This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features .


Parent topic: Integrate Okta Device Trust with VMware Workspace ONE for Windows and macOS computers

Use case: Configure streamlined Device Enrollment and Workspace ONE login for desktop devices using Okta

Platform: Desktop

 

Configure Okta as an Identity Provider for VMware Identity Manager

This section describes how to configure Okta as the identity provider to Workspace™ ONE™. You can use this configuration to provide a streamlined device enrollment experience, provide Okta's extensible Multi Factor AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect. (MF) to applications in Workspace ONE and provide a consistent and familiar login experience for end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. and administrators.

You perform this procedure in VMware Identity Manager, the identity component of Workspace ONE.

 

Content

 

Start creating a new Identity Provider in VMware Identity Manager

Create a new third-party identity provider in the VMware Identity Manager console and find the SAML metadata information.

Tip: To perform this procedure, have VMware Identity Manager and the Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. console open simultaneously.

  1. Log in to the VMware Identity Manager console as the System administrator.
  2. Click the Identity & Access Management tab, then click Identity Providers.
  3. Click Add Identity Provider and then select Create Third Party IDPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta..

  4. Scroll to the bottom of the page to the SAML Signing Certificate section.
  5. Right click the Service Provider (SPAn acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.) Metadata link and open it in a new tab.
  6. In the SAML metadata file, find the values for the following:
    • entityID – For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml
    • AssertionConsumerService Location for HTTP-POST binding – For example, https://tenant.vmwareidentity.com/SAAS/auth/saml/response

    You will use these values in the procedure Create a new SAML app in Okta.

What's next?

Create a new SAML app in Okta

 

Create a new SAML app in Okta

Note: If you are using the Okta developer dashboard, switch to the Classic UI first. If you see a <> Developer prompt in the top left, click it and select Classic UI to switch to the Classic UI. Use the Classic UI for all the Okta tasks in this document.
  1. Sign in to your Okta orgThe Okta container that represents a real-world organization..
  2. Go to Applications > Applications.
  3. Click Add Application.
  4. Click Add New App.
  5. In the Create a New Application Integration dialog box:
    • Platform: Web
    • Sign on method: SAML 2.0
  1. Click Create.
  2. In General settings, enter a name for the app (for example, Workspace ONE SAML)
  3. Click Next.
  4. In SAML Settings, configure the following:

    OptionDescription
    Single sign on URLCopy and paste the HTTP-POST AssertionConsumerService Location URL that you entered in Start creating a new Identity Provider in VMware Identity Manager. For example, https://tenant.vmwareidentity.com/SAAS/auth/saml/response.
    Audience URI (SP Entity ID)Copy and paste the entityID that you entered in Start creating a new Identity Provider in VMware Identity Manager. For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml.
    Name ID formatSelect Unspecified.
    Application username

    Select Okta username. This maps to User Principal Name(UPN) in Workspace ONE.

  1. Click Next.
  2. In the Feedback section, configure the following:

    Are you an Okta customer – Select I'm an Okta customer adding an internal app

    App type – Select This is an internal app that we have created

  3. Click Finish.
  4. In the Settings section of the Sign On tab, locate and copy the URL for Identity Provider metadata.

 

What's next?

Complete creating a new Identity Provider in VMware Identity Manager

 

Complete creating a new Identity Provider in VMware Identity Manager

  1. In the new identity provider page, enter the following information:

    OptionDescription
    Identity Provider NameEnter a name for the new identity provider, such as Okta SAML IdP
    identityProvider.idpForm.samlSelect HTTP Post

     

    Note: This field appears after you enter the metadata URL in the SAML Metadata section and click Process IdP Metadata.
    SAML Metadata
    1. In the Identity Provider Metadata text box, enter the metadata URL copied from Okta. For example, https://yourOktaTenant/app/appId/ssoAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones./saml/metadata.
    2. Click Process IdP Metadata.
    3. In the Name ID format mapping from SAML Response section, click the + icon, then select the following values:

      4. Name ID Formaturn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

      Name ID ValueuserPrincipalName

      Note: Select the User Attribute that will match the application value defined in Okta.
    Users

    Select the directories you want to authenticate using this identity provider.

    NetworkSelect the networks that can access this identity provider.
    Authentication Methods

    Enter the following:

    Authentication Methods Enter a name for the Okta authentication method, such as Okta Auth Method

    SAML Contexturn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

     

  2. Click Add.

 

What's next?

Add Okta Authentication Method to Access Policies in VMware Identity Manager

 

Add Okta Authentication Method to Access Policies in VMware Identity Manager

After you set up Okta as the identity provider to VMware Identity Manager, add the newly-created authentication method to access policies in VMware Identity Manager. Update the default access policy, and other policies as needed.

You need to add the Okta authentication method to the default access policy so that Okta is used as the sign in provider for the Workspace ONE catalog. The default access policy governs login to the catalog and any apps configured in VMware Identity Manager that do not have another policy definition already.

  1. In the VMware Identity Manager console, click the Identity & Access Management tab, then click Policies.
  2. Click Edit Default Access Policy.
  3. In the Edit Policy wizard, click Configuration.
  4. Click the policy rule for Web browsers.
    1. Set Okta authentication as the authentication method.

      2. If an end user's network range is: ALL RANGES

      and the end user is accessing content from: Web Browser

      and the end user belongs to group(s): Empty (all users)

      Then perform this action: Authenticate using . . .

      then the end user may authenticate using: Okta Auth Method.

      Note: For Okta Auth Method, select the authentication method you created for the IDP in Complete creating a new Identity Provider in VMware Identity Manager
    2. Click Save.
  5. Edit other policies as needed to add the Okta authentication method.

 

What's next?

Assign the app to end users in Okta

 

Assign the app to end users in Okta

After you complete the setup, return to the Okta org and assign the newly-created Workspace ONE application to end users. Assign the application to a few end users at first and then test the integration. For details, see Assign applications.

Top

© 2020 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.