STEP 2: Configure Okta application source in VMware Identity Manager
This is an Early Access (EA) feature. To enable it, go to Settings > Features in the Okta Admin Console and turn on Workspace1 Device Trust for your mobile platform(s).
This step configures VMware Identity Manager to send device posture information in the SAML response to Okta after the user is authenticated.
This is a one-time, initial configuration task.
Before you begin: you have configured VMware Identity Manager as an identity provider in Okta as described in STEP 1: Configure VMware Identity Manager as an Identity Provider in Okta.
- In the VMware Identity Manager console, select the Catalog > Web Apps tab.
- Click Settings.
- Click Application Sources in the left pane.
- Click OKTA.
- In the OKTA Application Source wizard Definition page, enter a description if needed, then click Next.
In the Configuration page:
- For Configuration, select URL/XML.
- In the URL/XML text box, copy and paste the SP metadata that you downloaded from Okta as described in Add an Identity Provider in Okta.
- If you plan to configure device trust for iOS and Android mobile devices, click Advanced Properties and set the following options to Yes.

  Note: These properties are mandatory for the device trust solution for iOS and Android devices.

  | Property | Description |
  |---|---|
  | Device SSO Response | Sends device posture information in the SAML response to Okta after the user is authenticated. |
  | Enable Force Authn Request | The service provider can send the forceAuthn=true flag in the SAML request, which forces the user to be reauthenticated. |
  | Enable Authentication Failure Notification | Receive SAML response error messages when authentication fails. |

- Click Next.
- In the Access Policies page, select the default access policy set. Authentication requests from Okta applications will be authenticated using this policy set.
- Click Next, review your selections, and then click Save.
- Click the OKTA Application Source again.
- In the Configuration page, modify the Username Value to match the value that Okta is matching against, such as Okta Username.
- Click Next twice and then Save to save your changes.
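As an added illustration of what the Enable Force Authn Request property changes on the wire (this is example code written here, not code from the Okta or VMware documentation): a small Python check that a SAML AuthnRequest carries ForceAuthn="true" and that the assertion the IdP returns reflects a fresh authentication rather than a reused session. The two messages, their IDs and the AssertionConsumerServiceURL are constructed samples, not captures from a real deployment.

```python
"""Checks on the SAML exchange behind 'Enable Force Authn Request'.

When the SP (Okta) sends ForceAuthn="true", the IdP (VMware Identity
Manager) must re-authenticate the user instead of reusing an existing
session, so the AuthnInstant in the returned assertion should not predate
the request. The messages below are constructed samples for illustration.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP -> IdP request; the ACS URL is a placeholder.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_req1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z" ForceAuthn="true"
  AssertionConsumerServiceURL="https://example.okta.com/sso/saml2/placeholder"/>"""

# Constructed IdP -> SP response whose AuthnInstant is OLDER than the
# request, i.e. the IdP reused a session despite ForceAuthn.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-15T10:00:20Z" InResponseTo="_req1">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:20Z">
    <saml:AuthnStatement AuthnInstant="2024-01-15T09:30:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC timestamp format used in SAML messages."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def force_authn_requested(authn_request_xml):
    """True when the SP asked the IdP to re-authenticate the user."""
    root = ET.fromstring(authn_request_xml)
    return root.get("ForceAuthn", "false").lower() == "true"


def fresh_authentication(authn_request_xml, response_xml):
    """True when the response answers this request and its AuthnInstant
    is not earlier than the request's IssueInstant."""
    req = ET.fromstring(authn_request_xml)
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != req.get("ID"):
        return False
    stmt = resp.find("saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        return False
    return _ts(stmt.get("AuthnInstant")) >= _ts(req.get("IssueInstant"))
```

With the constructed sample, `fresh_authentication` returns False, which is the condition a monitoring check would flag: the IdP answered a ForceAuthn request with a session established before the request was made.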
Assign Okta application source to all users
After you configure the Okta application source, assign it to all users in VMware Identity Manager.
Before you begin: you have configured the Okta application source in VMware Identity Manager as described in Configure Okta application source in VMware Identity Manager.
- In the VMware Identity Manager console, click the Users & Groups > Groups tab.
- Click the ALL USERS group.
- Click the Apps tab, then click Add Entitlements.
- Select the OKTA application and select Automatic as the Deployment type.
- Click Save.
Optional: You can allow end users to access apps from either the Okta dashboard or the Workspace ONE dashboard. Both experiences are fully supported. You can configure the Workspace ONE catalog to publish applications federated through Okta without the need to first import them into VMware Identity Manager.
For details, see (Optional) Publish Okta apps to the Workspace ONE catalog.
Next: STEP 3: Configure Routing Rules, Device Trust, and Client Access Policies in Okta for iOS and Android Devices
Use case: Enforce Device Trust and SSO for mobile devices with Okta + VMware Workspace ONE