Integrating VMware Workspace ONE with Okta

VMware Workspace ONE
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to docfeedback@vmware.com

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright 2018 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents

Integrating VMware Workspace ONE with Okta

1 Overview of Workspace ONE and Okta Integration
    Main Use Cases

2 Configure Okta as an Identity Provider for Workspace ONE
    Start Creating a New Identity Provider in VMware Identity Manager
    Create a New SAML App in Okta
    Complete Creating the New Identity Provider in Workspace ONE
    Add Okta Authentication Method to Access Policies in Workspace ONE
    Assign the App to Users in Okta

3 Configure Workspace ONE as an Identity Provider in Okta
    Get Workspace ONE Identity Provider Information
    Add Identity Provider in Okta
    Configure Okta Application Source in Workspace ONE

4 Configure Okta Identity Provider Routing Rules

5 Configure Conditional Access Policies in Workspace ONE

6 Add Okta Applications to Workspace ONE Catalog
Integrating VMware Workspace ONE with Okta

Integrating VMware Workspace ONE with Okta provides information about integrating Okta with VMware Workspace ONE. It describes specific use cases and provides instructions on how to configure Workspace ONE and Okta to support those use cases.

Intended Audience

This information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and data center operations.

Additional Information

VMware Documentation
    VMware Workspace ONE
    VMware Identity Manager
    VMware Workspace ONE UEM (AirWatch)

Okta Documentation
1 Overview of Workspace ONE and Okta Integration

VMware Workspace ONE is a secure enterprise platform that delivers and manages applications on iOS, Android, Windows 10, and Mac OS devices. Identity, application, and enterprise mobility management are integrated into the Workspace ONE platform. VMware Identity Manager and VMware Workspace ONE UEM (AirWatch) are part of the Workspace ONE platform.

As part of Workspace ONE, VMware Identity Manager provides enterprise identity integration and web and mobile single sign-on (SSO) services. VMware Identity Manager can be used as a standalone federation Identity Provider (IDP). It can also complement an existing IDP and SSO solution to provide additional services such as a unified app catalog portal and device posture-based conditional access.

VMware Identity Manager can integrate with other SSO and IDP solutions as a federated IDP or Service Provider (SP). This integration is generally based on SAML trust connections.

This guide provides step-by-step instructions to configure and test use cases supported by the Workspace ONE integration with Okta.

Main Use Cases

The main use cases supported by the Workspace ONE and Okta integration include enabling Workspace ONE login using Okta, adding Okta applications to the Workspace ONE catalog, and enabling device trust across native and web applications.

Workspace ONE Login Using Okta

The Workspace ONE app (native app or web app) can be configured to use Okta as a trusted identity provider, allowing end users to log in using Okta authentication policies. This use case also applies to VMware Horizon customers who are using the Workspace ONE web app to launch Horizon apps and desktops, but have not yet deployed Workspace ONE UEM to manage devices.

To implement this use case, configure the following:

1. Chapter 2 Configure Okta as an Identity Provider for Workspace ONE
Unified Catalog

The Workspace ONE catalog can be configured to publish applications federated through Okta, along with any other applications configured through Workspace ONE, such as Horizon and Citrix applications and desktops, and native applications powered by Workspace ONE UEM. This allows end users to go to a single app to discover, launch, or download their enterprise apps from any device with a consistent user experience.

Note: Only SAML apps federated through Okta can be published in Workspace ONE. Okta SWA apps cannot be published.

To implement this use case, configure the following:

1. Configure Okta Application Source in Workspace ONE
2. Chapter 6 Add Okta Applications to Workspace ONE Catalog

Device Trust

Integrating Okta with Workspace ONE allows administrators to establish device trust by evaluating device posture, such as whether the device is managed and compliant, before permitting end users to access sensitive applications. Device posture policies are established in Workspace ONE and evaluated any time a user logs into a protected application.

This diagram shows the login flow using the Salesforce application as an example.

[Figure 1-1. Device Trust Flow. The diagram shows the Okta IdP Discovery routing rule sending the critical app's login to the Workspace ONE device trust check, with three outcomes: Unmanaged (Enroll Device), Managed but non-compliant (Block Access), and All OK. The numbered steps 1 to 7 are described below.]

1. End user attempts to access the Salesforce tenant.
2. Salesforce redirects to Okta as the configured identity provider.
3. Okta processes the incoming request and routes the client to the Workspace ONE IDP based on configured routing rules.
4. Workspace ONE challenges the client device for credentials.
5. Workspace ONE checks device compliance status.
6. Upon successful authentication with Workspace ONE, the client device is redirected back to Okta.
7. Okta validates the SAML assertion from Workspace ONE and issues the SAML assertion for Salesforce.

To implement this use case, configure the following:

1. Chapter 3 Configure Workspace ONE as an Identity Provider in Okta: establish the SAML-based relationship with Workspace ONE for the device trust check.
2. Chapter 4 Configure Okta Identity Provider Routing Rules: route authentication requests for specified device types and applications to Workspace ONE.
3. Chapter 5 Configure Conditional Access Policies in Workspace ONE: establish or review Workspace ONE access policies.

End to End Setup Covering All Use Cases

To set up the Workspace ONE and Okta integration to cover all three use cases, configure the following:

1. Chapter 2 Configure Okta as an Identity Provider for Workspace ONE: configure Okta as an IDP for Workspace ONE.
2. Chapter 3 Configure Workspace ONE as an Identity Provider in Okta: establish the relationship with Workspace ONE.
3. Chapter 4 Configure Okta Identity Provider Routing Rules: route specified devices or sessions to Workspace ONE.
4. Chapter 5 Configure Conditional Access Policies in Workspace ONE: establish or review Workspace ONE access policies.
5. Chapter 6 Add Okta Applications to Workspace ONE Catalog: create links to Okta applications in Workspace ONE.
2 Configure Okta as an Identity Provider for Workspace ONE

This section describes the process of configuring Okta as the identity provider to Workspace ONE. This setup can be used to provide streamlined access to virtualized applications, provide Okta's extensible Multi-Factor Authentication to applications in Workspace ONE, and provide a consistent and familiar login experience for users and administrators.

This chapter includes the following topics:

    Start Creating a New Identity Provider in VMware Identity Manager
    Create a New SAML App in Okta
    Complete Creating the New Identity Provider in Workspace ONE
    Add Okta Authentication Method to Access Policies in Workspace ONE
    Assign the App to Users in Okta

Start Creating a New Identity Provider in VMware Identity Manager

Create a new third-party identity provider in the VMware Identity Manager console and find the SAML metadata information.

Procedure

1. Log in to the VMware Identity Manager console with full administrator privileges.
2. Click the Identity & Access Management tab, then click Identity Providers.
3. Click Add Identity Provider and select Create Third Party IDP.
4. Scroll to the bottom of the page to the SAML Signing Certificate section.
5. Click the Service Provider (SP) Metadata link and open it in a new tab.
6. In the SAML metadata file, find the values for the following:

    entityID
        For example: https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/sp.xml
    AssertionConsumerService Location for the HTTP-POST binding
        For example: https://tenant.vmwareidentity.com/saas/auth/saml/response

   You will use these values in the next task.

Create a New SAML App in Okta

Create a new SAML app in the Okta admin console.

Procedure

1. Log in to your Okta org and navigate to the Admin user interface.
2. Navigate to Applications > Applications.
3. Click Add Application.
4. Click Create New App.
5. Select Web as the Platform and SAML 2.0 as the Sign on method.
6. Click Create.
7. Enter a name for the app, for example, Workspace ONE SAML.
8. Click Next.
9. Enter the following information.

    Single sign on URL
        Enter the AssertionConsumerService URL. This is the URL retrieved from the Workspace ONE SAML metadata in Start Creating a New Identity Provider in VMware Identity Manager. For example: https://tenant.vmwareidentity.com/saas/auth/saml/response
    Audience URI (SP Entity ID)
        Enter the entityID. This is the entityID retrieved from the Workspace ONE SAML metadata in Start Creating a New Identity Provider in VMware Identity Manager. For example: https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/sp.xml
    Name ID format
        Select Unspecified.
    Application username
        Select Okta username. The application username mapping is defined in the next section. Okta username maps to the User Principal Name (UPN) in Workspace ONE.
10. Click Next.
11. Select the I'm an Okta customer adding an internal app button.
12. Check the This is an internal app that we have created box.
13. Click Finish.
14. From the Settings section of the Sign On menu for the new application, locate and copy the URL for the Identity Provider metadata.
Complete Creating the New Identity Provider in Workspace ONE

Return to the VMware Identity Manager console to complete creating the new third-party identity provider.

Procedure

1. In the new identity provider page, enter the following information.

    Identity Provider Name
        Enter a name for the new identity provider, such as Okta SAML IdP.
    SAML AuthN Request Binding
        Select HTTP Post.
        Note: This field appears after you enter the metadata URL in the SAML Metadata section and click Process IdP Metadata.
    SAML Metadata
        a. In the Identity Provider Metadata text box, enter the metadata URL copied from Okta. For example: https://youroktatenant/app/appid/sso/saml/metadata
        b. Click Process IdP Metadata.
        c. In the Name ID format mapping from SAML Response section, click the + icon, then select the following values:
            Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
            Name ID Value: userPrincipalName
           Note: Select the User Attribute that the application username value defined in Okta will match.
    Users
        Select the directories you want to authenticate using this identity provider.
    Network
        Select the networks that can access this identity provider.
    Authentication Methods
        Enter the following:
            Authentication Methods: Okta SAML IdP Method
            SAML Context: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
2. Click Add.

Add Okta Authentication Method to Access Policies in Workspace ONE

After you set up Okta as the identity provider to Workspace ONE, add the newly created authentication method to access policies in Workspace ONE.

Procedure

1. In the VMware Identity Manager console, click the Identity & Access Management tab, then click Policies.
2. Select a policy to edit or click Add Policy to create a new policy.
3. If you are creating a new policy, enter a name and description for the policy.
4. Add or edit a policy rule to match your criteria and use the Okta SAML IdP Method as needed. For example:

    If a user's network range is: ALL RANGES
    and user is accessing content from: Web Browser
    and user belongs to group(s): Empty (all users)
    Then perform this action: Authenticate using
    then the user may authenticate using: Okta SAML IdP Method

   Note: Select the authentication method you created for the IDP in Complete Creating the New Identity Provider in Workspace ONE.
5. Click Save.

Assign the App to Users in Okta

After you complete the setup, return to the Okta org and assign the newly created Workspace ONE application to users. Assign the application to a few users at first and test the integration.
3 Configure Workspace ONE as an Identity Provider in Okta

This section describes the process of configuring Workspace ONE as an identity provider in Okta. This configuration can be used to provide Mobile SSO (password-less authentication) for users on enrolled devices as well as conditional access based on Device Compliance as configured and managed by AirWatch and enforced by Workspace ONE.

For additional information, see:

    The "Configure Inbound SAML" section of the Okta Identity Providers documentation
    The blog "Okta and VMware Workspace ONE Integration: VMware Identity Manager as IDP for Okta"

This chapter includes the following topics:

    Get Workspace ONE Identity Provider Information
    Add Identity Provider in Okta
    Configure Okta Application Source in Workspace ONE

Get Workspace ONE Identity Provider Information

From Workspace ONE, retrieve the SAML metadata information that is required to set up an identity provider in Okta.

Procedure

1. Log in to the VMware Identity Manager admin console with full administrator privileges.
2. Select the Catalog > Web Apps tab.
3. Click Settings.
4. Click SAML Metadata in the left pane. The Download Metadata tab is displayed.
5. Download the Signing Certificate.
    a. In the Signing Certificate section, click Download.
    b. Make a note of the location of the downloaded signingcertificate.cer file.
6. Retrieve the SAML metadata.
    a. In the SAML Metadata section, right-click the Identity Provider (IdP) metadata link and open it in a new tab or window.
    b. In the identity provider metadata file, find and make a note of the following values:

        entityID
            For example: https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml
        SingleSignOnService URL with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            For example: https://tenant.vmwareidentity.com/saas/auth/federation/sso

Add Identity Provider in Okta

Create the identity provider (IDP) record in Okta. For additional information about how Okta handles external identity providers, see the Okta documentation on Identity Providers.

Procedure

1. Log in to the Okta admin user interface with Administrator privileges or any other role entitled to add an Identity Provider.
2. Navigate to Security > Identity Providers.
3. Click Add Identity Provider.
4. Enter a name for the identity provider. For example, Workspace ONE.
5. Enter the following information:

    IdP Username
        idpuser.subjectNameId
        If you plan to send the username in a custom SAML attribute, define an appropriate expression. For information, see https://developer.okta.com/reference/okta_expression_language.
    Filter
        Uncheck the box.
    Match against
        Okta Username
        Adjust the selection as required for your environment and the values that you plan to send. See the Directory Alignment chapter for information.
    If no match is found
        Redirect to Okta sign-in page
    IdP Issuer URI
        Enter the entityID. This is the value you obtained from the identity provider metadata file from Workspace ONE. For example: https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml
    IdP Single Sign-On URL
        Enter the SingleSignOnService Location URL. This is the value you obtained from the identity provider metadata file from Workspace ONE. For example: https://tenant.vmwareidentity.com/saas/auth/federation/sso
    IdP Signature Certificate
        Browse and select the Signing Certificate file you downloaded from Workspace ONE.
        Tip: You may need to change the file extension or the default browser filter to look for *.crt and *.pem files.
6. Click Add Identity Provider.
7. Verify that the following information appears:

    SAML Metadata
        Assertion Consumer Service URL
        Audience URI

8. Download and save the metadata file.
    a. Click the Download Metadata link.
    b. Save the metadata file locally.
    c. Open the metadata file and copy its contents.
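The values that Chapter 2 step 6 (SP metadata) and step 6 above (IdP metadata) ask you to copy by hand can be extracted programmatically, which avoids pasting the URL of the wrong binding into Okta. This is an added Python example, not VMware or Okta code; SP_METADATA and IDP_METADATA are constructed samples shaped like the Workspace ONE metadata documents, using the guide's placeholder host and a placeholder certificate body.

```python
"""Extract the SAML metadata values this guide asks you to note by hand.

Added example, not VMware or Okta code. SP_METADATA and IDP_METADATA are
constructed samples; tenant.vmwareidentity.com is the guide's placeholder
host and the X509Certificate body is a placeholder string.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed: what the "Service Provider (SP) Metadata" link returns. Two ACS
# endpoints are listed on purpose; only the HTTP-POST Location goes into Okta.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/sp.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="{HTTP_ARTIFACT}"
        Location="https://tenant.vmwareidentity.com/saas/auth/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true" Binding="{HTTP_POST}"
        Location="https://tenant.vmwareidentity.com/saas/auth/saml/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: what the "Identity Provider (IdP) metadata" link returns.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://tenant.vmwareidentity.com/saas/auth/federation/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://tenant.vmwareidentity.com/saas/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(root, tag, binding):
    """Location of the first <md:tag> whose Binding attribute matches exactly."""
    for el in root.iter(f"{{{NS['md']}}}{tag}"):
        if el.get("Binding") == binding:
            return el.get("Location")
    raise ValueError(f"{tag} with binding {binding} not found")


def sp_values(xml_text):
    """Okta's Audience URI and Single sign on URL (Chapter 2, step 9)."""
    root = ET.fromstring(xml_text)
    return {
        "entityID": root.get("entityID"),
        "acs_post": _location(root, "AssertionConsumerService", HTTP_POST),
    }


def idp_values(xml_text):
    """Okta's IdP Issuer URI, IdP Single Sign-On URL and signing certificate (Chapter 3)."""
    root = ET.fromstring(xml_text)
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in IdP metadata")
    return {
        "entityID": root.get("entityID"),
        "sso_post": _location(root, "SingleSignOnService", HTTP_POST),
        "signing_cert": "".join(cert.text.split()),  # base64 body without whitespace
    }


if __name__ == "__main__":
    print(sp_values(SP_METADATA))
    print(idp_values(IDP_METADATA))
```

Point the two functions at the real metadata links from your tenant and compare the output with what you entered in Okta; a mismatch in entityID or binding is the usual cause of a rejected assertion.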
Configure Okta Application Source in Workspace ONE

Configure Okta as an application source in Workspace ONE.

Procedure

1. Log in to the VMware Identity Manager console with full administrator privileges.
2. Select the Catalog > Web Apps tab.
3. Click Settings.
4. Click Application Sources in the left pane.
5. Click OKTA.
6. In the OKTA Application Source wizard Definition page, click Next.
7. In the Configuration page:
    a. For Configuration, select URL/XML.
    b. In the URL/XML text box, copy and paste the SP metadata that you downloaded from Okta in Add Identity Provider in Okta.
8. Click Next.
9. In the Access Policies page, select the access policy set to use. Authentication requests from Okta applications will be authenticated using this policy set.
10. Click Next, review your selections, and click Save.
11. Click the OKTA Application Source again.
12. In the Configuration page, modify the Username Value to match the value that Okta is matching against, such as Okta Username.
13. Save your changes.
4 Configure Okta Identity Provider Routing Rules

Identity Provider Routing Rules is a feature provided by Identity Provider Discovery in Okta. This feature allows an Okta admin to route users to different authentication sources based on the user, user property, target application, source network, or device type. In the context of this guide, the primary use case is to direct authentication to Workspace ONE if the user is attempting to log in from a mobile device.

Identity Provider routing rules are evaluated in order. You can rearrange the order of listed rules. If no user-configured rules apply to an authentication attempt, the system-provided Default Rule is used.

Procedure

1. Sign in to Okta as an administrator with privileges sufficient to create or modify Identity Provider Routing Rules.
2. Navigate to Security > Identity Providers.
3. Click the Routing Rules tab.
4. Click Add Routing Rule or select a rule from the list and click Edit.
5. Enter a rule name.
6. Define the conditions.

    User's IP is
        Anywhere
        In a specific Zone or list of Zones
        Not in a specific Zone or list of Zones
    User's device platform is
        A device form factor
        A device operating system
    User is accessing
        Selective Target application
        Any application
    User matches
        Evaluate properties of the login value
            Regex on Domain
            Domain in a list
        Pattern matching on specific user attributes
            Equals
            Starts with
            Contains
            Regex
7. Define the action.

    Use this Identity Provider
        Okta: Authenticate the user locally or via delegated Auth.
        IWA: Redirect the user to an IWA server for Desktop SSO.
        SAML IdP: Redirect the user to a specific federated IdP.

   This identity provider rule redirects authentication requests for the specified device types and target applications to Workspace ONE. Other authentication requests are processed through the default routing rule.

8. Click Create Rule.
5 Configure Conditional Access Policies in Workspace ONE

Administrators can create multiple access policy sets to assign to different applications based on the security level required. You can create an access policy set to enforce conditional access and leverage Mobile Sign-On authentication for applications federated with Okta. Additionally, you can add Okta as an authentication method in the Workspace ONE default access rule to allow users access to the Workspace ONE catalog using Okta credentials.

Create the access policy for iOS and Android with Mobile SSO and Device Compliance as the authentication methods. When Mobile SSO and Device Compliance fail, it falls back to Okta Authentication.

Procedure

1. Log in to the VMware Identity Manager console with full administrator privileges.
2. Click the Identity & Access Management tab.
3. Click the Policies tab.
4. Click Add Policy.
5. In the Definition page of the wizard, enter the following information.

    Policy Name
        A name for the policy
    Description
        A description for the policy
    Applies to
        Select Okta. This assigns the access policy set to the Okta Application Source. All authentication requests from Okta are evaluated with this policy rule set.
6. Click Next.
7. In the Configuration page, click Add Policy Rule and configure the policy rule.
    a. Select iOS as the device type in the "and user is accessing content from" list.
    b. Select Mobile SSO (for iOS) as the first authentication method.
    c. Select Device Compliance (with AirWatch) as the second factor authentication method.
    d. Click Save.
   This is a policy rule for iOS. A client device is only allowed access if proper credentials are provided and the device is enrolled and compliant in AirWatch.

8. Add similar policy rules for the Android and Workspace ONE App device types.
9. Modify the default_access_policy_set.
    a. In the Identity & Access Management > Policies page, click default_access_policy_set.
    b. Click Edit.
    c. In the Definition page of the Edit Policy wizard, click Next.
    d. In the Configuration page, click Add Policy Rule to add a new policy rule.
        1. Select iOS as the device type.
        2. Select Mobile SSO as the primary authentication method.
        3. Select Okta Auth as the authentication fallback method.
        4. Click Save.
    e. Add a similar policy rule for the Android device type.
        1. Click Add Policy Rule.
        2. Select Android as the device type.
        3. Select Mobile SSO as the primary authentication method.
        4. Select Okta Auth as the authentication fallback method.
        5. Click Save.

   The default policy rule controls login to the Workspace ONE catalog. This rule lets users authenticate with Mobile SSO when it is available on the device, and otherwise fall back to authentication with Okta credentials.
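The outcomes of Figure 1-1 and the two rule sets configured in this chapter (the policy applied to the Okta Application Source in steps 7 to 8, and default_access_policy_set in step 9 together with the Chapter 2 step 4 example rule), as an added Python model that is not VMware or Okta code. The Request fields managed, compliant and okta_credentials_ok are assumptions standing in for what Mobile SSO, the AirWatch compliance check and Okta observe.

```python
"""Model of the access-policy decisions this guide configures.

Added example, not VMware or Okta code. Rule sets follow Chapter 2 step 4
and Chapter 5; outcomes follow Figure 1-1. The Request fields are
assumptions standing in for what Mobile SSO and the AirWatch compliance
check observe about the device.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

MOBILE_SSO = "Mobile SSO"
DEVICE_COMPLIANCE = "Device Compliance (with AirWatch)"
OKTA_AUTH = "Okta Auth"  # the Okta SAML IdP Method created in Chapter 2


class Outcome(Enum):
    ALLOW = "authenticated; SAML assertion issued"
    ENROLL_DEVICE = "unmanaged device: send to enrollment (Figure 1-1)"
    BLOCK = "managed but non-compliant: block access (Figure 1-1)"
    USE_OKTA = "authenticate with Okta credentials"
    DENY = "no matching rule, or Okta credentials rejected"


@dataclass
class Rule:
    device_type: str                # value of "and user is accessing content from"
    methods: List[str]              # primary method first, then the second factor
    fallback: Optional[str] = None  # used only when the primary method fails


@dataclass
class Request:
    device_type: str
    managed: bool            # enrolled in UEM, so it holds the Mobile SSO certificate
    compliant: bool          # passes the UEM compliance policy
    okta_credentials_ok: bool = True


def evaluate(policy: List[Rule], req: Request) -> Outcome:
    """Apply the first rule whose device type matches, in listed order."""
    for rule in policy:
        if rule.device_type != req.device_type:
            continue
        if rule.methods[0] == MOBILE_SSO and not req.managed:
            # Mobile SSO cannot succeed without the enrollment certificate.
            if rule.fallback == OKTA_AUTH:
                return Outcome.USE_OKTA if req.okta_credentials_ok else Outcome.DENY
            return Outcome.ENROLL_DEVICE
        if rule.methods[0] == OKTA_AUTH:
            return Outcome.USE_OKTA if req.okta_credentials_ok else Outcome.DENY
        if DEVICE_COMPLIANCE in rule.methods and not req.compliant:
            return Outcome.BLOCK
        return Outcome.ALLOW
    return Outcome.DENY  # the guide's Okta policy lists device rules only


# Chapter 5 steps 7-8: the policy set whose "Applies to" is Okta.
OKTA_APP_POLICY = [
    Rule("iOS", [MOBILE_SSO, DEVICE_COMPLIANCE]),
    Rule("Android", [MOBILE_SSO, DEVICE_COMPLIANCE]),
    Rule("Workspace ONE App", [MOBILE_SSO, DEVICE_COMPLIANCE]),
]

# Chapter 5 step 9 plus the Chapter 2 step 4 example rule: default_access_policy_set.
DEFAULT_POLICY = [
    Rule("iOS", [MOBILE_SSO], fallback=OKTA_AUTH),
    Rule("Android", [MOBILE_SSO], fallback=OKTA_AUTH),
    Rule("Web Browser", [OKTA_AUTH]),
]

if __name__ == "__main__":
    for managed, compliant in [(False, False), (True, False), (True, True)]:
        req = Request("iOS", managed, compliant)
        print(f"Okta app, managed={managed}, compliant={compliant}: "
              f"{evaluate(OKTA_APP_POLICY, req).value}")
```

Change the rule order or add a fallback to OKTA_APP_POLICY and rerun to see which device states would then reach an Okta-federated application.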
6 Add Okta Applications to Workspace ONE Catalog

To provide a consistent access experience for users while still leveraging the appropriate platform to suit your technical requirements, you can provide Okta applications to your users in Workspace ONE. If you have configured the OKTA Application Source in Workspace ONE, follow this procedure to add an Okta application to your users' Workspace ONE portal.

Procedure

1. Log in to the VMware Identity Manager console with full administrator privileges.
2. Select the Catalog > Web Apps tab.
3. Click New.
4. In the New SaaS Application wizard's Definition page, enter the following information.

    Name
        Enter a name for the application.
    Description
        (Optional) Enter a description of the application.
    Icon
        (Optional) Upload an icon.
    Category
        (Optional) To add the application to a category, select it from the drop-down menu.
5. Click Next.
6. In the Configuration page, enter the following information.

    Authentication Type
        OKTA Application Source
    Target URL
        Enter the Okta app embed link. For example: https://youroktaorg/home/salesforce/0oae85fp45zcznlya0h7/24
        For information on finding the link in Okta, see the "Show application embed links" section in the Okta documentation.
    Open in VMware Browser
        No

7. Click Next.
8. In the Access Policies page, select the access policy for the application, then click Next.
9. Review your selections and click Save, or click Save & Assign to assign the application to users and groups. If you do not assign the application to any users and groups at this time, you can do so later by selecting the application in the Catalog > Web Apps page and clicking Assign.

When a user clicks an Okta application in Workspace ONE, Workspace ONE sends an IDP-initiated SAML Authentication Response to Okta with a RelayState value of the Okta embed link. Okta then sends an IDP-initiated SAML Authentication Response to the target Service Provider.