This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.




STEP 3: Configure Routing Rules, Device Trust, and Client Access Policies in Okta for iOS and Android Devices

Prerequisites:

STEP 1: Configure VMware Identity Manager as an Identity Provider in Okta

STEP 2: Configure Okta application source in VMware Identity Manager


The Okta Device Trust feature simplifies the administration of conditional access policies for iOS and Android devices in the Workspace ONE + Okta integration. Device Trust and access policies for apps are configured only in the Okta Admin console.

When iOS or Android Device Trust is configured in Okta, users are redirected to VMware Identity Manager for authentication using the Mobile SSO (iOS) or Mobile SSO (Android) authentication method. VMware Identity Manager returns device posture information to Okta in the SAML response.

The access policies you configure in Okta then determine whether the device must be trusted in order to access the application. If the device is untrusted, a device enrollment page is displayed.

For the purposes of this integration, you must perform the following tasks to configure the Device Trust feature in the Okta Admin console:

  1. Configure Okta identity provider routing rules for iOS and Android devices.
  2. Enable the global Device Trust setting in Okta.
  3. Configure app sign-on policy rules in Okta.
  4. Configure Default Access Policy in VMware Identity Manager.

Important: Verify that the Device SSO Response, Enable Force Authn Request, and Enable Authentication Failure Notification properties in the Okta application source configuration in VMware Identity Manager are set to Yes. These properties are a requirement for the device trust solution for iOS and Android devices. For more information, see STEP 2: Configure Okta application source in VMware Identity Manager.



Configure Identity Provider Routing rules in Okta for mobile devices

Configure Okta IdP routing rules for iOS and Android specifically for this VMware Workspace ONE + Okta integration. When configured, these routing rules work together with application sign-on policies to redirect authentication requests from iOS and/or Android devices to Workspace ONE.


  1. In the Okta Admin console, go to Security > Identity Providers.
  2. Click the Routing Rules tab and then click Add Routing Rule.
  3. Configure settings as follows:

Setting / Action

Rule Name: Enter a name for the rule you are creating.

IF User's IP is: If appropriate for your implementation, you can specify network zones to which the routing does or does not apply. To specify a zone here, at least one network zone must already be defined in Okta. For more information, see Network Security.

AND User's device platform is: Select Any of these devices and then select iOS or Android, or both, depending on your implementation.

AND User is accessing: Select Any of the following applications and then enter the application(s) to which you want the routing rule to apply.

AND User matches: Select the appropriate action:

THEN Use this identity provider: Select the Identity Provider you created in Okta for VMware Identity Manager as detailed in STEP 1: Configure VMware Identity Manager as an Identity Provider in Okta.

  4. Click Create Rule.


Enable Device Trust settings in Okta

This section describes how to enable Device Trust specifically for this VMware Workspace ONE + Okta integration. When configured, these settings work together with the IdP routing rules to redirect authentication requests from iOS and/or Android devices and target applications to Workspace ONE. Other authentication requests are processed through the default routing rule.

  1. From the Okta Admin Console, go to Security > Device Trust.
  2. Click Edit in either the iOS or Android Device Trust section.
  3. Select Enable [iOS or Android] Device Trust.
  4. In Trust is established by, select VMware.
  5. In Integration type, select SAML-based (Workspace ONE UEM+vIDM).
  6. Click Next.
  7. In Device Identity provider, select the Identity Provider you created in Okta for VMware Identity Manager as detailed in Configure Identity Provider Routing rules in Okta for mobile devices.
  8. (Optional) In the Mobile device management provider field, Workspace ONE is pre-populated by default. You can modify this if necessary. The MDM provider you enter here is displayed to end users during device enrollment.
  9. In the Enrollment link field, enter a web address where end users with unmanaged devices will be redirected. For example, you may want to send these users to a page with enrollment instructions, or the Workspace ONE enrollment page.
  10. Click Save.


Configure App Sign On Policy rules in Okta

Overview

By default, all Client options in the App Sign On Rule dialog box are pre-selected. Notice that the Trusted and Not trusted options in the Device Trust section are not selectable unless you deselect the following options in the Client section:

  • Exchange ActiveSync or Legacy Auth client
  • Other mobile (e.g. BlackBerry)
  • Other desktop (e.g. Linux)

To configure more granular access to the app, selectively apply conditions as you create one or more prioritized rules based on:


Procedure

Note: The whitelist example below shows Device Trust rules for managing access to Office 365. For other apps, note that the section If the user's client is any of these is not present.

  1. In Okta, go to Applications and click the SAML or WS-Fed-enabled app that you want to protect with Device Trust.
  2. Click the Sign On tab, scroll down to the Sign On Policy, and click Add Rule.
  3. Configure one or more rules using the following example whitelist as a guide.

Example Whitelist

Users with untrusted devices are guided through Workspace ONE enrollment or redirected to the destination of the Enrollment link configured in Step ③.
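The following is an added example, not Okta's or VMware's code, that models one login attempt through the pieces configured in the routing-rule and app sign-on sections above: the routing rule selects the IdP, the IdP's SAML response carries device posture, and the sign-on rule allows trusted devices and sends untrusted ones to the Enrollment link. The zone, app and IdP names, the enrollment URL and the posture attribute name are constructed placeholders (this page does not name the SAML attribute).

```python
# Added example (not Okta's or VMware's code): model of routing rule ->
# device posture -> app sign-on decision. All names below are constructed.
from dataclasses import dataclass, field

DEFAULT_IDP = "Okta"                                # default routing rule
VMWARE_IDP = "VMware Identity Manager"              # IdP created in STEP 1
ENROLLMENT_LINK = "https://enroll.example.test/"    # placeholder Enrollment link
LEGACY_CLIENTS = {"Exchange ActiveSync or Legacy Auth client",
                  "Other mobile", "Other desktop"}

@dataclass
class RoutingRule:
    name: str
    platforms: set          # AND User's device platform is
    apps: set               # AND User is accessing
    idp: str                # THEN Use this identity provider
    zones: set = field(default_factory=set)   # IF User's IP is; empty = any zone

def route(rules, platform, app, zone):
    """First matching routing rule selects the IdP; otherwise the default rule."""
    for r in rules:
        if r.zones and zone not in r.zones:
            continue
        if platform in r.platforms and app in r.apps:
            return r.idp
    return DEFAULT_IDP

def sign_on(client, device_trusted):
    """App sign-on rule with Device Trust conditions. Trusted/Not trusted only
    become selectable once the legacy client types are deselected, so a rule
    carrying trust conditions does not apply to those clients at all."""
    if client in LEGACY_CLIENTS:
        return ("not applicable", None)
    if device_trusted:
        return ("allow", None)
    return ("redirect", ENROLLMENT_LINK)      # unmanaged device -> enrollment page

def login(rules, platform, app, zone, client, saml_attrs):
    """saml_attrs: posture attributes from the IdP response (constructed key)."""
    idp = route(rules, platform, app, zone)
    if idp != VMWARE_IDP:
        return (idp, "default rule", None)    # no posture is returned on this path
    trusted = saml_attrs.get("device_trusted") == "true"
    return (idp,) + sign_on(client, trusted)

# Constructed rule: iOS/Android users of Office 365 go to Workspace ONE.
RULES = [RoutingRule("Mobile to Workspace ONE", {"iOS", "Android"},
                     {"Office 365"}, VMWARE_IDP)]
```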


Configure Default Access Policy in VMware Identity Manager

Update the default access policy in VMware Identity Manager to include policy rules for iOS and Android devices. The default access policy governs the behavior of the Workspace ONE catalog. Configuring mobile SSO policy rules is mandatory as it is part of passing device trust information to apps.

Create policy rules for iOS and Android with Mobile SSO as the authentication method and with Okta authentication as the fallback method. Also configure the rules for Workspace ONE app and Hub app, and Web browser. Make sure that the policy rules are in the correct order.

  1. Log in to the VMware Identity Manager console as the System administrator.
  2. Click the Identity & Access Management tab, then click the Policies tab.
  3. Click Edit Default Access Policy.
  4. In the Edit Policy wizard, click Configuration.
  5. Click Add Policy Rule and create a policy rule for iOS devices.
    1. Set Mobile SSO (iOS) as the first authentication method and Okta authentication as the fallback authentication method.
    2. If a user's network range is: ALL RANGES

      and the user is accessing content from: iOS

      Then perform this action: Authenticate using

      then the user may authenticate using: Mobile SSO (iOS)

      If the preceding method fails or is not applicable, then: Okta Auth Method

      Note: For Okta Auth Method, select the authentication method you created for the Okta IdP in Complete creating a new Identity Provider in VMware Identity Manager.

    3. Click Save.
  6. Click Add Policy Rule and create a similar policy rule for Android devices.
    1. Set Mobile SSO (Android) as the first authentication method and Okta authentication as the fallback authentication method.

      If a user's network range is: ALL RANGES

      and the user is accessing content from: Android

      Then perform this action: Authenticate using

      then the user may authenticate using: Mobile SSO (Android)

      If the preceding method fails or is not applicable, then: Okta Auth Method

    2. Click Save.
  7. Configure the policy rule for Workspace ONE app and Hub app.
    1. Click the policy rule for Workspace ONE app and Hub app to edit it.
    2. Configure the rule.

      If a user's network range is: ALL RANGES

      and the user is accessing content from: Workspace ONE app or Hub app

      Then perform this action: Authenticate using

      then the user may authenticate using: Mobile SSO (for iOS)

      If the preceding method fails or is not applicable, then: Mobile SSO (for Android)

      If the preceding method fails or is not applicable, then: Okta Auth Method

  8. Arrange the policy rules in the following order, listed from top to bottom:
    1. Workspace ONE app or Hub app
    2. iOS or Android
    3. iOS or Android
    4. Web browser


Recommendations for configuring Native Android apps

To provide the best user experience for users on Android devices, you can configure certain settings for the Android mobile SSO flow.

Native Android apps require the VMware Tunnel to be downloaded and installed on end users' devices. As a best practice for a Workspace ONE + Okta integration environment, configure the Auto deployment setting for each native Android app so that the app and tunnel are automatically deployed on users' devices after they enroll. Also enable Managed Access for the apps.

You configure these settings in the VMware Workspace ONE UEM console.

  1. In Workspace ONE UEM, go to the Apps & Books > Applications > Native page.
  2. Click the app name.
  3. Click Assign.
  4. Click Add Assignment to add a new assignment or select the assignment to edit and click Edit.
  5. Configure the assignment according to your needs and include the following selections as a best practice:
    • App Delivery Method: AUTO
    • Managed Access: ENABLED
    • App Tunneling: ENABLED
  6. Note: When you enable App Tunneling, you also need to select the VPN configuration profile to use for the app.

  7. Save the assignment.

After users enroll their devices, the app appears in the catalog. The app icon indicates that the tunnel is included. When users install the app, both the app and the tunnel are installed.