Integrating Okta: VMware Workspace ONE Operational Tutorial
Guide, August 2018 (printed 4 March 2019)
VMware Workspace ONE
Table of Contents
Overview
  Introduction
  Purpose
  Audience
Integrating Okta with VMware Workspace ONE
  Introduction
  Prerequisites
  Configuring Workspace ONE as a Third-Party Identity Provider in Okta
  Creating Routing Rules in Okta
  Adding Applications Federated with Okta to the Workspace ONE Application Catalog
  Configuring Okta as a Third-Party Identity Provider in Workspace ONE
Summary and Additional Resources
  Conclusion
  Additional Resources
  About the Author
  Feedback
Integrating Okta: VMware Workspace ONE Operational Tutorial

Overview

Introduction
VMware provides this operational tutorial to help you with your VMware Workspace ONE environment. Workspace ONE simplifies access to cloud, mobile, and enterprise applications from supported devices. As an IT professional, you can use Workspace ONE to deploy, manage, and secure applications. At the same time, you can offer a flexible bring-your-own-device (BYOD) initiative to your end users from a central location.

Purpose
This operational tutorial provides you with discussions and exercises to help with your existing VMware Workspace ONE production environment. VMware provides operational tutorials to help you with:
- Common procedures or best practices
- Complex manual procedures
- Troubleshooting
Note: Before you begin any operational tutorial, you must first deploy a production environment. For information about deployment, see the VMware Workspace ONE Documentation.

Audience
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager and VMware Workspace ONE UEM (unified endpoint management), powered by VMware AirWatch, is also helpful.

Integrating Okta with VMware Workspace ONE

Introduction
This tutorial helps you to integrate VMware Workspace ONE with Okta.
Procedures include:
- Configuring Workspace ONE as a Third-Party Identity Provider in Okta
- Creating Routing Rules in Okta
- Adding Applications Federated with Okta into the Workspace ONE App Catalog
- Configuring Okta as a Third-Party Identity Provider in Workspace ONE
The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites
Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.
Check whether you have the following components installed and configured:
- Admin access to a VMware Identity Manager tenant and an Okta tenant
- Test application federated with Okta (to follow the steps in this exercise, use Salesforce and Office 365)
- VMware Identity Manager tenant and Okta tenant connected to the same Active Directory domain
- Optional: Mobile device to test redirection to Workspace ONE
Configuring Workspace ONE as a Third-Party Identity Provider in Okta
This exercise helps you test access to a SaaS application (Salesforce) that is federated with Okta while using Workspace ONE as a third-party identity provider. The process of federating Salesforce with Okta is outside the scope of this exercise.

1. Retrieve SAML Metadata from Workspace ONE Admin Console
First, you must retrieve the appropriate SAML metadata file from the Workspace ONE tenant.

1.1. Navigate to Workspace ONE Tenant URL
Navigate to your Workspace ONE tenant and log in.

1.2. Navigate to Catalog Settings
1. Click Catalog.
2. Click Web Apps.
3. Click Settings.

1.3. Open SAML IDP Metadata
1. Click SAML Metadata.
2. Click Identity Provider (IdP) Metadata to open the metadata file in a new browser tab. You will reference this in a later step.
1.4. Download Signing Certificate
1. Scroll down.
2. Click Download to download the Signing Certificate file.

1.5. Save Signing Certificate
Click Save to save the certificate file locally on your computer.

2. Add Identity Provider in Okta
Next, add Workspace ONE as a trusted identity provider in Okta. Log in to your Okta admin console.

2.1. Add Identity Provider
1. Click Security.
2. Click Identity Providers.
3. Click Add Identity Provider.

2.2. Identity Provider Configuration
1. Enter the IdP Username, for example, Workspace ONE.
2. Select idpuser.subjectnameid from the IdP Username drop-down menu.
3. Select Okta Username from the Match Against drop-down menu.
2.3. Active Directory User Profile in Okta
Note that users in this Okta tenant use their Active Directory userprincipalname as the Okta Username. This is the value you need to send from Workspace ONE in the SAML assertion.

2.4. Copy IdP Information from Metadata
1. Copy the entityID URL from the SAML metadata file into the IdP Issuer URI box (for example, https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml).
2. Copy the SingleSignOnService URL for the HTTP-Redirect binding into the IdP Single Sign-On URL box (for example, https://tenant.vmwareidentity.com/saas/auth/federation/sso).
3. Click Browse File to upload the IdP Signature Certificate.

2.5. Upload Signing Certificate
1. Select the signingcertificate file downloaded from the Workspace ONE tenant.
2. Select Open.

2.6. Finish Adding Identity Provider
Click Add Identity Provider.

3. Download and Copy Okta SAML Metadata
The next steps help you download and copy the Okta SAML metadata for the newly created identity provider in Okta.

3.1. Download Okta SAML Metadata
Click Download Metadata.

3.2. Save Okta Metadata Locally
Save the metadata file locally on your computer. Click Save.

3.3. Copy Contents of Okta Metadata File
Open the metadata file in a text editor and copy the contents of the file to your clipboard.

4. Configure Okta as an Application Source in Workspace ONE
Next, configure Okta as an Application Source in Workspace ONE.
Return to your Workspace ONE admin console.
1. Click Application Sources.
2. Click OKTA.

5. Configure Application Source Definition
Click Next.

5.1. Paste Okta Metadata into Application Source Configuration
1. Paste the contents of the metadata file into the URL/XML text box.
2. Click Next.

5.2. Configure Application Source Access Policy
1. Select an authentication policy from the drop-down menu.
2. Click Next.

5.3. Save Application Source
Click SAVE.

5.4. Navigate Back to Application Source
Click Okta to navigate back into the Application Source configuration.

5.5. Change Username Value to userprincipalname
1. Click Configuration.
2. Change the Username Value field to ${user.userprincipalname}. This sends the user's userprincipalname as the NameID value, which matches the user's Okta username.
3. Click Summary.

5.6. Save Application Source
Click Save. The federation trust between Okta and Workspace ONE has been successfully created. Before you can test authentication to Okta using Workspace ONE, you must create the appropriate routing rules in Okta to route authentication requests coming into Okta to Workspace ONE.

Creating Routing Rules in Okta
This exercise helps you to create routing rules in Okta to redirect authentication traffic to Workspace ONE. For more information, see Identity Provider Discovery in the Okta Product Documentation.
Note: Identity Provider Discovery is an early access feature and might require you to contact Okta Support to enable it in your tenant.

1. Add Routing Rule in Okta
Navigate back to the Identity Providers page in your Okta Admin console.
1. Click Routing Rules.
2. Click Add Routing Rule.
Note that a default rule is already present in the tenant to authenticate all traffic with Okta. This serves as a catch-all rule for all traffic that does not meet the criteria specified within the new routing rule being created.

2. Configure Workspace ONE Routing Rule
For this setup, you create a rule to route only mobile traffic (iOS or Android) for your test application. Anything else is authenticated with Okta.
1. Enter a friendly name for the Rule Name, for example, Workspace ONE.
2. Select Any of these devices.
3. Select iOS.
4. Select Android.

3. Finish Routing Rule Configuration
1. Scroll down.
2. Select Any of the following applications.
3. Search for and select your test application in the search bar.
4. Select Workspace ONE (the previously configured IdP connection) from the Use the identity provider drop-down menu.
5. Click Create Rule.

4. Activate Rule
Click Activate to activate the newly created Routing Rule.

5. Log In to Test Application
You can now test logging into your test application using one of the mobile device platforms (iOS or Android) selected in the routing rule. Click Okta.

6. Authenticate with Workspace ONE
Even though you selected Okta as the federation provider for the test application, you are automatically redirected to Workspace ONE for authentication. Click Sign in.

7. Confirm Successful Login
After you successfully authenticate with Workspace ONE, you are granted access to your test application. The following steps occur seamlessly without impacting the end-user login experience:
1. After successful authentication, Workspace ONE issues a SAML assertion for Okta with the authenticated user's Name ID.
2. Okta validates the SAML assertion issued by Workspace ONE and checks whether the authenticated user is authorized to access the target application. If authorized, Okta issues a second SAML assertion for the target application with the corresponding Name ID.
3. The client device passes the SAML assertion from Okta to the target application to gain access.

Adding Applications Federated with Okta to the Workspace ONE Application Catalog
This exercise helps you to add applications that are federated with Okta into the Workspace ONE catalog for seamless access. This enables the end user to authenticate directly into the Workspace ONE app catalog and perform an IdP-initiated login to the target application federated with Okta.

1. Retrieve Salesforce Application Identifier
First, you must retrieve the application identifier for your test application in Okta. This allows Workspace ONE to indicate what the target application is when it issues a SAML assertion to Okta.

1.1. Navigate to Test Application Configuration in Okta
Navigate to the Okta admin console.
1. Click the Applications tab.
2. Click Applications.
3. Click your test application.

1.2. Navigate to General Tab
Navigate to the General tab within your test application configuration.

1.3. Copy Application Embed Link
Scroll down to find the Embed Link value for your test application. Copy this value to your clipboard.

2. Add Salesforce to Workspace ONE
Next, add a new SaaS application (Salesforce) to Workspace ONE.

2.1. Navigate to Web Apps
Navigate to the Workspace ONE admin console.
1. Click Catalog.
2. Click Web Apps.
3. Click New to add a new SaaS application.

2.2. Configure SaaS Application Definition
1. Enter a friendly name for your SaaS application, for example, Salesforce OKTA.
2. Click Next.

2.3. Select Okta Application Source as Authentication Type
1. Select Okta Application Source from the Authentication Type drop-down. This application will inherit the SAML configuration that was already done for the Okta application source.
2. Paste the application embed link that was copied from the application configuration in the Okta tenant.
3. Click Next.

2.4. Configure SaaS Application Access Policy
1. Select an access policy for your SaaS application from the Access Policy drop-down.
2. Click Next.

2.5. Save SaaS Application
Click Save & Assign.

3. Assign SaaS Application
1. Search for the test user or group to assign this application.
2. Select Automatic from the Deployment Type drop-down menu.
3. Click Save.

4. Log In to Workspace ONE Catalog
Log in to the Workspace ONE catalog with your test user.

5. Open Test Okta Application
1. Click Catalog.
2. Click Open to launch the test application that was added to the catalog.

6. Confirm Successful Authentication Into Test Application
You should be logged in directly to the test application. Even though the client device is redirected to Okta in the interim, this redirection happens seamlessly without impacting the end-user sign-in experience.

Configuring Okta as a Third-Party Identity Provider in Workspace ONE
This exercise helps you to add Okta as a third-party identity provider within Workspace ONE. This allows end users to authenticate using Okta credentials when accessing the Workspace ONE catalog.

1. Retrieve Workspace ONE SP Metadata
This configuration is the inverse of the configurations in the previous exercises. In the previous configuration, Workspace ONE was acting as an identity provider and Okta as a service provider. In this case, Workspace ONE will be the service provider and Okta the identity provider.
First, you must retrieve the appropriate metadata file from the Workspace ONE admin console. Navigate to the SAML Metadata settings menu. Click Service Provider (SP) metadata to open the SP metadata file in a new browser tab. You will use this metadata in a later step.

2. Add Application in Okta
Return to the Okta admin console to add a new application.
1. Click Applications.
2. Click Applications.
3. Click Add Application.

2.1. Create New Application
You must create a new SAML SP configuration in Okta to accept authentication requests from Workspace ONE. Click Create New App.

2.2. Create SAML 2.0 Application
1. Select Web from the platform drop-down menu.
2. Select SAML 2.0 as the sign-in method.
3. Click Create.

2.3. Configure Application General Settings
1. Enter a friendly name for App name, for example, Workspace ONE.
2. Click Next.

2.4. Copy SP Endpoints from Metadata
Copy the required SP endpoints from the Workspace ONE SP metadata file.
1. Copy the AssertionConsumerService URL for the HTTP-POST binding from the SP metadata file and paste it into the Single sign on URL text box.
2. Copy the Entity ID URL from the SP metadata file and paste it into the Audience URI (SP Entity ID) text box.

2.5. Confirm Name ID and Value
Note that for this setup, you will use the default selection for the Name ID Format (Unspecified) and Application Username values. Okta sends the user's userprincipalname from Active Directory, which will be matched to the user's userprincipalname in Workspace ONE.

2.6. Navigate to Next Step
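The values copied by hand in the two metadata steps (IdP Issuer URI, SSO URL and signing certificate from the IdP metadata in the first exercise; ACS URL and Audience URI from the SP metadata here) can be extracted and cross-checked with a few lines of Python. The script below is an added example, not part of this VMware tutorial; it parses constructed sample metadata (the certificate blob and the SP entity ID and ACS paths are placeholders) and fingerprints the embedded signing certificate so it can be compared with the certificate file uploaded to Okta.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata namespaces and binding URIs.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: the certificate blob is a placeholder, the SP URLs are made up.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://tenant.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://tenant.vmwareidentity.com/saas/auth/federation/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://tenant.vmwareidentity.com/saas/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://tenant.vmwareidentity.com/constructed/sp-entity-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{POST}" index="0"
        Location="https://tenant.vmwareidentity.com/constructed/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 of the DER certificate in <ds:X509Certificate>; compare it with the
    fingerprint of the signing certificate file you upload to Okta."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def _location(descriptor, tag: str, binding: str) -> str:
    """Location of the endpoint with the requested binding; fail loudly if absent."""
    for endpoint in descriptor.findall(f"md:{tag}", NS):
        if endpoint.get("Binding") == binding:
            return endpoint.get("Location")
    raise ValueError(f"no {tag} endpoint with binding {binding}")

def parse_idp_metadata(xml_text: str) -> dict:
    """Fields the Okta Identity Provider form asks for: issuer URI, SSO URL, signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return {"issuer_uri": root.get("entityID"),
            "sso_redirect_url": _location(idp, "SingleSignOnService", REDIRECT),
            "signing_cert_sha256": cert_fingerprint(cert.text)}

def parse_sp_metadata(xml_text: str) -> dict:
    """Fields the Okta SAML app form asks for: Single sign on URL and Audience URI."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {"single_sign_on_url": _location(sp, "AssertionConsumerService", POST),
            "audience_uri": root.get("entityID")}
```

Run the two parse functions against the real idp.xml and SP metadata downloaded from your tenant; if the HTTP-Redirect or HTTP-POST endpoint is missing, the script raises instead of silently returning another binding's URL.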
Scroll down and click Next.

2.7. Configure as Internal Application
1. Select I'm an Okta customer adding an internal app.
2. Click Finish.

3. Assign Workspace ONE Application
Assign this new application to your test user or group in Okta.
1. Click Assignments.
2. Click Assign. Select a specific user or user group.

3.1. Confirm User or Group Assignment
Confirm the application has been assigned to your test user or group.

4. Download Okta IDP Metadata
Download the IDP metadata file created for this new application in Okta.
1. Click the Sign-On tab.
2. Right-click the Identity Provider Metadata link.
3. Click Save Link As...

4.1. Save Metadata File Locally
1. Enter a unique name for the metadata file.
2. Click Save to save the file locally.

4.2. Copy Contents of Okta Metadata File
Open and copy the contents of the recently downloaded metadata file.

5. Create Third-Party IDP in Workspace ONE
Next, add Okta as a trusted third-party identity provider in Workspace ONE. Navigate to your Workspace ONE admin console.
1. Click Identity & Access Management.
2. Click Identity Providers.
3. Click Add Identity Provider.
4. Click Create Third-Party IDP.

5.1. Process Okta IDP Metadata
1. Enter a friendly name for Identity Provider Name, for example, Okta.
2. Paste the contents of the metadata file downloaded from the Okta tenant.
3. Click Process IdP Metadata.

5.2. Change Name ID Value to userprincipalname
Select userprincipalname from the Name ID Value on the first row. This will match the value being used for the unspecified Name ID format in Okta.

5.3. Assign User Directory, Network Range and Authentication Method to IDP
1. Select your Active Directory as the user source for this third-party identity provider. This should be the same Active Directory used in Okta.
2. Select All Ranges as the Network Range for this identity provider.
3. Create a new authentication method for this identity provider to be used as part of the authentication policies. Enter a friendly name for Authentication Methods, for example, OktaPassword.
4. Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password from the SAML Context drop-down menu.

5.4. Add Third-Party IDP
Click Add to add the new IDP configuration.

6. Edit Default Access Policy Set
Before you can test authentication with the Okta IDP, you must modify the default access policy to use the authentication method associated with that IDP.
1. Click Identity & Access Management.
2. Click default_access_policy_set.

7. Edit Default Access Policy Set
Click Edit.

8. Edit Test Device Policy
1. Click Configuration.
2. Click to modify the policy for the device type you are testing with.

9. Add Okta IDP Authentication Method
1. Select the authentication method associated with the Okta IDP, for example, OktaPassword, from the authenticate using... drop-down menu.
2. Click Save.

9.1. Confirm Changes to Policy
Click Next.

9.2. Save Default Policy Set
Click Save.
10. Test Authentication into Workspace ONE Catalog
Now, test authenticating into the Workspace ONE catalog using a device platform to which the authentication policy changes were applied. You should be redirected directly to authenticate with Okta credentials.

11. Confirm Successful Authentication into Workspace ONE Catalog
Upon successful authentication with Okta, you are granted access to the Workspace ONE catalog.

Summary and Additional Resources

Conclusion
This tutorial provided steps to configure Workspace ONE as a third-party identity provider in Okta, create routing rules in Okta, add applications federated with Okta to the Workspace ONE app catalog, and configure Okta as a third-party identity provider in Workspace ONE.

Additional Resources
For more information about Workspace ONE, you can explore the following resources:
- VMware Workspace ONE Action Path
- VMware Workspace ONE product page
- VMware Workspace ONE Documentation
- VMware Identity Manager product page
- VMware Identity Manager Documentation
- VMware Workspace ONE UEM, powered by VMware AirWatch product page
- VMware AirWatch Documentation
- VMware Workspace ONE free trial
- VMware Workspace ONE Cloud-Based Reference Architecture
- VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture
- VMware End-User-Computing Blogs
- Workspace ONE UEM Hands-On Lab

About the Author
This exercise was written by: Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback
The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.