2020

If you are a VMware Cloud Services Customer and you are trying to use the VMware Workspace ONE application in Okta to leverage SCIM management of identities in WS1, you might be running into an issue with Groups.

 

In Workspace ONE Access you will notice that groups created from Okta are associated with the System Domain but are not associated with the directory that was created for Okta to provision users and groups.

 


This happens because the Okta SCIM request to create a group does not contain the domain attribute, which is what associates the group with the correct directory in Workspace ONE Access. Unfortunately, the SCIM request to create a group in Okta cannot be customized to include this attribute.

 

To work around this issue, we will have to pre-create the group on Workspace ONE Access.

 

  1. Open a new tab in Postman
  2. Add the correct authorization header (as per the main Okta SCIM Integration Blog https://communities.vmware.com/blogs/steveIDM/2019/08/13/workspace-one-okta-integration-part-3-setting-up-scim-provisioning)
  3. For the HTTP Method, select "POST"
  4. For the URL, enter: "https://[TENANT]/SAAS/jersey/manager/api/scim/Groups"
  5. Under "Headers", set the Content-Type to "application/json"
  6. Use the following as a sample body and click Send. You will need to do this for each group you plan on linking in Okta. Replace the displayName with the same name as the group in Okta, and set domain to the domain name associated with the directory previously created for use with Okta SCIM.
    {
      "schemas": [
        "urn:scim:schemas:core:1.0",
        "urn:scim:schemas:extension:workspace:1.0"
      ],
      "displayName": "VMWCSPgroup1",
      "urn:scim:schemas:extension:workspace:1.0": {
        "domain": "vmwaredemo.com"
      }
    }

  7. You will now see the group created in Workspace ONE Access and associated with the correct directory.
  8. In the Okta Administration Console, please make sure this group exists in Okta before proceeding.
  9. In the VMware Workspace ONE application (in Okta Admin Console), click on the Push Groups tab.
  10. Click on Refresh App Groups to ensure Okta has a complete list of groups in Workspace ONE Access.
  11. Click on Push Groups -> Find Groups by Name
  12. Enter the name of the group
  13. Ensure that a match is found in Workspace ONE Access with the option to Link Group.
  14. Click Save
  15. Verify that the Group Linking was successful
  16. The group should now sync with Workspace ONE Access.
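
Steps 1 to 6 can also be scripted when several groups need to be pre-created. The following is an added example, not code from the original post or from VMware or Okta; it assumes the authorization header is a bearer token obtained as described in the linked blog, and the function names and the tenant.example.com host are hypothetical.

```python
import json
import urllib.request

CORE = "urn:scim:schemas:core:1.0"
WS_EXT = "urn:scim:schemas:extension:workspace:1.0"


def group_payload(display_name, domain):
    """SCIM body from step 6; the domain ties the group to the Okta directory."""
    if not display_name.strip():
        raise ValueError("displayName must match the Okta group name")
    if not domain.strip():
        # Without the domain the group ends up under the System Domain.
        raise ValueError("domain is required")
    return {
        "schemas": [CORE, WS_EXT],
        "displayName": display_name,
        WS_EXT: {"domain": domain},
    }


def build_request(tenant, token, display_name, domain):
    """Build the POST from steps 3 to 5 without sending it."""
    body = json.dumps(group_payload(display_name, domain)).encode("utf-8")
    return urllib.request.Request(
        url=f"https://{tenant}/SAAS/jersey/manager/api/scim/Groups",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            # Assumption: bearer token obtained as in the linked blog post.
            "Authorization": f"Bearer {token}",
        },
    )


def precreate_groups(tenant, token, names, domain, send=urllib.request.urlopen):
    """Send one POST per group; returns {group name: HTTP status}."""
    results = {}
    for name in names:
        with send(build_request(tenant, token, name, domain)) as resp:
            results[name] = resp.status
    return results


if __name__ == "__main__":
    # Constructed sample values; replace with your tenant, token and groups.
    req = build_request("tenant.example.com", "PLACEHOLDER_TOKEN",
                        "VMWCSPgroup1", "vmwaredemo.com")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Call precreate_groups with the list of Okta group names, then continue from step 7 to confirm each group shows the correct directory before linking it in Okta.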