Recently I’ve been getting more and more involved with customers who are looking to completely get away from their on-premises infrastructure, including AD.
There seem to be a number of solutions out there that can help with this, but none is nearly as feature-rich as Okta. Okta’s ability to import AD users, rearrange attribute mappings and integrate with thousands of applications has left me seeing it crop up as the go-to solution for organisations that fully embrace the cloud and Digital Workspace technologies.
That being said, this can add additional hurdles when deploying Workspace ONE to manage your endpoints and provide one centralised application catalogue:
- Do you leverage the Okta LDAP interface from Workspace ONE or provision your users from Okta?
- Which application catalogue do you use? Workspace ONE or Okta?
- How do you sync groups from Okta into Workspace ONE?
- Are there any missing attributes within Okta compared to AD?
To answer the above questions an organisation needs to ask itself what its end goal is. When it comes to device management, there may be some aspects that are affected. Apple DEP, for example:
- iOS and macOS do not currently support modern authentication (web browser sign-in) when the device is being configured out of the box (OOB). iOS 13 definitely will (I’m told) – this means SAML enrolment into Workspace ONE for these devices is out of the window; we’d need to use the Okta LDAP interface.
- What are your usernames? Are they email addresses? Why is this important? I’ve found (the hard way) that email addresses as usernames can cause no end of issues when setting up/configuring mobile SSO. The issue is the ‘@’ symbol in the certificate common name.
- Group synchronisation – do we need to sync groups from Okta? If so, we’ll need to use the Okta LDAP interface.
If leveraging the Okta LDAP interface is what you require, have a look here; this page should provide you with the caveats and pre-reqs to get this working. For a complete walkthrough on how to integrate this with Workspace ONE UEM, navigate to this walkthrough.
Provisioning Users from Okta using JIT
A great way of integrating users from Okta is to provision them when they log in. The end result we want: an admin creates a new user; the new user logs in to their Workspace ONE portal (where they can see their virtual, native and Okta apps) and is redirected to Okta; after logging in they land in the Workspace ONE app, and Workspace ONE provisions the user into Workspace ONE UEM (AirWatch).
This is the end result:
Now there are some caveats to this:
- As it stands there is no automated way to create the ObjectGUID attribute.
- User information will not update if altered in Okta; there is no ‘Sync’ here.
In order to put this in place, you’ll need to add an additional attribute, called objectGUID, to the default profile of your Okta users. This is needed because users in Workspace ONE Access (vIDM) require an ‘ExternalID’ attribute:
Once this has been done, you can then create your Workspace ONE app:
I’ve then configured my vIDM tenant to use Okta as the third-party identity provider so users are redirected for logon. I’ve glossed over the configuration steps, but let me know in the comments if you need more detailed steps!
Within the next few months the Okta/Workspace ONE SCIM solution should be in place, which will drastically streamline this whole process.
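Because JIT has no sync and no automatic objectGUID, it pays to check the Okta user profiles before users start logging in. The script below is an added example (not part of this post or of Okta/VMware tooling) that runs over a constructed sample in the shape of an Okta Users API listing and flags the three things this post and its comments turn out to matter: a usable ExternalID (the custom objectGUID, or Okta’s own id as the fallback from the comments), a populated email address, and an ‘@’ in the username that will break the certificate common name for mobile SSO. It also flags two users that would map to the same ExternalID, since Access must receive a unique value per user. The sample users and the `objectGUID` values are constructed.

```python
import json
from typing import Dict, List

# Constructed sample shaped like an Okta Users API listing (not real tenant data).
# "objectGUID" is the custom profile attribute added for JIT; Okta's own "id"
# is the fallback used in the comment thread (user.getInternalProperty("id")).
SAMPLE_USERS = json.loads("""[
  {"id": "00u1abc", "profile": {"login": "jsmith", "email": "jsmith@example.com",
                                 "objectGUID": "11111111-1111-1111-1111-111111111111"}},
  {"id": "00u2def", "profile": {"login": "adoe@example.com", "email": "adoe@example.com"}},
  {"id": "00u3ghi", "profile": {"login": "bwong", "email": "",
                                 "objectGUID": "11111111-1111-1111-1111-111111111111"}}
]""")


def external_id(user: dict) -> str:
    """ExternalID that Workspace ONE Access will receive: the custom objectGUID
    if populated, otherwise Okta's internal user id (the comment-thread workaround)."""
    return user["profile"].get("objectGUID") or user["id"]


def check_user(user: dict) -> List[str]:
    """Per-user findings for JIT readiness; an empty list means nothing to fix."""
    profile = user["profile"]
    login = profile.get("login", "")
    findings = []
    if not profile.get("objectGUID"):
        findings.append("no objectGUID set; externalID falls back to Okta id " + user["id"])
    if not profile.get("email"):
        findings.append("missing email: needed when Access provisions the user into UEM")
    if "@" in login:
        findings.append("login contains '@': breaks the certificate CN used for mobile SSO")
    return findings


def check_directory(users: List[dict]) -> Dict[str, List[str]]:
    """Run per-user checks and detect ExternalID collisions across the directory."""
    report = {u["profile"]["login"]: check_user(u) for u in users}
    seen: Dict[str, str] = {}
    for u in users:
        eid = external_id(u)
        if eid in seen:
            report[u["profile"]["login"]].append(
                "externalID %s collides with user %s" % (eid, seen[eid]))
        else:
            seen[eid] = u["profile"]["login"]
    return report


if __name__ == "__main__":
    for login, findings in check_directory(SAMPLE_USERS).items():
        print(login, "->", findings or "OK")
```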
Steve the identity guy has outlined a walkthrough here.
Sales Engineer specialising in Unified Endpoint Management (UEM) and Identity Management.
Technical Expertise:
o Okta – Identity Management – Providing single sign on services to applications
o VMware Workspace ONE – Configuring and managing AirWatch components across all device types.
o Digital Transformation – Helping organisations implement and deploy a modern strategy for UEM
o Networking – VPN, DNS, DHCP
o Device Management – macOS, iOS, Android, Windows and Rugged Devices
o Cloud Solutions – Azure, Office 365, Identity Providers, VMware AirWatch
o Server – Windows Server, Active Directory, Exchange
Abiola Jimoh
December 27, 2019
Hey Charlie – Great work putting this together. In-depth and well structured.
I’m trying to accomplish the same, but OKTA as my source of truth. No AD or Azure AD involved.
Is this possible? User created in OKTA, created the application and added OKTA as a Third Party Identity Manager in vIDM. But when the user clicks on the app in OKTA, I get an Access denied error: You do not have access to this service.
Not sure if it’s supposed to work, or do I need JIT, and OKTA can’t automatically provision the users?
Charlie Hodge
December 28, 2019
Hi Abiola,
Thanks for the kind words!
If you’re getting the access denied message from Workspace ONE, that will always be a policy issue within Workspace ONE. As long as you’re JITing the users into Workspace ONE, it should work.
You’ll need to make sure your policy in Workspace ONE uses the Okta authentication method associated with Okta as a third-party idp.
Charlie.
Arkadiusz Krowczynski
February 7, 2020
Hi Charlie,
very cool guide and video!!
I was able to JIT the users from Okta to WSOne Access, but not from Access to UEM.
So it seems to be that missing custom attribute ObjectGUID, right?
Greetings
Charlie Hodge
February 7, 2020
Hi Arkadiusz,
Depending on what you’re trying to achieve… If you’re leveraging the Okta universal directory then there’s no ObjectGUID in Okta. However, every user has a unique identifier, so I’ve set it up using a different attribute: externalID = user.getInternalProperty("id"). This will then use a completely unique field to create the externalID in Workspace ONE Access. You can then provision your users into Workspace ONE UEM. I’ve tested it all and it’s working for me!
Good luck!
Charlie.
Arkadiusz Krowczynski
February 13, 2020
Hey Charlie,
thank you for your feedback, the user on VMware Access side looks pretty good now, but provisioning to UEM fails.
I see as error message
Failed to provision user :okta.com\username Internal Server Error to AirWatch Reason 0.
Did you adjust something in the Provisioning App on VMware Access side??
Thanks again for feedback.
Charlie Hodge
February 13, 2020
Hi Arkadiusz,
Does the user have a valid externalID and email address in Access? And does the user already exist in UEM? Send me an email (on the contact page) with your Access tenant URL and I’ll take a look if that’s alright?
Thanks,
Charlie
Arkadiusz Krowczynski
February 19, 2020
Hey,
sorry for the late response, but it is working now, cleaned up everything and created from scratch, now works like a charm 🙂
Did you ever try to perform a Group Push from Okta to WSOne?
Thanks and greetings,
Arkadiusz
Charlie Hodge
July 22, 2020
Hi Arkadiusz,
Do you know what the issue was in the end?
Thanks
Charlie
silvipinheiro
July 15, 2020
Hi Charlie!!
I would like to know if you tested Okta as identity source for Horizon solutions through IDM?
I want to deploy an environment without any AD, just Okta.
Laxmikant
May 14, 2023
Hi Charlie
Thanks for the detailed tutorial and video with the end result. I am also trying to achieve exactly the same, where an Okta user should JIT into UEM and enrol iOS devices using the WS Intelligent Hub app.
But I get the below error after Okta login.
Username should not contain the following characters {0} ?? An unexpected error occurred.