
WS1 Access integration and Okta


Solved by Glyn Dobson

  • Employee

The link that you reference is for the Okta classic engine; you should check that this is what you are using. If you are using the Okta Identity Engine, device trust is implemented using Okta Verify: https://help.okta.com/oie/en-us/content/topics/identity-engine-upgrade/dt-upgrade-considerations.htm

The flow in the link you referenced is using Workspace ONE Access as the IDP. This is the recommended approach to setting up Mobile SSO for Android/iOS or Certificate Based authentication for Windows/macOS. You would need to add Workspace ONE Access as an Identity Provider in Okta in order to do this.

  • Employee
  • Solution

Short version, yes.

Longer version:

To use Okta to auth into UEM you would need to configure SAML under Directory Services to use Okta.

If you want to use Okta to auth into the Access portal, you would need to configure Okta as the IDP inside Access and set the appropriate rules in the Default Access Policy to send the auth request over to Okta.

For Mobile SSO to work, Access must be the IDP, so you would need to set Access as an IDP inside Okta and then set the appropriate routing rules to send the authentication request over to Access. On the Access side, make sure your Default Access Policy is set so that the rules for Android and iOS are the first ones in the list (for that device type) to be evaluated, and set them to use Mobile SSO as the authentication method. I'd suggest adding Device Compliance in there too.

  • Employee

Okta is pretty flexible with its own authentication policies and routing rules, so you won't create any kind of loops even if you integrate them both: Okta as IdP for Access and Access as IdP for Okta.

You would create a set of rules and enforce Okta's own login methods for the Access SP/Application, whilst setting up Okta as authentication method for enrollments for example in the default access policy in Access.

You can then leverage Access as IdP or IdP Authenticator in Okta. The newer method of the integration uses Access as a possession factor inside of Okta authentication policies. For that you create a web app in Access and specify a policy for it that requires Mobile SSO and compliance.

You could even go further and integrate Okta as IdP yet again just to use it as an MFA solution if you want to have step-up auth from Mobile SSO and compliance.

I'm writing a guide at the moment for Techzone; there are just a lot of configs to cover. There are also other solutions if compliance is the priority, by using Tunnel or APIs to talk to Okta's Workflow solution.

For what it is worth, you can absolutely create an authentication loop in Okta. I did this to myself when I first was building the integration. Inevitably, it depends on how you want to tie the two of them together. I personally still prefer to use User Agent redirection because I don't like OIC's new solution for Mobile SSO.

  • Like 2
Link to comment
Share on other sites
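The two points made above, that Access must evaluate its iOS/Android Mobile SSO rules before any rule that hands off to Okta, and that two IdPs which each route to the other can produce an authentication loop, are easy to reason about with a small model. The following is an added example, not code from the thread or from either product: it represents each IdP's ordered routing rules in a toy schema (the `Rule`/`IdP` classes, rule names, device types and method names are all constructed for illustration) and walks an authentication request from one IdP to the other until it either reaches a local login method or revisits an IdP. It includes a deliberately mis-ordered Access policy alongside the corrected one so the ordering problem is visible.

```python
"""Toy model of two-way IdP routing between Workspace ONE Access and Okta.

Everything here is constructed for illustration: the rule schema, rule
names, device types and method strings are NOT the real product settings.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    device_types: frozenset           # empty set means "matches any device type"
    auth_method: Optional[str] = None  # local method, e.g. "mobile_sso"
    delegate_to: Optional[str] = None  # forward the request to this IdP instead
    require_compliance: bool = False

    def matches(self, device_type: str) -> bool:
        return not self.device_types or device_type in self.device_types


@dataclass
class IdP:
    name: str
    rules: list  # evaluated top to bottom; first match wins


DEVICE_TYPES = ("ios", "android", "windows", "macos")


def first_matching_rule(idp: IdP, device_type: str) -> Optional[Rule]:
    for rule in idp.rules:
        if rule.matches(device_type):
            return rule
    return None


def resolve(idps: dict, start: str, device_type: str, max_hops: int = 10):
    """Follow routing from `start` until a local auth method is reached.

    Returns (outcome, path) where outcome is the local method string,
    "no_rule" if an IdP has nothing matching, or "loop" if an IdP repeats.
    """
    path, visited, current = [start], {start}, start
    for _ in range(max_hops):
        rule = first_matching_rule(idps[current], device_type)
        if rule is None:
            return ("no_rule", path)
        if rule.delegate_to is None:
            suffix = "+compliance" if rule.require_compliance else ""
            return (rule.auth_method + suffix, path)
        nxt = rule.delegate_to
        if nxt in visited:                 # we have been here before: a loop
            return ("loop", path + [nxt])
        visited.add(nxt)
        path.append(nxt)
        current = nxt
    return ("loop", path)


def find_loops(idps: dict) -> list:
    """Audit every (starting IdP, device type) pair and report the ones that loop."""
    return [(start, dt, resolve(idps, start, dt)[1])
            for start in idps for dt in DEVICE_TYPES
            if resolve(idps, start, dt)[0] == "loop"]


def misconfigured() -> dict:
    # Each side blindly forwards everything to the other: guaranteed loop.
    return {
        "access": IdP("access", [Rule("all-to-okta", frozenset(), delegate_to="okta")]),
        "okta": IdP("okta", [Rule("all-to-access", frozenset(), delegate_to="access")]),
    }


def corrected() -> dict:
    # Access: Mobile SSO (+ compliance) for iOS/Android is FIRST; rest goes to Okta.
    # Okta: only mobile traffic is routed to Access; desktops log in at Okta.
    mobile = frozenset({"ios", "android"})
    return {
        "access": IdP("access", [
            Rule("mobile-sso-first", mobile, auth_method="mobile_sso", require_compliance=True),
            Rule("rest-to-okta", frozenset(), delegate_to="okta"),
        ]),
        "okta": IdP("okta", [
            Rule("mobile-to-access", mobile, delegate_to="access"),
            Rule("desktop-at-okta", frozenset(), auth_method="okta_password_mfa"),
        ]),
    }


def misordered() -> dict:
    # Same rules as corrected(), but the catch-all Access rule is evaluated
    # before the Mobile SSO rule, so mobile requests bounce back to Okta.
    cfg = corrected()
    cfg["access"].rules.reverse()
    return cfg


if __name__ == "__main__":
    for label, cfg in (("misconfigured", misconfigured()), ("misordered", misordered()), ("corrected", corrected())):
        print(label, find_loops(cfg))
```

Running the block prints eight looping pairs for the mutual catch-all configuration, four (the mobile device types from either side) for the mis-ordered Access policy, and none for the corrected one, which matches the ordering advice in the accepted answer. The same walk is a useful desk check before enabling a new routing rule in either console: for each device type, trace which rule fires first on each side and confirm the chain ends at a local login method.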
