This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features .
This section describes how to configure Okta as the identity provider to Workspace™ ONE™. You can use this configuration to provide a streamlined device enrollment experience, provide Okta's extensible Multi Factor AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect. (MF) to applications in Workspace ONE and provide a consistent and familiar login experience for end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. and administrators.
You perform this procedure in VMware Identity Manager, the identity component of Workspace ONE.
Create a new third-party identity provider in the VMware Identity Manager console and find the SAML metadata information.
Tip: To perform this procedure, have VMware Identity Manager and the Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. console open simultaneously.
- Log in to the VMware Identity Manager console as the System administrator.
- Click the Identity & Access Management tab, then click Identity Providers.
- Click Add Identity Provider and then select Create Third Party IDPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta..
- Scroll to the bottom of the page to the SAML Signing Certificate section.
- Right click the Service Provider (SPAn acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.) Metadata link and open it in a new tab.
- In the SAML metadata file, find the values for the following:
- entityID – For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml
- AssertionConsumerService Location for HTTP-POST binding – For example, https://tenant.vmwareidentity.com/SAAS/auth/saml/response
You will use these values in the procedure Create a new SAML app in Okta.
Create a new SAML app in Okta
- Sign in to your Okta orgThe Okta container that represents a real-world organization..
- Go to Applications > Applications.
- Click Add Application.
- Click Add New App.
- In the Create a New Application Integration dialog box:
- Platform: Web
- Sign on method: SAML 2.0
- Click Create.
- In General settings, enter a name for the app (for example, Workspace ONE SAML)
- Click Next.
- In SAML Settings, configure the following:
Option Description Single sign on URL Copy and paste the HTTP-POST AssertionConsumerService Location URL that you entered in Start creating a new Identity Provider in VMware Identity Manager. For example, https://tenant.vmwareidentity.com/SAAS/auth/saml/response. Audience URI (SP Entity ID) Copy and paste the entityID that you entered in Start creating a new Identity Provider in VMware Identity Manager. For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml. Name ID format Select Unspecified. Application username
Select Okta username. This maps to User Principal Name(UPN) in Workspace ONE.
- Click Next.
- In the Feedback section, configure the following:
Are you an Okta customer – Select I'm an Okta customer adding an internal app
App type – Select This is an internal app that we have created
- Click Finish.
- In the Settings section of the Sign On tab, locate and copy the URL for Identity Provider metadata.
Complete creating a new Identity Provider in VMware Identity Manager
- In the new identity provider page, enter the following information:
Option Description Identity Provider Name Enter a name for the new identity provider, such as Okta SAML IdP identityProvider.idpForm.saml Select HTTP PostNote: This field appears after you enter the metadata URL in the SAML Metadata section and click Process IdP Metadata. SAML Metadata
- In the Identity Provider Metadata text box, enter the metadata URL copied from Okta. For example, https://yourOktaTenant/app/appId/ssoAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones./saml/metadata.
- Click Process IdP Metadata.
- In the Name ID format mapping from SAML Response section, click the + icon, then select the following values:
Name ID Format – urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Name ID Value – userPrincipalNameNote: Select the User Attribute that will match the application value defined in Okta.
Select the directories you want to authenticate using this identity provider.
Network Select the networks that can access this identity provider. Authentication Methods
Enter the following:
Authentication Methods Enter a name for the Okta authentication method, such as Okta Auth Method
SAML Context – urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- Click Add.
Add Okta Authentication Method to Access Policies in VMware Identity Manager
After you set up Okta as the identity provider to VMware Identity Manager, add the newly-created authentication method to access policies in VMware Identity Manager. Update the default access policy, and other policies as needed.
You need to add the Okta authentication method to the default access policy so that Okta is used as the sign in provider for the Workspace ONE catalog. The default access policy governs login to the catalog and any apps configured in VMware Identity Manager that do not have another policy definition already.
- In the VMware Identity Manager console, click the Identity & Access Management tab, then click Policies.
- Click Edit Default Access Policy.
- In the Edit Policy wizard, click Configuration.
- Click the policy rule for Web browsers.
- Set Okta authentication as the authentication method.
- Click Save.
- Edit other policies as needed to add the Okta authentication method.
Assign the app to end users in Okta
After you complete the setup, return to the Okta org and assign the newly-created Workspace ONE application to end users. Assign the application to a few end users at first and then test the integration. For details, see Assign applications.
If configuring both use cases, continue to:
|Parent topic:||Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices|