Integrating VMware Workspace ONE with Okta
VMware Workspace ONE


You can find the most up-to-date technical documentation on the VMware website at https://docs.vmware.com/. If you have comments about this documentation, submit your feedback to docfeedback@vmware.com.
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com
Copyright 2018 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents
Integrating VMware Workspace ONE with Okta
1 Overview of Workspace ONE and Okta Integration
Main Use Cases
2 Configure Okta as an Identity Provider for Workspace ONE
Start Creating a New Identity Provider in VMware Identity Manager
Create a New SAML App in Okta
Complete Creating the New Identity Provider in Workspace ONE
Add Okta Authentication Method to Access Policies in Workspace ONE
Assign the App to Users in Okta
3 Configure Workspace ONE as an Identity Provider in Okta
Get Workspace ONE Identity Provider Information
Add Identity Provider in Okta
Configure Okta Application Source in Workspace ONE
4 Configure Okta Identity Provider Routing Rules
5 Configure Conditional Access Policies in Workspace ONE
6 Add Okta Applications to Workspace ONE Catalog

Integrating VMware Workspace ONE with Okta
Integrating VMware Workspace ONE with Okta provides information about integrating Okta with VMware Workspace ONE. It describes specific use cases and provides instructions on how to configure Workspace ONE and Okta to support those use cases.
Intended Audience
This information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and data center operations.
Additional Information
VMware Documentation: VMware Workspace ONE, VMware Identity Manager, VMware Workspace ONE UEM (AirWatch)
Okta Documentation

1 Overview of Workspace ONE and Okta Integration
VMware Workspace ONE is a secure enterprise platform that delivers and manages applications on iOS, Android, Windows 10, and Mac OS devices. Identity, application, and enterprise mobility management are integrated into the Workspace ONE platform. VMware Identity Manager and VMware Workspace ONE UEM (AirWatch) are part of the Workspace ONE platform.
As part of Workspace ONE, VMware Identity Manager provides enterprise identity integration and web and mobile single sign-on (SSO) services. VMware Identity Manager can be used as a standalone federation Identity Provider (IDP). It can also complement an existing IDP and SSO solution to provide additional services such as a unified app catalog portal and device posture-based conditional access.
VMware Identity Manager can integrate with other SSO and IDP solutions as a federated IDP or Service Provider (SP). This integration is generally based on SAML trust connections.
This guide provides step-by-step instructions to configure and test use cases supported by the Workspace ONE integration with Okta.
Main Use Cases
The main use cases supported by the Workspace ONE and Okta integration include enabling Workspace ONE login using Okta, adding Okta applications to the Workspace ONE catalog, and enabling device trust across native and web applications.
Workspace ONE Login Using Okta
The Workspace ONE app (native app or web app) can be configured to use Okta as a trusted identity provider, allowing end users to log in using Okta authentication policies. This use case also applies to VMware Horizon customers who are using the Workspace ONE web app to launch Horizon apps and desktops, but have not yet deployed Workspace ONE UEM to manage devices.
To implement this use case, configure the following:
Chapter 2, Configure Okta as an Identity Provider for Workspace ONE

Unified Catalog
The Workspace ONE catalog can be configured to publish applications federated through Okta, along with any other applications configured through Workspace ONE, such as Horizon and Citrix applications and desktops, and native applications powered by Workspace ONE UEM. This allows end users to go to a single app to discover, launch, or download their enterprise apps from any device with a consistent user experience.
Note: Only SAML apps federated through Okta can be published in Workspace ONE. Okta SWA apps cannot be published.
To implement this use case, configure the following:
1 Configure Okta Application Source in Workspace ONE
2 Chapter 6, Add Okta Applications to Workspace ONE Catalog
Device Trust
Integrating Okta with Workspace ONE allows administrators to establish device trust by evaluating device posture, such as whether the device is managed and compliant, before permitting end users access to sensitive applications. Device posture policies are established in Workspace ONE and evaluated any time a user logs in to a protected application.
This diagram shows the login flow using the Salesforce application as an example.
Figure 1-1. Device Trust Flow (diagram). Components: IdP Discovery Routing Rule, Critical App, Device Trust Check in Workspace ONE. Outcomes: Unmanaged: Enroll Device; Managed but non-compliant: Block Access; All OK: access granted.
1 End user attempts to access the Salesforce tenant.
2 Salesforce redirects to Okta as the configured identity provider.
3 Okta processes the incoming request and routes the client to the Workspace ONE IDP based on configured routing rules.
4 Workspace ONE challenges the client device for credentials.
5 Workspace ONE checks device compliance status.
6 Upon successful authentication with Workspace ONE, the client device is redirected back to Okta.
7 Okta validates the SAML assertion from Workspace ONE and issues the SAML assertion for Salesforce.
To implement this use case, configure the following:
1 Chapter 3, Configure Workspace ONE as an Identity Provider in Okta: establish the SAML-based relationship with Workspace ONE for the device trust check.
2 Chapter 4, Configure Okta Identity Provider Routing Rules: route authentication requests for specified device types and applications to Workspace ONE.
3 Chapter 5, Configure Conditional Access Policies in Workspace ONE: establish or review Workspace ONE access policies.
End to End Setup Covering All Use Cases
To set up the Workspace ONE and Okta integration to cover all three use cases, configure the following:
1 Chapter 2, Configure Okta as an Identity Provider for Workspace ONE: configure Okta as an IDP for Workspace ONE.
2 Chapter 3, Configure Workspace ONE as an Identity Provider in Okta: establish the relationship with Workspace ONE.
3 Chapter 4, Configure Okta Identity Provider Routing Rules: route specified devices or sessions to Workspace ONE.
4 Chapter 5, Configure Conditional Access Policies in Workspace ONE: establish or review Workspace ONE access policies.
5 Chapter 6, Add Okta Applications to Workspace ONE Catalog: create links to Okta applications in Workspace ONE.

2 Configure Okta as an Identity Provider for Workspace ONE
This section describes the process of configuring Okta as the identity provider to Workspace ONE. This setup can be used to provide streamlined access to virtualized applications, provide Okta's extensible Multi-Factor Authentication to applications in Workspace ONE, and provide a consistent and familiar login experience for users and administrators.
This chapter includes the following topics:
Start Creating a New Identity Provider in VMware Identity Manager
Create a New SAML App in Okta
Complete Creating the New Identity Provider in Workspace ONE
Add Okta Authentication Method to Access Policies in Workspace ONE
Assign the App to Users in Okta

Start Creating a New Identity Provider in VMware Identity Manager
Create a new third-party identity provider in the VMware Identity Manager console and find the SAML metadata information.
Procedure
1 Log in to the VMware Identity Manager console with full administrator privileges.
2 Click the Identity & Access Management tab, then click Identity Providers.
3 Click Add Identity Provider and select Create Third Party IDP.
4 Scroll to the bottom of the page to the SAML Signing Certificate section.
5 Click the Service Provider (SP) Metadata link and open it in a new tab.
6 In the SAML metadata file, find the values for the following:
entityID. For example: https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/sp.xml
AssertionConsumerService Location for the HTTP-POST binding. For example: https://tenant.vmwareidentity.com/saas/auth/saml/response
You will use these values in the next task.

Create a New SAML App in Okta
Create a new SAML app in the Okta admin console.
Procedure
1 Log in to your Okta org and navigate to the Admin user interface.
2 Navigate to Applications > Applications.
3 Click Add Application.
4 Click Create New App.
5 Select Web as the Platform and SAML 2.0 as the Sign on method.
6 Click Create.
7 Enter a name for the app, for example, Workspace ONE SAML.
8 Click Next.
9 Enter the following information.
Single sign on URL: Enter the AssertionConsumerService URL. This is the URL retrieved from the Workspace ONE SAML metadata in Start Creating a New Identity Provider in VMware Identity Manager. For example: https://tenant.vmwareidentity.com/saas/auth/saml/response
Audience URI (SP Entity ID): Enter the entityID. This is the entityID retrieved from the Workspace ONE SAML metadata in Start Creating a New Identity Provider in VMware Identity Manager. For example: https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/sp.xml
Name ID format: Select Unspecified.
Application username: Select Okta username. The application username mapping is defined in the next section. Okta username maps to User Principal Name (UPN) in Workspace ONE.
10 Click Next.
11 Select the I'm an Okta customer adding an internal app button.
12 Check the This is an internal app that we have created box.
13 Click Finish.
14 From the Settings section of the Sign On menu for the new application, locate and copy the URL for the Identity Provider metadata.

Complete Creating the New Identity Provider in Workspace ONE
Return to the VMware Identity Manager console to complete creating the new third-party identity provider.
Procedure
1 In the new identity provider page, enter the following information.
Identity Provider Name: Enter a name for the new identity provider, such as Okta SAML IdP.
SAML AuthN Request Binding: Select HTTP Post. Note: This field appears after you enter the metadata URL in the SAML Metadata section and click Process IdP Metadata.
SAML Metadata:
a In the Identity Provider Metadata text box, enter the metadata URL copied from Okta. For example: https://youroktatenant/app/appid/sso/saml/metadata
b Click Process IdP Metadata.
c In the Name ID format mapping from SAML Response section, click the + icon, then select the following values:
Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Name ID Value: userPrincipalName
Note: Select the User Attribute that the application username value defined in Okta will match.
Users: Select the directories you want to authenticate using this identity provider.
Network: Select the networks that can access this identity provider.
Authentication Methods: Enter the following:
Authentication Methods: Okta SAML IdP Method
SAML Context: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
2 Click Add.

Add Okta Authentication Method to Access Policies in Workspace ONE
After you set up Okta as the identity provider to Workspace ONE, add the newly created authentication method to access policies in Workspace ONE.
Procedure
1 In the VMware Identity Manager console, click the Identity & Access Management tab, then click Policies.
2 Select a policy to edit or click Add Policy to create a new policy.
3 If you are creating a new policy, enter a name and description for the policy.
4 Add or edit a policy rule to match your criteria and use the Okta SAML IdP Method as needed. For example:
If a user's network range is: ALL RANGES
and user is accessing content from: Web Browser
and user belongs to group(s): Empty (all users)
Then perform this action: Authenticate using...
then the user may authenticate using: Okta SAML IdP Method
Note: Select the authentication method you created for the IDP in Complete Creating the New Identity Provider in Workspace ONE.
5 Click Save.

Assign the App to Users in Okta
After you complete the setup, return to the Okta org and assign the newly created Workspace ONE application to users. Assign the application to a few users at first and test the integration.

3 Configure Workspace ONE as an Identity Provider in Okta
This section describes the process of configuring Workspace ONE as an identity provider in Okta. This configuration can be used to provide Mobile SSO (password-less authentication) for users on enrolled devices, as well as conditional access based on device compliance as configured and managed by AirWatch and enforced by Workspace ONE.
For additional information, see:
The "Configure Inbound SAML" section of the Okta Identity Providers documentation
The blog "Okta and VMware Workspace ONE Integration: VMware Identity Manager as IDP for Okta"
This chapter includes the following topics:
Get Workspace ONE Identity Provider Information
Add Identity Provider in Okta
Configure Okta Application Source in Workspace ONE

Get Workspace ONE Identity Provider Information
From Workspace ONE, retrieve the SAML metadata information that is required to set up an identity provider in Okta.
Procedure
1 Log in to the VMware Identity Manager admin console with full administrator privileges.
2 Select the Catalog > Web Apps tab.
3 Click Settings.
4 Click SAML Metadata in the left pane. The Download Metadata tab is displayed.
5 Download the Signing Certificate.
a In the Signing Certificate section, click Download.
b Make a note of the location of the downloaded signingcertificate.cer file.
6 Retrieve the SAML metadata.
a In the SAML Metadata section, right-click the Identity Provider (IdP) metadata link and open it in a new tab or window.
b In the identity provider metadata file, find and make a note of the following values:
entityID. For example: https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml
SingleSignOnService URL with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST". For example: https://tenant.vmwareidentity.com/saas/auth/federation/sso

Add Identity Provider in Okta
Create the identity provider (IDP) record in Okta. For additional information about how Okta handles external identity providers, see the Okta documentation on Identity Providers.
Procedure
1 Log in to the Okta admin user interface with Administrator privileges or any other role entitled to add an Identity Provider.
2 Navigate to Security > Identity Providers.
3 Click Add Identity Provider.
4 Enter a name for the identity provider. For example, Workspace ONE.
5 Enter the following information:
IdP Username: idpuser.subjectNameId. If you plan to send the username in a custom SAML attribute, define an appropriate expression. For information, see https://developer.okta.com/reference/okta_expression_language.
Filter: Uncheck the box.
Match against: Okta Username. Adjust the selection as required for your environment and the values that you plan to send. See the Directory Alignment chapter for information.
If no match is found: Redirect to Okta sign-in page.
IdP Issuer URI: Enter the entityID. This is the value you obtained from the identity provider metadata file from Workspace ONE. For example: https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml
IdP Single Sign-On URL: Enter the SingleSignOnService Location URL. This is the value you obtained from the identity provider metadata file from Workspace ONE. For example: https://tenant.vmwareidentity.com/saas/auth/federation/sso
IdP Signature Certificate: Browse and select the Signing Certificate file you downloaded from Workspace ONE. Tip: You may need to change the file extension or the default browser filter to look for *.crt and *.pem files.
6 Click Add Identity Provider.
7 Verify that the following information appears under SAML Metadata: Assertion Consumer Service URL and Audience URI.
8 Download and save the metadata file.
a Click the Download Metadata link.
b Save the metadata file locally.
c Open the metadata file and copy its contents.
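The values that the SP and IdP metadata procedures above have you copy by hand (entityID, the endpoint with the HTTP-POST binding, and the signing certificate) can be pulled out of the metadata programmatically and checked against what was pasted into the other console. The following is an added example, not VMware's or Okta's code; the two metadata documents are constructed samples shaped like the tenant.vmwareidentity.com examples in this guide, and the certificate bytes are fake.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def fingerprint_der(der):
    """SHA-256 of a DER certificate as colon-separated upper-case hex, the
    form admin consoles usually show, so it can be compared with the
    downloaded signingcertificate.cer."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def signing_cert_fingerprint(descriptor):
    """Fingerprint of the first signing certificate in a role descriptor."""
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # Base64 in metadata is usually line-wrapped; strip all whitespace.
            return fingerprint_der(base64.b64decode("".join(cert.text.split())))
    return None


def extract_saml_metadata(xml_text):
    """Return the values the guide has you copy: role, entityID, the HTTP-POST
    endpoint (ACS for an SP, SSO for an IdP) and the signing cert fingerprint."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if sp is not None:
        role, desc, tag = "SP", sp, "md:AssertionConsumerService"
    elif idp is not None:
        role, desc, tag = "IDP", idp, "md:SingleSignOnService"
    else:
        raise ValueError("metadata has neither an SP nor an IdP role")
    # Both consoles want the HTTP-POST endpoint; metadata often lists another
    # binding first, so select on the Binding attribute rather than position.
    post = [e.get("Location") for e in desc.findall(tag, NS)
            if e.get("Binding") == HTTP_POST]
    if not post:
        raise ValueError("no %s with HTTP-POST binding" % tag)
    return {"role": role, "entity_id": root.get("entityID"),
            "post_endpoint": post[0],
            "signing_cert_sha256": signing_cert_fingerprint(desc)}


# Constructed samples shaped like the Workspace ONE sp.xml and idp.xml
# documents referenced in the guide; the certificate bytes are fake.
FAKE_CERT_B64 = base64.b64encode(b"constructed, not a real certificate").decode()

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/sp.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://tenant.vmwareidentity.com/saas/auth/saml/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      %s
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://tenant.vmwareidentity.com/saas/auth/federation/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://tenant.vmwareidentity.com/saas/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % FAKE_CERT_B64

if __name__ == "__main__":
    for doc in (SP_METADATA, IDP_METADATA):
        print(extract_saml_metadata(doc))
```

Run it against the real sp.xml and idp.xml downloaded from your tenant and compare the fingerprint with the signingcertificate.cer you uploaded to Okta.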

Configure Okta Application Source in Workspace ONE
Configure Okta as an application source in Workspace ONE.
Procedure
1 Log in to the VMware Identity Manager console with full administrator privileges.
2 Select the Catalog > Web Apps tab.
3 Click Settings.
4 Click Application Sources in the left pane.
5 Click OKTA.
6 In the OKTA Application Source wizard Definition page, click Next.
7 In the Configuration page:
a For Configuration, select URL/XML.
b In the URL/XML text box, copy and paste the SP metadata that you downloaded from Okta in Add Identity Provider in Okta.
8 Click Next.
9 In the Access Policies page, select the access policy set to use. Authentication requests from Okta applications will be authenticated using this policy set.
10 Click Next, review your selections, and click Save.
11 Click the OKTA Application Source again.
12 In the Configuration page, modify the Username Value to match the value that Okta is matching against, such as Okta Username.
13 Save your changes.

4 Configure Okta Identity Provider Routing Rules
Identity Provider Routing Rules is a feature provided by Identity Provider Discovery in Okta. This feature allows an Okta admin to route users to different authentication sources based on the user, user property, target application, source network, or device type. In the context of this guide, the primary use case is to direct authentication to Workspace ONE if the user is attempting to log in from a mobile device.
Identity Provider routing rules are evaluated in order. You can rearrange the order of listed rules. If no user-configured rules apply to an authentication attempt, the system-provided Default Rule is used.
Procedure
1 Sign in to Okta as an administrator with privileges sufficient to create or modify Identity Provider Routing Rules.
2 Navigate to Security > Identity Providers.
3 Click the Routing Rules tab.
4 Click Add Routing Rule or select a rule from the list and click Edit.
5 Enter a rule name.
6 Define the conditions.
User's IP is: Anywhere; In a specific Zone or list of Zones; Not in a specific Zone or list of Zones
User's device platform is: A device form factor; A device operating system
User is accessing: Selective target application; Any application
User matches: Evaluate properties of the login value (Regex on Domain; Domain in a list); Pattern matching on specific user attributes (Equals; Starts with; Contains; Regex)
7 Define the action. Use this Identity Provider:
Okta: Authenticate the user locally or via delegated Auth.
IWA: Redirect the user to an IWA server for Desktop SSO.
SAML IdP: Redirect the user to a specific federated IdP.
This identity provider rule redirects authentication requests for the specified device types and target applications to Workspace ONE. Other authentication requests are processed through the default routing rule.
8 Click Create Rule.

5 Configure Conditional Access Policies in Workspace ONE
Administrators can create multiple access policy sets to assign to different applications based on the security level required. You can create an access policy set to enforce conditional access and leverage Mobile Sign-On authentication for applications federated with Okta. Additionally, you can add Okta as an authentication method in the Workspace ONE default access rule to allow users access to the Workspace ONE catalog using Okta credentials.
Create the access policy for iOS and Android with Mobile SSO and Device Compliance as the authentication methods. When Mobile SSO and Device Compliance fail, authentication falls back to Okta Authentication.
Procedure
1 Log in to the VMware Identity Manager console with full administrator privileges.
2 Click the Identity & Access Management tab.
3 Click the Policies tab.
4 Click Add Policy.
5 In the Definition page of the wizard, enter the following information.
Policy Name: A name for the policy.
Description: A description for the policy.
Applies to: Select Okta. This assigns the access policy set to the Okta Application Source. All authentication requests from Okta are evaluated with this policy rule set.
6 Click Next.
7 In the Configuration page, click Add Policy Rule and configure the policy rule.
a Select iOS as the device type in the "and user is accessing content from" list.
b Select Mobile SSO (for iOS) as the first authentication method.
c Select Device Compliance (with AirWatch) as the second factor authentication method.
d Click Save.
This is a policy rule for iOS. A client device is only allowed access if proper credentials are provided and the device is enrolled and compliant in AirWatch.
8 Add similar policy rules for Android and Workspace ONE App device types.
9 Modify the default_access_policy_set.
a In the Identity & Access Management > Policies page, click default_access_policy_set.
b Click Edit.
c In the Definition page of the Edit Policy wizard, click Next.
d In the Configuration page, click Add Policy Rule to add a new policy rule.
1 Select iOS as the device type.
2 Select Mobile SSO as the primary authentication method.
3 Select Okta Auth as the authentication fallback method.
4 Click Save.
e Add a similar policy rule for the Android device type.
1 Click Add Policy Rule.
2 Select Android as the device type.
3 Select Mobile SSO as the primary authentication method.
4 Select Okta Auth as the authentication fallback method.
5 Click Save.
The default policy rule controls login to the Workspace ONE catalog. This rule allows users to authenticate with Mobile SSO if it is available on the device, and otherwise falls back to authentication with Okta credentials.
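The routing rule from chapter 4 and the two policy sets from chapter 5 decide together which device states reach a protected application; modelling them shows the difference between the Okta-facing policy set (no fallback, so an unenrolled or non-compliant device is refused) and the catalog policy set (falls back to Okta credentials). This is an added example, not VMware or Okta code: the rule structures, the Device fields and the way each authentication method is assumed to succeed or fail are the model's own assumptions, not the products' APIs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Client state as Okta and Workspace ONE would see it (modelled)."""
    platform: str                # "iOS", "Android", "Workspace ONE App", "Web Browser"
    enrolled: bool = False       # managed by Workspace ONE UEM (AirWatch)
    compliant: bool = False      # passes the UEM compliance policies
    okta_login_ok: bool = False  # user can complete an Okta credential login


# Chapter 4: Okta routing rules are evaluated in order and the first match
# wins; if none applies, the Default Rule keeps authentication in Okta.
ROUTING_RULES = [
    {"name": "Mobile devices to Workspace ONE", "platforms": {"iOS", "Android"},
     "apps": {"Salesforce"}, "idp": "Workspace ONE"},
]
DEFAULT_IDP = "Okta"


def route(app, device):
    """Identity provider Okta redirects this login to."""
    for rule in ROUTING_RULES:
        if device.platform in rule["platforms"] and app in rule["apps"]:
            return rule["idp"]
    return DEFAULT_IDP


# Chapter 5: a policy set maps a device type to ordered method chains. Every
# method in a chain must succeed (the "second factor"); the next chain is the
# fallback tried when the preceding one fails.
OKTA_APP_POLICY = {  # the policy set with Applies to: Okta (steps 4-8)
    "iOS": [["Mobile SSO (for iOS)", "Device Compliance (with AirWatch)"]],
    "Android": [["Mobile SSO (for Android)", "Device Compliance (with AirWatch)"]],
    "Workspace ONE App": [["Mobile SSO", "Device Compliance (with AirWatch)"]],
}
DEFAULT_ACCESS_POLICY_SET = {  # catalog login (step 9) plus the chapter 2 rule
    "iOS": [["Mobile SSO (for iOS)"], ["Okta Auth"]],
    "Android": [["Mobile SSO (for Android)"], ["Okta Auth"]],
    "Web Browser": [["Okta SAML IdP Method"]],
}


def method_succeeds(method, device):
    """Assumed outcome of one authentication method for a device state."""
    if method.startswith("Mobile SSO"):
        return device.enrolled        # needs the credential an enrolled device holds
    if method.startswith("Device Compliance"):
        return device.enrolled and device.compliant
    if method in ("Okta Auth", "Okta SAML IdP Method"):
        return device.okta_login_ok
    raise ValueError("unknown authentication method: %s" % method)


def evaluate(policy_set, device):
    """Return ("allow", methods used) or ("deny", reason) for one policy set."""
    chains = policy_set.get(device.platform)
    if chains is None:
        return ("deny", "no policy rule for device type %s" % device.platform)
    failures = []
    for chain in chains:
        failed = [m for m in chain if not method_succeeds(m, device)]
        if not failed:
            return ("allow", " + ".join(chain))
        failures.append(failed[0])   # first failing method of this chain
    return ("deny", "failed: " + ", ".join(failures))


def device_trust_flow(app, device):
    """Steps 1-7 of figure 1-1: Okta routes the login, Workspace ONE
    authenticates and checks posture, and only on success does Okta issue
    the assertion for the application."""
    if route(app, device) != "Workspace ONE":
        # Not routed to Workspace ONE: Okta's own policies apply (modelled as
        # a plain Okta login) and no device posture is evaluated.
        return ("allow" if device.okta_login_ok else "deny", "Okta local login")
    return evaluate(OKTA_APP_POLICY, device)


if __name__ == "__main__":
    for dev in (Device("iOS", enrolled=True, compliant=True),
                Device("iOS", enrolled=True, compliant=False),
                Device("iOS", okta_login_ok=True),
                Device("Web Browser", okta_login_ok=True)):
        print(dev, device_trust_flow("Salesforce", dev),
              evaluate(DEFAULT_ACCESS_POLICY_SET, dev))
```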

6 Add Okta Applications to Workspace ONE Catalog
To provide a consistent access experience for users while still leveraging the appropriate platform to suit your technical requirements, you can provide Okta applications to your users in Workspace ONE.
If you have configured the OKTA Application Source in Workspace ONE, follow this procedure to add an Okta application to your users' Workspace ONE portal.
Procedure
1 Log in to the VMware Identity Manager console with full administrator privileges.
2 Select the Catalog > Web Apps tab.
3 Click New.
4 In the New SaaS Application wizard's Definition page, enter the following information.
Name: Enter a name for the application.
Description: (Optional) Enter a description of the application.
Icon: (Optional) Upload an icon.
Category: (Optional) To add the application to a category, select it from the drop-down menu.
5 Click Next.
6 In the Configuration page, enter the following information.
Authentication Type: OKTA Application Source
Target URL: Enter the Okta app embed link. For example: https://youroktaorg/home/salesforce/0oae85fp45zcznlya0h7/24. For information on finding the link in Okta, see the "Show application embed links" section in the Okta documentation.
Open in VMware Browser: No
7 Click Next.
8 In the Access Policies page, select the access policy for the application, then click Next.
9 Review your selections and click Save, or click Save & Assign to assign the application to users and groups. If you do not assign the application to any users and groups at this time, you can do so later by selecting the application in the Catalog > Web Apps page and clicking Assign.
When a user clicks an Okta application in Workspace ONE, Workspace ONE sends an IDP-initiated SAML Authentication Response to Okta with a RelayState value of the Okta embed link. Okta then sends an IDP-initiated SAML Authentication Response to the target Service Provider.