Integrating Workspace ONE UEM and Access with Okta

At Oktane in May 2018, VMware and Okta announced a strategic partnership to deliver advanced identity capabilities for the Digital Workspace. By integrating VMware Workspace ONE and the Okta Identity Cloud, our customers can easily and securely move to the cloud, adopt best-of-breed technologies and simplify IT management.

Since this announcement, VMware and Okta have worked closely to build a proven integration between both solutions.

The integration between both solutions allows the end user to enrol their device into Workspace ONE UEM using an Okta account. The user is then able to access their enterprise catalog of applications published from Okta. Conditional access can also be configured so that a user must enrol their device into Workspace ONE UEM before they can access critical applications.

conditional-access

Pete Lindley’s blog details the integration of Workspace ONE UEM and Okta, including a number of videos of the user experience.

There are a number of guides available which detail the integration of both solutions.

  • Configure Conditional Access Policies in Workspace ONE with Okta – link
  • Integrating Okta: VMware Workspace ONE Operational Tutorial (Techzone) – link
  • Advanced integrations with Okta: VMware Workspace ONE – link
  • Okta – Provisioning Users Into Workspace ONE by Charlie Hodge – link

Recently I’ve been working with clients who did not have any on-premises Active Directory; their corporate directory was the Okta Identity Cloud. The purpose of this article is to detail the configuration settings I used to enable this integration in that scenario.

The latest integration guide is titled Integrating VMware Workspace ONE with Okta (Beta) – link (you’ll need a My VMware account; you can sign up for a free ID from here). I followed this guide and was able to integrate both solutions, however I needed to perform some additional configuration to make the conditional access work in an Active Directory free environment.

I’ve detailed the additional steps, along with screen captures from the integration, below. For these customers we Just-In-Time (JIT) provision the users from Okta into Workspace ONE UEM and Workspace ONE Access (previously VMware Identity Manager), as outlined below:

jit-users

Federate Workspace ONE UEM with Okta

Using the integration guide referenced above, follow the steps in the section “Okta as Federation Provider to AirWatch” (pages 20 – 27). Below are some of the settings from my lab.

The Okta application settings are as follows:

airwatch-saml


okta-saml

Note that the Audience Restriction is specified as AirWatch, which must match the Service Provider name configured in Workspace ONE UEM exactly; an assertion whose audience does not match is rejected by the service provider.

okta-saml2
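To show why the Audience Restriction has to match the Service Provider name, here is an added example (not VMware or Okta code) of the check a SAML service provider performs on the assertion it receives. The assertion is constructed for illustration, with placeholder issuer, user and timestamps; the expected audience “AirWatch” is the Service Provider name from the configuration above. Signature verification is deliberately out of scope and must happen before any of these checks in a real service provider.

```python
"""Validate a SAML assertion's Audience Restriction against the expected
Service Provider name before accepting it.

Added example for this article, not VMware or Okta code. The assertion
below is constructed for illustration (unsigned, placeholder issuer and
user) and the expected audience "AirWatch" is the Service Provider name
the article configures. Signature verification is out of scope here;
a real SP must verify the XML signature before any of these checks.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: roughly what the IdP sends once Audience Restriction
# is set to "AirWatch". Identifiers and timestamps are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/example-issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID>testuser1@example.org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T00:00:00Z"
                   NotOnOrAfter="2020-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>AirWatch</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-01-01T00:00:00Z."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(assertion_xml, expected_sp, now_iso):
    """Return {"accepted": bool, "reason": str, "name_id": str or None}.

    The audience comparison is an exact, case-sensitive string match: the
    value the IdP places in <Audience> must equal the SP name UEM expects.
    now_iso is the current time as a UTC ISO-8601 string (for testability).
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    result = {"accepted": False, "reason": "", "name_id": name_id}

    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if not audiences:
        result["reason"] = "rejected: no AudienceRestriction present"
        return result
    if expected_sp not in audiences:
        result["reason"] = f"rejected: audience {audiences} != {expected_sp!r}"
        return result

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    now = _ts(now_iso)
    cond = root.find("saml:Conditions", NS)
    not_before = _ts(cond.get("NotBefore"))
    not_on_or_after = _ts(cond.get("NotOnOrAfter"))
    if not_before is not None and now < not_before:
        result["reason"] = "rejected: assertion not yet valid"
        return result
    if not_on_or_after is not None and now >= not_on_or_after:
        result["reason"] = "rejected: assertion expired"
        return result

    result["accepted"] = True
    result["reason"] = "accepted: audience and validity window ok"
    return result


if __name__ == "__main__":
    # "Airwatch" (different case) is rejected, "AirWatch" is accepted.
    for sp in ("AirWatch", "Airwatch"):
        print(sp, check_assertion(SAMPLE_ASSERTION, sp, "2020-01-01T00:01:00Z"))
```

The audience check is what stops an assertion minted for one service provider from being replayed to another that trusts the same IdP, which is why a mismatch (even just a case difference such as “Airwatch”) results in a failed enrolment rather than a warning.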

The Workspace ONE UEM (AirWatch) settings for my lab are as follows. Of course you’ll have tenant-specific URLs to suit your own environment.

airwatch-ds1

airwatch-ds2

Once this integration is complete, you can enrol your device into Workspace ONE UEM using your Okta credentials. Note that your Okta user ID is JIT-provisioned into Workspace ONE UEM as well.

testuser1.png


Federate Workspace ONE Access with Okta

Now we’ll federate Workspace ONE Access with Okta. This time I used the Integrating VMware Workspace ONE with Okta (Beta) guide and completed the steps in Chapters 4 and 5.

The Workspace ONE Access settings from my lab are as follows:

ws1access-identityproviders1

ws1access-builtin2

ws1access-okta3.png

ws1access-okta4

The Okta Workspace ONE application settings are as follows:

okta-ws1saml-1

okta-ws1saml-2.png

The attributes are particularly important to configure correctly:

okta-ws1saml-3

Set up Single Sign-on with Workspace ONE UEM and Access

Next, follow the instructions in my previous blog article to set up SSO within Workspace ONE Access for your devices of choice. In my lab I tested iOS, Windows 10 and macOS.

For mobile SSO to work on iOS, the Kerberos Principal Name in the SSO profile must be the UPN prefix only (without @domain.com). The username attribute may be supplied to Workspace ONE UEM as username@companyname.org, and in that case the profile fails to install on iOS because the resulting Kerberos principal is malformed, i.e. username@companyname.org@vmwareidentity.com. The best way to resolve this is to create a custom Lookup Value in Workspace ONE UEM that holds only the prefix, and use that lookup value as the Kerberos Principal Name in the SSO profile. Thanks to Renan Medina (VMware) for providing this solution; the settings are shown below:

  1. Navigate to Groups & Settings – All settings
  2. Navigate to Device and Users – General
  3. Click on Lookup Fields
  4. Click on Add Custom Field.  Enter details as follows:

    lookup-fields

  5. Now for the iOS SSO settings, change the Kerberos Principal Name to {KerberosSPN}

    iOS-SSO.png
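The following added example (not VMware code) reproduces in Python what the custom {KerberosSPN} lookup field does, so the failure mode described above can be seen directly: building the principal from the full username@companyname.org attribute yields a value with two @ signs, while building it from the prefix yields a well-formed user@realm principal. The realm vmwareidentity.com is taken from the malformed value quoted above and is a placeholder, not a real tenant.

```python
"""Derive the Kerberos Principal Name for the iOS SSO profile from the
username stored in Workspace ONE UEM.

Added example for this article, not VMware code. It mirrors the custom
{KerberosSPN} lookup field: keep only the UPN prefix, so that when the
realm is appended the result is "user@realm" and not the malformed
"user@companyname.org@realm" that makes the profile fail to install.
The realm "vmwareidentity.com" is a placeholder.
"""
import re

# A well-formed principal here: exactly one '@', no whitespace, no empty parts.
PRINCIPAL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def kerberos_spn(username):
    """Mimic the custom lookup field: keep the part before the first '@'.

    A plain username with no '@' is returned unchanged, after trimming.
    """
    return username.strip().split("@", 1)[0]


def kerberos_principal(username, realm, strip_domain=True):
    """Build the value the SSO profile would install on the device.

    strip_domain=False reproduces the failing configuration, where the
    full username@companyname.org attribute is used as the principal.
    """
    base = kerberos_spn(username) if strip_domain else username.strip()
    return f"{base}@{realm}"


def is_well_formed(principal):
    """True if the principal has the single user@REALM shape iOS accepts."""
    return PRINCIPAL_RE.match(principal) is not None


if __name__ == "__main__":
    for strip in (False, True):
        p = kerberos_principal("username@companyname.org", "vmwareidentity.com", strip)
        state = "ok" if is_well_formed(p) else "malformed"
        print(f"strip_domain={strip}: {p} -> {state}")
```

Validating the generated value before pushing the profile is a cheap check to add to any attribute-mapping pipeline: a malformed principal surfaces as a silent profile installation failure on the device rather than as an error in the console.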

Workspace ONE Access Policies

Now you can create an access policy so that by default users can log in to the Workspace ONE Access catalog using their Okta credentials. For critical applications (such as Salesforce in my example below) they need a managed device (i.e. one enrolled into Workspace ONE UEM) that has had a certificate provisioned to it.

ws1access-policies1.png

The default access policies are detailed as follows:

ws1access-default2

The managed devices policy is detailed as follows:

ws1access-managed3

Note that now only the certificate-based authentication methods are available, with no fallback method. A user can therefore only access these applications if their device is enrolled into Workspace ONE UEM, since enrolment is what provisions the certificate the policy requires.

ws1access-managed4.png

ws1access-managed5.png

That’s it! You’ve integrated both solutions. The good news is that in the coming months an adapter will be available to synchronise users from Okta to Workspace ONE via SCIM. That integration will be detailed here.

Darryl
