You can add applications that use the OpenID Connect authentication protocol to Workspace ONE Access and manage them like any other application in the catalog. You can apply an access policy to each application to specify how users are authenticated based on criteria such as network range and device type. After you add the application, you assign it to users and groups.
To add an OpenID Connect application, you specify the application's target URL, redirect URL, client ID, and client secret.
- Grant type: authorization_code, refresh_token
- Scope: admin, openid, user
- Display user grant: false
- Access token time-to-live (TTL): 3 hours
- Refresh token time-to-live (TTL): Enabled and set to 90 days
- Refresh token idle time-to-live (TTL): 4 days
You can view the OAuth 2.0 client for the application from the Clients tab on the page. Click the client name to view the configuration information. Do not edit any fields in the client.
When you delete the application from the catalog, the OAuth 2.0 client is also deleted.
Authentication Flow when Application is Accessed from Workspace ONE
When a user clicks the application in Workspace ONE, the authentication flow is as follows:
- The user clicks the application in Workspace ONE.
- Workspace ONE Access redirects the user to the target URL.
- The application redirects the user to Workspace ONE Access with an authorization request.
- Workspace ONE Access authenticates the user based on the authentication policy that you specified for the application.
- Workspace ONE Access checks whether the user is entitled to the application.
- Workspace ONE Access sends the authorization code to the redirect URL.
- Using the authorization code, the application requests the access token.
- Workspace ONE Access sends the ID token, access token, and refresh token to the application.
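The relying-party side of the authorization code flow above, as an added example that is not part of the original documentation or Workspace ONE Access itself: it builds the authorization request (step 3), checks the state on the redirect carrying the code (step 6), and validates the claims of the returned ID token (step 8). The issuer URL, endpoint path, client ID and redirect URL are assumed placeholders; real values come from the OAuth 2.0 client created for the application.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values (not from the page): a hypothetical tenant issuer, a placeholder client ID
# and the application's redirect URL. Real values come from the client created in the catalog.
ISSUER = "https://tenant.example.com/SAAS/auth"
AUTHZ_ENDPOINT = ISSUER + "/oauth2/authorize"
CLIENT_ID = "example-app"
REDIRECT_URI = "https://app.example.com/callback"

def build_authorization_request(state, nonce):
    """Application -> IdP authorization request. state binds the response to this browser
    session and nonce binds the ID token to this request; both must be unguessable."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid user", "state": state, "nonce": nonce}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def extract_code(callback_url, expected_state):
    """The authorization code arrives at the redirect URL; refuse it unless state matches."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    return query["code"][0]

def decode_claims(id_token):
    """Decode the payload of a compact JWT. The signature must be verified separately against
    the provider's published signing keys before these claims are trusted."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_id_token_claims(claims, expected_nonce, now):
    """Checks the relying party makes on the ID token returned with the tokens; returns sub."""
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this request")
    return claims["sub"]
```

The access token TTL listed for the client applies to the access token returned alongside the ID token; the relying party still has to check the ID token's own exp claim as shown.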
Authentication Flow when Application is Accessed Directly from Service Provider
When a user accesses the application directly from the service provider, the authentication flow is as follows:
- The user clicks the application.
- The user is redirected to Workspace ONE Access for authentication.
- Workspace ONE Access authenticates the user based on the authentication policy that you specified for the application.
- Workspace ONE Access checks whether the user is entitled to the application.
- Workspace ONE Access sends an ID token to the service provider.