attempts to access the Salesforce tenant.
  2. Salesforce redirects to Okta as the configured identity provider.
  3. Okta processes the incoming request and routes the client to the Workspace ONE identity provider based on configured routing rules.
  4. Workspace ONE challenges the user for authentication using Mobile SSO for iOS or Mobile SSO for Android.
  5. Workspace ONE redirects back to Okta with device trust status.
  6. Okta issues the SAML assertion for Salesforce if the device trust rule is satisfied by the device trust status carried in the SAML response received from Workspace ONE.
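The following is an added example, not Okta's or VMware's code, of the kind of check that step 6 performs on the inbound assertion: it accepts the device as trusted only when the assertion comes from the expected issuer, is within its validity window, names Okta as the audience, and carries a device trust attribute set to true. The attribute name `deviceTrust`, the issuer and audience URLs, and the sample assertion are constructed for illustration; the page does not specify them, and signature verification is assumed to have been done before this point.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical attribute name; the page does not state which attribute
# Workspace ONE uses to carry device trust status.
DEVICE_TRUST_ATTR = "deviceTrust"

# Constructed sample of the assertion Okta would receive in step 5.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://ws1.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://okta.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="deviceTrust"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def device_trusted(assertion_xml, expected_issuer, expected_audience, now):
    """Return True only if the assertion is from the expected IdP, is currently
    valid, is addressed to us, and asserts a trusted device. Fails closed."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return False
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == DEVICE_TRUST_ATTR:
            value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
            return value.strip().lower() == "true"
    return False  # attribute absent: treat the device as untrusted

if __name__ == "__main__":
    now = _parse_ts("2024-01-01T00:01:00Z")
    print(device_trusted(SAMPLE_ASSERTION, "https://ws1.example.com",
                         "https://okta.example.com", now))  # True
```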

To configure this use case: