In the third instalment of the Okta Integration with Workspace ONE, we are going to cover SCIM Provisioning from Okta to Workspace ONE.
NOTE: There is currently a known issue that will prevent you from enrolling a device with the Workspace ONE Intelligent Hub application using the Okta Unique Identifier. This should be fixed in the September time frame. However, if your UEM environment is CN135 the fix is already deployed.
If you follow these instructions, keep in mind that device enrollment will NOT work until this fix is in place.
These instructions will use a "CUSTOM" SCIM application. I will update this blog when the official WS1 application is released in OIN.
Please do not use in Production.
In the first release of this functionality, there will be a lot of manual steps. I fully expect a more seamless process in future releases.
This process will require some proficiency and knowledge in using Postman to manage identities in Workspace ONE Access (formerly known as VMware Identity Manager). Please check out my blog on using Postman to Manage Workspace ONE Identities.
Here is a high level overview of the process:
- Okta is configured to use Workspace ONE Provisioning Application
- Okta will SCIM the user to Workspace ONE Access
- The AirWatch Provisioning Adapter in Workspace ONE Access will provision the user to Workspace ONE UEM.
This blog will not going into detail on the provisioning to UEM. Please see the following blog on provisioning to UEM:
Step 1: Create a Remote App Access Client
- Log into Workspace ONE Access
- Click on Catalog (Down Arrow) and then Settings
- Click on Remote App Access
- Click Create Client
- Select "Service Client Token"
- Enter a Client ID ie. OktaSCIM
- Expand Advanced
- Click Generate Shared Secret
- Update the Access Token TTL to something longer then the default. Note: If you choose 1 year, you will need to update the Okta configuration every year with a new bearer token.
- Copy the shared secret. You will need this later.
- Click Add
Step 2: Configure Postman to use your OAuth Token
Note: Depending on your version of Postman, these steps below might be slightly different.
- Open a new Tab in Postman
- In the authorization section, select "OAuth 2.0" as the type:
- Click Get New Access Token
- Provide a Token Name (ie. Workspace ONE)
- Under "Auth URL", enter https:[Tenant URL]/SAAS/auth/oauth2/authorize
ie. https://dsas.vmwareidentity.com/SAAS/auth/oauth2/authorize - "Under Access Token URL", enter https:[Tenant URL]/SAAS/auth/oauthtoken
ie. https://dsas.vmwareidentity.com/SAAS/auth/oauthtoken - Under Client ID, enter your Client ID from step 1.
- Under Secret, enter your secret from step 1.
- Under Scope, leave blank.
- Under Grant Type, select "Client Credentials"
- Click Request Token
- Click on WorkspaceONE under Existing Tokens
- Select Use Token. Note: You will need to use this token later in the Okta Console.
- If you click on the headers tab you will see the "Authorization" header has been added with the correct token.
Step 3: Create an "Other" Directory for your Okta Users.
- Open a new Tab in Postman
- Add the Authorization Header as per the previous section.
- For the HTTP Method, select "POST"
- For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
Replace the Tenant URL with your URL
Replace the ID with the ID from the step 4 in this section.
ie. https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs - Set the Content-Type to "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
- Use the following as a sample and Click Send
{ "type":"OTHER_DIRECTORY", "domains":["Okta"], "name":"Okta" }
Copy the "userStoreId" that is returned by the above command.
Step 4: Add the Workspace ONE SCIM Provisioning App in Okta
At the time of writing this blog, the Workspace ONE Provisioning APP is not published on the OIN.
In the meanwhile, I will document the steps to create on manually.
- Log into the Okta Admin Console
- Click on Applications -> Applications
- Search for the "SCIM 1.1 Test App (OAuth Bearer Token)" application
- Provide a Name for the application and check both "Do not display" checkboxes
- Click Next
- Click Done
- Click on Sign On
- Under application format, select Email prefix
Note: This step is required to avoid an issue with using email addresses as usernames when deploying SCEP certificates in Workspace ONE UEM.
- Click on the Provisiong Tab and Click Configure API Integration
- Click Enable API Integration
- Enter the SCIM 1.1 Base URL in the following format: https://[tenant url]/SAAS/jersey/manager/scim
- Paste your bear token that was created in the earlier step with postman.
- Click Test API Credentials
- Ensure you have a "Success" before proceeding.
- Click Save
- Scroll down to the Attribute Mapping Section
- Delete the following attributes
-entitlements
-roles - Click "Go to Profile Editor"
- Click "Add Attribute"
- Click Add Attribute
- Enter "userStoreUuid" as the Display name, Variable Name and External Name
- Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
- Select Attribute Required
- Save
- Click Add Attribute
- Enter "userPrincipalName" as the Display name, Variable Name and External Name
- Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
- Select Attribute Required
- Save
- Click Add Attribute
- Enter "domain" as the Display name, Variable Name and External Name
- Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
- Select Attribute Required
- Save
- Click Add Attribute
- Click on Mappings
- Click on the Okta to Workspace ONE SCIM Tab
- Scroll down to the new attributes we created and map the attributes as per below:
Okta User Profile Workspace ONE SCIM User Profile 'PROVISIONED' internalUserType Enter the UserStoreID returned in Step 3 userStoreUuid user.email userPrincipalName Enter the Domain Used in Step 3 domain user.getInternalProperty("id") ws1_externalID - Remove the mappings for displayName and locale
- Click Save Mappings
- Click Apply Updates Now
- Click on the Provisioning Tab again
- Click Edit and Enable Provisioning for Create Users and Deactivate Users. Note: Do not select update users
- Click Save
- Using a test user, assign the user the Workspace ONE SCIM application
- If you receive an error such as below you might need to un-map additional attributes.