OKTA Integration with VMware Identity Manager

Scenario and Objectives of this Lab Module

We will come into many existing environments that already have federations in place. In this lab we will see what is required when the customer has OKTA federated with existing applications.

OKTA sees VMware Identity Manager as its go-to-market solution for cross-platform SSO and has officially deprecated its MDM component in favour of VMware Identity Manager.

In this scenario OKTA could be the first port of call, and we would use VMware Identity Manager to authenticate and provide SSO access to mobile devices.

Please note that we will complete the testing of this lab in the latter part of this course, once Mobile SSO for Android and Mobile SSO for iOS are configured for VMware Identity Manager.

This lab comprises the following parts:

Part 1. Configuring an OKTA individual developer account.

Part 2. Configuring a SaaS application to federate with OKTA. The application we will use in this lab is ZENDESK.

Part 3. Federating ZENDESK with OKTA.

Part 4. Federating OKTA with VMware Identity Manager.

Part 5. Configuring VMware Identity Manager to be an OKTA application source.

Part 6. Configuring Routing Rules for OKTA VMware Identity Manager Integration

Note! After we have set up Single Sign-On for Android and iOS, we will configure Conditional Access policies in Workspace ONE UEM, then test the integrations for SSO through OKTA, VMware Identity Manager and Workspace ONE UEM.

Just a reminder that when creating custom accounts, be sure to write down the exact details related to each account. One suggestion is to standardize on passwords and keep the password as simple as possible, to ensure the success of these labs. If you later have concerns about accessing these accounts, feel free to reset the passwords.

Failure to follow these guidelines could result in being locked out of your tenant; you would then have to take responsibility for regaining access, leading to a loss of time.

Part 1.

Setting up an OKTA Overview free trial

1. In this section we will register for a 30 day free trial OKTA account that we will use for this lab. It can also be used beyond the scope of this lab and does not expire.

  1. Open your Chrome browser on the Control Center and browse to https://www.okta.com/free-trial/#. On the START YOUR 30 DAY FREE TRIAL WITH OKTA TODAY page select SIGN UP TODAY
  2. Fill in the Free Trial Form
    1. Using either a work e-mail address or your custom Office 365 CloudAdmin email account, e.g. cloudadmin@ranmobojo.onmicrosoft.com, fill in your first and last name
    2. In the drop-down Would you like more information about the trial? select Yes...
    3. In the phone area type a valid phone number
    4. Under Employee count select one of the numbered check boxes
  3. Select Get Started
  4. Notice the Thank You for registering. Welcome to the family message. NB! Note the URL and save your unique URL to Notepad, e.g. ranmobojo-onmicrosoft.okta.com
  5. Go to Office 365. Log in with your Cloud Admin account and check your Office 365 email. Open the email from The Okta Team

6. In the login console use your Okta username and the temporary password. Select Sign In

7. On the Welcome window,

  1. Enter and confirm your new password
  2. Choose a forgot-password question and answer
  3. Click a picture to choose a security image
  4. Select Create My Account
  5. On the Getting Started with Okta window notice you now have a 30 day trial of OKTA. Browse around to familiarize yourself with the console.

8. To complete our setup we will set up directory sync between our Active Directory domain and this OKTA environment.

Log into your "on-prem" lab environment as euc-livefire.com\administrator with the password VMware1!

  1. On the ControlCenter2 server open your Chrome browser and enter the OKTA URL you saved on the ControlCenter server, e.g. https://ranmobojo-onmicrosoft.okta.com/
  2. Sign in to your OKTA admin console with your OKTA username and password and select Sign In

9. Setting up Directory sync with our Active Domain and this OKTA environment continued..

  1. In the Okta Admin console select Directory > Directory Integrations
  2. In the Directory Integrations interface, bottom right-hand corner, select Add AD Domain/Agent
  3. Select Set Up Active Directory in the bottom right-hand corner
  4. Select Download Agent,
  5. Note the installation information on your admin Console, you will use this information when installing the agent.

10. Setting up Directory sync with our Active Domain and this OKTA environment continued..

  1. Select the downloaded OktaADAgentSetup.exe and select Open select Run
  2. On the Okta AD Agent, select Next
  3. On the Installation options window select Install
  4. In the Select AD Domain accept your default Domain and select Next

11. Setting up Directory sync with our Active Domain and this OKTA environment continued..

  1. On the Okta AD Agent Windows Service Account window accept the default, select Next
  2. On the Okta AD Agent Windows Service User, type and confirm the password, VMware1! select Next
  3. On the Okta AD Agent Proxy Configuration window, select Next

12. Setting up Directory sync with our Active Domain and this OKTA environment continued..

  1. On the Register Okta AD Agent window, select the Custom radio button. Next to Enter Organizational URL:, in the Enter Subdomain: box, type the Organization URL from step 9.5. Select Next
  2. On the Sign in page, under Username, type the Administrator account and password from step 9.5 and select Sign In
  3. Select Allow Access
  4. On the Agent Installation window select Next

13. Setting up Directory sync with our Active Domain and this OKTA environment continued..

  1. In the Set Up Active Directory window, in the Connect Organizational Units (OUs) to Okta interface, ensure that only the corp OU is selected in the Users and Groups interface. Select Next
  2. In the Import AD Users and Groups window select Next

14. Setting up Directory sync with our Active Domain and this OKTA environment continued....

  1. On the Select the attributes to build your Okta User profile page select Next
  2. On the Agent Setup Complete page select Done
  3. Select the Okta AD Agent on your Taskbar and select Finish

15. Setting up Directory sync with our Active Domain and this OKTA environment continued....

  1. In the Okta admin console select Directory > Directory Integrations
  2. Below the Active tab select Active Directory
  3. In the Active Directory area next to People select Settings
  4. In the IMPORT AND ACCOUNT SETTINGS console scroll down and select the following:-
    1. Select the check box in line with JIT Provisioning called Create and update users on login
    2. Next to Schedule change the dropdown from never to every hour
  5. Scroll down to the bottom and select Save Settings

16. We will now validate user provisioning in OKTA

  1. Open an Incognito window in your browser and launch your OKTA login URL. Log in as user1@(custom suffix).euc-livefire.com, e.g. user1@madrid35.euc-livefire.com, with password VMware1! and select Sign In
  2. On the Welcome to your OKTA page, click a picture to choose a security image, then select Create My Account
  3. Close the Okta makes your life easier page by selecting Got it
  4. If you go back to your OKTA admin console and select Directory > People, you will now notice your provisioned users

Part 2.

Setting up your own SaaS ZENDESK account

  1. In this section we are going to register for a ZENDESK account
    1. Open your browser, enter the URL https://www.zendesk.co.uk/register/ and select Sign in with Google.
    2. On the Sign In screen, under the Email or Phone box, type in the option of your choice. In this particular example, I will be using my custom gmail account Ranmo.bojo@gmail.com. Select Next, and under Enter your password type your account password
    3. On the ZENDESK wants to access your account window select ALLOW

2. We are continuing to register for a ZENDESK account

  1. On the Tell us about your company page, under Company name type Livefire with your unique domain name for this course appended, e.g. LivefireTokyo01, and provide a fictitious number of employees. Then select Next
  2. On the Tell us about yourself page, enter the required information under First Name, Last Name and telephone number. Select Next

3. We are continuing to register for a ZENDESK account

  1. On the Customize your team window, type your assigned student domain name and select Next
  2. You will briefly see a Setting up your new account window; this will automatically move on
  3. You will then be prompted to check your email. Log in to your email to verify your ZENDESK registration
  4. Open the sent email and select click here to verify your email address
  5. On the Create an account window validate your name and choose a password. Note that you are now using your custom ZENDESK URL. Remember to note your unique URL, your user name and your password. When done select Create account

4. We are finishing off the registration for a ZENDESK account

  1. On the Zendesk Suite window select Skip setup.
  2. Under Get Started, select Got it

Notice you have a 29 day trial left on this application which will suffice for this lab setup

Part 3.

Federating BambooHR with OKTA

1. Federation BambooHR with OKTA

  • In this section we set up a federation with the BambooHR web application. You are entitled to a 7 day trial of the BambooHR SaaS software.
    1. We will start off by going to a browser and, in Google, typing BambooHR free trial.
    2. Select Try it Free
    3. On the We're Ready to Set You Up page, enter your credentials with your email address and select Get Started
    4. On the Congratulations page type your
      1. work phone number (your phone number)
      2. company name, e.g. Euclivefire
      3. custom domain name, e.g. Madrid34.bamboohr.com
      4. Select Create Account
    5. On the Account is ready page select Login
    6. On the login page, log in with your email and password

2. Federation BambooHR with OKTA

  • Switch to your OKTA admin console to complete the next step of the configuration
    1. In the Okta Admin Console select Applications > Applications
    2. Under Applications select Add Application
    3. In the search box type BambooHR and select Add

3. Federation BambooHR with OKTA

  • In the Add BambooHR interface under General Settings type the following
    1. Next to Application Label, type BambooHR followed by your custom domain, e.g. BambooHR Madrid 34
    2. Next to Subdomain, type your custom domain, e.g. Madrid34, and select Next

3. Federation BambooHR with OKTA

  • In the OKTA Add BambooHR interface under Sign-On Options select the following
    1. Next to SAML 2.0 select the radio button
    2. At the bottom of the window select Done

4. Federation BambooHR with OKTA

  • Switch back to your custom BambooHR SaaS app
    1. In the top right-hand corner select Settings, the cog-wheel icon
    2. In the left-hand pane select Apps
    3. Under Apps select Single Sign-On
    4. In the Single Sign-On window select OKTA
    5. Scroll down and select Install

5. Federation of BambooHR with OKTA

  • Switch back to your Okta Console
    1. In the Applications interface next to Sign On select General
    2. Scroll down to App Embed Link and under EMBED LINK copy the entire URL and save in Notepad
    3. Next to the Applications tab select the Security tab, then select Identity Providers
    4. Under Identity Providers to the right select the drop down arrow next to Configure, select Download Certificate

6. Federation BambooHR with OKTA

  • Switch back to your BambooHR Admin Console
    1. From your Notepad file copy the SSO Login URL and, under SSO Login URL, paste the copied link from OKTA
    2. Next, open the Okta.cert file with a text editor and copy the entire certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and paste it into the X.509 Certificate box
    3. Scroll to the bottom of the page and select Install

6. Federation of BambooHR with OKTA

  • Switch back to your OKTA Admin Console
    1. Go back to Applications > Applications and select your BambooHR application
    2. Select Assign > Assign to Groups
    3. In the Assign BambooHR to Groups window, next to Marketing select Assign, then select Done

7. Federation of BambooHR with OKTA

  • Switch back to your BAMBOOHR Admin Console
    1. In the Bamboo HR application select the Home tab
    2. To the right of the page select the drop down arrow next to New... and select New Employee
    3. In the New Employee interface , use the following information in the screenshot to create the User. Most important attribute is email address.
    4. When done select Save Changes

Summary

We have accomplished a few things in Parts 1 to 3. You have seen how well Just In Time (JIT) provisioning works with external applications and OKTA. OKTA supports a much broader ecosystem of applications than VMware Identity Manager. This part of the lab represents what an organisation might already have in place, or what we might have put in place before using VMware Identity Manager. A very important concept to realize is that if we are going to federate with 3rd party solutions, we have to have a basic understanding of the workings and capabilities of the solution we want to federate with, in order to offer the best solution to the customer.
Okta themselves realize that VMware has a very powerful Single Sign-On (SSO) solution in VMware Identity Manager. In Part 4 we will federate with VMware Identity Manager to accomplish Single Sign-On functionality.

Part 4.

OKTA and VMware Identity Manager Federation Configuration

In this section we will retrieve the information required by Okta to set up an Identity Provider. In this scenario VMware Identity Manager will be the Identity Provider.

  1. Log in to the Workspace ONE Administration Console on the System Domain with Admin privileges to your new SaaS VIDM tenant.
    1. Click the Catalog -> Web Apps tab
    2. Click Settings from the sub-menu
    3. In the resulting dialog navigate to SaaS Apps -> SAML Metadata
    4. Download the Signing Certificate. Note the location of the downloaded file signingCertificate.cer

2. In the right column under SAML Metadata, select and open the Identity Provider (IdP) Metadata URL and record the following using something like Notepad

  1. entityID, e.g. https://tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml
  2. SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  3. Select X in the right hand corner of the pane to close the window
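The three values this step has you copy by hand (the entityID, the Location of the SingleSignOnService with the HTTP-POST binding, and the signing certificate) all come from the IdP metadata document, so they can be extracted and checked programmatically before being typed into Okta. The script below is an added example and is not part of the lab or of VMware's or Okta's tooling; the metadata document, the tenant hostname and the X509Certificate bytes are constructed placeholders (the certificate body is a short DER prefix, not a real certificate).

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata. The hostname is a placeholder and the
# X509Certificate content is a short placeholder DER prefix, not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://tenant.example.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBszCCAV2gAwIBAgIUAQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant.example.vmwareidentity.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.vmwareidentity.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, the HTTP-POST SSO URL and the base64 signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("document has no IDPSSODescriptor; is this really IdP metadata?")
    sso_post_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:  # the binding the lab tells you to record
            sso_post_url = svc.get("Location")
    if sso_post_url is None:
        raise ValueError("no SingleSignOnService with the HTTP-POST binding")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") == "signing":
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())  # metadata wraps the base64 across lines
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"),
            "sso_post_url": sso_post_url,
            "signing_cert_b64": cert_b64}


def to_pem(cert_b64):
    """Wrap the base64 DER in the BEGIN/END markers the Okta and VIDM forms expect,
    after checking that it decodes and starts with a DER SEQUENCE tag (0x30)."""
    der = base64.b64decode(cert_b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP Issuer URI      :", info["entity_id"])
    print("IdP Single Sign-On  :", info["sso_post_url"])
    print(to_pem(info["signing_cert_b64"]))
```

Run it against the real metadata URL's content instead of SAMPLE_METADATA and the printed values are exactly what step 4 of this part asks for in the IdP Issuer URI and IdP Single Sign-On URL fields; the HTTP-Redirect entry is deliberately skipped because the lab records the HTTP-POST binding.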

3. In this section we will create the Identity Provider (IdP) record in the Okta admin UI with the system Administrator login.

In the OKTA admin Console

  1. In the top right hand corner, select the Admin button
  2. Navigate to Security -> Identity Providers

4. Select the Add Identity Provider button. In the window, next to:

  1. Under GENERAL SETTINGS
    1. Next to Name: type WorkspaceONE
  2. Under AUTHENTICATION SETTINGS
    1. IdP Username: idpuser.subjectNameid
    2. Filter: Unchecked
    3. Match Against: Okta Username
    4. If no match is found: Redirect to Okta sign-in page radio button
  3. Under SAML PROTOCOL SETTINGS
    1. IdP Issuer URI: e.g. https://aw-euclivefire.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml (the entityID value from the VMware Identity Manager IdP metadata file saved to Notepad)
    2. IdP Single Sign-On URL: e.g. https://aw-euclivefire.vidmpreview.com/SAAS/auth/federation/sso (the SingleSignOnService value from the Workspace ONE IdP metadata file)
    3. IdP Signature Certificate: browse and select the Signing Certificate from your SaaS VMware Identity Manager tenant.
  4. Select Add Identity Provider

5. Configure VMware Identity Manager with OKTA integration information

  • In the Identity Providers interface, to the right, select the drop down arrow and select Download Certificate

6. Configure VMware Identity Manager with OKTA integration information continued...

  1. Log in to your SaaS vIDM tenant as Admin for the System Domain.
  2. Select the Catalog tab, then select NEW

7. In step 1. Definition of the New SaaS Application wizard, under Name type OKTA VIDM Integration and select NEXT

8. Switch back to your OKTA SaaS service interface

  1. Select the drop down arrow next to Workspace ONE.
  2. Observe the information in this area. We will be using this as part of our VMware Identity Manager Configuration.
  3. To the right of the console next to Configure select the drop down arrow and select Download Certificate

9. Switch back to your SaaS instance of VMware Identity Manager and continue on the step 2. Configuration section in the New SaaS Application wizard.

  1. Under Configuration select the Manual radio button
  2. Under the Single Sign-On URL section, enter the Assertion Consumer Service URL from your OKTA Admin Console,
    e.g. https://ranmobojo-onmicrosoft.okta.com/sso/saml2/0oaatkfdk7ydWJR8F356
  3. Under Recipient URL, enter the Assertion Consumer Service URL from your OKTA Admin Console,
    e.g. https://ranmobojo-onmicrosoft.okta.com/sso/saml2/0oaatkfdk7ydWJR8F356
  4. Under Application ID, enter the Audience URI from your OKTA Admin Console,
    e.g. https://www.okta.com/saml2/service-provider/spznixxopvkucqhcxboz
  5. If necessary scroll down. Under Username Format accept the default, which should be Unspecified
  6. Under Username Value: change this to ${user.userPrincipalName}

10. We continue with the step 2. Configuration section in the New SaaS Application wizard.

  1. Under Application Parameters, expand Advanced Properties
  2. Accept the defaults: Sign Response = Yes, Sign Assertion = No, Encrypt Assertion = No, Include Assertion Signature = No
  3. Change Signature Algorithm: SHA256 with RSA

11. We continue with the step 2. Configuration section in the New SaaS Application wizard. Scroll down if necessary.

  1. Change Digest Algorithm: SHA256
  2. Leave Assertion Time (default) = 200
  3. Open your downloaded Okta.cert file and copy and paste the entire certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into the Request Signature area.

12. We continue with the step 2. Configuration section in the New SaaS Application wizard. Scroll down if necessary.

  1. Leave the following configurations at their defaults: Encryption Certificate = Blank, Enable Authentication Failure Notification = No, Application Login URL = Blank, Proxy Count = Blank, API Access = No
  2. Leave the following configurations at their defaults: Attribute Mapping = None, Open in VMware Browser = No, Show in User Portal = Yes
  3. Select NEXT

13. On step 3. Access Policies section in the New SaaS Application wizard.

  • Accept the default which is to use the default_access_policy_set and select NEXT

14. On the section 4. Summary of the New SaaS Application wizard select SAVE

15. In the Catalog you should see OKTA VIDM Integration
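Steps 9 to 12 above decide what the SAML Response that VMware Identity Manager sends to Okta will look like on the wire: Single Sign-On URL and Recipient URL become the Response's Destination and the assertion's Recipient, Application ID becomes the Audience, Username Format becomes the NameID Format, Sign Response / Signature Algorithm / Digest Algorithm become the XML Signature's method URIs, and Assertion Time bounds the NotBefore/NotOnOrAfter window. The checker below is an added example (not VIDM or Okta code) that parses a SAML Response and reports every field that disagrees with those settings; the response XML, the tenant hostname, the ACS URL and the Audience URI are constructed placeholders. It inspects structure and declared algorithms only and does not verify the signature cryptographically, which the real service provider must still do.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"   # "SHA256 with RSA"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"                  # Digest Algorithm SHA256
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# What was typed into the New SaaS Application wizard (placeholder values).
EXPECTED = {
    "issuer": "https://tenant.example.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml",
    "acs_url": "https://example-org.okta.com/sso/saml2/EXAMPLEAPPID",      # Single Sign-On / Recipient URL
    "audience": "https://www.okta.com/saml2/service-provider/EXAMPLESPID",  # Application ID
    "assertion_seconds": 200,                                                # Assertion Time
    "nameid_format": NAMEID_UNSPECIFIED,                                     # Username Format
}

# Constructed SAML Response; the signature and digest values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://example-org.okta.com/sso/saml2/EXAMPLEAPPID">
  <saml:Issuer>https://tenant.example.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user1@example.euc-livefire.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://example-org.okta.com/sso/saml2/EXAMPLEAPPID"
            NotOnOrAfter="2024-01-01T00:03:20Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:03:20Z">
      <saml:AudienceRestriction><saml:Audience>https://www.okta.com/saml2/service-provider/EXAMPLESPID</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def _parse_time(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def check_response(xml_text, expected, now):
    """Return a list of findings; an empty list means the response matches the configuration."""
    findings = []
    resp = ET.fromstring(xml_text)
    issuer = resp.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != expected["issuer"]:
        findings.append("Issuer is not the configured IdP Issuer URI")
    if resp.get("Destination") != expected["acs_url"]:
        findings.append("Destination does not match the Single Sign-On (ACS) URL")
    sig = resp.find("ds:Signature", NS)                 # Sign Response = Yes
    if sig is None:
        findings.append("Response is not signed")
    else:
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        if sm is None or sm.get("Algorithm") != RSA_SHA256:
            findings.append("SignatureMethod is not SHA256 with RSA")
        if dm is None or dm.get("Algorithm") != SHA256:
            findings.append("DigestMethod is not SHA256")
    assertion = resp.find("saml:Assertion", NS)          # Encrypt Assertion = No
    if assertion is None:
        findings.append("no plaintext Assertion found")
        return findings
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != expected["audience"]:
        findings.append("Audience does not match the Application ID (Audience URI)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        findings.append("Recipient does not match the Recipient URL")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != expected["nameid_format"]:
        findings.append("NameID Format is not the configured Username Format")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        findings.append("Conditions lack a NotBefore/NotOnOrAfter window")
    else:
        nb, na = _parse_time(cond.get("NotBefore")), _parse_time(cond.get("NotOnOrAfter"))
        if not (nb <= now < na):
            findings.append("assertion is outside its validity window")
        if na - nb > timedelta(seconds=expected["assertion_seconds"]):
            findings.append("validity window is longer than Assertion Time")
    return findings


def run_checks(xml_text=SAMPLE_RESPONSE, now_iso="2024-01-01T00:01:00Z"):
    """Convenience wrapper: check xml_text against EXPECTED at the given instant."""
    return check_response(xml_text, EXPECTED, _parse_time(now_iso))


if __name__ == "__main__":
    print("findings:", run_checks() or "none, response matches the wizard settings")
```

Feeding a captured response (after base64-decoding the SAMLResponse form field) through run_checks is a quick way to confirm that the ACS URL, Audience URI and algorithms in the wizard were transcribed correctly before testing the sign-in flow.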

Part 5. Configuring an OKTA Application Source in Workspace ONE.

1. Configuring an OKTA application Source in Workspace ONE...

  1. Under Catalog to the right select SETTINGS
  2. In the Inventory pane under SaaS Apps select Application Sources
  3. In the Application Sources section under App Source select OKTA
  4. On the OKTA Application Sources window select NEXT

2. Configuring an OKTA application Source in Workspace ONE... continued

  1. Switch back to your OKTA admin console and select Security > Identity Providers
  2. Expand the arrow (>) next to your existing WorkspaceONE configuration so that it points down.
  3. Notice under WorkspaceONE you have 4 rows of information.
    • Save your Assertion Consumer Service URL and your Audience URI to Notepad

Switch back to your Workspace ONE admin console

3. Configuring an OKTA application Source in Workspace ONE... continued

  1. In the OKTA Application Source under Configuration change the radio button to Manual
  2. In section 2. Configuration of the OKTA Application Source page add the following:-
    1. In the Single Sign-On URL section copy and paste your Assertion Consumer Service URL
    2. In the Recipient URL section copy and paste your Assertion Consumer Service URL
    3. Next to Application ID: copy and paste your Audience URI

4. Configuring an OKTA application Source in Workspace ONE... continued

  1. In the OKTA Application Source under Configuration Scroll down, next to:
    1. Username Format: Unspecified, (default)
    2. Under the Username Value: ${user.userPrincipalName}
  2. Expand Advanced Properties, configure the following Next to:
    1. Sign Response: Yes (default)
    2. Sign Assertion: No (default)
    3. Encrypted Assertion: No (default)
    4. Include Assertion Signature: No (default)
    5. Signature Algorithm: SHA256 with RSA (default)
    6. Digest Algorithm: SHA256
    7. Assertion Time: 200 (default)

5. Configuring an OKTA application Source in Workspace ONE... continued

  1. In the OKTA Application Source under Configuration, continue scrolling down and configuring:
    1. Under Request Signature: open the contents of the Okta.cert file previously downloaded from Okta. Copy and paste the contents including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
    2. Encryption Certificate: Blank (default)
    3. Enable Authentication Failure Notification: No (default)
  2. Continue scrolling down, next to
    1. Application Login URL: Blank (default)
    2. Proxy Count: Blank (default)
    3. API Access: No (default)
    4. Custom Attribute Mapping: None (default)
    5. Open in VMware Browser: No (default)
  3. Select Next
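The Request Signature field (like the Request Signature area in Part 4 and the X.509 Certificate box in BambooHR) has to receive the whole Okta.cert file, markers included; a truncated paste or a mangled marker is accepted by the form but breaks signature verification later, with an error that does not point at the certificate. The helper below is an added example, not part of Workspace ONE or Okta, that checks a pasted block before it is submitted and confirms by fingerprint that it is the same certificate as the downloaded file; the certificate body used here is a short placeholder DER prefix, not a real Okta certificate.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for the downloaded Okta.cert (placeholder DER prefix, not a real cert).
DOWNLOADED_OKTA_CERT = BEGIN + "\nMIIBszCCAV2gAwIBAgIUAQ==\n" + END + "\n"


def parse_pem_certificate(text):
    """Return the DER bytes of the first certificate in text, or raise ValueError
    with a message describing what is wrong with the pasted block."""
    start = text.find(BEGIN)
    if start < 0:
        if "begin certificate" in text.lower():
            raise ValueError("BEGIN marker is malformed: it must read exactly " + BEGIN)
        raise ValueError("missing BEGIN CERTIFICATE marker")
    end = text.find(END, start)
    if end < 0:
        raise ValueError("missing END CERTIFICATE marker (paste was cut short)")
    body = "".join(text[start + len(BEGIN):end].split())   # drop line breaks and spaces
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body) or len(body) % 4:
        raise ValueError("certificate body is not valid base64 (stray characters or truncation)")
    der = base64.b64decode(body, validate=True)
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE, so this is not an X.509 certificate")
    return der


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form most admin consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(pasted_text, downloaded_text):
    """True when the pasted block and the downloaded file carry the same certificate."""
    return fingerprint(parse_pem_certificate(pasted_text)) == \
        fingerprint(parse_pem_certificate(downloaded_text))


def check_paste(text):
    """Return None when the block is usable, otherwise the problem description."""
    try:
        parse_pem_certificate(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("downloaded file:", check_paste(DOWNLOADED_OKTA_CERT) or "ok")
    print("fingerprint    :", fingerprint(parse_pem_certificate(DOWNLOADED_OKTA_CERT)))
    print("cut-short paste:", check_paste(DOWNLOADED_OKTA_CERT.split(END)[0]))
```

Paste the clipboard contents into a file and run check_paste on it; the fingerprint can also be compared against the one Okta shows for the identity provider's certificate to be sure the right file was downloaded.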

6. Configuring an OKTA application Source in Workspace ONE... continued

  1. On the Access policies page select NEXT
  2. On the Summary page select SAVE

7. Configuring an OKTA application Source in Workspace ONE... continued

  1. Under Settings notice that your OKTA Source is now configured. Under Action select Add Apps
  2. Read the message: We will now go and configure our Zendesk application as a Saas application in our Catalog. When done, select Close and select X to close the Settings page.

Part 6. Configuring Routing Rules for OKTA & VMware Identity Manager Integration

Identity Provider Routing Rules.

In situations where Okta and VMware Identity Manager are to coexist, identity provider routing rules make for the perfect compromise between the owners of the two services. Okta can then remain the primary point of contact for identity, with a rule that dynamically redirects mobile platform apps to VMware Identity Manager.

In this section we will configure a routing rule in our OKTA tenant to facilitate exactly that scenario.

1. Configuring Routing Rules for OKTA & VMware Identity Manager Integration

  • If you have not already done so log into your assigned OKTA tenant with your assigned credentials
    1. In the OKTA admin console select the Security Tab and then select Identity Providers
    2. In the Identity Providers section, next to the Identity Providers sub header select Routing Rules

2. Configuring Routing Rules for OKTA & VMware Identity Manager Integration.....

  1. In the Routing Rules section select the Add Routing Rule button
  2. In the Add Rule Window add the following. Next to:
    1. Rule Name: Mobile SSO Rule for Android and IOS
    2. THEN Use this identity provider select the dropdown arrow: select WorkspaceONE,
    3. Select Create Rule
  3. In the Activate Rule? window select Activate
  4. Notice you now have the Default Rule and the Mobile SSO Rule for Android and IOS
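Routing rules are evaluated top to bottom, the first matching rule chooses the identity provider, and the Default Rule at the bottom catches everything else, so the effect of the rule created above depends on its conditions and on its position relative to the Default Rule. The model below is an added example, not Okta code, that reproduces that evaluation so the intended outcome (mobile sign-ins go to WorkspaceONE, everything else stays with Okta) can be checked against sample sign-in contexts; the platform condition on the rule and the sign-in contexts are constructed assumptions that stand in for the "mobile platforms" intent described in the introduction to this part.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One identity-provider routing rule; empty condition sets mean 'any'."""
    name: str
    idp: str
    platforms: frozenset = field(default_factory=frozenset)
    apps: frozenset = field(default_factory=frozenset)

    def matches(self, ctx):
        return ((not self.platforms or ctx["platform"] in self.platforms)
                and (not self.apps or ctx["app"] in self.apps))


MOBILE = frozenset({"ANDROID", "IOS"})

# Rule order as it should appear in the Routing Rules list (assumed condition: mobile platforms).
RULES = [
    Rule("Mobile SSO Rule for Android and IOS", "WorkspaceONE", platforms=MOBILE),
    Rule("Default Rule", "Okta"),   # no conditions: catches everything that reaches it
]

# Constructed sign-in contexts.
SAMPLE_CONTEXTS = [
    {"user": "user1", "platform": "IOS", "app": "BambooHR"},
    {"user": "user1", "platform": "ANDROID", "app": "Zendesk"},
    {"user": "user1", "platform": "WINDOWS", "app": "BambooHR"},
]


def route(ctx, rules=RULES):
    """Return (rule name, identity provider) for the first rule that matches ctx."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.name, rule.idp
    raise RuntimeError("no rule matched; a rule set must end with a catch-all default")


def route_many(contexts, rules=RULES):
    return [route(ctx, rules)[1] for ctx in contexts]


def unreachable_rules(rules):
    """Names of rules placed after a catch-all rule: they can never match."""
    names, catch_all_seen = [], False
    for rule in rules:
        if catch_all_seen:
            names.append(rule.name)
        if not rule.platforms and not rule.apps:
            catch_all_seen = True
    return names


if __name__ == "__main__":
    for ctx in SAMPLE_CONTEXTS:
        print(ctx["platform"], ctx["app"], "->", route(ctx))
    print("unreachable:", unreachable_rules(RULES))
    print("reversed order unreachable:", unreachable_rules(list(reversed(RULES))))
```

Reversing the list puts the Default Rule first, and every context then resolves to Okta while the mobile rule is reported as unreachable; that is the misconfiguration to look for if mobile sign-ins never reach Workspace ONE after this part is complete.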