The release of Workspace ONE 19.03 brought in a very seamless integration of Okta Applications.
If you have integrated the two solutions previously you will recall the number of steps required to create and entitle new applications in Workspace from Okta. This integrations you to create and entitle applications in Okta and have them seamless appear in Workspace ONE along with your Native and Virtual Applications.
Lets walk through the steps to integrate the two solutions.
In this blog we are going to assume that you have existing connectors for Workspace ONE UEM and Workspace ONE Identity. We are also assuming you have your Workspace ONE Identity access policies already configured for Mobile SSO, Certificate or Password (Cloud Deployment).
Part 1: Core Setup and Configuration
The objective of this section to configure Okta to delegate authentication to Workspace ONE Identity where Mobile SSO and Device Compliance are configured.
Step 1: Exporting the Workspace ONE IdP Metadata
- Log into Workspace ONE Identity Console -> Catalog -> Settings
- Click on "Identity Provider (IdP) metadata" and save the file locally.
- Scroll down to the Signing Certificate Section and Download.
Step 2: Add Identity Provider to Okta
- Log into your Okta Admin Console
- Click on Security -> Identity Providers -> SAML 2.0 Identity Provider
- Click on Add Identity Provider
- Provider a name: ie. Workspace ONE
- For IdP Username, select "idpuser.subjectNameId"
- For "If no match is found", select "Redirect to Okta sign-in page"
- For your "IdP Issuer URI", retrieve and paste this value from your SAML Metadata you downloaded in step one.
- For your "IdP Single Sign-On URL",retrieve and paste this value from your SAML Metadata you downloaded in step one.
- For the "IdP Signature Certificate, upload the signing certificate you downloaded in Step 1.
- Expand the newly created Identity Provider and download the metadata
Step 3: Create Okta Application Source in Workspace ONE Identity
- In Workspace ONE Identity Console, click on Catalog -> Settings
- Click on Application Sources
- Click on Okta
- On the Okta Application Source page, click next
- Select "URL/XML" and paste the contents of the Okta metdata we downloaded in the previous step.
- On the Access Policies page, click next (see note below):
Note: For the purpose of this blog we are using the "default_access_policy_set". However, it is recommended that you create an access policy specific for the Okta Application Source. The reason for this recommendation is that you'll likely not want any fallback mechanisms when performing Mobile SSO (so we can present a error message to enroll your device). However, when you enroll your device into Workspace ONE UEM you probably want a fallback mechanism. - Click Save on the summary page.
Step 4: Create Okta Routing Rules
- Log into the Okta console.
- Go to Security -> Identity Providers
- Click on Routing Rules
- Click Add Routing Rule
- Provide a Rule Name
- Select the platforms that you want to using Workspace ONE Identity (ie. IOS/Android)
- Select the applications that you want to use Workspace ONE Identity
- Select the Identity Provider we created previously
- Click Create Rule
Step 5: Testing
- Access your Salesforce development tenant
- Select to Authenticate with Okta
- Based on your Okta Rules, you should be redirected to Workspace ONE Identity.
- Authenticate within WS1
- You should return back to Okta and be redirected and successfully authenticated into SalesForce
Troubleshooting Tips
- Ensure your user is entitled to Salesforce within Okta.
- Verify the IdP Issuer in Okta is correct:
https://aw-sdsatest.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml - Verify the username values we are sending from Workspace ONE to Okta will match:
TO