Configure Okta as an Identity Provider for Omnissa Workspace ONE Access

This blog article describes how to configure Okta as the identity provider for Workspace ONE Access. You can use this configuration to provide a streamlined device enrolment experience for devices managed by Workspace ONE UEM and access to Horizon-delivered applications.

You can leverage Okta's extensible multi-factor authentication and provide a consistent and familiar login experience for end users and administrators.

Prerequisites

  • Okta Identity Engine (OIE) tenant
  • Workspace ONE Access tenant
  • On-premises Active Directory with users/groups synchronised to both Okta and Access via their respective connectors

Creating an Okta Application for Workspace ONE Access

Log in to the Okta Admin console, select Applications and then select Browse App Catalog.

Search for Workspace ONE as shown.

Select this application, then select Add Integration.

Update the Application label if required. I changed mine to VMware Workspace ONE Access. Then enter your Access tenant's URL (my tenant URL is shown as an example).

Click Done.

Click on the Assignments tab and add an appropriate group and/or users to this application.

Click on the Sign On tab as shown:

On the right-hand side of the screen you can select View SAML setup instructions as shown:

This will open a new web page with specific instructions and SAML code you can use in the steps below.

Creating an Okta IdP in Workspace ONE Access

  1. Log in to the VMware Workspace ONE Access administrative console.
  2. Navigate to Integrations > Identity Providers. Click Add, then select SAML IDP.
  3. Using the specific instructions provided by your Okta tenant, enter an Identity Provider name of Okta.
  4. Copy and paste your specific SAML metadata from the Okta instructions into the Identity Provider Metadata field and click the Process IDP Metadata button.

  5. Review the default Name ID format mapping from SAML as shown, then change the first item, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, from userName to userPrincipalName.

Note: If you are already synchronising users and groups to Access from an on-premises Active Directory, you can skip the requirement for Just-In-Time provisioning.

  7. Select users from your synchronised AD domain (in my lab it's called LAB) as shown, and select the ALL RANGES checkbox.

  8. For the Authentication Method, enter OktaPassword as the name and for the SAML Context select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

  9. Now scroll to the bottom of the page and click Save.

  10. The new IDP is created as shown:

  11. Navigate to Resources > Policies and select Edit next to the default policy as shown:

  12. Click Next, then select the policy rule for the device type for which you want to enable SSO (e.g. Web Browser).

  13. Change the "then the user may authenticate using" setting to OktaPassword and click Save. The authentication method will change to Okta as shown:

  14. Click Next and Save.

If applicable: if you are in the process of changing from the old Access URL format, such as xxx.vmwareidentity.com, to xxx.cn.workspaceone.com, make sure you also enable the Use New URL checkbox as shown:
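As an added check that is not part of the original post: the Python below parses a constructed sample of the IdP metadata you paste in at step 4 and a constructed assertion fragment, and reports whether the Name ID format (step 5) and the SAML context chosen for OktaPassword (step 8) match what Access was configured with. The tenant URL, entity ID and user in the samples are hypothetical placeholders, and the assertion signature is omitted.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The values Access is configured with in steps 5 and 8 above
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Constructed sample in the shape of the metadata Okta's setup-instructions page provides (not a real tenant)
SAMPLE_METADATA = """<md:EntityDescriptor entityID="http://www.okta.com/exkEXAMPLE"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/example/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed assertion fragment as a password login would produce (signature omitted; hypothetical user)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@lab.example</saml:NameID></saml:Subject>
  <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"""

def parse_idp_metadata(xml_text):
    """Extract what the 'Process IDP Metadata' step consumes: entity ID, SSO URL, signing cert."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "has_signing_cert": cert is not None and bool((cert.text or "").strip()),
    }

def check_assertion(xml_text):
    """List mismatches that would break the userPrincipalName mapping or the OktaPassword rule."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    problems = []
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        problems.append("NameID format is not the unspecified format that Access maps to userPrincipalName")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID is not UPN-shaped, so the userPrincipalName lookup in Access will miss")
    if ctx is None or (ctx.text or "").strip() != PASSWORD_PROTECTED:
        problems.append("AuthnContextClassRef does not match the OktaPassword authentication method")
    return problems
```

Run the checks against the metadata and a decoded assertion from your own tenant to confirm the three values line up before editing the access policy.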

Testing user authentication using Okta

  1. Open a web browser in incognito (private) mode.
  2. Browse to your Workspace ONE Access tenant URL.
  3. You should then be redirected to Okta to complete your authentication.
  4. When authentication is successful, you will be redirected back to your Access user portal as shown.

That’s it! You’ve now successfully integrated Okta with Workspace ONE Access.

Updates

  • 28th November 2025 – Revalidated process and updated screen captures with refreshed Omnissa Access UI and with new Access URLs and Migration option.
