Introduction: Bridging Identity Management Systems
As organizations adopt multi-cloud strategies and diverse SaaS applications, the need for unified identity and access management becomes paramount. Integrating Okta as a third-party identity provider with VMware Workspace ONE creates a powerful combination that leverages Okta’s robust identity management capabilities while maintaining Workspace ONE’s comprehensive endpoint management features.
This implementation guide provides detailed steps for configuring Okta as an identity provider for Workspace ONE, enabling single sign-on (SSO), multi-factor authentication (MFA), and centralized user lifecycle management across your enterprise mobility infrastructure.
Architecture Overview
Integration Components
Identity Flow Architecture:
- Okta Universal Directory: Central user repository and identity source
- Workspace ONE Access: Identity broker and policy enforcement point
- SAML 2.0 Federation: Secure token exchange between Okta and Workspace ONE
- Directory Synchronization: User and group synchronization mechanisms
- Policy Engine: Conditional access and risk-based authentication
Authentication Flow:
- User initiates access to Workspace ONE resources
- Workspace ONE Access redirects to Okta for authentication
- Okta authenticates user and applies MFA policies
- Okta issues SAML assertion to Workspace ONE Access
- Workspace ONE Access validates assertion and grants access
- User gains access to managed applications and resources
Prerequisites and Planning
Technical Requirements
Okta Environment:
- Okta Tenant: Production or preview Okta organization
- Admin Privileges: Super Admin or Application Admin rights
- User Licenses: Appropriate Okta licenses for SSO and MFA
- Custom Attributes: Any custom user attributes required for Workspace ONE
Workspace ONE Environment:
- Workspace ONE Access: Version 20.10 or later recommended
- Network Connectivity: HTTPS connectivity between Okta and Workspace ONE
- SSL Certificates: Valid SSL certificates for all endpoints
- Admin Access: Super Admin rights in Workspace ONE Access
Planning Considerations
User Attribute Mapping:
| Okta Attribute | Workspace ONE Attribute | Required | Notes |
|---|---|---|---|
| login | userName | Yes | Primary identifier |
| Yes | Email address | ||
| firstName | firstName | No | Display name |
| lastName | lastName | No | Display name |
| department | department | No | Organizational unit |
| manager | manager | No | Reporting structure |
Okta Configuration
Creating the Workspace ONE Application
Step 1: Add Application in Okta
- Log in to Okta Admin Console
- Navigate to Applications > Applications
- Click Create App Integration
- Select SAML 2.0 as the sign-in method
- Click Next
Step 2: Configure General Settings
# Application configuration parameters
App Name: VMware Workspace ONE Access
App Logo: [Upload Workspace ONE logo]
App Visibility:
- Do not display application icon to users
- Do not display application icon in the Okta Mobile appStep 3: Configure SAML Settings
# SAML Configuration
Single Sign On URL: https://[workspace-one-access-fqdn]/SAAS/auth/saml/response
Use this for Recipient URL and Destination URL: Checked
Allow this app to request other SSO URLs: Unchecked
Audience URI (SP Entity ID): https://[workspace-one-access-fqdn]/SAAS/auth/saml/metadata
Default RelayState: (Leave blank)
Name ID Format: EmailAddress
Application Username: Email
# Attribute Statements
Name: firstName
Name Format: Basic
Value: user.firstName
Name: lastName
Name Format: Basic
Value: user.lastName
Name: email
Name Format: Basic
Value: user.email
Name: userName
Name Format: Basic
Value: user.login
Name: department
Name Format: Basic
Value: user.department
# Group Attribute Statements (if using groups)
Name: groups
Name Format: Basic
Filter: Matches regex .*
Value: appuser.groupsAdvanced Okta Configuration
Custom Attribute Configuration:
# PowerShell script to configure custom attributes via Okta API
$OktaBaseUrl = "https://your-okta-domain.okta.com"
$ApiToken = "your-api-token"
$Headers = @{
"Authorization" = "SSWS $ApiToken"
"Accept" = "application/json"
"Content-Type" = "application/json"
}
# Create custom user schema attribute for Workspace ONE
$CustomAttribute = @{
definitions = @{
custom = @{
properties = @{
workspaceOneOrgGroup = @{
title = "Workspace ONE Organization Group"
type = "string"
description = "Organization Group assignment for Workspace ONE"
required = $false
permissions = @(
@{
principal = "SELF"
action = "READ_ONLY"
}
)
}
}
}
}
}
$Uri = "$OktaBaseUrl/api/v1/meta/schemas/user/default"
Invoke-RestMethod -Uri $Uri -Method POST -Headers $Headers -Body ($CustomAttribute | ConvertTo-Json -Depth 10)Group-Based Access Configuration:
# Create Okta groups for Workspace ONE access control
$Groups = @(
@{
name = "WorkspaceONE-Admins"
description = "Workspace ONE Administrators"
},
@{
name = "WorkspaceONE-Users"
description = "Standard Workspace ONE Users"
},
@{
name = "WorkspaceONE-PowerUsers"
description = "Workspace ONE Power Users"
}
)
foreach ($Group in $Groups) {
$GroupData = @{
profile = @{
name = $Group.name
description = $Group.description
}
}
$Uri = "$OktaBaseUrl/api/v1/groups"
$Result = Invoke-RestMethod -Uri $Uri -Method POST -Headers $Headers -Body ($GroupData | ConvertTo-Json)
Write-Host "Created group: $($Result.profile.name) with ID: $($Result.id)"
}Workspace ONE Access Configuration
Identity Provider Setup
Step 1: Access Identity Provider Configuration
- Log in to Workspace ONE Access Admin Console
- Navigate to Identity & Access Management > Setup
- Click Identity Providers
- Click Add Identity Provider
- Select Create Third Party IDP
Step 2: Configure Basic Settings
# Identity Provider Configuration
Identity Provider Name: Okta-Production
Identity Provider Type: SAML 2.0
# Network Configuration
Identity Provider Host Name: [okta-domain].okta.com
Base DN for Users: (Leave blank for SAML)
Bind DN: (Leave blank for SAML)
Bind Password: (Leave blank for SAML)
# SAML Configuration
SAML Context: https://[okta-domain].okta.com
Single Sign-On Service URL: https://[okta-domain].okta.com/app/[app-id]/sso/saml
Single Logout Service URL: https://[okta-domain].okta.com/app/[app-id]/slo/samlStep 3: Certificate Configuration
- Download the Okta signing certificate from the Okta application
- In Workspace ONE Access, upload the certificate under Certificate
- Verify certificate details and validity
User Attribute Mapping
Configure Attribute Mapping:
# User Attribute Mapping Configuration
userName: ${saml.subject.userName}
email: ${saml.subject.email}
firstName: ${saml.subject.firstName}
lastName: ${saml.subject.lastName}
department: ${saml.subject.department}
groups: ${saml.subject.groups}
# Custom Attributes
organizationGroup: ${saml.subject.workspaceOneOrgGroup}
userPrincipalName: ${saml.subject.userName}
displayName: ${saml.subject.firstName} ${saml.subject.lastName}Group Mapping Configuration:
# Group Mapping Rules
# Map Okta groups to Workspace ONE Access roles
# Admin Group Mapping
Source Group: WorkspaceONE-Admins
Target Role: Super Admin
Conditions: groups contains "WorkspaceONE-Admins"
# Power User Group Mapping
Source Group: WorkspaceONE-PowerUsers
Target Role: Directory Admin
Conditions: groups contains "WorkspaceONE-PowerUsers"
# Standard User Group Mapping
Source Group: WorkspaceONE-Users
Target Role: User
Conditions: groups contains "WorkspaceONE-Users"Advanced Integration Features
Conditional Access Policies
Risk-Based Authentication:
# Okta Sign-On Policy Configuration
Policy Name: Workspace ONE Conditional Access
Policy Description: Risk-based access for Workspace ONE resources
# Policy Rules
Rule 1: High-Risk Access
Conditions:
- Network: Any location outside corporate network
- Device: Unmanaged devices
- Risk: High risk score
Actions:
- Require MFA: Yes
- MFA Types: Okta Verify Push, SMS, Voice
- Session: 1 hour
Rule 2: Standard Access
Conditions:
- Network: Corporate network or trusted locations
- Device: Managed devices
- Risk: Low to medium risk score
Actions:
- Require MFA: Optional
- Session: 8 hours
Rule 3: Admin Access
Conditions:
- Groups: WorkspaceONE-Admins
Actions:
- Require MFA: Always
- MFA Types: Okta Verify Push only
- Session: 2 hoursJust-In-Time Provisioning
Automatic User Provisioning:
# JIT Provisioning Configuration in Workspace ONE Access
Enable JIT Provisioning: Yes
Default Domain: company.com
Default Organization Group: /Company/Users
# Provisioning Rules
Rule 1: Admin Provisioning
Condition: groups contains "WorkspaceONE-Admins"
Action:
- Create user in /Company/Admins
- Assign Admin role
- Enable advanced features
Rule 2: Department-Based Provisioning
Condition: department equals "IT"
Action:
- Create user in /Company/IT
- Assign PowerUser role
- Enable IT-specific applications
Rule 3: Standard User Provisioning
Condition: Default rule
Action:
- Create user in /Company/Users
- Assign User role
- Enable standard applicationsTesting and Validation
Integration Testing
Test User Creation:
# PowerShell script for creating test users in Okta
$TestUsers = @(
@{
login = "testuser1@company.com"
email = "testuser1@company.com"
firstName = "Test"
lastName = "User1"
department = "IT"
groups = @("WorkspaceONE-Users")
},
@{
login = "testadmin@company.com"
email = "testadmin@company.com"
firstName = "Test"
lastName = "Admin"
department = "IT"
groups = @("WorkspaceONE-Admins")
}
)
foreach ($User in $TestUsers) {
$UserData = @{
profile = @{
login = $User.login
email = $User.email
firstName = $User.firstName
lastName = $User.lastName
department = $User.department
}
credentials = @{
password = @{
value = "TempPassword123!"
}
}
}
# Create user
$Uri = "$OktaBaseUrl/api/v1/users?activate=true"
$Result = Invoke-RestMethod -Uri $Uri -Method POST -Headers $Headers -Body ($UserData | ConvertTo-Json -Depth 10)
# Add to groups
foreach ($GroupName in $User.groups) {
$GroupId = (Get-OktaGroup -Name $GroupName).id
$GroupUri = "$OktaBaseUrl/api/v1/groups/$GroupId/users/$($Result.id)"
Invoke-RestMethod -Uri $GroupUri -Method PUT -Headers $Headers
}
Write-Host "Created test user: $($User.login)"
}SSO Testing Checklist:
- Authentication Flow: Verify redirect to Okta and successful authentication
- Attribute Mapping: Confirm all user attributes are correctly mapped
- Group Membership: Validate group-based access and role assignment
- MFA Integration: Test multi-factor authentication requirements
- Session Management: Verify session timeout and logout functionality
- Error Handling: Test error scenarios and user experience
Troubleshooting Common Issues
SAML Assertion Validation:
# PowerShell script to decode and validate SAML assertions
function Decode-SAMLAssertion {
param(
[string]$EncodedAssertion
)
try {
# Decode base64 SAML assertion
$DecodedBytes = [System.Convert]::FromBase64String($EncodedAssertion)
$DecodedXml = [System.Text.Encoding]::UTF8.GetString($DecodedBytes)
# Parse XML
$XmlDoc = New-Object System.Xml.XmlDocument
$XmlDoc.LoadXml($DecodedXml)
# Extract key information
$NamespaceManager = New-Object System.Xml.XmlNamespaceManager($XmlDoc.NameTable)
$NamespaceManager.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")
$NamespaceManager.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
# Get assertion details
$Issuer = $XmlDoc.SelectSingleNode("//saml:Issuer", $NamespaceManager).InnerText
$Subject = $XmlDoc.SelectSingleNode("//saml:Subject/saml:NameID", $NamespaceManager).InnerText
$Attributes = $XmlDoc.SelectNodes("//saml:Attribute", $NamespaceManager)
Write-Host "SAML Assertion Analysis:"
Write-Host "Issuer: $Issuer"
Write-Host "Subject: $Subject"
Write-Host "Attributes:"
foreach ($Attribute in $Attributes) {
$Name = $Attribute.GetAttribute("Name")
$Value = $Attribute.SelectSingleNode("saml:AttributeValue", $NamespaceManager).InnerText
Write-Host " $Name = $Value"
}
} catch {
Write-Error "Failed to decode SAML assertion: $($_.Exception.Message)"
}
}Common Issues and Solutions:
| Issue | Symptoms | Solution |
|---|---|---|
| Certificate Mismatch | SAML validation errors | Verify certificate upload and validity |
| Attribute Mapping | Missing user information | Check attribute statements in Okta |
| Group Assignment | Incorrect role assignment | Verify group mapping rules |
| Session Timeout | Frequent re-authentication | Adjust session policies in both systems |
Security Considerations
SAML Security Best Practices
Certificate Management:
- Certificate Rotation: Implement regular certificate rotation schedule
- Certificate Validation: Verify certificate chain and validity
- Backup Certificates: Maintain backup certificates for continuity
- Certificate Monitoring: Monitor certificate expiration dates
Assertion Security:
- Assertion Encryption: Enable SAML assertion encryption when possible
- Signature Validation: Always validate SAML assertion signatures
- Replay Protection: Implement assertion replay protection
- Audience Restriction: Validate assertion audience restrictions
Network Security
Network Segmentation:
- DMZ Placement: Place Workspace ONE Access in DMZ
- Firewall Rules: Restrict traffic to necessary ports and protocols
- SSL/TLS: Enforce strong SSL/TLS configurations
- Network Monitoring: Monitor authentication traffic for anomalies
Monitoring and Maintenance
Authentication Monitoring
Okta System Log Analysis:
# PowerShell script for Okta authentication monitoring
$LogQuery = @{
since = (Get-Date).AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
until = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
filter = 'eventType eq "user.authentication.sso"'
limit = 1000
}
$QueryString = ($LogQuery.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join "&"
$Uri = "$OktaBaseUrl/api/v1/logs?$QueryString"
$AuthEvents = Invoke-RestMethod -Uri $Uri -Headers $Headers
# Analyze authentication patterns
$SuccessfulAuths = $AuthEvents | Where-Object { $_.outcome.result -eq "SUCCESS" }
$FailedAuths = $AuthEvents | Where-Object { $_.outcome.result -eq "FAILURE" }
Write-Host "Authentication Summary (Last 24 hours):"
Write-Host "Total Events: $($AuthEvents.Count)"
Write-Host "Successful: $($SuccessfulAuths.Count)"
Write-Host "Failed: $($FailedAuths.Count)"
# Identify top failure reasons
$FailureReasons = $FailedAuths | Group-Object { $_.outcome.reason } | Sort-Object Count -Descending
Write-Host "Top Failure Reasons:"
$FailureReasons | Select-Object Name, Count | Format-TablePerformance Monitoring
Response Time Monitoring:
# PowerShell script for monitoring authentication response times
function Test-AuthenticationPerformance {
param(
[string]$WorkspaceOneUrl,
[int]$TestIterations = 10
)
$Results = @()
for ($i = 1; $i -le $TestIterations; $i++) {
$Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
try {
# Test authentication endpoint response
$Response = Invoke-WebRequest -Uri "$WorkspaceOneUrl/SAAS/auth/saml/metadata" -UseBasicParsing
$Stopwatch.Stop()
$Results += @{
Iteration = $i
ResponseTime = $Stopwatch.ElapsedMilliseconds
StatusCode = $Response.StatusCode
Success = $true
}
} catch {
$Stopwatch.Stop()
$Results += @{
Iteration = $i
ResponseTime = $Stopwatch.ElapsedMilliseconds
StatusCode = $null
Success = $false
Error = $_.Exception.Message
}
}
Start-Sleep -Seconds 1
}
# Calculate statistics
$SuccessfulTests = $Results | Where-Object { $_.Success }
$AvgResponseTime = ($SuccessfulTests | Measure-Object ResponseTime -Average).Average
$MaxResponseTime = ($SuccessfulTests | Measure-Object ResponseTime -Maximum).Maximum
$MinResponseTime = ($SuccessfulTests | Measure-Object ResponseTime -Minimum).Minimum
Write-Host "Authentication Performance Results:"
Write-Host "Successful Tests: $($SuccessfulTests.Count)/$TestIterations"
Write-Host "Average Response Time: $([math]::Round($AvgResponseTime, 2)) ms"
Write-Host "Min Response Time: $MinResponseTime ms"
Write-Host "Max Response Time: $MaxResponseTime ms"
return $Results
}Conclusion
Integrating Okta as a third-party identity provider with VMware Workspace ONE creates a robust, scalable identity and access management solution that enhances security while improving user experience. The combination leverages Okta’s advanced identity capabilities with Workspace ONE’s comprehensive endpoint management features.
Key benefits of this integration include:
- Centralized Identity Management: Single source of truth for user identities
- Enhanced Security: Advanced MFA and conditional access capabilities
- Improved User Experience: Seamless SSO across all managed resources
- Operational Efficiency: Automated user provisioning and lifecycle management
- Compliance Support: Comprehensive audit trails and access controls
Success with this integration requires careful planning, thorough testing, and ongoing monitoring. Organizations should focus on proper attribute mapping, security configuration, and user training to maximize the benefits of the integrated solution.
“The integration of Okta with Workspace ONE has transformed our identity management strategy, providing the security and user experience our organization needs while reducing administrative overhead.” – Identity and Access Management Architect
As both platforms continue to evolve, organizations should stay current with new features and capabilities that can further enhance their identity and access management posture. Regular reviews and optimizations will ensure the integration continues to meet evolving business and security requirements.