Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices
This is an Early Access (EA) feature. To enable it, go to Settings > Features in the Okta Admin Console and turn on Workspace1 Device Trust for your mobile platform(s).
This integration is based primarily on SAML trust connections. It combines the power of Okta’s Contextual Access Management policy framework with device signals from VMware Workspace ONE to deliver a secure and seamless end-user experience. Allowing Workspace ONE to add the Device Context to the SAML Assertion lets enterprises leverage Okta’s policy framework to require users to enroll their unmanaged device or satisfy an MFA challenge.
You can also configure this integration to provide end users a streamlined device enrollment experience, leverage Okta's extensible Multi Factor Authentication to applications in Workspace ONE, and provide a consistent and familiar login experience for users and administrators.
This guide provides step-by-step instructions to configure and test the use cases supported by the Okta + Workspace ONE integration. To integrate Okta with Workspace ONE, you integrate VMware Identity Manager with Okta. VMware Identity Manager is the identity component of Workspace ONE.
This information is written for experienced administrators who are familiar with Okta and VMware Identity Manager.
The main use cases supported by the Okta + Workspace ONE integration include:
USE CASE 1 – Enforce Device Trust and SSO for mobile devices with Okta + VMware Workspace ONE
USE CASE 2 – Configure streamlined Device Enrollment and Workspace ONE login using Okta
Integrating Okta with Workspace ONE allows administrators to establish device trust by evaluating device posture, such as whether the device is managed, before permitting end users to access sensitive applications. For iOS and Android devices, device posture policies are configured in Okta and evaluated anytime a user logs into a protected application.
This use case also establishes Okta as a trusted identity provider to Workspace ONE, allowing end users to log in to the Workspace ONE app, Workspace ONE Intelligent Hub app, and web portal using Okta authentication policies.
A device trust flow for iOS and Android devices using the Salesforce application would follow this sequence:
- End user attempts to access the Salesforce tenant.
- Salesforce redirects to Okta as the configured identity provider.
- Okta processes the incoming request and routes the client to the Workspace ONE identity provider based on configured routing rules.
- Workspace ONE challenges the user for authentication using Mobile SSO for iOS or Mobile SSO for Android.
- Workspace ONE redirects back to Okta with device trust status.
- Okta issues the SAML assertion for Salesforce if the device trust rule is satisfied based on the SAML assertion response received from Workspace ONE.
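The last step of the flow above, where Okta inspects the response from Workspace ONE before issuing the Salesforce assertion, as an added Python model that is not Okta or VMware code. The attribute name DeviceTrust, the entity IDs and the sample response are constructed placeholders, and XML signature verification, which a real deployment must perform before trusting any attribute, is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample standing in for the response Workspace ONE returns to Okta.
# "DeviceTrust" is a placeholder name, not the real Workspace ONE attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://ws1.example.com/idp</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://okta.example.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="DeviceTrust"><saml:AttributeValue>managed</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def evaluate_device_trust(response_xml, expected_issuer, expected_audience, now=None):
    """Decide Okta's next step: 'issue' the Salesforce assertion, 'enroll' (send the
    user to Workspace ONE UEM enrollment) or 'reject' a response it must not trust."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    # 1. The response must come from the Workspace ONE IdP configured in the routing rule.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        return "reject", "unexpected issuer"
    # 2. The assertion must be addressed to this Okta org and still be within its validity window.
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return "reject", "missing Conditions"
    expiry = cond.get("NotOnOrAfter", "").replace("Z", "+00:00")
    if not expiry or now >= datetime.fromisoformat(expiry):
        return "reject", "assertion expired"
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        return "reject", "audience mismatch"
    # 3. Only now read the device context that the device trust rule keys on.
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == "DeviceTrust":
            value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
            if value.lower() == "managed":
                return "issue", "device is managed"
            return "enroll", "device not trusted"
    # No device context at all is handled like an untrusted device: guide the user to enroll.
    return "enroll", "no device context in assertion"
```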
To configure this use case:
You can configure this use case to provide end users a streamlined device enrollment experience, leverage Okta's extensible Multi Factor Authentication to applications in Workspace ONE, and provide a consistent and familiar login experience for users and administrators.
This use case is configured in VMware Identity Manager, the identity component of Workspace ONE.
To configure this use case:
Optional: You can allow end users to access apps from either the Okta dashboard or the Workspace ONE dashboard. Both experiences are fully supported. You can configure the Workspace ONE catalog to publish applications federated through Okta without the need to first import them into VMware Identity Manager.
For details, see (Optional) Publish Okta apps to the Workspace ONE catalog.
Ensure that your environment meets the following requirements before you begin the Workspace ONE and Okta integration.
- A VMware Identity Manager tenant with System Administrator role
- A Workspace ONE Unified Endpoint Management (UEM) tenant
- VMware Identity Manager Connector
- VMware Identity Manager AirWatch Cloud Connector (ACC)
ACC is required only if you use Workspace ONE UEM.
- An Okta org (tenant) with Super or Org Administrator role
- Device Trust for Workspace ONE enabled by Okta Support
- Identity Provider Routing Rules (IdP Discovery) enabled by Okta Support
- Active Directory integrated with the Okta Active Directory (AD) agent
Supported apps and devices
- Any iOS or Android SAML or WS-Fed cloud app
- Devices running Okta-supported versions of iOS and Android operating systems
Integrate Workspace ONE and VMware Identity Manager
Integrate your Workspace ONE UEM and VMware Identity Manager tenants and configure the mobile SSO authentication methods that you intend to use for device trust.
Integrate Active Directory
Before integrating Workspace ONE and Okta, integrate your Active Directory and sync users. You must integrate Active Directory with:
- Workspace ONE UEM using AirWatch Cloud Connector (ACC)
- VMware Identity Manager using VMware Identity Manager connector
- Your Okta org using the Okta Active Directory (AD) agent
- Make sure you sync the same users to all the environments.
- Device Trust does not apply to apps accessed via chiclets within Okta Mobile.
- Enroll devices in Workspace ONE for best end user experience – Your end users will have a better experience when accessing your corporate resources if their Android or iOS device is already enrolled in Workspace ONE UEM. Otherwise, end users with un-enrolled iOS and Android devices are guided through the Workspace ONE UEM enrollment process before they can access device trust-secured apps.
- Do not secure Workspace ONE with this Device Trust solution – Doing so will prevent new users from enrolling their device in Workspace ONE and accessing other device trust-secured apps.
- Timeout issue can cause an SSO error – End users signing in to device trust-secured apps from an untrusted iOS or Android device are prompted to enroll their device with Workspace ONE. (This is expected behavior.) But if the apps are native apps and Workspace ONE enrollment takes longer than 10 minutes, or if the end user waits longer than 10 minutes after enrollment before trying again to access the app, an SSO error occurs because the app session has timed out. Advise affected end users to try to access the app again.
- Device Trust-secured apps are shown as locked on end-user Okta Home pages – End-user Okta Home pages viewed on desktop and mobile browsers (but not in Okta Mobile) display a lock icon on all Device Trust-secured app icons if:
  (1) Device Trust is enabled for the org, and
  (2) the device is not trusted, and
  (3) the end user tried to access any Device Trust-secured app from their Home page.
  The lock icon remains for the duration of the session.
- G Suite Apps on Android are not supported with this solution – When a user with a managed device (UEM-enrolled) tries to access a G Suite work app, the device is not recognized as Trusted even though it is managed. This is a known limitation of VMware's Tunnel-based SSO. Instead of redirecting the user to the app as expected, Okta must present the Okta Sign In page to the user and then prompt them to enroll in Workspace ONE.
- App sign-on policies that apply to macOS devices will also apply to iPadOS+Safari requests – Apple has changed the way that Safari reports the device user agent on iPads running on iPadOS. Due to this change, Okta cannot differentiate between app requests coming from macOS devices and app requests coming from Safari on iPadOS devices. To mitigate the effects of this change, Okta urges admins to take the following actions:
  - To prevent iPadOS devices from bypassing iOS app sign-on policies configured in Okta (if any), configure a Deny/Catch-All app sign-on policy rule that applies to macOS and iPadOS devices. Place this rule last among the rules you create, just above the Default rule (Applications > Applications > app > Sign On tab).
  - To prevent iPadOS device users from being affected by macOS app sign-on policies configured in Okta (if any), advise users to perform one of the following options:
    - Option 1. All websites accessed from Safari (iPadOS 13 and higher) – In iPad settings, go to Safari settings > Request Desktop Website and then turn off the All Websites setting.
    - Option 2. Per-website basis – Open Safari, tap Aa on the left side of the search field, and then tap Request Mobile Website.
    - Option 3. Access the target app through its Native App version or through Okta Mobile instead of through Safari.
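Why the rule ordering above matters, as an added Python model of first-match app sign-on rule evaluation that is not Okta's code. The user agents are constructed, the platform detection is deliberately as coarse as the text describes (desktop-mode Safari on iPadOS reports a Macintosh user agent), and Android rules are omitted for brevity.

```python
def platform_from_user_agent(ua):
    """Coarse platform bucket of the kind a sign-on policy keys on. Safari on
    iPadOS 13+ with Request Desktop Website turned on sends a Macintosh user
    agent, so such requests land in the macOS bucket, not the iOS one."""
    if "iPad" in ua or "iPhone" in ua:
        return "iOS"
    if "Android" in ua:
        return "Android"
    if "Macintosh" in ua:
        return "macOS"
    return "other"


# Constructed user agents (not captured from real devices).
UA_IPAD_MOBILE = ("Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1")
UA_IPAD_DESKTOP = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/13.0 Safari/605.1.15")

# Rules as (name, platforms or None for any, trust condition or None, action),
# evaluated top to bottom with the first match winning. The Deny/Catch-All for
# macOS and iPadOS is the last admin-created rule, just above Default.
RULES = [
    ("iOS trusted device",          {"iOS"},   "trusted",   "allow"),
    ("iOS untrusted device",        {"iOS"},   "untrusted", "enroll"),
    ("Deny/Catch-All macOS+iPadOS", {"macOS"}, None,        "deny"),
    ("Default",                     None,      None,        "allow"),
]


def evaluate(ua, device_trusted, rules=RULES):
    """Return (name of the first matching rule, its action) for one request."""
    platform = platform_from_user_agent(ua)
    trust = "trusted" if device_trusted else "untrusted"
    for name, platforms, trust_cond, action in rules:
        if platforms is not None and platform not in platforms:
            continue
        if trust_cond is not None and trust_cond != trust:
            continue
        return name, action
    return "no rule", "deny"


def without_catch_all():
    """The same policy with the Deny/Catch-All removed, to show the bypass."""
    return [r for r in RULES if r[3] != "deny"]
```

With the catch-all removed, an untrusted iPad in desktop mode falls through to Default and is allowed, which is the bypass the first bullet warns about; with it in place, even a trusted iPad in desktop mode is denied, which is why the second bullet tells users to request the mobile website.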