I've written several blogs on the Okta Integration with Workspace ONE and thought it would be best to consolidate troubleshooting in one place.
When you encounter an error, don't forget to look at Dashboard -> Reports and go to Audit Events in Workspace ONE Access.
Please bookmark this blog, as I will update it as necessary.
- Digital Workspace
- Identity Provider - Okta (3rd Party IDP)
- Identity Provider - Workspace ONE (Routing Rules)
- Device Trust
  - After successfully authenticating with Workspace ONE you receive a 400 Error Code: GENERAL_NONSUCCESS
  - On a non-trusted device (unmanaged) you receive the error "Kerberos NEGOTIATE failed or was cancelled by the user"
  - On a trusted device (managed) you are stuck in a loop between Okta and Workspace ONE Access
  - On a trusted device (managed) you get an Okta logon page saying "Device Must be Secured by Workspace ONE"
- SCIM
  - You receive the error: “Errors reported by remote server: Required user attributes:[distinguishedName] are missing.”
  - You receive the error: “Errors reported by remote server: User creation is not supported for specified directory id”
  - You receive the error: “Errors reported by remote server: User domain name specified for the user resource doesn't belong to the directory.”
  - You receive the error: “Errors reported by remote server: The group resource for create should not specify members.”
  - You receive the error: “Errors reported by remote server: Resource 'Group' is malformed: Attribute urn:okta:custom:group:1.0:description is not defined for resource Group”
Digital Workspace
You have configured Okta in Workspace ONE Access but you are not seeing the Okta applications in Workspace ONE?
It is likely that one of these three issues has occurred:
- Did you log into Workspace ONE Access as an end user? Okta applications will not appear in the admin console; they only show in the end-user catalog.
- In the Okta Cloud URL (Identity & Access Management -> Setup -> Okta), do not use the admin URL (the one containing "-admin"). It must be the end-user URL, e.g. https://vmware.oktapreview.com
- Did you select the correct search parameter? In Workspace ONE Access the username is typically the sAMAccountName (e.g. jdoe), whereas in Okta the username is typically an email address or UPN. If that is the case, change the search parameter (Identity & Access Management -> Setup -> Okta) to email or UPN so the lookup matches the user in Okta.
Okta applications previously were showing in my Workspace ONE Catalog but are no longer appearing
Okta API tokens expire after 30 days without use. If nobody in your tenant has accessed the Workspace ONE console for 30 days, the API token that Workspace ONE Access uses to read the Okta catalog might have expired. Verify in Okta (Security -> API -> Tokens) that the token is still valid, and create a new one if it is not.
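A quick way to confirm whether the token is still alive is to call the Okta API with it. The following is an added example, not code from the original post: it sends the SSWS token to Okta's GET /api/v1/users/me (which returns the user the token belongs to) and treats an HTTP 401 as an expired or revoked token. The `opener` argument and the `fake_okta` helper are assumptions for this example so the logic can be exercised offline; the org URL and token below are constructed placeholders.

```python
import io
import json
import urllib.error
import urllib.request


def check_okta_api_token(org_url: str, token: str, opener=urllib.request.urlopen):
    """Call GET /api/v1/users/me with the SSWS token and classify the outcome.

    Returns ("ok", <login the token belongs to>) on success,
    ("expired-or-invalid", <Okta errorSummary>) on HTTP 401 (Okta's answer to an
    expired or revoked token), or ("error", <detail>) for anything else.
    `opener` is injectable so the function can be tested without network access.
    """
    req = urllib.request.Request(
        org_url.rstrip("/") + "/api/v1/users/me",
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    try:
        with opener(req) as resp:
            body = json.load(resp)
        return "ok", body.get("profile", {}).get("login", "")
    except urllib.error.HTTPError as err:
        try:
            summary = json.load(err).get("errorSummary", "")
        except ValueError:
            summary = ""
        if err.code == 401:
            return "expired-or-invalid", summary
        return "error", f"HTTP {err.code} {summary}".strip()
    except urllib.error.URLError as err:
        return "error", f"network: {err.reason}"


def fake_okta(status: int, body: dict):
    """Constructed offline stand-in for urlopen that replays a canned Okta reply."""
    payload = json.dumps(body).encode()

    def _open(req):
        if status == 200:
            return io.BytesIO(payload)
        raise urllib.error.HTTPError(req.full_url, status, "error", {}, io.BytesIO(payload))

    return _open


if __name__ == "__main__":
    # Constructed placeholders; replace with your org URL and the token in use.
    live = fake_okta(200, {"profile": {"login": "svc-ws1@one-identity.ca"}})
    dead = fake_okta(401, {"errorSummary": "Invalid token provided"})
    print(check_okta_api_token("https://vmware.oktapreview.com", "00placeholder", opener=live))
    print(check_okta_api_token("https://vmware.oktapreview.com", "00placeholder", opener=dead))
```

Run it against the real tenant by omitting `opener`; an "expired-or-invalid" result means the Okta Cloud setup in Workspace ONE Access needs a fresh token. Calling this periodically (for example from a scheduled job) also counts as use and keeps the token from hitting the 30-day inactivity expiry.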
Identity Provider - Okta (3rd Party IDP)
You receive the error "federationArtifact.not.found Federation Artifact not found"
This error means the SAML authentication context that Okta is sending is not defined on the 3rd Party IdP in Workspace ONE Access. Go to Identity & Access Management -> Identity Providers, edit the Okta Identity Provider and add "Unspecified" to the SAML contexts it accepts.
You receive the error "You do not have access to this service. Contact your administrator for assistance"
Verify that the value Okta sends in the NameID matches a user in Workspace ONE Access. Go to Identity & Access Management -> Identity Providers, edit the Okta Identity Provider and check what the "Unspecified" NameID format is mapped to. If it is mapped to username, there is probably a mismatch (Okta usually sends an email or UPN, while the Workspace ONE Access username is usually the sAMAccountName). Confirm the value either with a SAML tracer or via Dashboard -> Reports -> Audit Events: look for the "LOGIN failed ()" event and note the username beside it. Clicking Details shows something like "IDP (id: 541991) does not have JIT enabled when creating user (nameId: steve@one-identity.ca)", meaning the lookup found no matching user, so Workspace ONE Access tried to create one and JIT is not enabled. You have two options in that case:
- In Identity & Access Management -> Identity Providers -> Okta Identity Provider, map "Unspecified" to Email or UserPrincipalName instead of username.
- In the Sign-On settings of the Workspace ONE app in Okta, send the Email Prefix/Username Prefix as the NameID so it matches the sAMAccountName.
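If you do not have a SAML tracer handy, the posted SAMLResponse can be decoded and inspected directly. The following is an added example and not code from the original post; it pulls out the fields behind both errors above (the AuthnContextClassRef that must be listed on the 3rd Party IdP, and the NameID that must match a Workspace ONE Access user) and tells you whether the NameID shape fits the attribute the "Unspecified" format is mapped to. The sample response is constructed, unsigned and minimal, and the Okta issuer in it is a placeholder; `classify_name_id` and `check_name_id_mapping` are helper names I chose for this example.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample resembling what Okta posts to Workspace ONE Access (no signature).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk0000000000example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exk0000000000example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">steve@one-identity.ca</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
# The same sample as it would appear in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(form_value: str) -> str:
    """Turn the SAMLResponse form field (URL-encoded base64) back into XML text."""
    return base64.b64decode(urllib.parse.unquote(form_value)).decode("utf-8")


def inspect_saml_response(xml_text: str) -> dict:
    """Extract issuer, status, NameID (value and Format) and the AuthnContextClassRef."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"error": "no plaintext Assertion (encrypted or missing)"}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    ctx = assertion.find(".//saml:AuthnContextClassRef", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    ctx_uri = (ctx.text or "").strip() if ctx is not None else ""
    return {
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "status": status.get("Value", "") if status is not None else "",
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "authn_context_uri": ctx_uri,
        # Short form as shown in the Workspace ONE Access IdP "SAML Context" list.
        "authn_context": ctx_uri.rsplit(":", 1)[-1],
    }


def classify_name_id(name_id: str) -> str:
    """Rough shape of the NameID: DOMAIN\\user, email/UPN (indistinguishable on the wire), or bare sAMAccountName."""
    if "\\" in name_id:
        return "down-level"
    if "@" in name_id:
        return "email-or-upn"
    return "samaccountname"


def check_name_id_mapping(name_id: str, unspecified_maps_to: str):
    """Does the NameID Okta sent fit the Workspace ONE Access attribute that the
    'Unspecified' NameID format is mapped to ("userName", "email" or "userPrincipalName")?
    Returns (ok, advice)."""
    kind = classify_name_id(name_id)
    wants_at = unspecified_maps_to in ("email", "userPrincipalName")
    if (wants_at and kind == "email-or-upn") or (not wants_at and kind == "samaccountname"):
        return True, "NameID shape matches the mapped attribute"
    if kind == "email-or-upn":
        return False, (f"Okta sent an email/UPN but 'Unspecified' maps to {unspecified_maps_to}: "
                       "map it to email or userPrincipalName, or have Okta send the username/email prefix")
    return False, (f"Okta sent {name_id!r} but 'Unspecified' maps to {unspecified_maps_to}: "
                   "map it to userName, or have Okta send the full email/UPN")


if __name__ == "__main__":
    fields = inspect_saml_response(decode_saml_response(SAMPLE_RESPONSE_B64))
    print(fields)
    print(check_name_id_mapping(fields["name_id"], "userName"))
```

Paste the SAMLResponse value captured from the browser's network tab into `decode_saml_response`; if `authn_context` is not among the SAML contexts listed on the Okta IdP in Workspace ONE Access you get the federationArtifact error, and if `check_name_id_mapping` reports a mismatch you get the "You do not have access to this service" error.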
When you log out of Workspace ONE, it immediately logs you back in.
Without Single Logout, the Workspace ONE Access logout does not end the Okta session, so the next request is silently re-authenticated by Okta. In the "VMware Workspace ONE" application in Okta, open Sign-On and enable Single Logout; you will have to upload the signing certificate from Workspace ONE Access. Once enabled, re-export the Okta metadata and update the 3rd Party IdP in Workspace ONE Access. Don't forget to enable Single Logout there as well (keep the other two fields blank).
Identity Provider - Workspace ONE (Routing Rules)
When using routing rules and after successfully authenticating with Workspace ONE you receive a 400 Error Code: GENERAL_NONSUCCESS
Verify in the 3rd Party IDP setting in Okta that you've configured the correct Issuer URI. It should end in "SAAS/API/1.0/GET/metadata/idp.xml"
When using routing rules and after successfully authenticating with Workspace ONE you receive an Okta Logon Page
In the Okta Application Source in Workspace ONE, make sure you are sending the correct value in the Username Value. In most cases the Workspace ONE username is the sAMAccountName and will not match the username in Okta, so Okta shows its own logon page instead of accepting the assertion. Change the value to either "${user.userPrincipalName}" or "${user.email}", whichever matches the Okta username.
Device Trust
After successfully authenticating with Workspace ONE you receive a 400 Error Code: GENERAL_NONSUCCESS
Verify in the Identity Provider section in Okta that "Request Authentication Context" is set to "Device Trust".
On a non-trusted device (unmanaged) you receive the error "Kerberos NEGOTIATE failed or was cancelled by the user"
In Workspace ONE Access, edit the Okta Application Source (Catalog -> WebApps-> Settings -> Application Source), under Configuration - Advanced Properties, make sure Enable Authentication Failure Notification is set to Yes.
On a trusted device (managed) you are stuck in a loop between Okta and Workspace ONE Access
In Workspace ONE Access, edit the Okta Application Source (Catalog -> Web Apps -> Settings -> Application Source) and, under Configuration - Advanced Properties, make sure Device SSO Response and Enable ForceAuthN Request are both set to Yes.
On a trusted device (managed) you get an Okta logon page saying "Device Must be Secured by Workspace ONE"
In the Workspace ONE access policies, verify that you have only one authentication method per platform rule. You cannot combine Mobile SSO and Device Compliance in a single Workspace ONE policy rule.
SCIM
You receive the error: “Errors reported by remote server: Required user attributes:[distinguishedName] are missing.”
distinguishedName is marked as a required attribute in Workspace ONE Access, and Okta does not send a DN over SCIM. Uncheck it under Identity & Access Management -> Setup -> User Attributes.
You receive the error: “Errors reported by remote server: User creation is not supported for specified directory id”
You are attempting to create a user in a directory that is not of type "Other". Verify that, when you completed the prerequisites, you did not use a domain that is already owned by another directory; it is possible the domain was used for JIT. If so, create another directory of type Other with a unique domain and point the Okta SCIM integration at it.
You receive the error: “Errors reported by remote server: User domain name specified for the user resource doesn't belong to the directory.”
The domain you configured in the attribute mapping in Okta does not match the domain of the directory created in Workspace ONE Access. Correct the domain value in the Okta attribute mapping so it equals the directory's domain exactly.
You receive the error “Errors reported by remote server: The group resource for create should not specify members.”
Workspace ONE Access does not accept a member list on a group create. Create the group in Workspace ONE Access first (for example via the SCIM API with Postman) and then, in Okta's Push Groups, choose Link Group to the existing group instead of Create.
You receive the error: “Errors reported by remote server: Resource 'Group' is malformed: Attribute urn:okta:custom:group:1.0:description is not defined for resource Group”
Same workaround as above: Workspace ONE Access does not accept the Okta custom group description attribute on create, so create the group in Workspace ONE Access first (for example via the SCIM API with Postman) and choose Link Group in Okta's Push Groups instead of Create.
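Each of the five SCIM errors above is a property of the pushed payload or of the target directory, so they can be caught before the push. The following is an added example, not code from the original post or from VMware/Okta: a pre-flight check that reproduces the server's conditions over constructed user and group payloads shaped like an Okta push. The directory record, the required-attribute set, the SCIM attribute paths, the workspace extension name and the accepted group attributes are all assumptions for illustration; the error strings are the ones quoted on this page.

```python
# Constructed stand-in for the Workspace ONE Access directory that SCIM writes to.
WS1_DIRECTORY = {"id": "d0c0ffee", "type": "OTHER", "domain": "okta.one-identity.ca"}

WORKSPACE_EXT = "urn:scim:schemas:extension:workspace:1.0"  # assumed extension name

# Attributes ticked as "required" under Identity & Access Management -> Setup ->
# User Attributes. REQUIRED_WITH_DN reproduces the misconfiguration from the
# page; REQUIRED_FIXED is the corrected set.
REQUIRED_WITH_DN = {"userName", "firstName", "lastName", "email", "distinguishedName"}
REQUIRED_FIXED = REQUIRED_WITH_DN - {"distinguishedName"}

# Where each Workspace ONE attribute lives in the SCIM user JSON (assumed paths).
SCIM_PATH = {
    "userName": "userName",
    "firstName": "name/givenName",
    "lastName": "name/familyName",
    "email": "emails/0/value",
    "distinguishedName": f"{WORKSPACE_EXT}/distinguishedName",
}

# Top-level attributes the target accepts on a group create (assumed set).
KNOWN_GROUP_ATTRS = {"schemas", "displayName", "externalId", "members"}


def _flatten(obj, prefix=""):
    """Flatten nested SCIM JSON into {"a/b/0/c": value} for simple path lookups."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            out.update(_flatten(v, f"{prefix}{k}/"))
        return out
    if isinstance(obj, list):
        out = {}
        for i, v in enumerate(obj):
            out.update(_flatten(v, f"{prefix}{i}/"))
        return out
    return {prefix.rstrip("/"): obj}


def preflight_user(payload, directory=WS1_DIRECTORY, required=REQUIRED_FIXED):
    """Return the server-style error strings a user create would trigger."""
    flat = _flatten(payload)
    errors = []
    missing = sorted(a for a in required if not flat.get(SCIM_PATH[a]))
    if missing:
        errors.append(f"Required user attributes:[{','.join(missing)}] are missing.")
    if directory["type"] != "OTHER":  # only an "Other" directory accepts SCIM creates
        errors.append("User creation is not supported for specified directory id")
    if flat.get(f"{WORKSPACE_EXT}/domain") != directory["domain"]:
        errors.append("User domain name specified for the user resource doesn't belong to the directory.")
    return errors


def preflight_group(payload):
    """Return the server-style error strings a group create would trigger."""
    errors = []
    if payload.get("members"):
        errors.append("The group resource for create should not specify members.")
    for path in _flatten(payload):
        if path.split("/", 1)[0] not in KNOWN_GROUP_ATTRS:
            # Okta's custom group schema flattens to urn:okta:custom:group:1.0/description
            errors.append(f"Resource 'Group' is malformed: Attribute {path.replace('/', ':')} "
                          "is not defined for resource Group")
    return errors


# Constructed payloads shaped like an Okta push; the user carries the wrong domain.
OKTA_USER_PUSH = {
    "schemas": ["urn:scim:schemas:core:1.0", WORKSPACE_EXT],
    "userName": "steve",
    "name": {"givenName": "Steve", "familyName": "Example"},
    "emails": [{"value": "steve@one-identity.ca", "primary": True}],
    WORKSPACE_EXT: {"domain": "one-identity.ca"},
}
OKTA_GROUP_PUSH = {
    "schemas": ["urn:scim:schemas:core:1.0", "urn:okta:custom:group:1.0"],
    "displayName": "WS1-Admins",
    "members": [{"value": "steve"}],
    "urn:okta:custom:group:1.0": {"description": "pushed from Okta"},
}

if __name__ == "__main__":
    for e in preflight_user(OKTA_USER_PUSH, required=REQUIRED_WITH_DN):
        print("user:", e)
    for e in preflight_group(OKTA_GROUP_PUSH):
        print("group:", e)
```

Note what the fixes look like in this model: the distinguishedName error goes away by shrinking the required set on the Workspace ONE side (not by inventing a DN in Okta), the domain error by making the Okta mapping equal to the directory's domain, and both group errors by sending a bare group (no members, no custom description) or, as the page recommends, by linking to a pre-created group instead.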