Steve The Identity Guy

In the third installment of the Okta Integration with Workspace ONE, we are going to cover SCIM Provisioning from Okta to Workspace ONE.

In the first release of this functionality, there will be a lot of manual steps. I fully expect a more seamless process in future releases.

Minimum Requirements:

• Workspace ONE UEM SAAS or version 19.09 for dedicated/on-premise.
• Workspace ONE Access SAAS
  • Note: Although some aspects of the integration will work for on-premise customers, not all functionality is currently available.

Note: When creating users in Workspace ONE from Okta, they will be created as new users in Workspace ONE Access and UEM. Any previous users synchronized from AD will not get over written. Users that are currently enrolled with AD credentials will need to re-enroll with Okta credentials (if you are switching from AD to Okta).

This process will require some proficiency and knowledge in using Postman to manage identities in Workspace ONE Access (formerly known as VMware Identity Manager).  Please check out my blog on using Postman to Manage Workspace ONE Identities.

Here is a high level overview of the process:

1. Okta is configured to use Workspace ONE Provisioning Application
2. Okta will SCIM the user to Workspace ONE Access
3. The AirWatch Provisioning Adapter in Workspace ONE Access will provision the user to Workspace ONE UEM.

This blog will not going into detail on the provisioning to UEM. Please see the following blog on provisioning to UEM:
https://theidentityguy.ca/2020/11/10/workspace-one-airwatch-provisioning-app/

Step 1:  Create a Remote App Access Client

1. Log into Workspace ONE Access
2. Click on Catalog (Down Arrow) and then Settings
3. Click on Remote App Access
4. Click Create Client
5. Select “Service Client Token”
6. Enter a Client ID ie. OktaSCIM
7. Expand Advanced
8. Click Generate Shared Secret
9. Update the Access Token TTL to something longer then the default. Note: If you choose 1 year, you will need to update the Okta configuration every year with a new bearer token.
   

10. Copy the shared secret. You will need this later.
11. Click Add

Step 2:  Configure Postman to use your OAuth Token

Note: Depending on your version of Postman, these steps below might be slightly different.

1. Open a new Tab in Postman
2. For the HTTP Method, select “POST”
3. For the URL, enter: https://TENANTURL/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
   Replace the Tenant URL with your URL
   https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
4. In the authorization section, select “OAuth 2.0” as the type:
   

5. Change “Add Authorization data to” so its equal to Request Headers

6. Click Get New Access Token
7. Provide a Token Name (ie. Workspace ONE)
8. Under Grant Type, select “Client Credentials”
9. “Under Access Token URL”, enter https:[Tenant URL]/SAAS/auth/oauthtoken
10. ie. https://dsas.vmwareidentity.com/SAAS/auth/oauthtoken
11. Under Client ID, enter your Client ID from step 1.
12. Under Secret, enter your secret from step 1.
13. Under Scope, enter ‘admin’
    

14. Click Request Token
15. Click the Headers Tab and verify that the bearer token was added as a temporary header.
16. If the bearer token was not added, return to the Authorization Tab and select your token from the available tokens drop down list and preview the request again.

Step 3:  Create an “Other” Directory for your Okta Users.

1. Under “Headers”, Set the Content-Type to “application/vnd.vmware.horizon.manager.connector.management.directory.other+json”
   

2. Click on the Body tab
3. Use the following as a sample and Click Send
   {
"type":"OTHER_DIRECTORY",
"domains":["Okta.com"],    
"name":"Okta Universal Directory"  
}    

You should see a similar result

Step 4:  Add the VMware Workspace ONE App in Okta

1. Log into the Okta Admin Console
2. Click on Applications -> Applications
3. Click Add Application
4. Search for the “VMware Workspace ONE”
5. Select VMware Workspace ONE under Integrations:
   

6. Click Add
   

7. Enter your Workspace ONE URL in the field labeled “Base URL”
   ie. https://dsas.vmwareidentity.com
   

8. Click Done
9. Click on the Provisioning Tab and Click Configure API Integration
10. Select Enable API Integration
11. Paste your bearer token that was created in the earlier step with postman.
    
    Note: This is the token you obtained via Postman and NOT the secret you generated in the Access Console.
12. Click Test API Credentials
    

13. Ensure you have a “Success” before proceeding.
14. Click Save
15. Click on the Edit Button
    

16. Select Enable for Create and Deactivate and click Save
17. If you used a different domain then “okta.com” when creating your directory (using Postman), you will need scroll down and edit the domain attribute so it matches your domain.
    

18. You can now assign users and groups to the application
    
    Note: Users needs to be assigned the application (either directly or via a group assignment) before you can push groups (along with memberships) to Workspace ONE.
    

Known Issues:

1. When pushing groups from Okta to Workspace ONE, Okta has a feature called “Push Now”. If you run into an error when using this capability, click the Retry All Groups button: