Let’s talk Okta
The past few weeks I have been focussing a lot on Okta. This is mainly due to the availability of the SCIM provisioning of users and groups from Okta to Workspace ONE. Okta is one of the leading cloud identity providers. Before the availability of the SCIM adapter it was already possible to use Okta as a third party identity provider (IdP). So what has changed?
Everything has changed
Everything has changed! Let’s go back a bit. Before SCIM provisioning into Workspace ONE was available, we needed another way of getting our Okta users into Workspace ONE. We had two ways of doing this: use the on-premise connector and sync a directory, or we could use JIT (Just-in-Time) creation of users. The latter one had one big downside, and that is that it did not support group memberships. All Workspace ONE environments that I’ve seen required groups for something, so JIT wasn’t a realistic option in my honest opinion.
So, really the only option we had before was to integrate our on-premises directory. This would most likely be Active Directory, but really any LDAP directory would suffice. This meant that for most environments you would need:
- Two or more Domain Controllers
- Two or more cloud connectors
For a company that has shifted to SaaS based services, and has been able to decommission most of their server environment, this may feel a bit unnecessary. And thanks to the great work that VMware and Okta together did, it now is!
At last! Provisioning
Basically, you now have got an extra tab on your Workspace ONE application from the Okta Integration Network in your Okta console. On this tab you configure what’s called the “API integration“. To do this there’s a thorough guide you can follow on the VMware docs website: link.
After you have configured this, two things happen:
- Users that are assigned to the application get pushed into Workspace ONE
- You can now push Okta groups to Workspace ONE (!!!!)
Let’s see this in action shall we?
What stands out? First of all: Okta’s UI is very user friendly. Creating users can be done with little to no IT knowledge. For small companies, this is great! Second: this process is very fast. We’re talking seconds here, you don’t have to wait for the next sync interval. When the user is created in Okta, the SCIM provisioning happens instantaneous. Third: the users lifecycle is completely managed!
What do I mean by this? Did you notice that the user is deleted from the “EUC Tech Topics” group from Workspace ONE? This means that SCIM provisioning not only does its magic on user creating, but also on any modification!
This is exactly what most of us were waiting for for a long time. Having it finally available in production is absolutely amazing. The last few weeks I have spent most of my days navigating the Okta admin console tinkering around with all the settings. A while ago I already passed the Okta Certified Professional exam. And today I felt that I was ready to give the next one a shot: Okta Certified Administrator. And guess what… I passed it! For anyone considering the Okta exams I wholeheartedly recommend them. Make sure you spend a lot of time in the console. You can of course get your free Okta trial tenant here.
(tip: also make sure to get a fully fledged Office 365 Developer tenant here – they are valid for 90 days and get renewed automatically if you are actively using it)
Thank you again for reading this post. Make sure to comment down below if you have anything to share on this!