Quantcast
Channel: VMware Communities : All Content - All Communities
Viewing all articles
Browse latest Browse all 182126

Workspace ONE - Okta Integration Part 3: SCIM Provisioning

$
0
0

For updates on this blog and other blogs, follow me on Twitter: @SteveIDM

 

In the third installment of the Okta Integration with Workspace ONE, we are going to cover SCIM Provisioning from Okta to Workspace ONE.

 

NOTE: This integration requires UEM 19.09 which should be deployed to most SAAS tenants.

 

These instructions will use a "CUSTOM" SCIM application. I will update this blog when the official WS1 application is released in OIN.

 

Please do not use in Production.

 

In the first release of this functionality, there will be a lot of manual steps. I fully expect a more seamless process in future releases.

 

This process will require some proficiency and knowledge in using Postman to manage identities in Workspace ONE Access (formerly known as VMware Identity Manager).  Please check out my blog on using Postman to Manage Workspace ONE Identities.

https://communities.vmware.com/blogs/steveIDM/2019/05/09/using-postman-to-manage-workspace-one-identities

Here is a high level overview of the process:

Screen Shot 10-15-19 at 11.44 AM.PNG

  1. Okta is configured to use Workspace ONE Provisioning Application
  2. Okta will SCIM the user to Workspace ONE Access
  3. The AirWatch Provisioning Adapter in Workspace ONE Access will provision the user to Workspace ONE UEM.

 

This blog will not going into detail on the provisioning to UEM. Please see the following blog on provisioning to UEM:

Workspace ONE - AirWatch Provisioning App

Step 1:  Create a Remote App Access Client

  1. Log into Workspace ONE Access
  2. Click on Catalog (Down Arrow) and then Settings
  3. Click on Remote App Access
  4. Click Create Client
  5. Select "Service Client Token"
  6. Enter a Client ID ie. OktaSCIM
  7. Expand Advanced
  8. Click Generate Shared Secret
  9. Update the Access Token TTL to something longer then the default. Note: If you choose 1 year, you will need to update the Okta configuration every year with a new bearer token.


  10. Copy the shared secret. You will need this later.
  11. Click Add

 

Step 2:  Configure Postman to use your OAuth Token

 

Note: Depending on your version of Postman, these steps below might be slightly different.

 

  1. Open a new Tab in Postman
  2. In the authorization section, select "OAuth 2.0" as the type:
  3. Click Get New Access Token
  4. Provide a Token Name (ie. Workspace ONE)
  5. Under Grant Type, select "Client Credentials"
  6. "Under Access Token URL", enter https:[Tenant URL]/SAAS/auth/oauthtoken
  7. ie. https://dsas.vmwareidentity.com/SAAS/auth/oauthtoken
  8. Under Client ID, enter your Client ID from step 1.
  9. Under Secret, enter your secret from step 1.
  10. Under Scope, enter 'admin'
  11. Click Request Token
  12. On the left hand side, Select "Request Headers" and click "Preview Request".

  13. You should see a message saying headers were updated correctly:
  14. Click the Headers Tab and verify that the bearer token was added as a temporary header.
  15. If the bearer token was not added, return to the Authorization Tab and select your token from the available tokens drop down list and preview the request again.

 

Step 3:  Create an "Other" Directory for your Okta Users.

  1. Open a new Tab in Postman
  2. Add the Authorization Header as per the previous section.
  3. For the HTTP Method, select "POST"
  4. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
    Replace the Tenant URL with your URL
    ie. https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
  5. Under "Headers", Set the Content-Type to "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
    Screen Shot 10-15-19 at 11.49 AM.PNG
  6. Use the following as a sample and Click Send

 

{  
"type":"OTHER_DIRECTORY",  
"domains":["Okta.com"],  
"name":"Okta Universal Directory"  
}  

 

You should see a similar result

Screen Shot 10-15-19 at 11.50 AM.PNG

 

Step 4:  Add the Workspace ONE SCIM Provisioning App in Okta

 

At the time of writing this blog, the Workspace ONE Provisioning APP is not published on the OIN.

 

In the meanwhile, I will document the steps to create on manually.

  1. Log into the Okta Admin Console
  2. Click on Applications -> Applications
  3. Search for the "SCIM 1.1 Test App (OAuth Bearer Token)" application
  4. Provide a Name for the application and check both "Do not display" checkboxes
    Screen Shot 10-15-19 at 11.52 AM.PNG
  5. Click Next
  6. Click Done
  7. Click on Sign On
  8. Under application format, select Email prefix
    Note: This step is required to avoid an issue with using email addresses as usernames when deploying SCEP certificates in Workspace ONE UEM.
  9. Screen Shot 10-15-19 at 11.53 AM.PNG
  10. Click on the Provisiong Tab and Click Configure API IntegrationClick Enable API Integration
  11. Enter the SCIM 1.1 Base URL in the following format: https://[tenant url]/SAAS/jersey/manager/api/scim
  12. Paste your bearer token that was created in the earlier step with postman.
  13. Click Test API Credentials
  14. Ensure you have a "Success" before proceeding.
  15. Click Save
  16. Scroll down to the Attribute Mapping Section
  17. Delete the following attributes
    -entitlements
    -roles
  18. Click "Go to Profile Editor"
  19. Click "Add Attribute"
    1. Enter "internalUserType" as the Display name, Variable Name and External Name
    2. Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
    3. Save
  20. Click Add Attribute
    1. Enter "userPrincipalName" as the Display name, Variable Name and External Name
    2. Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
    3. Save
  21. Click Add Attribute
    1. Enter "domain" as the Display name, Variable Name and External Name
    2. Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
    3. Save
  22. Click on Mappings
  23. Click on the Okta to Workspace ONE SCIM Tab
  24. Scroll  down to the new attributes we created and map the attributes as per below:
    Okta User ProfileWorkspace ONE SCIM User Profile
    'PROVISIONED'internalUserType
    user.emailuserPrincipalName
    Enter the Domain Used in Step 3domain
    Screen Shot 10-15-19 at 11.59 AM.PNG
  25. Remove the mappings (Mappings -> Okta to Scim 1.1):

    Attributes
    displayName
    locale
    title
    department
    organization
  26. Click Save Mappings
  27. Click Apply Updates Now
  28. Click on the Provisioning Tab again
  29. Click Edit and Enable Provisioning for Create Users and Deactivate Users. Note: Do not select update users
  30. Click Save
  31. Using a test user, assign the user the Workspace ONE SCIM application
  32. If you receive an error such as below you might need to un-map additional attributes.

 

Issues with Groups

It has been discovered that there are a few issues with provisioning groups from Okta to Workspace ONE. While we wait for these issues to be resolved, you will need to pre-create the groups in Workspace ONE Access before they can be sync'd from Okta.

 

The following instructions require you to use Postman. You will not be able to do this from the Workspace ONE Access console.

  1. Open a new tab in Postman
  2. Add the Authorization Header as per the previous section.
  3. For the HTTP Method, select "POST"
  4. For the URL, enter: HTTPS://[TENANTURL]/SAAS/JERSEY/MANAGER/API/SCIM/GROUPS
  5. Replace the Tenant URL with your URL
  6. Under "Headers", Set the Content-Type to " APPLICATION/JSON"
  7. Use the following as a sample and Send. You will need to do this for each group you plan on linking in Okta: Replace the DisplayName with the same name as the group in Okta.

 

{    "SCHEMAS": [      "URN:SCIM:SCHEMAS:CORE:1.0"  ],    "DISPLAYNAME": "SCIMTESTING2"  
}

 

Next we will need to "LINK" the groups in Okta:

 

  1. In the VMware Workspace ONE application (your SCIM 1.1 app) in the Okta console, click on “Push Groups”
  2. Click on Refresh App Groups to ensure Okta has a complete list of groups in Workspace ONE Access.
  3. Click on Push Groups -> Find Groups by Name
  4. Enter the name of the group that is already created in Okta
  5. Ensure that a match is found in Workspace ONE Access with the option to Link Group:


  6. Click Save

 

For additional troubleshooting see:

https://communities.vmware.com/blogs/steveIDM/2019/10/21/workspace-one-and-okta-troubleshooting-blog


Viewing all articles
Browse latest Browse all 182126

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>