Integrating Okta: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.3 and later
VMware Identity Manager 3.2 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure Workspace ONE as a third-party identity provider in Okta and create routing rules in Okta. You then add applications federated with Okta to the Workspace ONE app catalog and configure Okta as a third-party identity provider in Workspace ONE.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM is also helpful.

Integrating Okta with VMware Workspace ONE

Introduction

This tutorial helps you to integrate VMware Workspace ONE® with Okta. Procedures include:

  • Configuring Workspace ONE as a Third-Party Identity Provider in Okta
  • Creating Routing Rules in Okta
  • Adding Applications Federated with Okta into the Workspace ONE App Catalog
  • Configuring Okta as a Third-Party Identity Provider in Workspace ONE

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured:

  • Admin access to VMware Identity Manager tenant and Okta tenant
  • Test application federated with Okta (to follow the steps in this exercise, use Salesforce and Office365)
  • VMware Identity Manager tenant and Okta tenant connected to the same Active Directory domain
  • Optional: Mobile device to test redirection to Workspace ONE

Configuring Workspace ONE as a Third-Party Identity Provider in Okta

This exercise helps you test access to a SaaS application (Salesforce) that is federated with Okta while using Workspace ONE as a third-party identity provider. The process of federating Salesforce with Okta is outside the scope of this exercise.

1. Retrieve SAML Metadata from Workspace ONE Admin Console

First, you must retrieve the appropriate SAML metadata file from the Workspace ONE tenant.

1.2. Navigate to Catalog Settings

  1. Click Catalog.
  2. Click Web Apps.
  3. Click Settings.

1.3. Open SAML IDP Metadata

  1. Click SAML Metadata.
  2. Click Identity Provider (IdP) Metadata to open the metadata file in a new browser tab. You will reference this in a later step.

1.4. Download Signing Certificate

  1. Scroll down.
  2. Click Download to download the Signing Certificate file.

1.5. Save Signing Certificate

Click Save to save the certificate file locally on your computer.

2. Add Identity Provider in Okta

Next, add Workspace ONE as a trusted identity provider in Okta. Log in to your Okta admin console.

2.1. Add Identity Provider


  1. Click Security.
  2. Click Identity Providers.
  3. Click Add Identity Provider.

2.2. Identity Provider Configuration

  1. Enter the IdP Username, for example, Workspace ONE.
  2. Select idpuser.subjectNameId from the IdP Username drop-down menu.
  3. Select Okta Username from the Match Against drop-down menu.

2.3. Active Directory User Profile in Okta

Note that users in this Okta tenant use their Active Directory userPrincipalName as the Okta Username. This is the value you need to send from Workspace ONE in the SAML assertion.

2.4. Copy IdP Information from Metadata

  1. Copy the entityID URL from the SAML metadata file into the IdP Issuer URI box (for example, https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml).
  2. Copy the SingleSignOnService URL for HTTP-Redirect into the IdP Single Sign-On URL box (for example, https://tenant.vmwareidentity.com/SAAS/auth/federation/sso).
  3. Click Browse File to upload the IdP Signature Certificate.

2.5. Upload Signing Certificate

  1. Select the signingCertificate file downloaded from the Workspace ONE tenant.
  2. Select Open.

2.6. Finish Adding Identity Provider

Click Add Identity Provider.

3. Download and Copy Okta SAML Metadata

The next steps help you download and copy the Okta SAML metadata for the newly created identity provider in Okta.

3.1. Download Okta SAML Metadata

Click Download Metadata.

3.2. Save Okta Metadata Locally

Save the metadata file locally on your computer. Click Save.

3.3. Copy Contents of Okta Metadata File

Open the metadata file in a text editor and copy the contents of the file to your clipboard.

4. Configure Okta as an Application Source in Workspace ONE

Next, configure Okta as an Application Source in Workspace ONE.

Return to your Workspace ONE admin console.

  1. Click Application Sources.
  2. Click OKTA.

5. Configure Application Source Definition

Click Next.

5.1. Paste Okta Metadata into Application Source Configuration

  1. Paste the contents of the metadata file into the URL/XML text box.
  2. Click Next.

5.2. Configure Application Source Access Policy

  1. Select an authentication policy from the drop-down menu.
  2. Click Next.

5.3. Save Application Source

Click SAVE.

5.5. Change Username Value to userPrincipalName

  1. Click Configuration.
  2. Change the Username Value field to ${user.userPrincipalName}. This sends the user's userPrincipalName as the NameID value, which matches the user's Okta username.
  3. Click Summary.

5.6. Save Application Source

Click Save.

The federation trust between Okta and Workspace ONE has been successfully created. Before you can test authentication to Okta using Workspace ONE, you must create the appropriate routing rules in Okta to route authentication requests coming into Okta to Workspace ONE.  

Creating Routing Rules in Okta

This exercise helps you to create routing rules in Okta to redirect authentication traffic to Workspace ONE.

For more information, see Identity Provider Discovery in the Okta Product Documentation.

Note: Identity Provider Discovery is an early access feature and might require you to contact Okta Support to enable it in your tenant.

1. Add Routing Rule in Okta

Navigate back to the Identity Providers page in your Okta Admin console.

  1. Click Routing Rules.
  2. Click Add Routing Rule.

Note that a default rule is already added in the tenant to authenticate all traffic with Okta. This serves as a catch-all rule for all traffic that does not meet the criteria specified within the new routing rule being created.

2. Configure Workspace ONE Routing Rule

For this setup, you create a rule to route only mobile traffic (iOS or Android) for your test application. Anything else is authenticated with Okta.

  1. Enter a friendly name for the Rule Name, for example, Workspace ONE.
  2. Select Any of these devices.
  3. Select iOS.
  4. Select Android.

3. Finish Routing Rule Configuration

  1. Scroll down.
  2. Select Any of the following applications.
  3. Search for and select your test application in the search bar.
  4. Select Workspace ONE (previously configured IDP connection) from the Use the identity Provider drop-down menu.
  5. Click Create Rule.

4. Activate Rule

Click Activate to activate the newly created Routing Rule.

5. Log In to Test Application

You can now test logging into your test application using one of the mobile device platforms (iOS or Android) selected as a routing rule.

Click Okta.

6. Authenticate with Workspace ONE

Even though you selected Okta as the federation provider for the test application, you are automatically redirected to Workspace ONE for authentication.

Click Sign in.

7. Confirm Successful Login

After you successfully authenticate with Workspace ONE, you are granted access to your test application. The following steps occur seamlessly without impacting the end-user login experience:

  1. After successful authentication, Workspace ONE issues a SAML assertion for Okta with the authenticated user's Name ID.
  2. Okta validates the SAML assertion issued by Workspace ONE and checks whether the authenticated user is authorized to access the target application. If authorized, Okta issues a second SAML assertion for the target application with the corresponding Name ID.
  3. The client device passes the SAML assertion from Okta to the target application to gain access.

Adding Applications Federated with Okta to the Workspace ONE Application Catalog

This exercise helps you to add applications that are federated with Okta into the Workspace ONE catalog for seamless access. This enables the end user to authenticate directly into the Workspace ONE app catalog and perform an IdP-initiated login to the target application federated with Okta.

1. Retrieve Salesforce Application Identifier

First, you must retrieve the application identifier for your test application in Okta. This allows Workspace ONE to indicate what the target application is when it issues a SAML assertion to Okta.

1.3. Copy Application Embed Link

Scroll down to find the Embed Link value for your test application. Copy this value to your clipboard.

2. Add Salesforce to Workspace ONE

Next, add a new SaaS application (Salesforce) to Workspace ONE.

2.2. Configure SaaS Application Definition

  1. Enter a friendly name for your SaaS application, for example, Salesforce OKTA.
  2. Click Next.

2.3. Select Okta Application Source as Authentication Type

  1. Select Okta Application Source from the Authentication Type drop-down. This application will inherit the SAML configuration that was already done for the Okta application source.
  2. Paste the application embed link that was copied from the application configuration in the Okta tenant.
  3. Click Next.

2.4. Configure SaaS Application Access Policy

  1. Select an access policy for your SaaS application from the Access Policy drop-down.
  2. Click Next.

2.5. Save SaaS Application

Click Save & Assign.

3. Assign SaaS Application

  1. Search for the test user or group to assign this application.
  2. Select Automatic from the Deployment Type drop-down menu.
  3. Click Save.

4. Log In to Workspace ONE Catalog

Log in to the Workspace ONE catalog with your test user.

5. Open Test Okta Application

  1. Click Catalog.
  2. Click Open to launch the test application that was added to the catalog.

6. Confirm Successful Authentication Into Test Application

You should be logged in directly to the test application. Even though the client device is redirected to Okta in the interim, this redirection happens seamlessly without impacting the end-user sign-in experience.

Configuring Okta as a Third-Party Identity Provider in Workspace ONE

This exercise helps you to add Okta as a third-party identity provider within Workspace ONE. This allows end users to authenticate using Okta credentials when accessing the Workspace ONE catalog.

1. Retrieve Workspace ONE SP Metadata

This configuration is the inverse of the configuration in the previous exercises. Previously, Workspace ONE was acting as the identity provider and Okta as the service provider. In this case, Workspace ONE is the service provider and Okta the identity provider.

First, you must retrieve the appropriate metadata file from the Workspace ONE admin console. Navigate to the SAML Metadata settings menu.

Click Service Provider (SP) metadata to open the SP metadata file in a new browser tab. You will use this metadata in a later step.


2. Add Application in Okta

Return to the Okta admin console to add a new application.

  1. Click Applications.
  2. Click Applications.
  3. Click Add Application.

2.1. Create New Application

You must create a new SAML SP configuration in Okta to accept authentication requests from Workspace ONE.

Click Create New App.

2.2. Create SAML 2.0 Application

  1. Select Web from the platform drop-down menu.
  2. Select SAML 2.0 as the sign-in method.
  3. Click Create.

2.3. Configure Application General Settings

  1. Enter a friendly name for App name, for example, Workspace ONE.
  2. Click Next.

2.4. Copy SP Endpoints from Metadata

Copy the required SP endpoints from the Workspace ONE SP metadata file.

  1. Copy the AssertionConsumerService URL for HTTP-POST binding from the SP metadata file and paste it into the Single sign on URL text box.
  2. Copy the Entity ID URL from the SP metadata file and paste it into the Audience URI (SP Entity ID) text box.
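The values copied by hand in this step and in the earlier "Copy IdP Information from Metadata" step can be pulled from the metadata files programmatically. The following added example is not part of the VMware tutorial; it parses an IdP metadata document (entityID, HTTP-Redirect SSO URL, signing certificate) and an SP metadata document (entityID, HTTP-POST ACS URL) with the Python standard library and checks that every endpoint is HTTPS on the same host as the entityID before you paste it into the other tenant. The two metadata samples are constructed for the example; the tenant hostname, certificate body and SP ACS path are placeholders.

```python
# Added example, not from the VMware tutorial: pull the values the Okta and
# Workspace ONE forms ask for out of SAML metadata instead of copying by eye.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-"
X509 = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def parse_metadata(xml_text):
    """Return entity_id plus, for an IdP, the HTTP-Redirect SSO URL and signing
    certificate, or, for an SP, the HTTP-POST ACS URL. Missing items are None."""
    root = ET.fromstring(xml_text)
    out = {"entity_id": root.get("entityID")}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        sso = idp.find(f"md:SingleSignOnService[@Binding='{BINDING}Redirect']", NS)
        out["sso_redirect_url"] = sso.get("Location") if sso is not None else None
        cert = idp.find(X509, NS)
        out["signing_cert"] = cert.text.strip() if cert is not None else None
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None:
        acs = sp.find(f"md:AssertionConsumerService[@Binding='{BINDING}POST']", NS)
        out["acs_post_url"] = acs.get("Location") if acs is not None else None
    return out

def endpoints_match_entity(meta):
    """Sanity check before pasting: each endpoint must be HTTPS on the same host
    as the entityID, which catches a URL copied from the wrong tenant."""
    host = urlparse(meta["entity_id"]).hostname
    urls = [meta.get(k) for k in ("sso_redirect_url", "acs_post_url") if meta.get(k)]
    return all(urlparse(u).scheme == "https" and urlparse(u).hostname == host for u in urls)

# Constructed sample IdP metadata shaped like the file the tutorial has you open;
# "tenant" and the certificate body are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 entityID="https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 Location="https://tenant.vmwareidentity.com/SAAS/auth/federation/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed SP metadata; the ACS path is invented for the example.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/sp.xml">
 <md:SPSSODescriptor><md:AssertionConsumerService index="0"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Location="https://tenant.vmwareidentity.com/SAAS/auth/saml/response"/></md:SPSSODescriptor></md:EntityDescriptor>"""
```

Feed the real idp.xml and SP metadata you downloaded to parse_metadata and compare the returned fields with what the Okta and Workspace ONE forms show after you save.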

2.5. Confirm Name ID and Value

Note that for this setup, you will use the default selection for the Name ID Format (Unspecified) and Application Username values. Okta sends the user's userPrincipalName from Active Directory, which will be matched to the user's userPrincipalName in Workspace ONE.


2.7. Configure as Internal Application

  1. Select I'm an Okta customer adding an internal app.
  2. Click Finish.

3. Assign Workspace ONE Application

Assign this new application to your test user or group in Okta.

  1. Click Assignments.
  2. Click Assign. Select a specific user or user group.

3.1. Confirm User or Group Assignment

Confirm the application has been assigned to your test user or group.

4. Download Okta IDP Metadata

Download the IDP metadata file created for this new application in Okta.

  1. Click the Sign-On tab.
  2. Right-click the Identity Provider Metadata link.
  3. Click Save Link As...

4.1. Save Metadata File Locally

  1. Enter a unique name for the metadata file.
  2. Click Save to save the file locally.

4.2. Copy Contents of Okta Metadata File

Open and copy the contents of the recently downloaded metadata file.

5. Create Third-Party IDP in Workspace ONE

Next, add Okta as a trusted third-party identity provider in Workspace ONE. Navigate to your Workspace ONE admin console.

  1. Click Identity & Access Management.
  2. Click Identity Providers.
  3. Click Add Identity Provider.
  4. Click Create Third-Party IDP.

5.1. Process Okta IDP Metadata

  1. Enter a friendly name for Identity Provider Name, for example, Okta.
  2. Paste the contents of the metadata file downloaded from the Okta tenant.
  3. Click Process IdP Metadata.

5.2. Change Name ID Value to userPrincipalName

Select userPrincipalName from the Name ID Value on the first row. This will match the value being used for the unspecified Name ID format in Okta.

5.3. Assign User Directory, Network Range and Authentication Method to IDP

  1. Select your Active Directory as the user source for this third-party identity provider. This should be the same Active Directory used in Okta.
  2. Select All Ranges as the Network Range for this identity provider.
  3. Create a new authentication method for this identity provider to be used as part of the authentication policies. Enter a friendly name for Authentication Methods, for example, OktaPassword.
  4. Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password from the SAML Context drop-down menu.

5.4. Add Third-Party IDP

Click Add to add the new IDP configuration.

6. Edit Default Access Policy Set

Before you can test authentication with the Okta IDP, you must modify the default access policy to use the authentication method associated with that IDP.

  1. Click Identity & Access Management.
  2. Click default_access_policy_set.

7. Edit Default Access Policy Set

Click Edit.

8. Edit Test Device Policy

  1. Click Configuration.
  2. Click to modify the policy for the device type you are testing with.

9. Add Okta IDP Authentication Method

  1. Select the authentication method associated with Okta IDP, for example, OktaPassword, from the authenticate using... drop-down menu.
  2. Click Save.

9.1. Confirm Changes to Policy

Click Next.

9.2. Save Default Policy Set

Click Save.

10. Test Authentication into Workspace ONE Catalog

Now, test authenticating into the Workspace ONE catalog using a device platform to which the authentication policy changes were applied.

You should be redirected directly to authenticate with Okta credentials.

11. Confirm Successful Authentication into Workspace ONE Catalog

Upon successful authentication with Okta, you are granted access to the Workspace ONE catalog.

Summary and Additional Resources

Conclusion

This tutorial provided steps to configure Workspace ONE as a third-party identity provider in Okta, create routing rules in Okta, add applications federated with Okta to the Workspace ONE app catalog, and configure Okta as a third-party identity provider in Workspace ONE.

Additional Resources

About the Author

This exercise was written by:

  • Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.