STEP 1: Configure VMware Identity Manager as an Identity Provider in Okta

This is an Early Access feature. To enable it, go to Settings > Features in the Okta Admin Console and turn on Workspace1 Device Trust for your mobile platform(s).

This section describes how to configure VMware Identity Manager as an identity provider (IdP) in Okta. This configuration is required to configure a unified catalog as well as mobile SSO and device trust.

For additional information, see Configure Inbound SAML section of the Okta Identity Providers documentation.


Get VMware Identity Manager SAML Metadata Information

Retrieve the SAML metadata information from VMware Identity Manager that is required to set up an identity provider in Okta.

  1. Log in to the VMware Identity Manager console as the System administrator.
  2. Select the Catalog > Web Apps tab.
  3. Click Settings.
  4. Click SAML Metadata in the left pane.
  5. The Download Metadata tab is displayed.

  6. Download the Signing Certificate.
    1. In the Signing Certificate section, click Download.
    2. Make a note of where the certificate file is downloaded (signingCertificate.cer). Okta validates the signature on assertions from VMware Identity Manager against this certificate, so it must be the tenant's current signing certificate, and it must be replaced in Okta whenever VMware Identity Manager rotates it.
  7. Retrieve the SAML metadata.
    1. In the SAML Metadata section, right-click the Identity Provider (IdP) metadata link and open it in a new tab or window.
    2. In the identity provider metadata file, find and make a note of the following values:
      • entityID (an attribute of the root EntityDescriptor element). For example: https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml
      • The Location of the SingleSignOnService element whose Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. The file usually lists several bindings; use the HTTP-POST one. For example: https://tenant.vmwareidentity.com/SAAS/auth/federation/sso

      The metadata also embeds the signing certificate in a ds:X509Certificate element; it should match the signingCertificate.cer file you downloaded in step 6.

What's next?

Add an Identity Provider in Okta

Add an Identity Provider in Okta

For additional information about how Okta handles external identity providers, see Identity Providers.

  1. Sign in to the Okta Admin Console.
  2. Go to Security > Identity Providers.
  3. Click Add Identity Provider and select Add SAML 2.0 IdP.
  4. Enter a name for the identity provider. For example, Workspace ONE.
  5. Enter the following information:

    IdP Username: idpuser.subjectNameId

      If you plan to send the username in a custom SAML attribute instead of the NameID, define an appropriate expression. For information, see Okta Expression Language.

    Filter: Leave this option unselected.

    Match against: Okta Username

      Adjust the selection as required for your environment and the values that you plan to send.

    If no match is found: Redirect to Okta sign-in page

      With this setting, Okta does not create accounts from inbound assertions; a user who is not already matched in Okta is sent to the Okta sign-in page.

    IdP Issuer URI: Enter the entityID.

      This is the value you obtained from the identity provider metadata file from Workspace ONE. For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml

    IdP Single Sign-On URL: Enter the SingleSignOnService Location URL for the HTTP-POST binding.

      This is the value you obtained from the identity provider metadata file from Workspace ONE. For example, https://tenant.vmwareidentity.com/SAAS/auth/federation/sso

    IdP Signature Certificate: Browse and select the Signing Certificate file (signingCertificate.cer) you downloaded from Workspace ONE in Get VMware Identity Manager SAML Metadata Information.

  6. Click Show Advanced Settings, scroll to the Request Authentication Context option, and select Device Trust.

    Note

    If the Request Authentication Context option is not available, go to Settings > Features and enable Workspace1 Device Trust for your mobile platform(s).

    This setting specifies the authentication context that Okta requests from the identity provider in its SAML authentication request.

  7. Click Add Identity Provider.
  8. Verify that the following information appears:
    • SAML Metadata
    • Assertion Consumer Service URL
    • Audience URI
  9. Download and save the metadata file.
    1. Click the Download Metadata link.
    2. Save the metadata file locally.
    3. Open the metadata file and copy its contents. The Assertion Consumer Service URL and Audience URI it contains are the values you enter on the VMware Identity Manager side when you configure Okta as a service provider.
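The two metadata files handled on this page, the VMware Identity Manager IdP metadata read in Get VMware Identity Manager SAML Metadata Information and the Okta SP metadata downloaded in the last step above, are easy to misread by hand (several SingleSignOnService bindings, a certificate split over many lines). The script below is an added example, not code from Okta's or VMware's documentation: it extracts the IdP Issuer URI, the HTTP-POST IdP Single Sign-On URL and the signing certificate from IdP metadata, checks that the downloaded signingCertificate.cer is one of the metadata's signing certificates, and pulls the Audience URI and Assertion Consumer Service URL out of Okta's SP metadata. All XML, hostnames, the Okta entity ID and the certificate bytes are constructed placeholders; the "certificate" is arbitrary bytes, not a parseable X.509 certificate, so only the comparison and fingerprint logic are exercised.

```python
"""Pull the values this page asks for out of SAML metadata (standard library only).

Added example, not Okta or VMware code. Every document and certificate below is a
constructed placeholder, not real tenant data.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for signingCertificate.cer: PEM armour around placeholder bytes.
FAKE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real DER certificate").decode()
SIGNING_CER = ("-----BEGIN CERTIFICATE-----\n"
               + "\n".join(FAKE_CERT_B64[i:i + 64] for i in range(0, len(FAKE_CERT_B64), 64))
               + "\n-----END CERTIFICATE-----\n")

# Constructed IdP metadata in the shape VMware Identity Manager publishes. The
# HTTP-Redirect endpoint is given a different path here so the binding filter is visible.
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant.vmwareidentity.com/SAAS/auth/federation/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://tenant.vmwareidentity.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SP metadata in the shape of the file Okta's Download Metadata link produces.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://www.okta.com/saml2/service-provider/example">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{POST_BINDING}" index="0" isDefault="true"
        Location="https://example.okta.com/sso/saml2/0oaexample"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cer_to_der(cer_text: str) -> bytes:
    """Decode a .cer file whether it is PEM-armoured or bare base64."""
    body = [ln for ln in cer_text.splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join("".join(body).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form admin consoles usually display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def idp_settings(xml_text: str) -> dict:
    """IdP Issuer URI, IdP Single Sign-On URL (HTTP-POST) and signing certs for the Okta form."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    post = [s.get("Location") for s in desc.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == POST_BINDING]
    if len(post) != 1:
        raise ValueError(f"expected one HTTP-POST SingleSignOnService, found {len(post)}")
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor with no 'use' serves both
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(c.text.split())))
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    issuer = root.get("entityID")
    for url in (issuer, post[0]):
        if not url or not url.startswith("https://"):
            raise ValueError(f"refusing non-HTTPS endpoint: {url!r}")
    return {"issuer_uri": issuer, "sso_url": post[0], "signing_certs": certs}


def cer_matches_metadata(cer_text: str, settings: dict) -> bool:
    """The downloaded .cer must be one of the signing certs in metadata you fetched over TLS."""
    return cer_to_der(cer_text) in settings["signing_certs"]


def sp_settings(xml_text: str) -> dict:
    """Audience URI and HTTP-POST ACS URL that the VMware side needs from Okta's metadata."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:SPSSODescriptor", NS)
    if desc is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [a.get("Location") for a in desc.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    return {"audience_uri": root.get("entityID"), "acs_url": acs[0],
            "wants_signed_assertions": desc.get("WantAssertionsSigned") == "true"}


if __name__ == "__main__":
    idp = idp_settings(IDP_METADATA)
    print("IdP Issuer URI:", idp["issuer_uri"])
    print("IdP SSO URL:   ", idp["sso_url"])
    print("cert matches:  ", cer_matches_metadata(SIGNING_CER, idp),
          sha256_fingerprint(idp["signing_certs"][0]))
    print("Okta SP:", sp_settings(SP_METADATA))
```

To use it against real files, read the idp.xml you opened in step 7, the signingCertificate.cer from step 6 and Okta's downloaded metadata from disk and pass their text to idp_settings, cer_matches_metadata and sp_settings in place of the constructed strings. A mismatch between the .cer and the metadata certificate, or more than one HTTP-POST endpoint, is a reason to stop and check the tenant before saving the identity provider in Okta; the script refuses non-HTTPS endpoints for the same reason.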