Workspace ONE – Okta Integration Part 2: Unified Digital Workspace

The release of Workspace ONE 19.03 brought in a very seamless integration of Okta Applications.

If you have integrated the two solutions previously you will recall the number of steps required to create and entitle new applications in Workspace from Okta. This integrations you to create and entitle applications in Okta and have them seamless appear in Workspace ONE along with your Native and Virtual Applications.

Lets walk through the steps to integrate the two solutions.

In this blog we are going to assume that you have existing connectors for Workspace ONE UEM and Workspace ONE Identity. We are also assuming you have your Workspace ONE Identity access policies already configured for Mobile SSO, Certificate or Password (Cloud Deployment).

Part 2: Unified Digital Workspace

The objective of this section to automatically sync all SAML enabled applications from Okta to Workspace ONE. This configuration will eliminate the manual steps required to both create and entitle Okta applications in Workspace ONE.

Step 1: Create an Okta API Key

  1. Log into the Okta Admin Console
  2. Go to Security -> API
  1. Click on Tokens
  2. Click Create Token
  3. Provide a name for the token
  1. Click Create Token
  1. Click the Copy Token button

    Note:  Its very important you copy and save this token somewhere. Once you close this window you will not be able to retrieve this value again. You will have to delete the token and create a new one.

Step 2: Configure Workspace ONE with Okta API Information

  1. Log into the Workspace ONE Admin Console
  2. Click on Identity & Access Management -> Setup -> Okta

Note: If you are using Chrome, please be aware of Chrome auto filling any fields.

  1. Enter your Okta Cloud URL.
    Note: Do NOT use the Admin URL!!
  1. Paste your Okta API Token
  2. Select the username search parameter that will match in Okta.
  3. Click Save

NOTE: Okta Applications will NOT appear in the Workspace ONE Admin Console

Step 3: Testing

  1. Log into Workspace ONE with a directory account.
  2. You should now see all your Okta Applications along with any other applications configured in Workspace ONE.

The Authentication Flow Explained

When you launch an Okta application from the Workspace ONE Console, it will use the configuration that has been setup in the Okta Application Source to send a SAML Response from Workspace ONE Access to Okta:

To your configured Okta Assertion Consumer URL (ACS), a SAML Response is posted along with a RelayState that will tell Okta which application the user should be sent to:

Okta will use the NameID in the Subject to appropriately map the user to a user within Okta:

If you have configured an application sign-on policy that requires additional authentication, that will be triggered before the user is sent to the target application.

4 thoughts on “Workspace ONE – Okta Integration Part 2: Unified Digital Workspace

      1. Hi there – I currently don’t have a guide on how to do this but here are some high level steps:
        1. Create a new “VMware Workspace ONE” Application in Okta
        2. Add the RelayState (from the Sign-on Tab) so its equal to your admin interface ie.
        3. Create a 3rd Party IDP in Workspace ONE Access using the metadata from the Sign-ON Tab on the app you just created in Okta.
        3b. Create an AuthMethod such as OktaADMIN using passwordprotectedtransport
        4. Create a fallback Auth method for OktaAdmin on your default access policy to allow for admin access. (Note: This fallback can be any number of levels deep as long as its present on the policy).
        5. Assign the application in Okta

        Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s