This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.
(Optional) Publish Okta apps to the Workspace ONE catalog
End users can continue to access apps from either the Okta dashboard or the Workspace ONE dashboard. Both experiences are fully supported. This section describes how to configure the Workspace ONE catalog to publish applications federated through Okta without the need to first import them into VMware Identity Manager. This allows admins to manage federated applications and user entitlements completely from the Okta Admin console.
If you decide to integrate Okta applications into the Workspace ONE catalog:
- Configure Okta as an application source in VMware Identity Manager (you should have done this already in STEP 2: Configure Okta application source in VMware Identity Manager).
- Enter your Okta tenant details in the VMware Identity Manager console as described in the procedure below. You do not need to add individual applications to the VMware Identity Manager catalog.
When end users log in to Workspace ONE, the Okta apps to which they are entitled appear automatically in the catalog, along with their other apps.
VMware Identity Manager uses the Okta tenant information you configure to connect to the Okta tenant and retrieve apps and user entitlements whenever a user logs in to Workspace ONE. When a user clicks an Okta app in Workspace ONE, VMware Identity Manager uses the application source configuration to launch the app.
You manage apps and user entitlements in the Okta Admin console, not in the VMware Identity Manager console. When you add or delete apps or entitlements in the Okta Admin console, the changes are replicated directly in end users' catalogs. Okta apps do not appear in the VMware Identity Manager administration console.
This integration supports the following types of Okta apps:
- SAML 2.0
- OpenID Connect
Add your Okta tenant information and API token in the VMware Identity Manager console to enable VMware Identity Manager to connect to the Okta tenant to retrieve Okta apps and user entitlements. This is a one-time, initial configuration task.
Before you configure the tenant information in VMware Identity Manager, obtain an API token from the Okta Admin console.
Obtain an Okta API Token
VMware Identity Manager requires the Okta API token to connect with the Okta tenant and retrieve apps.
The token expires 30 days after it is last used. Each time the token is used, the expiry date is extended by
- In the Okta Admin console, click Security > API.
- Click Create Token.
- Enter a name for the token, then click Create Token.
- Copy and save the token in a text file.
Configure Okta Tenant Information in VMware Identity Manager
In the VMware Identity Manager console, enter your Okta tenant information, which is required for VMware Identity Manager to connect to the Okta tenant and retrieve apps. You need to specify the Okta Cloud URL, API token, and user search attribute.
Before you begin, make sure you have obtained an API token from the Okta Admin console.
- In the VMware Identity Manager console, click the Identity & Access Management tab, then click Setup.
- Click the Okta tab.
- Enter the Okta tenant information.
- Click Save.
| Option | Description |
| --- | --- |
| Okta Cloud URL | Enter your Okta tenant URL. For example, https://mytenant.example.com. |
| Okta API Token | Enter the Okta API Token you created in (Optional) Publish Okta apps to the Workspace ONE catalog. |
| User Search Parameter | Select the user attribute to be used to search for users in the Okta directory. You can search by userName, email, or userPrincipalName. |
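As an added illustration (not code from Okta's or VMware's documentation or products), the following Python snippet shows the shape of the connection that the tenant details above enable: it validates the Okta Cloud URL, builds the request headers that carry the API token, and filters a constructed apps response down to the SAML 2.0 and OpenID Connect apps this integration supports. The `SSWS` authorization scheme and the `signOnMode` values are Okta API conventions; the sample response body is constructed, not real tenant data.

```python
import json
from urllib.parse import urlparse

# signOnMode values Okta reports in GET /api/v1/apps for the two app types
# this integration supports (SAML 2.0 and OpenID Connect).
SUPPORTED_SIGN_ON_MODES = {"SAML_2_0", "OPENID_CONNECT"}


def validate_okta_cloud_url(url: str) -> str:
    """Return the bare tenant origin (https scheme + host) or raise ValueError."""
    parsed = urlparse(url)
    # The API token only ever travels over TLS, so refuse plain http.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("Okta Cloud URL must be an https:// tenant URL")
    # The value entered is the tenant origin, not a deep link into the tenant.
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        raise ValueError("Okta Cloud URL must not contain a path or query")
    return f"https://{parsed.netloc}"


def api_headers(api_token: str) -> dict:
    """Headers for an Okta API call; an API token uses the SSWS scheme."""
    if not api_token or any(c.isspace() for c in api_token):
        raise ValueError("API token is missing or contains whitespace")
    return {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}


def supported_apps(apps_response: str) -> list:
    """Labels of ACTIVE apps whose signOnMode this integration can publish."""
    apps = json.loads(apps_response)
    return sorted(
        app["label"]
        for app in apps
        if app.get("status") == "ACTIVE"
        and app.get("signOnMode") in SUPPORTED_SIGN_ON_MODES
    )


# Constructed sample of a GET /api/v1/apps response body (not real tenant data).
SAMPLE_APPS = json.dumps([
    {"label": "Salesforce", "status": "ACTIVE", "signOnMode": "SAML_2_0"},
    {"label": "Internal Portal", "status": "ACTIVE", "signOnMode": "OPENID_CONNECT"},
    {"label": "Legacy Wiki", "status": "ACTIVE", "signOnMode": "BROWSER_PLUGIN"},
    {"label": "Old CRM", "status": "INACTIVE", "signOnMode": "SAML_2_0"},
])

if __name__ == "__main__":
    print(validate_okta_cloud_url("https://mytenant.example.com"))
    print(supported_apps(SAMPLE_APPS))  # ['Internal Portal', 'Salesforce']
```

Apps with other sign-on modes (for example browser plugin or bookmark apps) are left out, which matches the two app types the integration supports.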
Okta handles password management
Integrating Okta applications with VMware Identity Manager also automatically enables Okta password management for Workspace ONE users. No configuration is required in the VMware Identity Manager console.
In the Workspace ONE Intelligent Hub app, Workspace ONE app, and web portal, end users can change their passwords by going to Settings and clicking the Change Password link. When Okta applications are integrated with VMware Identity Manager, this password change is automatically handled by Okta, not by VMware Identity Manager.
When users change their passwords, password policies configured in the Okta Admin console are enforced. The password policy is not displayed by default on the Change Password page but appears when users enter a password that does not match the policy.
For information about configuring password policies in Okta, see Security Policies.