VMware UAG: Okta SAML integration - pt.1


To add MFA to the authentication process, Okta SAML can be integrated with VMware UAG (Unified Access Gateway) to raise the security level of your Horizon VDI infrastructure.

SAML (Security Assertion Markup Language) is an XML-based standard for transferring identity data between two parties:

  • Identity provider (IdP) - Okta
  • Service provider (SP) - UAG

okta saml 1

picture from vmware

 

Blog series

VMware UAG: Okta SAML integration - configure Okta environment
VMware UAG: Okta SAML integration - configure SAML in Okta and UAG

 

Setup Okta environment

To configure the Okta platform you need to login to the Admin console first.

Using your preferred browser enter the URL https://okta.com and click Login to access the console. Enter your Username and click Next.

okta saml 2

Enter the correct Password and click Verify.

okta saml 3

Click Admin to begin the Okta environment configuration.

okta saml 4

The Okta dashboard.

okta saml 5

To leverage the MFA capability, Okta needs to be synced with Active Directory so that it can authenticate users during the login process to your VMware Horizon infrastructure.

 

Okta SAML Agent prerequisites

Before proceeding with Okta configuration, you need to meet some prerequisites.

To authenticate the users who need to access Horizon VDIs, you need to synchronize your Active Directory with Okta. This is achieved by installing an Okta Agent on an on-prem server.

okta saml 6

The server used must meet the following prerequisites:

  • The Windows Server can be virtual or physical.
  • 2 vCPUs and 8 GB RAM.
  • The Okta Agent can be installed on Windows Server 2016/2019/2022.
  • The server must be joined to the domain as a member. The host can be a member of any domain in the same forest.
  • .NET Framework 4.6.2 or later must be installed on the server.
  • An Okta service account is required to install and run the agent.

 

Download Okta Agent

From Okta Admin console, go to Directory > Directory Integrations area and click Add Active Directory.

okta saml 7

Click Set Up Active Directory.

okta saml 8

Click Download Agent.

okta saml 9

Once the Agent has been downloaded, you need to install it on your on-prem server to establish the connection to the Okta portal, using the URL and account shown in the Admin console.

okta saml 10

 

Create Active Directory Okta service account

Before proceeding with the Agent installation, you need to create the service account in your Active Directory (okta.service in the example) that will be used to run the Agent service.

okta saml 11

Assign the following permissions:

  • Add the Okta service account to the Pre-Windows 2000 Compatible Access group.

okta saml 12

  • Assign the Read all properties permission on the AD objects to sync.

okta saml 13

Make sure to include the Okta service account as a member of the local Administrators group on the on-prem server.
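The following PowerShell script is an added example (not part of the original post) that checks the on-prem server against the prerequisites and permissions listed above before you run the installer. It assumes the RSAT ActiveDirectory module is installed on the server and uses the post's example account name okta.service.

```powershell
# Added example: prerequisite check for the Okta AD Agent server.
# Assumptions: RSAT ActiveDirectory module available; service account named 'okta.service'.
$ServiceAccount = 'okta.service'
$results = [ordered]@{}

$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem
$results['Domain member']            = $cs.PartOfDomain
$results['>= 2 vCPUs']               = $cs.NumberOfLogicalProcessors -ge 2
# Reported physical memory is slightly below the nominal value, so allow a small margin.
$results['>= 8 GB RAM']              = $cs.TotalPhysicalMemory -ge 7.5GB
$results['Windows Server 2016/2019/2022'] = $os.Caption -match 'Server (2016|2019|2022)'

# .NET Framework 4.6.2 or later: the documented minimum Release DWORD for 4.6.2 is 394802.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.6.2+']    = ($null -ne $ndp) -and ($ndp.Release -ge 394802)

# Service account must be in the Pre-Windows 2000 Compatible Access domain group (nested membership counts).
Import-Module ActiveDirectory
$preWin2k = Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Recursive |
    Where-Object { $_.SamAccountName -eq $ServiceAccount }
$results['In Pre-Windows 2000 Compatible Access'] = [bool]$preWin2k

# Service account must be in the local Administrators group on this server.
$localAdmin = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -like "*\$ServiceAccount" }
$results['In local Administrators'] = [bool]$localAdmin

# Print one line per check; anything marked MISSING must be fixed before installing the Agent.
$results.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Run it in an elevated PowerShell session on the server that will host the Agent; the Read all properties permission on the synced OUs is not covered here and still has to be verified in the ACL of those OUs.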

okta saml 14

Log in to the on-prem server using the Okta service account and copy the Agent installer to it. Run the installer and click Next to begin the installation.

okta saml 15

Leave the default Installation folder and click Install.

okta saml 16

A required component is installed on the server.

okta saml 17

Specify the correct Domain name and click Next.

okta saml 18

If you have already created the service account, select the Use an alternate account that I specify option and enter both Username and Password. Click Next.

okta saml 19

If this message is displayed, make sure the service account is a member of the Pre-Windows 2000 Compatible Access AD group.

okta saml 20

Click Next.

okta saml 21

In the Enter Organization URL field, enter the URL as indicated in the Okta portal (https://trial-9648815.okta.com in the example). The URL can be customized once a valid license has been purchased. Click Next.

okta saml 22

Enter your Username and click Next.

okta saml 23

Enter the Password and click Verify.

okta saml 24

Click Allow Access to grant requested permissions.

okta saml 25

The Agent is being registered.

okta saml 26

Click Finish to close the installation wizard.

okta saml 27

Open the Okta AD Agent Management Utility and verify that the Agent is running.

okta saml 28

 

Configure AD in Okta portal

Move back to the Okta portal. Once the Agent has established the connection with the Okta portal, click Next.

okta saml 29

Select the OUs to sync Users and Groups from and leave the default Okta username format. Click Next.

okta saml 30

Click Next.

okta saml 31

Leave the default attributes and click Next.

okta saml 32

The Agent setup is complete. Click Done.

okta saml 33

 

Import Users and Groups in Okta

From the Directory Integrations area, select the Import tab and click Import Now.

okta saml 34

Since this is the first import, select Full import and click Import.

okta saml 35

The system starts importing Users and Groups from the selected OUs.

okta saml 36

After a few seconds, Users and Groups have been imported into Okta. Click OK.

okta saml 37

Now select users to assign to Okta and click Confirm Assignments.

okta saml 38

Enable the Auto-Activate users after confirmation checkbox and click Confirm.

okta saml 39

Selected Users have been assigned and confirmed.

okta saml 40

The setup of the Directory integration is now complete and Okta can synchronize the configured OUs.

Part 2 will cover the SAML configuration in Okta and UAG with a connection test to verify if everything works as expected.
