Integration of Okta
To integrate Okta into the environment as the leading IdP and to provision users and groups from Okta to Workspace ONE, some preparation is needed. We need a custom directory (type Other), which we will create with Postman (www.postman.com), and a Remote App Access client in Workspace ONE Access. Additionally, an OAuth bearer token is necessary. Users from the Okta Universal Directory will be provisioned into the created directory via the Okta SCIM adapter.
Create Remote App Access Client in Workspace ONE Access
To create the client, log into the Workspace ONE Access console and follow these steps:
- Log into the Workspace ONE Access administration portal
- Click the Catalog tab
- Choose Settings
- Click the Remote App Access tab
- Click Create Client
- Access Type = Service Client Token
- Client ID = enter a unique name (OktaSCIM, for instance)
- Expand the advanced options
- Click Generate Shared Secret (save it to a text file; you will need it later)
- Change the unit of Access Token Time-to-Live (TTL) from days to years
- This is the period after which the token expires and you have to update the configuration within Okta
- Click Add
Generate OAuth Bearer Token – Postman
After you have created the Remote App Access client, generate an OAuth bearer token via Postman:
- Download Postman from the website (www.postman.com) and install it on your device
- Open Postman and open a new tab
- Set the method to POST and enter the URL in the address box at the top:
- https://tenanturl/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
- tenanturl is your Workspace ONE Access tenant URL
- Example: https://mytenant.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
- Under TYPE on the left side, click the arrow and choose OAuth 2.0 from the pulldown menu
- On the right side, Token Name = choose a name (e.g. Workspace ONE)
- Grant Type = Client Credentials
- Access Token URL = https://yourtenant/SAAS/auth/oauthtoken (example: https://mytenant.vmwareidentity.com/SAAS/auth/oauthtoken)
- Client ID = the name you configured for the Remote App Access client in Workspace ONE Access (here: OktaSCIM)
- Client Secret = the shared secret you generated for the Remote App Access client in Workspace ONE Access
- Scope = admin
- Client Authentication = leave the default (Send as Basic Auth header)
- Click Get New Access Token
- The token is generated and shown. Copy it to a text file
- To be sure the token was added, open the Headers tab and click the hidden headers link
Under the key Authorization, in the Value column, you should see your bearer token. If not, go back to the Authorization tab and choose your bearer token from the pulldown menu.
If it still does not work as expected, repeat the creation of the bearer token.
Creation of a Directory of Type Other in Workspace ONE Access
To provision users from the Okta Universal Directory to Workspace ONE Access, you have to create a directory to synchronize into.
For that we use Postman again.
Under the Headers tab, add Content-Type in the Key column and put the following in the Value column: application/vnd.vmware.horizon.manager.connector.management.directory.other+json
(If Content-Type is not offered, start typing in the Key column and choose it from the pulldown menu.)
Now switch to the Body tab and use a syntax like this:
Example:
{
    "type": "OTHER_DIRECTORY",
    "domains": ["OKTA.COM"],
    "name": "Okta Universal Directory"
}
Please pay attention to the correct syntax. A common issue when copying and pasting is that straight quotes (") are replaced by typographic quotes (“ ”); the request will then fail. OKTA.COM is only an example domain; set it to anything you want, but make sure it is unique within your environment!
Caution: If you plan to integrate with Microsoft Azure AD and want to provision users through all systems, including Azure, so that one account and password is used across all your systems and devices, then enter your primary domain here or create a new domain for federation that you can use here. That will be covered in a later chapter.
As a result, you should get a response like this:
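The Postman steps above (client-credentials token with Basic auth and scope=admin, then the directory POST with the vendor Content-Type) can also be scripted. The following is an added example, not code from the original guide or from VMware/Okta; it reads the tenant and shared secret from the environment variables WS1_TENANT and WS1_CLIENT_SECRET (assumed names) and rejects a body that carries pasted typographic quotes before sending it.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Media type the page prescribes for creating a directory of type OTHER.
DIRECTORY_CONTENT_TYPE = "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # pasted typographic quotes break the JSON body
# Constructed body with the same shape as the page's example.
BODY = '{"type":"OTHER_DIRECTORY","domains":["OKTA.COM"],"name":"Okta Universal Directory"}'


def token_request(tenant, client_id, client_secret):
    """Client-credentials token request: client id/secret as Basic auth header, scope=admin."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"url": f"https://{tenant}/SAAS/auth/oauthtoken",
            "headers": {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "admin"})}


def validate_body(raw):
    """Reject typographic quotes, then check the minimal OTHER_DIRECTORY shape."""
    if any(c in CURLY_QUOTES for c in raw):
        raise ValueError('body contains typographic quotes; retype them as "')
    doc = json.loads(raw)
    if doc.get("type") != "OTHER_DIRECTORY" or not doc.get("domains") or not doc.get("name"):
        raise ValueError("body needs type OTHER_DIRECTORY, a domains list and a name")
    return doc


def directory_request(tenant, bearer_token, raw_body):
    """POST that creates the directory, carrying the vendor media type and the bearer token."""
    return {"url": f"https://{tenant}/SAAS/jersey/manager/api/connectormanagement/directoryconfigs",
            "headers": {"Authorization": f"Bearer {bearer_token}", "Content-Type": DIRECTORY_CONTENT_TYPE},
            "body": json.dumps(validate_body(raw_body))}


def send(req):
    """Perform the POST and return the decoded JSON response."""
    r = urllib.request.Request(req["url"], data=req["body"].encode(), headers=req["headers"], method="POST")
    with urllib.request.urlopen(r, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    tenant = os.environ["WS1_TENANT"]          # assumed variable, e.g. mytenant.vmwareidentity.com
    secret = os.environ["WS1_CLIENT_SECRET"]   # assumed variable; shared secret of the Remote App Access client
    token = send(token_request(tenant, "OktaSCIM", secret))["access_token"]
    print(send(directory_request(tenant, token, BODY)))
```

Keeping the shared secret in an environment variable rather than a text file avoids leaving a long-lived credential on disk.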