Okta LDAP Interface integration with Workspace ONE UEM

Okta offers the Universal Directory, a user management system that provides a single view of all integrated directories, including Okta's own internal user directory.

When integrating Workspace ONE UEM with Okta, we can use the LDAP Interface, a component that lets LDAP-speaking applications connect to the Okta Universal Directory without any additional on-premises agents or connectors. The interface is a cloud endpoint reached over LDAPS, so the UEM side needs outbound access to it on TCP 636.

Once the interface is enabled (refer to Okta's documentation or support on how to do this), the connection parameters are shown in the Okta console under Directory / Directory Integrations / LDAP Interface.

To integrate the Okta Universal Directory with Workspace ONE UEM, log in to the UEM console and navigate to Settings > System > Enterprise Integration > Directory Services. Select Skip wizard and configure manually to reach the configuration page.

Below are the settings I used to configure it in my test environment:

Server Tab

Server: <"Host" retrieved from the Okta LDAP Interface>
Encryption Type: SSL
Port: 636
Protocol Version: 3
Use Service Account Credentials: Disabled
Bind Authentication Type: Basic
Bind Username: <Distinguished Name of the Bind User; use a dedicated Okta account created for this integration, since its password is stored by UEM>
Clear Bind Password: Unchecked
Bind Password: <Password for Bind User>
Domain: <Domain Name>

User Tab

Base DN: <"User Base DN" retrieved from the Okta LDAP Interface>

User Object Class: inetOrgPerson
User Search Filter: (&(objectClass=inetOrgPerson)(uid={EnrollmentUser}))

Expand the Advanced option in order to configure the Attribute mapping:

Object Identifier: uniqueIdentifier
Username: uid
Full Name: cn
User Principal Name: uid
Binding Attribute: distinguishedName

Group Tab

Base DN: <"Group Base DN" retrieved from the Okta LDAP Interface>

Group Object Class: groupOfUniqueNames
Organizational Unit Object Class: organizationalUnit

Expand the Advanced option:

Group Search Filter: (&(objectClass=groupOfUniqueNames)(cn=*))
Membership Attribute: User Attribute(“Member of”)
Auto Sync Default: Checked
Auto Merge Default: Checked

Test the connection from the Server tab, then confirm that a user lookup and a group lookup return results before adding users and groups to the UEM console. A bind that succeeds but returns no entries usually points at a wrong Base DN or search filter rather than at the credentials.
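Before filling in the UEM form, it helps to reproduce the same bind, user lookup and group lookup from a shell, so a failing connection can be debugged outside the UEM console. The script below is an added example, not part of the original post or of Okta's or VMware's documentation. It uses OpenLDAP's ldapsearch with the Server tab settings (LDAPS on 636, protocol version 3, simple bind as the bind user) and the User and Group tab filters; the host, bind DN and base DNs are hypothetical placeholders and must be replaced with the values shown under Directory / Directory Integrations / LDAP Interface. It also escapes the enrollment username before substituting it into the user search filter, which any code that builds a filter from user-supplied input must do.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the Okta
# LDAP Interface with OpenLDAP's ldapsearch, using the same host, port,
# base DNs and search filters the UEM Directory Services page needs.
# Host, bind DN and base DNs are hypothetical placeholders; take the real
# values from Directory / Directory Integrations / LDAP Interface.
set -eu

OKTA_LDAP_HOST="${OKTA_LDAP_HOST:-example.ldap.okta.com}"   # "Host" from Okta (placeholder)
OKTA_BIND_DN="${OKTA_BIND_DN:-uid=uem-svc@example.com,ou=users,dc=example,dc=okta,dc=com}"
OKTA_USER_BASE_DN="${OKTA_USER_BASE_DN:-ou=users,dc=example,dc=okta,dc=com}"
OKTA_GROUP_BASE_DN="${OKTA_GROUP_BASE_DN:-ou=groups,dc=example,dc=okta,dc=com}"

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Without this, an enrollment username such as "*)(uid=*" would turn the
# user lookup into a wildcard match instead of an exact uid match.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The User Search Filter from the UEM User tab, with {EnrollmentUser} filled in.
uem_user_filter() {
    printf '(&(objectClass=inetOrgPerson)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# The Group Search Filter from the UEM Group tab; with no argument it keeps
# the cn=* wildcard from the page, otherwise it matches one escaped group name.
uem_group_filter() {
    if [ "${1:-}" = "" ]; then
        printf '(&(objectClass=groupOfUniqueNames)(cn=*))'
    else
        printf '(&(objectClass=groupOfUniqueNames)(cn=%s))' "$(ldap_filter_escape "$1")"
    fi
}

# Shared ldapsearch options: LDAPS on 636 (Encryption Type SSL / Port 636),
# protocol version 3, simple bind as the bind user. -W prompts for the bind
# password so it never lands in the shell history or in `ps` output.
okta_ldapsearch() {
    ldapsearch -LLL -x -P 3 -H "ldaps://${OKTA_LDAP_HOST}:636" \
        -D "$OKTA_BIND_DN" -W "$@"
}

# 1. Does the bind work, and does the user filter return exactly the
#    enrollment user with the attributes mapped on the User tab?
check_user() {
    okta_ldapsearch -b "$OKTA_USER_BASE_DN" -s sub "$(uem_user_filter "$1")" \
        uid cn uniqueIdentifier memberOf
}

# 2. Are the groups visible under the Group Base DN with their members?
check_groups() {
    okta_ldapsearch -b "$OKTA_GROUP_BASE_DN" -s sub "$(uem_group_filter "${1:-}")" \
        cn uniqueMember
}

# The live checks only run when invoked as:
#   sh okta_ldap_check.sh run <enrollment-user> [group-cn]
if [ "${1:-}" = "run" ]; then
    check_user "$2"
    check_groups "${3:-}"
fi
```

Run it as `sh okta_ldap_check.sh run jdoe@example.com`; it prompts for the bind password rather than taking it on the command line. A user lookup that returns exactly one entry with uid, cn, uniqueIdentifier and memberOf populated means the attribute mapping on the User tab will resolve; a group lookup that lists entries with uniqueMember values under the Group Base DN means the Group tab filter is correct. If the bind itself fails, check outbound access to TCP 636 on the Okta host and the bind DN before changing anything in the UEM settings.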

For this configuration, I used the following documentation as a reference:

https://help.okta.com/en/prod/Content/Topics/Directory/LDAP-interface-connection-settings.htm
https://help.okta.com/en/prod/Content/Topics/Directory/LDAP-interface-enable.htm