Enforce Device Trust and SSO for mobile devices with Okta + VMware Workspace ONE
Integrating Okta with Workspace ONE allows administrators to establish device trust by evaluating device posture, such as whether the device is managed, before permitting end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using apps to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. to access sensitive applications. For iOS and Android devices, device posture policies are configured in Okta and evaluated anytime a user logs into a protected application.
This use case also establishes Okta as a trusted identity provider to Workspace ONE, allowing end users to log in to the Workspace ONE appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in., Workspace ONE Intelligent Hub app, and web portal using Okta authentication policies.
A device trust flow for iOS and Android devices using the Salesforce application would follow this sequence:
- End user attempts to access the Salesforce tenant.
- Salesforce redirects to Okta as the configured identity provider.
- Okta processes the incoming request and routes the clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. to the Workspace ONE identity provider based on configured routing rules.
- Workspace ONE challenges the user for authentication using Mobile SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. for iOS or Mobile SSO for Android.
- Workspace ONE redirects back to Okta with device trust status.
- Okta issues the SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. assertion for Salesforce if the device trust rule is satisfied based on the SAML assertion response received from Workspace ONE.
To configure this use case:
|Parent topic:||Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices|
|Other use case:||Configure streamlined Device Enrollment and Workspace ONE login using Okta|