You can add applications that use the OpenID Connect authentication protocol to VMware Identity Manager and manage them like any other application in the catalog. You can apply an access policy to each application to specify how users are authenticated based on criteria such as network range and device type. After you add the application, you assign it to users and groups.

To add an OpenID Connect application, you specify the application's target URL (the address VMware Identity Manager sends the user to when the application is launched), redirect URL (the application endpoint that receives the authorization code), client ID, and client secret.

When you add an OpenID Connect application to the catalog, an OAuth 2.0 client is automatically created in VMware Identity Manager for the application. The client is created with the configuration information you specify while adding the application, which includes the target URL, redirect URL, client ID, and client secret. All other parameters use default values. These include:
  • Grant type: authorization_code, refresh_token
  • Scope: admin, openid, user
  • Display user grant: false
  • Access token time-to-live (TTL): 3 hours
  • Refresh token time-to-live (TTL): Enabled and set to 90 days
  • Refresh token idle time-to-live (TTL): 4 days

You can view the OAuth 2.0 client for the application from the Clients tab on the Catalog > Settings > Remote App Access page. Click the client name to view the configuration information. Do not edit any fields in the client.

Important: Do not delete the OAuth 2.0 client associated with the application or the application will no longer be available to users.

When you delete the application from the catalog, the OAuth 2.0 client is also deleted.

Authentication Flow when Application is Accessed from Workspace ONE

When a user clicks the application in Workspace ONE, the authentication flow is as follows:

  1. The user clicks the application in Workspace ONE.
  2. VMware Identity Manager redirects the user to the target URL.
  3. The application redirects the user to VMware Identity Manager with an authorization request.
  4. VMware Identity Manager authenticates the user based on the authentication policy that you specified for the application.
  5. VMware Identity Manager checks whether the user is entitled to the application.
  6. VMware Identity Manager sends the authorization code to the redirect URL.
  7. Using the authorization code, the application requests the access token.
  8. VMware Identity Manager sends the ID token, access token, and refresh token to the application.

Authentication Flow when Application is Accessed Directly from Service Provider

When a user accesses the application directly from the service provider, the authentication flow is as follows:

  1. The user clicks the application.
  2. The user is redirected to VMware Identity Manager for authentication.
  3. VMware Identity Manager authenticates the user based on the authentication policy that you specified for the application.
  4. VMware Identity Manager checks whether the user is entitled to the application.
  5. VMware Identity Manager sends an ID token to the service provider.
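The following Python program is an added example written for this page; it is not VMware documentation code and not part of VMware Identity Manager. It simulates, in one process and with no network access, the authorization-code exchange described in the two flows above: a Provider class stands in for VMware Identity Manager (registered client, entitlement check, authorization and token endpoints) and a RelyingParty class stands in for the catalog application (authorization request with state and nonce, code exchange with the client secret, ID token validation). The tenant host, endpoint path, client ID, client secret and redirect URL are assumed values, and the ID token is HS256-signed with the client secret so that the example needs only the standard library; a real deployment verifies ID tokens against the provider's published signing key, not a shared secret.

```python
# Constructed example: relying party (the catalog application) and an OpenID
# provider standing in for VMware Identity Manager, in one process, no network.
# Host, endpoint path, client ID and secret are assumed; the ID token is
# HS256-signed with the client secret (OIDC Core 10.1) to stay stdlib-only.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idm.example.com"                        # assumed tenant URL
AUTHZ_ENDPOINT = ISSUER + "/SAAS/auth/oauth2/authorize"   # assumed path
CLIENT_ID = "catalog-app"                                 # client ID entered in the catalog
CLIENT_SECRET = "catalog-app-secret"                      # client secret entered in the catalog
REDIRECT_URI = "https://app.example.com/oidc/callback"    # redirect URL entered in the catalog
ACCESS_TOKEN_TTL = 3 * 3600                               # default access token TTL: 3 hours


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign_hs256(claims, key):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def jwt_verify_hs256(token, key):
    header, body, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # refuse alg=none and key-confusion tokens
    mac = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))


class Provider:
    """Stand-in for VMware Identity Manager: client check, entitlement check, code and token issue."""

    def __init__(self, entitled_users):
        self.entitled = set(entitled_users)
        self.codes = {}   # one-time authorization code -> (subject, nonce)

    def authorize(self, request_url, authenticated_user):
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise PermissionError("request does not match the registered client")
        if authenticated_user not in self.entitled:
            raise PermissionError("user is not entitled to the application")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (authenticated_user, q["nonce"])
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, client_secret):
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        if code not in self.codes:
            raise PermissionError("unknown or already used authorization code")
        subject, nonce = self.codes.pop(code)   # single use: a replayed code fails
        now = int(time.time())
        id_token = jwt_sign_hs256({"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                                   "nonce": nonce, "iat": now, "exp": now + 300}, CLIENT_SECRET)
        return {"id_token": id_token, "expires_in": ACCESS_TOKEN_TTL,
                "access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32)}


class RelyingParty:
    """The catalog application: authorization request, code exchange, ID token validation."""

    def __init__(self):
        self.pending = {}   # state -> nonce for each login attempt in progress

    def start_login(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid user", "state": state, "nonce": nonce})

    def finish_login(self, callback_url, provider):
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if q.get("state") not in self.pending:
            raise PermissionError("unknown state: possible CSRF or replayed callback")
        nonce = self.pending.pop(q["state"])
        tokens = provider.token(q["code"], CLIENT_ID, CLIENT_SECRET)
        claims = jwt_verify_hs256(tokens["id_token"], CLIENT_SECRET)
        if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
            raise PermissionError("ID token issued for another issuer or client")
        if claims["nonce"] != nonce or claims["exp"] <= int(time.time()):
            raise PermissionError("ID token replayed or expired")
        return {"user": claims["sub"], "access_token": tokens["access_token"],
                "refresh_token": tokens["refresh_token"], "expires_in": tokens["expires_in"]}


def run_flow(user="alice", entitled=("alice",)):
    idm, app = Provider(entitled), RelyingParty()
    return app.finish_login(idm.authorize(app.start_login(), user), idm)
```

run_flow() drives one complete login, from the authorization request through the token response, and returns the session the application would keep. The same exchange serves the direct-access flow: there the application itself starts the login instead of being launched from Workspace ONE. The checks worth keeping in mind when reviewing a real application are the ones the example makes explicit: the callback is rejected unless its state matches a login the application started, the authorization code is accepted once and once only, the ID token's signature, issuer, audience, nonce and expiry are all validated, and a token whose header names an unexpected algorithm is refused before any signature check.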