For updates on this blog and other blogs, follow me on Twitter: @SteveIDM

 

In the third installment of the Okta Integration with Workspace ONE series, we are going to cover SCIM Provisioning from Okta to Workspace ONE.

The official VMware Workspace ONE application is currently available on Okta Preview.

In the first release of this functionality, there will be a lot of manual steps. I fully expect a more seamless process in future releases.

Minimum Requirements:

  • Workspace ONE UEM SaaS or version 19.09 for dedicated/on-premise.
  • Workspace ONE Access SaaS
    • Note: Although some aspects of the integration will work for on-premise customers, not all functionality is currently available.

Note: When creating users in Workspace ONE from Okta, they will be created as new users in Workspace ONE Access and UEM. Any previous users synchronized from AD will not get overwritten. Users that are currently enrolled with AD credentials will need to re-enroll with Okta credentials (if you are switching from AD to Okta).

This process will require some proficiency and knowledge in using Postman to manage identities in Workspace ONE Access (formerly known as VMware Identity Manager). Please check out my blog on using Postman to manage Workspace ONE identities:

https://communities.vmware.com/blogs/steveIDM/2019/05/09/using-postman-to-manage-workspace-one-identities

Here is a high level overview of the process:


  1. Okta is configured to use Workspace ONE Provisioning Application
  2. Okta will SCIM the user to Workspace ONE Access
  3. The AirWatch Provisioning Adapter in Workspace ONE Access will provision the user to Workspace ONE UEM.

 

This blog will not go into detail on the provisioning to UEM. Please see the following blog on provisioning to UEM:

Workspace ONE - AirWatch Provisioning App

Step 1:  Create a Remote App Access Client

  1. Log into Workspace ONE Access
  2. Click on Catalog (Down Arrow) and then Settings
  3. Click on Remote App Access
  4. Click Create Client
  5. Select "Service Client Token"
  6. Enter a Client ID ie. OktaSCIM
  7. Expand Advanced
  8. Click Generate Shared Secret
  9. Update the Access Token TTL to something longer than the default. Note: If you choose 1 year, you will need to update the Okta configuration every year with a new bearer token.
  10. Copy the shared secret. You will need this later.
  11. Click Add

 

Step 2:  Configure Postman to use your OAuth Token

Note: Depending on your version of Postman, the steps below might be slightly different.

  1. Open a new tab in Postman
  2. For the HTTP Method, select "POST"
  3. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
    Replace [TENANTURL] with your tenant URL, ie.
    https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
  4. In the Authorization section, select "OAuth 2.0" as the type
  5. Click Get New Access Token
  6. Provide a Token Name (ie. Workspace ONE)
  7. Under Grant Type, select "Client Credentials"
  8. Under "Access Token URL", enter https://[TENANTURL]/SAAS/auth/oauthtoken
  9. ie. https://dsas.vmwareidentity.com/SAAS/auth/oauthtoken
  10. Under Client ID, enter your Client ID from Step 1.
  11. Under Secret, enter your shared secret from Step 1.
  12. Under Scope, enter 'admin'
  13. Click Request Token
  14. On the left hand side, select "Request Headers" and click "Preview Request".
  15. You should see a message saying headers were updated correctly.
  16. Click the Headers tab and verify that the bearer token was added as a temporary header.
  17. If the bearer token was not added, return to the Authorization tab, select your token from the available tokens drop down list and preview the request again.

 

Step 3:  Create an "Other" Directory for your Okta Users.

  1. Under "Headers", set the Content-Type to "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
  2. Click on the Body tab
  3. Use the following as a sample and Click Send

 

{
  "type": "OTHER_DIRECTORY",
  "domains": ["Okta.com"],
  "name": "Okta Universal Directory"
}

You should see a similar result in the response.
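
The token request from Step 2 and the directory creation from Step 3 can also be scripted, which is handy when the bearer token has to be regenerated for Okta after the TTL from Step 1 runs out. The following Python script is an added example, not code from the original post or from VMware; it assumes the /SAAS/auth/oauthtoken endpoint accepts the same form fields that Postman's Client Credentials grant sends (grant_type, client_id, client_secret, scope) and that the access token it returns is a JWT carrying an exp claim. The environment variable names WS1_TENANT, WS1_CLIENT_ID and WS1_SECRET are chosen for this example only.

```python
"""Added example (not from the original post): obtain the client-credentials token
from Workspace ONE Access and create the "Other" directory for Okta users.

Assumptions (not confirmed by the post): the token endpoint accepts the form fields
Postman's Client Credentials grant sends, and the access token is a JWT with "exp".
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

# Content-Type required by the directoryconfigs endpoint (from Step 3 of the post).
DIRECTORY_CONTENT_TYPE = (
    "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
)


def tenant_base(tenant_url: str) -> str:
    """Normalise the tenant URL so that a trailing slash or an already-pasted
    /SAAS suffix never yields 'https://tenantSAAS/...' style URLs."""
    base = tenant_url.strip().rstrip("/")
    if base.endswith("/SAAS"):
        base = base[: -len("/SAAS")]
    if not base.startswith("https://"):
        raise ValueError("tenant URL must use https")
    return base


def token_request(tenant_url: str, client_id: str, client_secret: str):
    """URL and form body for the client-credentials grant (Step 2).
    Field names mirror what Postman sends; this is an assumption of the example."""
    url = f"{tenant_base(tenant_url)}/SAAS/auth/oauthtoken"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "admin",  # the scope the post tells you to enter in Postman
    })
    return url, body


def directory_request(tenant_url: str, bearer_token: str, name: str, domains):
    """URL, headers and JSON body for creating an OTHER_DIRECTORY (Step 3)."""
    url = f"{tenant_base(tenant_url)}/SAAS/jersey/manager/api/connectormanagement/directoryconfigs"
    headers = {
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": DIRECTORY_CONTENT_TYPE,
        "Accept": "application/json",
    }
    body = json.dumps({"type": "OTHER_DIRECTORY", "domains": list(domains), "name": name})
    return url, headers, body


def jwt_expiry(token: str) -> int:
    """Return the unverified 'exp' claim of a JWT (seconds since epoch).
    No signature check is done: this only tells you when the token you paste
    into Okta will stop working, so you can schedule the rotation."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return int(claims["exp"])


def post_json(url: str, body: str, headers: dict) -> dict:
    """POST a body and decode the JSON response."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Secrets come from the environment (hypothetical variable names) rather than argv,
    # so the admin-scoped client secret does not end up in shell history or ps output.
    tenant = os.environ["WS1_TENANT"]
    client_id = os.environ["WS1_CLIENT_ID"]
    secret = os.environ["WS1_SECRET"]

    url, form = token_request(tenant, client_id, secret)
    token = post_json(url, form, {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]
    days_left = (jwt_expiry(token) - time.time()) / 86400
    print(f"Bearer token expires in {days_left:.0f} days; update Okta before then.")

    url, headers, body = directory_request(tenant, token, "Okta Universal Directory", ["Okta.com"])
    print(json.dumps(post_json(url, body, headers), indent=2))
```

Run it as `WS1_TENANT=https://[TENANTURL] WS1_CLIENT_ID=OktaSCIM WS1_SECRET=... python3 script.py`. The printed expiry comes straight from the token's exp claim, so it matches whatever Access Token TTL you set on the Remote App Access client in Step 1; the same token carries the admin scope, which is why the script reads it from the environment instead of a command-line argument.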

Step 4:  Add the VMware Workspace ONE App in Okta

  1. Log into the Okta Admin Console
  2. Click on Applications -> Applications
  3. Click Add Application
  4. Search for "VMware Workspace ONE"
  5. Select VMware Workspace ONE under Integrations
  6. Click Add
  7. Enter your Workspace ONE URL in the field labeled "Base URL"
    ie. https://dsas.vmwareidentity.com
  8. Click Done
  9. Click on the Provisioning tab and click Configure API Integration
  10. Select Enable API Integration
  11. Paste the bearer token that was created in the earlier step with Postman.
  12. Click Test API Credentials
  13. Ensure you have a "Success" before proceeding.
  14. Click Save
  15. Click on the Edit button
  16. Select Enable for Create and Deactivate and click Save
  17. If you used a different domain than "okta.com" when creating your directory (using Postman), you will need to scroll down and edit the domain attribute so it matches your domain.



Known Issues:

  1. When pushing groups from Okta to Workspace ONE, Okta has a feature called "Push Now". If you run into an error when using this capability, click the Retry All Groups button.

For additional troubleshooting see:

https://communities.vmware.com/blogs/steveIDM/2019/10/21/workspace-one-and-okta-troubleshooting-blog