This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features .
This section describes how to configure VMware Identity Manager as an identity provider (IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.) in Okta. This configuration is required to configure a unified catalog as well as mobile SSO and device trust.
Retrieve the SAML metadata information from VMware Identity Manager that is required to set up an identity provider in Okta.
- Log in to the VMware Identity Manager console as the System administrator.
- Select the Catalog > Web Apps tab.
- Click Settings.
- Click SAML Metadata in the left pane.
- Download the Signing Certificate.
- In the Signing Certificate section, click Download.
- Make a note of where the certificate files is downloaded (signingCertificate.cer).
- Retrieve the SAML metadata.
- In the SAML Metadata section, right-click the Identity Provider (IdP) metadata link and open it in a new tab or window.
- In the identity provider metadata file, find and make a note of the following values:
- SingleSignOnService URL with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
For example: https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml
For example: https://tenant.vmwareidentity.com/SAAS/auth/federation/sso
The Download Metadata tab is displayed.
Add an Identity Provider in Okta
For additional information about how Okta handles external identity providers, see Identity Providers.
- Sign in to the Okta Admin Console.
- Go to Security > Identity Providers.
- Click Add Identity Provider and select Add SAML 2.0 IdP.
- Enter a name for the identity provider. For example, Workspace ONE.
- Enter the following information:
- Click Show Advanced Settings, scroll to the Request Authentication Context option, and select Device Trust.
- Click Add Identity Provider.
- Verify that the following information appears:
If you plan to send the username in a custom SAML attribute, define an appropriate expression. For information, see Okta Expression Language.
|Filter||Leave this option unselected.|
Adjust the selection as required for your environment and the values that you plan to send.
|If no match is found||
Redirect to Okta sign-in page
|IdP Issuer URI||
Enter the entityID.
This is the value you obtained from the identity provider metadata file from Workspace ONE. For example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml
|IdP Single Sign-On URL||
Enter the SingleSignOnService Location URL.
This is the value you obtained from the identity provider metadata file from Workspace ONE. For example, https://tenant.vmwareidentity.com/SAAS/auth/federation/sso
|IdP Signature Certificate||
Browse and select the Signing Certificate file you downloaded from Workspace ONE in Get VMware Identity Manager SAML Metadata Information. TipYou may need to change the file extension or default browser filter to look for *.crt and *.pem files.
This setting specifies the context of the authentication request.
- SAML Metadata
- Assertion Consumer Service URL
- Audience URI
Click the Download Metadata link.
Save the metadata file locally.
Open the metadata file and copy its contents for use in Get VMware Identity Manager SAML Metadata Information.
|Next:||STEP 2: Configure Okta application source in VMware Identity Manager|
This step is mandatory.
|Use case:||Enforce Device Trust and SSO for mobile devices with Okta + VMware Workspace ONE|