The main use cases supported by the Workspace ONE and Okta integration include enabling Workspace ONE login using Okta authentication, adding Okta applications to the Workspace ONE catalog, and enabling device trust and universal SSO across native and web applications.

Workspace ONE Login Using Okta

The Workspace ONE app, Workspace ONE Intelligent Hub app, and web portal can be configured to use Okta as a trusted identity provider, allowing end users to log in using Okta authentication policies. This use case also applies to VMware Horizon® customers who are using the Workspace ONE catalog to launch Horizon apps and desktops, but have not yet deployed Workspace ONE UEM to manage devices.

To implement this use case, configure the following:

  1. Configure Okta as an Identity Provider for Workspace ONE

Unified Catalog

The Workspace ONE catalog can be configured to publish applications federated through Okta, along with any other applications configured through Workspace ONE, such as Horizon and Citrix applications and desktops, and native applications powered by Workspace ONE UEM. This allows end users to go to a single app to discover, launch, or download their enterprise apps from any device with a consistent user experience.

Note: Okta SWA apps are not currently supported.

To implement this use case, configure the following:

  1. Configure Okta as an Identity Provider for Workspace ONE
  2. Configure Workspace ONE Access as an Identity Provider in Okta
  3. Configure Application Source in Workspace ONE Access
  4. Configure Okta Applications in Workspace ONE Access

Device Trust

Integrating Okta with Workspace ONE allows administrators to establish device trust by evaluating device posture, such as whether the device is managed by Workspace ONE UEM, before permitting end users to access sensitive applications. For iOS and Android devices, device posture policies are configured in Okta and evaluated each time a user logs in to a protected application.

For example, a device trust flow using the Salesforce application would follow this sequence for iOS and Android devices:

Device Trust flow diagram
  1. End user attempts to access the Salesforce tenant.
  2. Salesforce redirects to Okta as the configured identity provider.
  3. Okta processes the incoming request and routes the client to the Workspace ONE identity provider based on configured routing rules.
  4. Workspace ONE challenges the user for authentication using Mobile SSO for iOS or Mobile SSO for Android and redirects back to Okta with device trust status.
  5. Okta completes evaluation of the device trust policy.

    If the device is unmanaged, the user is prompted to enroll in Workspace ONE.

  6. If the device trust rule is satisfied by the SAML response received from Workspace ONE, Okta issues the SAML assertion for Salesforce.
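The following is an added example, not code from Okta, VMware, or the Workspace ONE product, that simulates the Okta-side half of the flow above: step 3 (routing iOS and Android clients to the Workspace ONE identity provider), step 4 (parsing the SAML response Workspace ONE returns), and steps 5 and 6 (deciding whether to issue the Salesforce assertion, send the user to enrollment, or deny). The attribute name `deviceManaged`, the issuer URL, the routing rule, and the decision labels are assumptions for illustration; the sample SAML response is constructed and unsigned, and a real evaluation verifies the XML signature before trusting any of its contents.

```python
"""Simulated Okta-side device-trust evaluation for the Workspace ONE flow.

Added example, not product code. The SAML attribute name (deviceManaged),
the issuer URL, the routing rule and the decision labels are assumptions.
The sample response is constructed and unsigned; a real evaluation must
verify the XML signature first (deliberately omitted here).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
DEVICE_ATTR = "deviceManaged"                 # hypothetical attribute name
WSONE_ISSUER = "https://wsone.example.com/idp"  # hypothetical issuer


def select_idp(user_agent: str) -> str:
    """Step 3: hypothetical routing rule. iOS and Android clients go to the
    Workspace ONE identity provider; everything else stays with Okta."""
    ua = user_agent.lower()
    if any(token in ua for token in ("iphone", "ipad", "android")):
        return "workspace-one"
    return "okta"


def build_wsone_response(user: str, managed: bool) -> str:
    """Constructed sample of the (unsigned) SAML response Workspace ONE
    would return to Okta after Mobile SSO authentication in step 4."""
    value = "true" if managed else "false"
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{WSONE_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{WSONE_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{DEVICE_ATTR}">
        <saml:AttributeValue>{value}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_device_trust(xml_text: str) -> dict:
    """Extract the status code, subject and device-managed attribute.
    managed is None when the attribute is absent so the policy can fail closed."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    subject = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    managed = None
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == DEVICE_ATTR:
            val = attr.find("saml:AttributeValue", NS)
            if val is not None and val.text is not None:
                managed = val.text.strip().lower() == "true"
    return {
        "success": status is not None and status.get("Value") == STATUS_SUCCESS,
        "subject": subject.text if subject is not None else None,
        "managed": managed,
    }


def evaluate_device_trust(xml_text: str) -> str:
    """Steps 5 and 6: 'issue' the Salesforce assertion, 'enroll' the user in
    Workspace ONE, or 'deny'. Any missing or failed signal denies."""
    info = parse_device_trust(xml_text)
    if not info["success"] or info["subject"] is None:
        return "deny"    # authentication at Workspace ONE did not succeed
    if info["managed"] is None:
        return "deny"    # no posture signal: fail closed rather than assume trust
    if not info["managed"]:
        return "enroll"  # unmanaged device: prompt enrollment in Workspace ONE
    return "issue"       # device trust rule satisfied


if __name__ == "__main__":
    print(select_idp("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"))
    print(evaluate_device_trust(build_wsone_response("alice@example.com", True)))
    print(evaluate_device_trust(build_wsone_response("alice@example.com", False)))
```

The point of the three-way result is that an absent or malformed posture attribute is treated the same as a failed authentication, not as "managed"; a routing rule that sends mobile clients to Workspace ONE is only as strong as the policy that refuses to issue the downstream assertion when that signal never arrives.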

The Device Trust use case requires end-to-end setup, covering all the procedures in this document. To implement this use case, configure the following:

  1. Configure Okta as an Identity Provider for Workspace ONE
  2. Configure Workspace ONE Access as an Identity Provider in Okta

    Establishes the SAML-based relationship with Workspace ONE that Okta uses for the device trust check.

  3. Configure Application Source in Workspace ONE Access
  4. Configure Okta Applications in Workspace ONE Access
  5. Configure identity provider routing rules and access policies.