Enforce Device Trust and SSO for mobile devices with Okta + VMware Workspace ONE
This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, go to Settings > Features in the Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console and turn on Workspace1 Device Trust for your mobile platform(s).
Integrating Okta with Workspace ONE allows administrators to establish device trust by evaluating device posture, such as whether the device is managed, before permitting end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. to access sensitive applications. For iOS and Android devices, device posture policies are configured in Okta and evaluated anytime a user logs into a protected application.
This use case also establishes Okta as a trusted identity provider to Workspace ONE, allowing end users to log in to the Workspace ONE appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in., Workspace ONE Intelligent Hub app, and web portal using Okta authentication policies.
A device trust flow for iOS and Android devices using the Salesforce application would follow this sequence:
- End user attempts to access the Salesforce tenant.
- Salesforce redirects to Okta as the configured identity provider.
- Okta processes the incoming request and routes the clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. to the Workspace ONE identity provider based on configured routing rules.
- Workspace ONE challenges the user for authentication using Mobile SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. for iOS or Mobile SSO for Android.
- Workspace ONE redirects back to Okta with device trust status.
- Okta issues the SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. assertion for Salesforce if the device trust rule is satisfied based on the SAML assertion response received from Workspace ONE.
To configure this use case:
|Parent topic:||Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices|
|Other use case:||Configure streamlined Device Enrollment and Workspace ONE login using Okta|