Recently I’ve been getting more and more involved with customers who are looking to completely get away from their on-premises infrastructure, including AD.
There seem to be a number of solutions out there that can help with this, but none is nearly as feature-rich as Okta. Okta’s ability to import AD users, rearrange attribute mappings and integrate with thousands of applications has left me seeing it crop up as the go-to solution for organisations who fully embrace the cloud and Digital Workspace technologies.
That being said, this can add additional hurdles when deploying Workspace ONE to manage your endpoints and provide one centralised application catalogue:
- Do you leverage the Okta LDAP interface from Workspace ONE or provision your users from Okta?
- Which application catalogue do you use? Workspace ONE or Okta?
- How do you sync groups from Okta into Workspace ONE?
- Are there any missing attributes within Okta compared to AD?
To answer the above questions an organisation needs to ask itself what its end goal is. When it comes to device management, there may be some aspects that are affected. Apple DEP, for example:
- iOS and macOS do not currently support modern authentication (web browser sign-in) when the device is being configured out of the box (OOB). iOS 13 definitely will (I’m told). This means SAML enrolment into Workspace ONE for these devices is out of the window; we’d need to use the Okta LDAP interface.
- What are your usernames? Are they email addresses? Why is this important? I’ve found (the hard way) that email addresses as usernames can cause no end of issues when setting up/configuring mobile SSO. The issue is the ‘@’ symbol in the certificate common name.
- Group synchronisation: do we need to sync groups from Okta? If so, we’ll need to use the Okta LDAP interface.
If leveraging the Okta LDAP interface is what you require, have a look here; this page should provide you with the caveats and pre-reqs to get this working. For a complete walkthrough on how to integrate this with Workspace ONE UEM, navigate to this walkthrough.
Provisioning Users from Okta using JIT
A great way of integrating users from Okta is to provision them when they log in (just-in-time, or JIT). The end result we want: an admin creates a new user; the new user logs in to their Workspace ONE portal (where they can see their virtual, native and Okta apps) and is redirected to Okta; they log in to the Workspace ONE app; and Workspace ONE provisions the user into Workspace ONE UEM (AirWatch).
This is the end result:
Now there are some caveats to this:
- As it stands, there is no automated way to create the objectGUID attribute.
- User information will not update if altered in Okta; there is no ‘sync’ here.
In order to put this in place, you’ll need to add an additional attribute, called objectGUID, to the default profile of your Okta users. This is needed because users in Workspace ONE Access (vIDM) require an ‘ExternalID’ attribute:
Once this has been done, you can then create your Workspace ONE app:
I’ve then configured my vIDM tenant to use Okta as the third-party identity provider so users are redirected for logon. I’ve glanced over the configuration steps, but let me know in the comments if you need more detailed steps!
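As an added example (not from the original post or from Okta/VMware), here is a small pre-flight script covering two of the points above: it flags usernames that contain ‘@’ (the mobile SSO certificate CN problem) and builds an idempotent Okta profile update that fills the custom objectGUID attribute the Workspace ONE Access ExternalID mapping needs, deriving the GUID from the immutable Okta user id so a re-run never changes an existing value. It assumes the custom attribute is named exactly objectGUID, that partial profile updates go to POST /api/v1/users/{id} with an SSWS API token, and it runs offline against a constructed sample of user records.

```python
import json
import urllib.request
import uuid
from typing import Optional

# Fixed namespace for deriving GUIDs (placeholder value; keep it constant per tenant
# so the same Okta user always maps to the same objectGUID / ExternalID).
GUID_NAMESPACE = uuid.UUID("00000000-0000-4000-8000-000000000000")

def username_warning(login: str) -> Optional[str]:
    """Flag logins that will put an '@' into the mobile SSO certificate common name."""
    if "@" in login:
        return f"{login}: contains '@', expect mobile SSO certificate CN problems"
    return None

def stable_object_guid(okta_user_id: str) -> str:
    """Deterministic GUID from the immutable Okta user id (re-runs never change it)."""
    return str(uuid.uuid5(GUID_NAMESPACE, okta_user_id))

def build_profile_update(user: dict) -> Optional[dict]:
    """Partial-profile body that sets objectGUID, or None if it is already populated."""
    if user.get("profile", {}).get("objectGUID"):
        return None
    return {"profile": {"objectGUID": stable_object_guid(user["id"])}}

def push_update(base_url: str, api_token: str, user_id: str, body: dict) -> int:
    """Send the partial update to Okta (POST /api/v1/users/{id}); returns HTTP status.
    Network call, not exercised offline."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/users/{user_id}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json", "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed sample shaped like GET /api/v1/users output, trimmed to the fields used.
SAMPLE_USERS = [
    {"id": "00u1aaaaaaaaaaaaaaaa", "profile": {"login": "jdoe@example.com"}},
    {"id": "00u2bbbbbbbbbbbbbbbb",
     "profile": {"login": "asmith", "objectGUID": "8d3f0c6e-1b2a-5c4d-9e8f-0a1b2c3d4e5f"}},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        login = u["profile"]["login"]
        print(login, username_warning(login) or "username ok",
              build_profile_update(u) or "objectGUID already set, skipping")
```

Run it against a real export of your Okta users first and review the warnings before pushing any updates; the push step only needs the returned body and a user id.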
Within the next few months the Okta/Workspace ONE SCIM solution should be in place, which will drastically streamline this whole process.
Steve the identity guy has outlined a walkthrough here.
Sales Engineer specialising in Unified Endpoint Management (UEM) and the Digital Workspace.