Fixing Group Issues for VMware Cloud Services Customers + Okta SCIM

If you are a VMware Cloud Services Customer and you are trying to use the VMware Workspace ONE application in Okta to leverage SCIM management of identities in WS1, you might be running into an issue with Groups.

In Workspace ONE Access you will notice that groups created from Okta are associated with the System Domain but are not associated with the directory that was created for Okta to provision users and groups.

This happens because the Okta SCIM request to create a group does not contain the domain attribute, which is associated with the correct directory information in Workspace ONE Access. Unfortunately, the SCIM request to create a group in Okta cannot be customized to include this attribute.

To work around this issue, we will have to pre-create the group on Workspace ONE Access.

  1. Open a new tab in Postman.
  2. Add the correct authorization header (as per the main Okta SCIM Integration Blog).
  3. For the HTTP Method, select "POST".
  4. For the URL, enter: "https://[TENANT]/SAAS/jersey/manager/api/scim/Groups"
  5. Under "Headers", set the Content-Type to "application/json".
  6. Use the following as a sample and click Send. You will need to do this for each group you plan on linking in Okta. Replace the displayName with the same name as the group in Okta, and include the correct domain name associated with the directory previously created for use with Okta SCIM.
     {
       "schemas": [
         "urn:scim:schemas:core:1.0",
         "urn:scim:schemas:extension:workspace:1.0"
       ],
       "displayName": "VMWCSPgroup1",
       "urn:scim:schemas:extension:workspace:1.0": {
         "domain": ""
       }
     }
  7. You will now see the group created in Workspace ONE Access and associated with the correct directory.
  8. In the Okta Administration Console, make sure this group exists in Okta before proceeding.
  9. In the VMware Workspace ONE application (in the Okta Admin Console), click on the Push Groups tab.
  10. Click on Refresh App Groups to ensure Okta has a complete list of groups in Workspace ONE Access.
  11. Click on Push Groups -> Find Groups by Name.
  12. Enter the name of the group.
  13. Ensure that a match is found in Workspace ONE Access with the option to Link Group.
  14. Click Save.
  15. Verify that the group linking was successful.
  16. The group should now sync with Workspace ONE Access.
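
Steps 2 through 6 have to be repeated for every group, so they can be scripted. The following is an added example, not code from the original post or from VMware or Okta: it builds the same POST for a list of group names and refuses to build one with an empty domain, since that is the condition that leaves a group under the System Domain. The tenant host, domain, function names and the WS1_AUTH_HEADER environment variable are assumptions; nothing is sent unless send=True is passed.

```python
import json
import os
import urllib.request

CORE = "urn:scim:schemas:core:1.0"
WS_EXT = "urn:scim:schemas:extension:workspace:1.0"


def group_payload(display_name, domain):
    """Body from step 6. The workspace extension's domain ties the group to the directory."""
    if not display_name or not display_name.strip():
        raise ValueError("displayName must match the Okta group name")
    if not domain or not domain.strip():
        # A create request without the domain leaves the group under System Domain.
        raise ValueError("domain of the Okta SCIM directory is required")
    return {"schemas": [CORE, WS_EXT], "displayName": display_name,
            WS_EXT: {"domain": domain}}


def build_request(tenant, auth_header, display_name, domain):
    """POST request for steps 3-5; auth_header is the Authorization value from step 2."""
    body = json.dumps(group_payload(display_name, domain)).encode("utf-8")
    return urllib.request.Request(
        f"https://{tenant}/SAAS/jersey/manager/api/scim/Groups", data=body, method="POST",
        headers={"Authorization": auth_header, "Content-Type": "application/json"})


def create_groups(tenant, auth_header, names, domain, send=False):
    """Build (and with send=True, submit) one request per group; returns (name, HTTP status)."""
    results = []
    for name in names:
        req = build_request(tenant, auth_header, name, domain)
        status = None
        if send:
            with urllib.request.urlopen(req, timeout=30) as resp:
                status = resp.status
        results.append((name, status))
    return results


if __name__ == "__main__":
    # Constructed sample values; the credential is read from the environment, not hard-coded.
    auth = os.environ.get("WS1_AUTH_HEADER", "PLACEHOLDER")
    for row in create_groups("tenant.example.com", auth,
                             ["VMWCSPgroup1", "VMWCSPgroup2"], "okta.example.com"):
        print(row)
```

With send left at False the script only validates and builds the requests, which is a quick way to check the group list and domain before touching the tenant.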
