This is an Early Access (EA) feature. EA features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. To enable this feature, use the Early Access Feature Manager as described in Manage Early Access and Beta features.

Integrate Okta Device Trust with VMware Workspace ONE for Windows and macOS computers

This Okta + Workspace ONE integration for desktop devices is based primarily on SAML trust connections. It allows administrators to establish device trust by evaluating device posture before permitting end users to access sensitive applications. To determine whether devices are managed and compliant, device posture policies established in Workspace ONE are evaluated anytime a user tries to access a protected application.

You can also configure this integration to provide end users a streamlined device enrollment experience, leverage Okta's extensible Multi Factor Authentication for applications in Workspace ONE, and provide a consistent and familiar login experience for users and administrators. (In Okta literature, "end users" are the people who have their own Okta home page (My Applications) and use apps to authenticate into all of their apps; end users do not have any administrative control. "Users" generally refers to the individuals who have administrative control.)

This guide provides step-by-step instructions to configure and test the use cases supported by the Okta + Workspace ONE integration. To integrate Okta with Workspace ONE, you integrate VMware Identity Manager with Okta. VMware Identity Manager is the identity component of Workspace ONE.


Intended audience

This information is written for experienced administrators who are familiar with Okta and VMware Identity Manager.


Use Cases

The main use cases supported by the Okta + Workspace ONE integration include:

USE CASE 1 – Enforce Device Trust and SSO for desktop devices with Okta + VMware Workspace ONE. (SSO is an acronym for single sign-on. In an SSO system, a user logs in once and can access multiple systems without being prompted to sign in to each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications, both behind the firewall and in the cloud, with a single sign-in, across PCs, laptops, tablets, and smartphones.)

USE CASE 2 – Configure streamlined Device Enrollment and Workspace ONE login for desktop devices using Okta



USE CASE 1 – Enforce Device Trust and SSO for desktop devices with Okta + VMware Workspace ONE

This use case allows administrators to establish device trust by evaluating device posture, such as whether the device is managed, before permitting end users to access sensitive applications. It also establishes Okta as a trusted identity provider to Workspace ONE, allowing end users to log in to the Workspace ONE app, the Workspace ONE Intelligent Hub app, and the web portal using Okta authentication policies. (An app, short for application, is essentially a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in.)



To configure this use case:



USE CASE 2 – Configure streamlined Device Enrollment and Workspace ONE login for desktop devices using Okta

You can configure this use case to provide end users a streamlined device enrollment experience, leverage Okta's extensible Multi Factor Authentication for applications in Workspace ONE, and provide a consistent and familiar login experience for users and administrators. (Authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect.)

This use case is configured in VMware Identity Manager, the identity component of Workspace ONE.


To configure this use case:



Note: If you want to combine both use cases, first configure this use case and then configure Enforce Device Trust and SSO for desktop devices with Okta + VMware Workspace ONE.


Optional: You can allow end users to access apps from either the Okta dashboard or the Workspace ONE dashboard. Both experiences are fully supported. You can configure the Workspace ONE catalog to publish applications federated through Okta without the need to first import them into VMware Identity Manager.

For details, see (Optional) Publish Okta apps to the Workspace ONE catalog.


Requirements

Ensure that your environment meets the following requirements before you begin the Workspace ONE and Okta integration.

Components

VMware

Okta

Supported apps and devices

  • Any Windows or macOS SAML or WS-Fed cloud app
  • Devices running Okta-supported versions of Windows or macOS operating systems

Integrate Workspace ONE and VMware Identity Manager

Integrate your Workspace ONE UEM and VMware Identity Manager tenants and configure the mobile SSO authentication methods that you intend to use for device trust.

Integrate Active Directory

Before integrating Workspace ONE and Okta, integrate your Active Directory and sync users. You must integrate Active Directory with:

  • Workspace ONE UEM, using AirWatch Cloud Connector (ACC)
  • VMware Identity Manager, using the VMware Identity Manager connector
  • Your Okta org, using the Okta Active Directory (AD) agent

Make sure you sync the same users to all three environments.


Caveats

  • Do not secure Workspace ONE with this Device Trust solution – Doing so will prevent new users from enrolling their device in Workspace ONE and accessing other device trust-secured apps.
  • Timeout issue can cause an SSO error – End users signing in to device trust-secured apps from an untrusted device are prompted to enroll their device with Workspace ONE. (This is expected behavior.) But if the apps are native apps and Workspace ONE enrollment takes longer than 10 minutes, or if the end user waits longer than 10 minutes after enrollment before trying again to access the app, an SSO error occurs because the app session has timed out. Advise affected end users to try to access the app again.

Known Issue

App sign-on policies that apply to macOS devices will also apply to iPadOS + Safari requests. Apple has changed the way that Safari reports the device user agent on iPads running iPadOS. Due to this change, Okta cannot differentiate between app requests coming from macOS devices and app requests coming from Safari on iPadOS devices. To mitigate the effects of this change, Okta urges admins to take the following actions:

  • To prevent iPadOS devices from bypassing iOS app sign-on policies configured in Okta (if any), configure a Deny/Catch-All app sign-on policy rule that applies to macOS and iPadOS devices. Place this rule last among the rules you create, just above the Default rule (Applications > Applications > app > Sign On tab).
  • To prevent iPadOS device users from being affected by macOS app sign-on policies configured in Okta (if any), advise users to perform one of the following options:
    • Option 1. All websites accessed from Safari (iPadOS 13 and higher) – In iPad settings, go to Safari settings > Request Desktop Website and then turn off the All Websites setting.
    • Option 2. Per-website basis – Open Safari, tap Aa on the left side of the search field, and then tap Request Mobile Website.
    • Option 3. Access the target app through its Native App version or through Okta Mobile instead of through Safari.


Additional documentation

Okta

Okta Device Trust

Identity Provider Routing Rules

Identity Providers

Office 365 Client Access Policies

VMware

VMware Device Trust

VMware Identity Manager Documentation

VMware Workspace ONE UEM Documentation
