If you are a VMware Cloud Services customer using the VMware Workspace ONE application in Okta to manage identities in Workspace ONE Access via SCIM, you may run into an issue with groups.
In Workspace ONE Access you will notice that groups created from Okta are associated with the System Domain, not with the directory that was created for Okta to provision users and groups into.
This happens because Okta cannot include the correct domain/directory information in the SCIM request when it creates the group initially.
To work around this issue, we will have to pre-create the group on Workspace ONE Access.
- Open a new tab in Postman
- Add the correct authorization header (as per the main Okta SCIM Integration Blog https://communities.vmware.com/blogs/steveIDM/2019/08/13/workspace-one-okta-integration-part-3-setting-up-scim-provisioning)
- For the HTTP Method, select "POST"
- For the URL, enter: "https://[TENANT]/SAAS/jersey/manager/api/scim/Groups"
- Under "Headers", set the Content-Type to "application/json"
- Use the following body as a sample and click Send. Repeat this for each group you plan to link in Okta: replace displayName with the exact name of the group in Okta, and set domain to the domain name associated with the directory previously created for use with Okta SCIM.
```json
{
  "schemas": [
    "urn:scim:schemas:core:1.0",
    "urn:scim:schemas:extension:workspace:1.0"
  ],
  "displayName": "VMWCSPgroup1",
  "urn:scim:schemas:extension:workspace:1.0": {
    "domain": "vmwaredemo.com"
  }
}
```
- You will now see the group created in Workspace ONE Access and associated with the correct directory.
- In the Okta Administration Console, please make sure this group exists in Okta before proceeding.
- In the VMware Workspace ONE application (in the Okta Admin Console), click on the Push Groups tab.
- Click on Refresh App Groups to ensure Okta has a complete list of groups in Workspace ONE Access.
- Click on Push Groups -> Find Groups by Name
- Enter the name of the group
- Ensure that a match is found in Workspace ONE Access with the option to Link Group.
- Click Save
- Verify that the group linking was successful.
- The group should now sync with Workspace ONE Access.
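If you have more than a handful of groups to pre-create, the Postman step above can be scripted. The following is an added example, not code from the original post or from VMware: it builds the same SCIM 1.0 Group body with the workspace domain extension and POSTs it to the Groups endpoint. It assumes the API is called with an `Authorization: Bearer` header as in the linked part-3 post, and that the tenant hostname, token and directory domain are supplied through the environment variables `TENANT`, `WS1_TOKEN` and `WS1_DOMAIN` (names chosen here, not from the page).

```python
import json
import os
import sys
import urllib.error
import urllib.request

SCIM_CORE = "urn:scim:schemas:core:1.0"
WS1_EXT = "urn:scim:schemas:extension:workspace:1.0"


def build_group_payload(display_name: str, domain: str) -> dict:
    """SCIM 1.0 Group body that pins the group to the Okta-backed directory's domain."""
    if not display_name or not domain:
        raise ValueError("display_name and domain are required")
    return {
        "schemas": [SCIM_CORE, WS1_EXT],
        "displayName": display_name,
        WS1_EXT: {"domain": domain},
    }


def groups_url(tenant: str) -> str:
    """SCIM Groups endpoint for a Workspace ONE Access tenant hostname."""
    return f"https://{tenant}/SAAS/jersey/manager/api/scim/Groups"


def create_group(tenant: str, token: str, display_name: str, domain: str) -> dict:
    """POST one pre-created group and return the parsed SCIM response body."""
    req = urllib.request.Request(
        groups_url(tenant),
        data=json.dumps(build_group_payload(display_name, domain)).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",  # assumed token scheme, see lead-in
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Surface the SCIM error body (e.g. a displayName that already exists), not just the status.
        body = err.read().decode("utf-8", errors="replace")
        raise RuntimeError(f"{display_name}: HTTP {err.code} {body}") from err


if __name__ == "__main__":
    # Hypothetical usage: python precreate_groups.py "VMWCSPgroup1" "VMWCSPgroup2"
    tenant, token, domain = (os.environ[k] for k in ("TENANT", "WS1_TOKEN", "WS1_DOMAIN"))
    for name in sys.argv[1:]:
        created = create_group(tenant, token, name, domain)
        print(f"created {created.get('displayName')} id={created.get('id')}")
```

Keep the token in the environment rather than in the script, since it grants full group-management rights on the tenant.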