This blog article describes how to configure Okta as the identity provider to Workspace ONE Access. You can use this configuration to provide a streamlined device enrolment experience for devices with Workspace ONE UEM and access to Horizon delivered applications.
You can leverage Okta’s extensible Multi-factor authentication and provide a consistent and familiar login experience for end users and administrators.
- Okta Identity Engine (OIE) tenant
- Workspace ONE Access tenant
- On-premises Active Directory with users/groups synchronised to both Okta and Access via their respective connectors
Creating an Okta Application for Workspace ONE Access
Login to the Okta Admin console, select Applications and select Browse App Catalog
Search for Workspace ONE as shown.
Select this application the select Add Integration
Update the Application label if required. I changed mine to VMware Workspace ONE Access. Then enter your Access tenant’s URL (my tenant URL is shown as an example)
Click on the Assignments tab and add an appropriate group and/or users to this application.
Click on the Sign On tab as shown:
On the right hand side of the screen you can select View SAML setup instructions as shown:
This will open a new web page with specific instructions and SAML code you can use in the steps below.
Creating an Okta Idp in Workspace ONE Access
- Login to VMWare Workspace ONE Access administrative console.
- Navigate to Integrations > Identity Providers. Click Add then select SAML IDP
- With the specific instructions provided from your Okta tenant, enter an Identity Provider name of Okta
- Copy and paste your specific SAML Metadata from the Okta instructions into the Identity Provider Metadata field and click the Process IDP Metadata button
5. Accept the default Name ID format mapping from SAML as shown. Change the first item urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from userName to userPrincipalName
Note: If you are already synchronising users and groups to Access from an on-premises Active Directory, you can skip the requirement for Just-In-Time provisioning.
7. Select users from your synchronised AD domain (in my lab it’s called LAB) as shown. Select the ALL RANGES checkbox as shown.
8. For the Authentication Method, enter OktaPassword as a name and for the SAML Context select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
9. Now scroll to the top of the page and click Save
10. The new IDP is created as shown:
11. Click on the Resources tab, select default_access_policy_set, then click EDIT
12. Select Configuration, then select the policy of the preferred device type for which you want enable SSO (ie. Web Browser)
13. Change the setting for then the user may authenticate using OktaPassword as shown:
13. Click Save, click Next and Save.
Testing user authentication using Okta
- Open a web browser with incognito mode
- Browse to your Workspace ONE Access tenant URL
- You should then be redirected to Okta to complete your authentication.
- When authentication is successful, you’ll be redirected back to your Access user portal as shown.
That’s it! You’ve now successfully integrated Okta with Workspace ONE Access.
- Configure Okta as an Identity Provider for VMware Identity Manager (older instructions) – link