This is an Early Access feature. To enable it, go to Settings > Features in the Okta Admin Console and turn on Workspace1 Device Trust for your mobile platform(s).
This section describes how to configure Okta as the identity provider to Workspace™ ONE™. You can use this configuration to provide a streamlined device enrollment experience, provide Okta's extensible Multi Factor Authentication (MF) to applications in Workspace ONE and provide a consistent and familiar login experience for end users and administrators.
You perform this procedure in VMware Identity Manager, the identity component of Workspace ONE.
Create a new third-party identity provider in the VMware Identity Manager console and find the SAML metadata information.
Tip: To perform this procedure, have VMware Identity Manager and the Okta Admin console open simultaneously.
- Log in to the VMware Identity Manager console as the System administrator.
- Click the Identity & Access Management tab, then click Identity Providers.
- Click Add Identity Provider and then select Create Third Party IDP.
- Scroll to the bottom of the page to the SAML Signing Certificate section.
- Right click the Service Provider (SP) Metadata link and open it in a new tab.
- In the SAML metadata file, find the values for the following:
- entityID – For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml
- AssertionConsumerService Location for HTTP-POST binding – For example, https://tenant.vmwareidentity.com/SAAS/auth/saml/response
You will use these values in the procedure Create a new SAML app in Okta.
Create a new SAML app in Okta
- Sign in to your Okta org.
- Go to Applications > Applications.
- Click Add Application.
- Click Add New App.
- In the Create a New Application Integration dialog box:
- Platform: Web
- Sign on method: SAML 2.0
- Click Create.
- In General settings, enter a name for the app (for example, Workspace ONE SAML)
- Click Next.
- In SAML Settings, configure the following:
Option Description Single sign on URL Copy and paste the HTTP-POST AssertionConsumerService Location URL that you entered in Start creating a new Identity Provider in VMware Identity Manager. For example, https://tenant.vmwareidentity.com/SAAS/auth/saml/response. Audience URI (SP Entity ID) Copy and paste the entityID that you entered in Start creating a new Identity Provider in VMware Identity Manager. For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml. Name ID format Select Unspecified. Application username
Select Okta username. This maps to User Principal Name(UPN) in Workspace ONE.
- Click Next.
- In the Feedback section, configure the following:
Are you an Okta customer – Select I'm an Okta customer adding an internal app
App type – Select This is an internal app that we have created
- Click Finish.
- In the Settings section of the Sign On tab, locate and copy the URL for Identity Provider metadata.
Complete creating a new Identity Provider in VMware Identity Manager
- In the new identity provider page, enter the following information:
Option Description Identity Provider Name Enter a name for the new identity provider, such as Okta SAML IdP identityProvider.idpForm.saml Select HTTP PostNote: This field appears after you enter the metadata URL in the SAML Metadata section and click Process IdP Metadata. SAML Metadata
- In the Identity Provider Metadata text box, enter the metadata URL copied from Okta. For example, https://yourOktaTenant/app/appId/sso/saml/metadata.
- Click Process IdP Metadata.
- In the Name ID format mapping from SAML Response section, click the + icon, then select the following values:
Name ID Format – urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Name ID Value – userPrincipalNameNote: Select the User Attribute that will match the application value defined in Okta.
Select the directories you want to authenticate using this identity provider.
Network Select the networks that can access this identity provider. Authentication Methods
Enter the following:
Authentication Methods Enter a name for the Okta authentication method, such as Okta Auth Method
SAML Context – urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- Click Add.
Add Okta Authentication Method to Access Policies in VMware Identity Manager
After you set up Okta as the identity provider to VMware Identity Manager, add the newly-created authentication method to access policies in VMware Identity Manager. Update the default access policy, and other policies as needed.
You need to add the Okta authentication method to the default access policy so that Okta is used as the sign in provider for the Workspace ONE catalog. The default access policy governs login to the catalog and any apps configured in VMware Identity Manager that do not have another policy definition already.
- In the VMware Identity Manager console, click the Identity & Access Management tab, then click Policies.
- Click Edit Default Access Policy.
- In the Edit Policy wizard, click Configuration.
- Click the policy rule for Web browsers.
- Set Okta authentication as the authentication method.
- Click Save.
- Edit other policies as needed to add the Okta authentication method.
Assign the app to end users in Okta
After you complete the setup, return to the Okta org and assign the newly-created Workspace ONE application to end users. Assign the application to a few end users at first and then test the integration. For details, see Assign applications.
If configuring both use cases, continue to:
|Parent topic:||Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices|