As the first step in configuring SCIM user provisioning from Okta to Workspace ONE Access, complete the required prerequisite tasks in Workspace ONE Access. These tasks include creating an OAuth 2.0 client, generating an OAuth bearer token, and creating a directory of type Other.

Some of these tasks require you to use the Postman app, so download and install the app from https://www.getpostman.com before you begin.

Create OAuth 2.0 Client

In the Workspace ONE Access console, create an OAuth 2.0 client for the SCIM integration with Okta.

When you create the client, a shared secret is autogenerated. After creating the client, copy the shared secret. You need the secret later in the setup process.

Note: In the latest release of the Workspace ONE Access console, with the New Navigation toggle turned on, you cannot enter your own shared secret. You can only generate a shared secret.

Procedure

  1. Log into the Workspace ONE Access console.
  2. Select Settings > OAuth 2.0 Management.
  3. In the Clients tab, click Add Client.
  4. For Access type, select Service Client Token.
  5. For Client ID, enter an ID, for example, OktaSCIM.
    Make sure you follow the naming rules displayed on the page.
  6. Update the Access token time-to-live (TTL) setting to a longer time than the default.
    Important: Set a longer Access token time-to-live (TTL) because the bearer token expires when the TTL elapses, and you must then update the Okta configuration with a new bearer token. For example, if you choose one year, you must update the Okta configuration every year with a new bearer token.

    The image shows the Create Client page with these settings.
  7. Click Save.
    The client is created and a shared secret is autogenerated.
  8. Copy and save the shared secret before you leave the page.
    Important: After you leave the page, the shared secret is no longer available. If you do not copy the shared secret before leaving the page, you will have to regenerate the secret.

    The image displays the OktaSCIM client page with the configuration values. The Client ID and Shared Secret can be copied.

Generate OAuth Bearer Token

After creating the OAuth 2.0 client in Workspace ONE Access, generate an OAuth bearer token.

Prerequisites

Download and install the Postman app. You can download Postman from https://getpostman.com.

Procedure

  1. Open a new tab in the Postman app.
  2. For the HTTP method, select POST.
  3. For the URL, enter:
    https://tenanturl/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
    Replace tenanturl with your Workspace ONE Access URL, for example:
    https://example.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
  4. Click the Authorization tab and select OAuth 2.0 as the type.

    The image shows the Type drop-down menu with OAuth 2.0 selected.
  5. In the Configure New Token section, enter the required information.
    1. For Token Name, enter a name, such as WorkspaceONE.
    2. For Grant Type, select Client Credentials.
    3. For Access Token URL, enter https://tenantURL/SAAS/auth/oauthtoken, where tenantURL is your Workspace ONE Access tenant URL.
      For example:
      https://example.vmwareidentity.com/SAAS/auth/oauthtoken
      Note: While this example uses the domain name vmwareidentity.com, your Workspace ONE Access domain name might be different. See VMware Knowledge Base article 68035 for the complete list of Workspace ONE Access domains.
    4. For Client ID, enter the Client ID that you set in Create OAuth 2.0 Client.
    5. For Client Secret, enter the secret that was generated in Create OAuth 2.0 Client.
      Note: If you did not copy the secret while creating the client, you can regenerate it. To regenerate the secret, go to the Settings > OAuth 2.0 Management page in the Workspace ONE Access console, select the client, and click Regenerate Secret on the client page.
    6. For Scope, enter admin.
    For example:
    The image displays the Configure New Token section with example values.
  6. Click Get New Access Token.
    A token is generated and displayed.
  7. To verify that the bearer token was added, click the Headers tab and click the hidden headers link.
    The bearer token appears.

    The image shows the bearer token in the Headers tab.

  8. If the bearer token was not added, return to the Authorization tab and select your token from the Available Tokens drop-down menu and check again.

Create a Directory of Type Other in Workspace ONE Access

Use the Postman app to create a directory of type Other in Workspace ONE Access for your Okta users.

Procedure

  1. Under Headers, set the Content-Type to:
    application/vnd.vmware.horizon.manager.connector.management.directory.other+json
    Tip: Start typing in Content-Type in the Key column to select the Content-Type entry.

    The image shows the Content-Type header set in the Headers tab.
  2. Select the Body tab.
  3. Use the following as a sample and click Send.
    {
      "type": "OTHER_DIRECTORY",
      "domains": ["OKTA.COM"],
      "name": "Okta Universal Directory"
    }
    Note: Make sure that your domain is unique within your tenant.
    You should see a result similar to the following:

    The image shows the response to the create directory request.
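The same two calls that the Postman steps above make (the Client Credentials token request with scope admin, then the POST that creates the directory of type Other) can be scripted. This is an added example, not code from the VMware documentation; the tenant URL, client ID, and secret are placeholders, and sending the client credentials in an HTTP Basic header (rather than in the form body) is an assumption that matches Postman's default for this grant type.

```python
"""Added example (not from the VMware documentation): obtain a Workspace ONE Access
bearer token with the Client Credentials grant and use it to create an
OTHER_DIRECTORY, mirroring the Postman steps. Tenant URL, client ID and secret
are placeholders; endpoints, scope and Content-Type are the ones the page gives."""
import base64
import json
import urllib.parse
import urllib.request

DIRECTORY_CONTENT_TYPE = (
    "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
)


def build_token_request(tenant_url, client_id, client_secret):
    """POST /SAAS/auth/oauthtoken with grant_type=client_credentials and scope=admin.
    Assumption: the client ID and secret go in a Basic auth header (Postman's
    default), which also keeps the secret out of the URL and any URL-based logs."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "admin"})
    req = urllib.request.Request(
        f"{tenant_url.rstrip('/')}/SAAS/auth/oauthtoken", data=body.encode(), method="POST"
    )
    req.add_header("Authorization", f"Basic {credentials}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def build_directory_payload(name, domains):
    """Body from the page's sample; the domain must be unique within the tenant."""
    return {"type": "OTHER_DIRECTORY", "domains": list(domains), "name": name}


def build_directory_request(tenant_url, bearer_token, name, domains):
    """POST to the directoryconfigs endpoint with the vendor-specific Content-Type."""
    payload = build_directory_payload(name, domains)
    req = urllib.request.Request(
        f"{tenant_url.rstrip('/')}/SAAS/jersey/manager/api/connectormanagement/directoryconfigs",
        data=json.dumps(payload).encode(), method="POST",
    )
    req.add_header("Authorization", f"Bearer {bearer_token}")
    req.add_header("Content-Type", DIRECTORY_CONTENT_TYPE)
    return req


def send(req):
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def create_okta_directory(tenant_url, client_id, client_secret):
    """Runs both calls; returns the directory response and the token TTL (expires_in),
    so the caller can record when the Okta-side bearer token must be rotated."""
    token = send(build_token_request(tenant_url, client_id, client_secret))
    directory = send(build_directory_request(tenant_url, token["access_token"],
                                             "Okta Universal Directory", ["OKTA.COM"]))
    return directory, token.get("expires_in")
```

Run `create_okta_directory("https://example.vmwareidentity.com", "OktaSCIM", "<shared secret>")` against a real tenant; the returned expires_in is the same TTL the Important note above tells you to plan token rotation around.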