Windows-Azure Enrollment to Workspace ONE UEM for an Organization using Okta as IdP

Rupesh Jain, VMware 360
Jan 4, 2022

Authors: Rupesh Jain, Yuvakumar Kuramannagari

A Windows 10 device can be enrolled into Azure AD (the IdP) through the Out of Box Experience (OOBE). Some customers use a third-party IdP such as Okta instead of Azure AD. This document provides step-by-step instructions for Windows-Azure enrollment into VMware Workspace ONE UEM with Okta as the IdP. Validation steps are also defined so that each integration point can be checked before moving on to the next.

Pre-requisite:

  • Access to an OKTA Instance with admin rights.
  • Access to Azure as an administrator — Azure premium license (P2)
  • Access to Workspace ONE Access(vIDM) as an administrator.
  • Access to Workspace ONE UEM console as an administrator.
  • Postman, download it from https://www.postman.com

Diagram

NOTE:

  • Users can either be created in LDAP and synced to Okta, or created directly in Okta.
  • LDAP is optional, depending on your requirements.
  • If you are using LDAP, note that an LDAP server cannot be configured at the Customer OG level in Workspace ONE UEM.

Setup:

Create a Domain in Workspace ONE Access

First, create the shared client secret in Workspace ONE Access:

  • Log in to the Workspace ONE Access admin console
  • Click the dropdown arrow on the Catalog tab and select Settings
  • Click Remote App Access and select Create Client
  • For Access Type, select Service Client Token from the drop-down
  • For Client ID, enter an ID, for example OktaSCIM
  • Expand the Advanced section
  • Click Generate Shared Secret
  • Update the Access Token Time-to-Live setting to a longer time than the default

Then, in Postman, obtain a bearer token for that client and create the directory:

  • Click Get New Access Token
  • A token is generated and displayed.
  • To verify that the bearer token was added to the request, click the Headers tab and then hidden headers.
  • If the bearer token was not added, return to the Authorization tab, select your token from the available tokens drop-down list and check again.
  • Under Headers, set Content-Type to: application/vnd.vmware.horizon.manager.connector.management.directory.other+json
  • Click the Body tab
  • Use the following as a sample body and click Send

{
  "type": "OTHER_DIRECTORY",
  "domains": ["OKTA.COM"],
  "name": "Okta Universal Directory"
}

Note: Make sure that your domain is unique within your tenant.

Validation: You should see a response similar to the following.
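The same request can be scripted instead of typed into Postman, which also makes the "domain must be unique within your tenant" note checkable before anything is sent. The following is an added example, not code from the original post or from VMware: the API path is an assumption to be confirmed against the Postman request, and the tenant URL, token and existing-directory list are constructed placeholders.

```python
"""Added example (not from the original post): build the "create
OTHER_DIRECTORY" request the post issues from Postman, after checking
that none of the requested domains is already used by another directory.

Assumptions (not stated in the post): the request is an HTTP POST to the
Workspace ONE Access tenant at DIRECTORY_API_PATH, and the bearer token
comes from the service client created in the Access console.
"""
import json
import urllib.request

# Content-Type the post specifies for this request (copied from the post).
DIRECTORY_CONTENT_TYPE = (
    "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
)
# Assumed request path; confirm it against the Postman request you use.
DIRECTORY_API_PATH = "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs"


def directory_payload(name, domains):
    """Request body for an OTHER_DIRECTORY, matching the post's sample."""
    if not domains:
        raise ValueError("at least one domain is required")
    return {"type": "OTHER_DIRECTORY", "domains": list(domains), "name": name}


def domain_conflicts(domains, existing_directories):
    """Return {requested_domain: directory_name} for every requested domain
    that another directory in the tenant already claims (case-insensitive).
    existing_directories is a list of dicts shaped like directory_payload()."""
    taken = {}
    for entry in existing_directories:
        for d in entry.get("domains", []):
            taken[d.lower()] = entry["name"]
    return {d: taken[d.lower()] for d in domains if d.lower() in taken}


def build_request(access_url, token, payload):
    """Assemble the POST with the Authorization and Content-Type headers the
    post describes. Nothing is sent here; the caller decides when to send."""
    url = access_url.rstrip("/") + DIRECTORY_API_PATH  # no trailing '/' issues
    data = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", DIRECTORY_CONTENT_TYPE)
    return req


def create_directory(access_url, token, name, domains, existing_directories=()):
    """Refuse to send when a domain is already taken; otherwise POST the
    directory and return the parsed JSON response (network call)."""
    conflicts = domain_conflicts(domains, existing_directories)
    if conflicts:
        raise ValueError("domain(s) already in use: %r" % conflicts)
    req = build_request(access_url, token, directory_payload(name, domains))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed values: replace with your tenant URL and Postman token.
    demo = build_request("https://access.example.com", "<token>",
                         directory_payload("Okta Universal Directory", ["OKTA.COM"]))
    print(demo.get_method(), demo.full_url)
    print(demo.data.decode())
```

The conflict check expects the tenant's current directory list as input; with a list of the directories you already have, a duplicate domain is caught locally instead of surfacing as an error response from Access.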

Configure the VMware Workspace ONE Access Application in Okta:

  • Log in to the Okta Admin console
  • Click Applications → Applications
  • Click Add Application
  • Search for the VMware Workspace ONE application and click Add
  • In Base URL, enter the Workspace ONE Access URL
  • Make sure there is no trailing ‘/’ at the end of the URL (it causes an error), then click Done
  • Click the Provisioning tab and click Configure API Integration
  • Check the Enable API integration check box and, in the API Token text box, paste the bearer token that you created in Postman
  • Click Test API Credentials, ensure that you see a success message before proceeding, and click Save
  • Click the Edit button
  • Select the Enable check boxes for Create Users, Update User Attributes, and Deactivate Users, then click Save
  • Scroll down and edit the domain attribute
  • Edit the domain so that it matches the domain you used when you created the directory in Workspace ONE Access
  • Click Save
  • SCIM provisioning setup is complete
  • Go to the Assignments tab in the VMware Workspace ONE application and assign the application to users or groups. When you assign the application to a user, the user is created in Workspace ONE Access. When you remove the application from a user, the user is disabled in Workspace ONE Access.
  • You can go to the Push Groups tab in the VMware Workspace ONE application to push groups to Workspace ONE Access. When you push a group, the group is created in Workspace ONE Access and its membership is pushed. Members of the group must already be assigned the VMware Workspace ONE application.
  • Validation: based on the user or group setup above, you should see the users or groups in the Users & Groups section of Workspace ONE Access

Add Okta as a third party IdP in Workspace ONE Access

  • Navigate to your applications in Okta
  • Select VMware Workspace ONE Application
  • Click the Sign on tab
  • Scroll down and select View Setup Instructions; this provides a complete walkthrough of how to add Okta as the third-party IdP in Workspace ONE Access.

After completion, if you have issues logging in to Workspace ONE Access, the cause may be the username format. In Okta, change the credential details as shown in the screenshot below:

  • Validation: browse to the Workspace ONE Access login URL; it should automatically redirect to the Okta login page, and once you authenticate in Okta you should be logged in to Workspace ONE Access.

Now that we can log in to Workspace ONE Access using Okta as the third-party IdP, we need to provision the user over to Workspace ONE UEM. We do this with the AirWatch Provisioning app in Workspace ONE Access.

Before completing this section, log in to Workspace ONE UEM as an administrator and retrieve the Workspace ONE UEM API key, located at Settings → System → Advanced → API → REST API.

Configure SAML Authentication from Workspace ONE UEM into Workspace ONE Access

  • In the Workspace ONE Access portal, navigate to Catalog → Web Apps
  • Click Settings on the right
  • Select SAML Metadata
  • Right-click Identity Provider metadata and save it; you should be able to save it as idp.xml
  • In the Workspace ONE UEM console, navigate to Groups & Settings → System → Enterprise Integration → Directory Services
  • Upload the saved idp.xml file in the SAML 2.0 section, scroll to the bottom and click Save. This populates the fields from the XML file
  • Make sure that the Authentication Response Security field is correct
  • Scroll up and enable SAML for Enrollment
  • Now add an AirWatch application in Workspace ONE Access that matches these settings:
  • In the Workspace ONE Access console, navigate to Catalog → Web Apps
  • Click New, search for AirWatch and select it
  • In Configuration, fill in the following information:
      ◦ Device Server URL
      ◦ Group ID
      ◦ Audience (default is AirWatch)
  • The last step is to assign the application to users and save.
Configure the AirWatch Provisioning App in Workspace ONE Access

  • Make sure that SAML authentication is enabled in the Workspace ONE UEM console under Accounts → Administrators → Administrator Settings → Directory Services
  • Log in to the Workspace ONE Access console
  • Select the Catalog → Web Apps tab
  • Click New; the New SaaS Application wizard appears
  • Enter AirWatch Provisioning in the Search text box, or browse the catalog, and select AirWatch Provisioning from the results
  • To proceed, click Next
  • On the Single Sign-On page, configure settings as required by your organization. Some settings are populated with default values relevant to the AirWatch Provisioning app. To learn more about a setting, click the information icon next to it.
    Note: For any setting not listed in the following table, accept the default value.
  • Click Next, keep everything else at the default and click Save
  • The app is added to the catalog. Now you can enable provisioning.
  • Select the AirWatch Provisioning app from the catalog list and click Edit → Provisioning
  • Add the Provisioning Adapter Configuration:
      ◦ Workspace ONE UEM Host
      ◦ Admin Username
      ◦ Admin Password
      ◦ Workspace ONE UEM API key
      ◦ Workspace ONE UEM Group ID
  • Click Test Connection and verify that the connection is successful
  • Scroll down and make sure Enable Provisioning is enabled
  • Click Next. Under User Provisioning, click Add Mapping, set Attribute Name to AAD Mapping Attribute and Value to ${user.ExternalId}, click Save, then click Next
  • Under the Group Provisioning tab, add the required group
  • Click Next and Save
  • Click Assign, select the user groups and Save
  • Confirm that the attribute matches across all solutions

Validation: Confirm Attributes

  • Okta provisions users into Workspace ONE Access with the Okta unique identifier. This attribute MUST automatically match the user's ExternalId field in Workspace ONE Access. We also provisioned the user into Workspace ONE UEM so that the AAD Mapping Attribute is the same as the ExternalId.
  • In Workspace ONE UEM, navigate to Users, select the user that was generated from Workspace ONE Access and click Edit in the top right
  • This brings up all the user details and shows the AAD Mapping Attribute
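Checking the attribute chain one user at a time in three consoles does not scale, and a single stale value breaks enrollment for that user only, which is hard to spot. The following is an added example, not code from the original post or from VMware or Okta: it cross-checks exported user lists from Okta, Workspace ONE Access and Workspace ONE UEM for the link the post requires (Okta id = Access ExternalId = UEM AAD Mapping Attribute). The records and the field names used for each export are constructed assumptions; adapt the keys to the export format you actually have.

```python
"""Added example (not from the original post): verify, for every Okta user,
that the identifier chain Okta -> Workspace ONE Access ExternalId ->
Workspace ONE UEM AAD Mapping Attribute is intact, and report where it breaks.

All three record lists below are constructed sample data; the field names
("id"/"login", "userName"/"externalId", "UserName"/"AadMappingAttribute")
are assumptions about each console's export, not documented formats.
"""

# Constructed Okta users: "id" is the Okta unique identifier SCIM sends.
OKTA_USERS = [
    {"id": "00u1aaaa", "login": "alice@okta.com"},
    {"id": "00u2bbbb", "login": "bob@okta.com"},
    {"id": "00u3cccc", "login": "carol@okta.com"},
]
# Constructed Workspace ONE Access users (carol was never assigned the app).
ACCESS_USERS = [
    {"userName": "alice@okta.com", "externalId": "00u1aaaa"},
    {"userName": "bob@okta.com", "externalId": "00u2bbbb"},
]
# Constructed UEM users; bob carries a stale mapping attribute.
UEM_USERS = [
    {"UserName": "alice@okta.com", "AadMappingAttribute": "00u1aaaa"},
    {"UserName": "BOB@okta.com", "AadMappingAttribute": "00u9zzzz"},
]


def check_identity_chain(okta_users, access_users, uem_users):
    """Return a list of (login, finding) for every user whose chain is broken.
    Logins are compared case-insensitively; identifiers are compared exactly."""
    access_by_login = {u["userName"].lower(): u for u in access_users}
    uem_by_login = {u["UserName"].lower(): u for u in uem_users}
    findings = []
    for okta in okta_users:
        login = okta["login"].lower()
        acc = access_by_login.get(login)
        if acc is None:
            findings.append((login, "missing in Workspace ONE Access (check Okta app assignment)"))
            continue
        if acc.get("externalId") != okta["id"]:
            findings.append((login, "Access externalId %r != Okta id %r"
                             % (acc.get("externalId"), okta["id"])))
            continue
        uem = uem_by_login.get(login)
        if uem is None:
            findings.append((login, "missing in Workspace ONE UEM (check AirWatch Provisioning assignment)"))
            continue
        if uem.get("AadMappingAttribute") != acc["externalId"]:
            findings.append((login, "UEM AAD Mapping Attribute %r != Access externalId %r"
                             % (uem.get("AadMappingAttribute"), acc["externalId"])))
    return findings


if __name__ == "__main__":
    for login, finding in check_identity_chain(OKTA_USERS, ACCESS_USERS, UEM_USERS):
        print("%-20s %s" % (login, finding))
```

Each finding names the link that is broken, which maps directly onto the console where the fix belongs: Okta assignment, the Access ExternalId populated by SCIM, or the UEM value written from ${user.ExternalId}.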

Add custom domain to Azure Active Directory:

  • Login to Azure Portal — https://portal.azure.com
  • Navigate to Azure Active Directory → Custom domain names
  • Add custom domain name and follow on screen instructions
  • Once the domain is verified, it will look something like the screenshot below

Configure Office 365 app in Okta

  • In Okta, navigate to Applications, select Add Application, select Microsoft Office 365 and click Add
  • Enter the Microsoft Tenant Name
  • Under Sign-On Options, select WS-Federation
  • For WS-Federation Configuration, select Automatic
  • Provide the username and password, fetch the Office 365 domains, select the domain name you added in the previous section and click Done
  • Under the Provisioning tab, enable provisioning
  • Under the Microsoft Office 365 Attribute Mapping section, change the Immutable ID value as shown in the screenshot
  • Under Assignments tab assign the groups or users
  • Under Push Groups tab, push them to the Azure Active directory
  • Validation: Verify users are synced to AAD from Okta

Integrate Azure AD with Workspace ONE UEM:

  • Step-by-step instructions are provided in the Integrating Azure AD with Workspace ONE UEM section of this doc.

Validation for Overall setup:

  • On the OOBE screen, enter a username; based on the username's domain, it should redirect to the Okta screen shown below
  • Validate the Okta tenant and confirm that it points to the right Okta account

Testing & Production Environment setup:

Create a separate instance of the above integration for the test environment and for the production environment. Pointing them at different Workspace ONE UEM instances at random leads to issues that require additional troubleshooting.

Conclusion:

All the configuration should now be in place to perform Windows 10 Out of Box Experience (OOBE) enrollments into Workspace ONE UEM using Okta as the Identity Provider (IdP).
