VMware UAG integration with OKTA SAML

Further in the category after Azure SAML integration, I will be discussing about SAML integration of UAG with OKTA IdP. This can be achieved by following the below three steps which are explained in detail below:

  • OKTA IdP configuration UAG details as per your organization
  • Upload SAML Metadata from IDP to UAG
  • Configure Horizon Settings on UAG for SAML Integration

Setup Details:
Horizon 7.11 or higher configured with UAG 3.8 or higher.
Portal ID: https://<PublicIP/DomainName>/portal
Portal SSO URL: https://<PublicIP/DomainName>/portal/samlsso
OKTA integrated with with same Ad as does Horizon.

  • Login to okta admin console and navigate to Applications > Add Application
  • Click on Create New App
  • Select Platform as Web and Sign on method as SAML 2.0
  • Enter App Name and upload App Logo (Optional) and click Next
  • Enter below parameter and click Next
    • Single sign in URL: https://<PublicIP/DomainName>/portal/samlsso
    • Audience URI: https://<PublicIP/DomainName>/portal/saml
  • Select option as per your eligibility and click Finish
  • In application console, Navigate to Assignments > Assign and select the users to whom you want to allow access to this application and click Done
    Note: You can assign permission to groups as well by going to Group tab.
  • Click on Back to Applications
  • Verify application is listed under ACTIVE
  • Login into UAG and click on gear icon for Upload Identity Provider Metadata under Identity Bridging Settings
  • Click on Select
  • Select the metadata file and click on Save
  • Navigate the Edge Service Settings and click on gear icon for Horizon Settings
  • Scroll down and click on More in Horizon Settings
  • You will see new parameters, select the below mentioned value and Click on Finish.Auth Methods: SAML or SAML and Passthrough (Depeding on usecase)
  • Identity Provider: https://www.okta.com

With this we are done with SAML Integration of UAG with OKTA identity provider. You can now test your application. in case you want to leverage on MFA, same need to be enabled on PingOne for desired users and policy need to be created for the same.

Related Post