For updates on this blog and other blogs: Follow @SteveIDM

 

In Workspace ONE Access, you might have configured additional attributes and would like to populate those attributes from your source of truth such as Okta.

 

Perhaps it's a single attribute:

Screen Shot 08-20-20 at 02.53 PM.PNG

Or maybe you have many attributes:

 

Screen Shot 08-20-20 at 02.55 PM.PNG

 

When these attributes are created in Workspace ONE Access, they are created in a custom schema.  The schema is in the following format:

 

urn:scim:schemas:extension:workspace:tenant:TENANT:1.0

 

The TENANT will be replaced by your actual tenant name, such as "urn:scim:schemas:extension:workspace:tenant:dsas:1.0".

 

If you are unsure, I recommend using Postman to query the user with the GET API, for example: {{tenant_url}}/SAAS/jersey/manager/api/scim/Users?filter=userName%20eq%20%22steve%22

 

Here is a sample Postman response that I'll use as my guideline. Note: this step is not required, but I will use it to demonstrate my approach.

 

Screen Shot 08-20-20 at 02.59 PM.PNG

 

Now that we know how attributes are stored in Workspace ONE Access, let's configure Okta to send these attributes.

 

  1. Open the Workspace ONE Application in Okta
  2. Click on the Provisioning Tab
  3. Click on "Go to Profile Editor"
    Screen Shot 08-20-20 at 03.05 PM.PNG
  4. Click Add Attribute
    Screen Shot 08-20-20 at 03.07 PM.PNG
  5. Enter the Display Name, Variable Name and External Name exactly as the attribute was created in WS1 Access (for example, objectGUID).
  6. Enter the custom schema as the External Namespace, in the format noted above. Make sure your tenant name is included correctly.
  7. Check the "User personal" checkbox under Scope
    Screen Shot 08-20-20 at 03.08 PM.PNG
  8. Click Save
  9. Repeat this process for all the attributes you want to provision.
  10. Click on Mappings
  11. Click on the Okta User to VMware Workspace ONE Tab (Note: My image below is slightly different as I've renamed my application)
    Screen Shot 08-20-20 at 03.12 PM.PNG
  12. Select the correct attribute to map. In my environment, I'm mapping the ExternalID to the objectGUID.
    Screen Shot 08-20-20 at 03.13 PM.PNG
    Note: You can get the AD objectGUID using: findDirectoryUser().externalId

  13. Click Save Mappings
  14. Click Apply Updates Now
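
An added example, not part of the original post: it builds the GET query shown earlier with the filter value percent-encoded, then checks the schema and External Name you plan to enter in steps 5 and 6 against what Workspace ONE Access returns for a user. The function names, the `https://tenant.example` URL and the response shape (a `Resources` list with the tenant schema URN as a key on each user) are assumptions, and the sample response is constructed.

```python
import re
from urllib.parse import quote

# Schema format from the post: urn:scim:schemas:extension:workspace:tenant:TENANT:1.0
TENANT_SCHEMA = re.compile(r"^urn:scim:schemas:extension:workspace:tenant:[^:]+:1\.0$")

def scim_user_query(tenant_url, user_name):
    """Build the GET URL from the post with the filter value percent-encoded."""
    if '"' in user_name or "\\" in user_name:
        raise ValueError("userName must not contain a quote or backslash")
    flt = quote(f'userName eq "{user_name}"', safe="")
    return f"{tenant_url.rstrip('/')}/SAAS/jersey/manager/api/scim/Users?filter={flt}"

def custom_attributes(response):
    """Map userName -> (tenant schema URN, attributes stored under it)."""
    found = {}
    for user in response.get("Resources", []):  # assumed list key
        for key, value in user.items():
            if TENANT_SCHEMA.match(key) and isinstance(value, dict):
                found[user.get("userName")] = (key, value)
    return found

def check_okta_attribute(namespace, external_name, response):
    """Return the mismatches between an Okta attribute and the Access response."""
    found = custom_attributes(response)
    if not found:
        return ["no tenant extension schema in response"]
    problems = []
    for user_name, (urn, attrs) in found.items():
        if namespace != urn:
            problems.append(f"{user_name}: namespace {namespace!r} is not {urn!r}")
        elif external_name not in attrs:  # names are compared case-sensitively
            problems.append(f"{user_name}: {external_name!r} not in {sorted(attrs)}")
    return problems

# Constructed sample response, not captured from a real tenant.
DSAS = "urn:scim:schemas:extension:workspace:tenant:dsas:1.0"
SAMPLE = {"Resources": [{
    "userName": "steve",
    "schemas": ["urn:scim:schemas:core:1.0", DSAS],
    DSAS: {"objectGUID": "00000000-0000-0000-0000-000000000000"},
}]}

if __name__ == "__main__":
    print(scim_user_query("https://tenant.example", "steve"))
    print(check_okta_attribute(DSAS, "objectGUID", SAMPLE))
    print(check_okta_attribute(DSAS.replace("dsas", "TENANT"), "objectGUID", SAMPLE))
```

Run the check against a user whose custom attribute already has a value; the example assumes an attribute with no value may be absent from the response.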