Extending the Workspace ONE Application in Okta for Additional Attributes

In Workspace ONE Access, you might have configured additional attributes and would like to populate those attributes from your source of truth such as Okta.


Perhaps it's a single attribute:

Screen Shot 08-20-20 at 02.53 PM.PNG

Or maybe you have many attributes:


Screen Shot 08-20-20 at 02.55 PM.PNG


When these attributes are created in Workspace ONE Access, they are created in a custom schema.  The schema is in the following format:




The TENANT will be replaced by your actual tenant name, such as “urn:scim:schemas:extension:workspace:tenant:dsas:1.0”.


If you are unsure, I recommend using Postman to query the user with the GET API, e.g. {{tenant_url}}/SAAS/jersey/manager/api/scim/Users?filter=userName%20eq%20%22steve%22


Here is a sample Postman query that I’ll use as my guideline. Note: this step is not required, but I will use it to demonstrate my approach.


Screen Shot 08-20-20 at 02.59 PM.PNG
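
The same lookup can be scripted. The following is an added example, not part of the original post: it builds the GET URL shown above, extracts the tenant extension schema from a response, and reports attributes that are still empty after provisioning. The response shape, the host name, and the costCenter attribute are assumptions made for illustration.

```python
import json
import re
from urllib.parse import quote

# URN shape taken from the post's example; only the tenant segment varies.
TENANT_SCHEMA = re.compile(r"^urn:scim:schemas:extension:workspace:tenant:([^:]+):1\.0$")

def user_query_url(tenant_url, user_name):
    """Build the GET URL from the post with the filter percent-encoded."""
    if '"' in user_name or "\\" in user_name:
        raise ValueError("user name must not contain quotes or backslashes")
    flt = quote(f'userName eq "{user_name}"', safe="")
    return f"{tenant_url.rstrip('/')}/SAAS/jersey/manager/api/scim/Users?filter={flt}"

def custom_attributes(scim_response):
    """Map userName -> (schema URN or None, attributes) for every returned user."""
    result = {}
    for user in scim_response.get("Resources", []):
        entry = (None, {})
        for key, value in user.items():
            if TENANT_SCHEMA.match(key) and isinstance(value, dict):
                entry = (key, value)
        result[user.get("userName")] = entry
    return result

def missing_attributes(scim_response, expected):
    """List expected attributes that are absent or empty, per user."""
    gaps = {}
    for name, (_, attrs) in custom_attributes(scim_response).items():
        absent = [a for a in expected if not attrs.get(a)]
        if absent:
            gaps[name] = absent
    return gaps

# Constructed sample response (assumed shape, not captured from a real tenant).
SAMPLE = json.loads("""
{"totalResults": 1, "Resources": [{
  "schemas": ["urn:scim:schemas:core:1.0",
              "urn:scim:schemas:extension:workspace:tenant:dsas:1.0"],
  "userName": "steve",
  "urn:scim:schemas:extension:workspace:tenant:dsas:1.0": {
    "objectGUID": "00000000-0000-0000-0000-000000000000", "costCenter": ""}
}]}
""")

if __name__ == "__main__":
    print(user_query_url("https://tenant.example.com", "steve"))
    for user, (schema, attrs) in custom_attributes(SAMPLE).items():
        print(user, schema, sorted(attrs))
    print(missing_attributes(SAMPLE, ["objectGUID", "costCenter"]))
```

Running the check again after "Apply Updates Now" shows whether each mapped attribute actually arrived in Workspace ONE Access.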


Now that we know how attributes are stored in Workspace ONE Access, let's configure Okta to send these attributes:


  1. Open the Workspace ONE Application in Okta
  2. Click on the Provisioning Tab
  3. Click on “Go to Profile Editor”
  4. Click Add Attribute
  5. Enter the Display Name, Variable Name and External Name exactly as the attribute was created in WS1 Access (e.g. objectGUID).
  6. Enter the custom schema as we noted above. Make sure your tenant name is included correctly.
  7. Check the “User personal” checkbox under Scope
  8. Click Save
  9. Repeat this process for all the attributes you want to provision.
  10. Click on Mappings
  11. Click on the Okta User to VMware Workspace ONE Tab (Note: My image below is slightly different as I’ve renamed my application)
    Screen Shot 08-20-20 at 03.12 PM.PNG
  12. Select the correct attribute to map. In my environment, I’m mapping the ExternalID to the objectGUID.
    Note: You can get the AD objectGUID using: findDirectoryUser().externalId
  13. Click Save Mappings
  14. Click Apply Updates Now
