Identity Provider Name | Enter a friendly name for this OpenID Connect identity provider instance.
Authentication Configuration | Select Auto Discovery if the identity provider publishes its endpoint configuration at the well-known OpenID Connect URL. Enter the URL as https://{oauth-provider-hostname}/{local-oauth-api-path}/.well-known/openid-configuration. Select Manual Configuration to enter the OpenID Connect endpoint URLs yourself, when Auto Discovery is not possible or the published document contains incorrect information. Auto Discovery fills in the following endpoint URLs; for Manual Configuration, enter each of them.
- Authorization Endpoint URL: where the authorization code is obtained, using the authorization code grant.
- Token Endpoint URL: where access tokens and refresh tokens are obtained.
- Issuer Identifier URL: the URL of the entity that issues the claims. It must match the iss claim in the tokens the provider sends.
- JWKS URL: the URL of the authorization server's public keys in JSON Web Key Set (JWKS) format, used to verify the signatures of the tokens it issues.
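The following is an added example, not code from Workspace ONE Access or the identity provider, of what Auto Discovery has to do before the four endpoint values above can be trusted: fetch the well-known document under the issuer, check that the issuer inside the document matches the issuer it was fetched from, check that every endpoint is https, and fall back to the same checks on administrator-entered values for Manual Configuration. The hostname idp.example.com, the /oauth2 path and the discovery document itself are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what the provider's well-known document might
# return. The hostname idp.example.com and the /oauth2 path are assumptions.
SAMPLE_ISSUER = "https://idp.example.com/oauth2"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/keys",
    "response_types_supported": ["code"],
})

# The four values the Authentication Configuration form needs, keyed by the
# form label, with the discovery-document field that supplies each one.
REQUIRED = {
    "Authorization Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "Issuer Identifier URL": "issuer",
    "JWKS URL": "jwks_uri",
}


def discovery_url(issuer: str) -> str:
    """Well-known URL for an issuer (OIDC Discovery 4.1): the suffix is
    appended to the issuer path without doubling the slash."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def endpoints_from_discovery(issuer: str, document: str) -> dict:
    """Return the four form values from a discovery document fetched from
    `issuer`, or raise ValueError if the document should not be trusted."""
    doc = json.loads(document)
    missing = [field for field in REQUIRED.values() if field not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    # OIDC Discovery 4.3: the issuer inside the document must equal the
    # issuer it was fetched from. A mismatch means a misconfigured or
    # hostile host is handing out endpoints for some other issuer.
    if doc["issuer"].rstrip("/") != issuer.rstrip("/"):
        raise ValueError(
            f"issuer mismatch: fetched from {issuer}, document says {doc['issuer']}")
    result = {}
    for label, field in REQUIRED.items():
        url = doc[field]
        parsed = urlparse(url)
        # Authorization codes, tokens and signing keys travel over these
        # URLs, so refuse anything that is not https.
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError(f"{label} must be an https URL, got {url!r}")
        result[label] = url
    return result


def endpoints_manual(authorization: str, token: str, issuer: str, jwks: str) -> dict:
    """Manual Configuration path: the same checks applied to values typed in
    by the administrator instead of fetched from the provider."""
    entered = {"authorization_endpoint": authorization, "token_endpoint": token,
               "issuer": issuer, "jwks_uri": jwks}
    return endpoints_from_discovery(issuer, json.dumps(entered))


def with_field(document: str, field: str, value: str) -> str:
    """Return a copy of the document with one field replaced, to try out
    what a bad provider response looks like."""
    doc = json.loads(document)
    doc[field] = value
    return json.dumps(doc)


def is_trusted(issuer: str, document: str) -> bool:
    """True when the document passes every check above."""
    try:
        endpoints_from_discovery(issuer, document)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    for label, url in endpoints_from_discovery(SAMPLE_ISSUER, SAMPLE_DISCOVERY_JSON).items():
        print(f"{label}: {url}")
```

The issuer comparison is the check that matters most: a discovery document whose issuer differs from the URL it was fetched from would point Workspace ONE Access at a token endpoint and key set that belong to someone else, and the mismatch is also what "contains incorrect information" usually looks like in practice.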
Pass through Claims | Enable pass through claims to support the use of non-standard OpenID Connect claims. The third-party OpenID Connect identity provider sends the non-standard claims to Workspace ONE Access, which adds them to the token that it generates.
Client ID | The Client ID generated by the identity provider, which uniquely identifies Workspace ONE Access to that provider.
Client Secret | The client secret generated by the OpenID Connect identity provider. This secret is known only to the identity provider and the Workspace ONE Access service. If the client secret is changed on the identity provider, update it in Workspace ONE Access as well.
User Lookup Attributes | In the Open ID User Identifier Attribute column, select the identity provider attribute to map to each Workspace ONE Access User Identifier attribute. The mapped attribute values are used to look up the user account in Workspace ONE Access. You can also add a custom third-party attribute and map it to a user attribute value in the Workspace ONE Access service.
Enable JIT Provisioning | When Just-in-Time provisioning is enabled, users are created in Workspace ONE Access, and updated dynamically, when they log in, based on the token sent by the identity provider. If you enable JIT, configure the following.
- Directory Name. Enter the name of the JIT directory to which user accounts are added.
- Domains. Enter the domains that authenticated users belong to. If more than one domain is configured, the token sent to Workspace ONE Access must carry the user's domain.
- Map the User Attributes. Click + to map OpenID claims to Workspace ONE Access attributes. These values are set when the user account is created in the Workspace ONE Access directory.
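The three settings that act on the token's claims (User Lookup Attributes, Pass through Claims, and the JIT Directory Name, Domains and attribute map above) are easier to reason about as one pipeline. The following is an added example, not Workspace ONE Access code, that takes a constructed set of ID-token claims and applies each setting in turn, including the failure case where more than one domain is configured and the token does not say which one the user belongs to. The claim names, the "domain" claim, the attribute names, the directory name OIDC-JIT and the domains are all assumptions.

```python
# Constructed ID-token claims as the provider might send them after a
# successful login: standard OIDC claims plus one non-standard claim,
# "department". Names and values are assumptions.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com/oauth2",
    "sub": "8f2c1b",
    "email": "jdoe@corp.example",
    "preferred_username": "jdoe",
    "given_name": "Jane",
    "family_name": "Doe",
    "department": "security",
}

# Claims defined by OpenID Connect Core; anything else counts as
# "non-standard" for the purposes of the pass-through setting.
STANDARD_CLAIMS = {
    "iss", "sub", "aud", "exp", "iat", "auth_time", "nonce", "azp", "at_hash",
    "name", "given_name", "family_name", "preferred_username", "email",
    "email_verified",
}


def lookup_key(claims: dict, claim_name: str, user_identifier_attribute: str) -> dict:
    """User Lookup Attributes: the selected claim's value is what the
    service searches for. Without that claim the user cannot be found."""
    if claim_name not in claims:
        raise KeyError(f"token carries no {claim_name!r} claim to look the user up with")
    return {user_identifier_attribute: claims[claim_name]}


def resolve_domain(claims: dict, domains: list, domain_claim: str = "domain") -> str:
    """Domains: a single configured domain is implied; with more than one,
    the token must say which, and it must be one of the configured domains.
    The claim name "domain" is an assumption for this example."""
    if len(domains) == 1:
        return domains[0]
    token_domain = claims.get(domain_claim)
    if token_domain is None:
        raise ValueError("more than one domain is configured but the token carries no domain")
    if token_domain not in domains:
        raise ValueError(f"token domain {token_domain!r} is not a configured domain")
    return token_domain


def jit_user(claims: dict, directory: str, domains: list, attribute_map: dict,
             pass_through: bool = False) -> dict:
    """Build the account JIT would create or update. attribute_map maps an
    OpenID claim name to the Workspace ONE Access attribute it populates."""
    user = {"directory": directory, "domain": resolve_domain(claims, domains)}
    for claim_name, attribute in attribute_map.items():
        if claim_name in claims:
            user[attribute] = claims[claim_name]
    if pass_through:
        # Pass through Claims: non-standard claims are carried into the
        # token the service generates, kept apart from directory attributes.
        user["passThroughClaims"] = {
            name: value for name, value in claims.items() if name not in STANDARD_CLAIMS
        }
    return user


def jit_error(claims: dict, directory: str, domains: list, attribute_map: dict):
    """The reason JIT would refuse this login, or None if it would succeed."""
    try:
        jit_user(claims, directory, domains, attribute_map)
        return None
    except (ValueError, KeyError) as exc:
        return str(exc)


if __name__ == "__main__":
    print(lookup_key(SAMPLE_CLAIMS, "email", "userName"))
    print(jit_user(SAMPLE_CLAIMS, "OIDC-JIT", ["corp.example"],
                   {"preferred_username": "userName", "given_name": "firstName",
                    "family_name": "lastName", "email": "email"}, pass_through=True))
    print(jit_error(SAMPLE_CLAIMS, "OIDC-JIT", ["corp.example", "lab.example"], {}))
```

The point of keeping pass-through claims separate from the mapped attributes is that they end up in the token Workspace ONE Access issues, not in the directory record, so a non-standard claim the provider adds later cannot silently overwrite an attribute you mapped on purpose.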
Users | If you do not enable JIT provisioning, select the directories that contain the users who can authenticate using this identity provider.
Network | The network ranges already configured in the service are listed. Select the network ranges whose users, based on their IP addresses, you want to direct to this identity provider instance for authentication.
Authentication Method Name | Enter a name to identify the third-party OpenID Connect authentication method in the access policy. When you create the access policy rules, you select this authentication method to redirect users to authenticate against the OpenID Connect authorization server.