You can add applications that use the OpenID Connect authentication protocol to VMware Identity Manager and manage them like any other application in the catalog. You can apply an access policy to each application to specify how users are authenticated based on criteria such as network range and device type. After you add the application, you assign it to users and groups.
To add an OpenID Connect application, you specify the application's target URL, redirect URL, client ID, and client secret. The OAuth 2.0 client that is created for the application uses the following settings:
- Grant type: authorization_code, refresh_token
- Scope: admin, openid, user
- Display user grant: false
- Access token time-to-live (TTL): 3 hours
- Refresh token time-to-live (TTL): Enabled and set to 90 days
- Refresh token idle time-to-live (TTL): 4 days
You can view the OAuth 2.0 client for the application from the Clients tab on the page. Click the client name to view the configuration information. Do not edit any fields in the client.
When you delete the application from the catalog, the OAuth 2.0 client is also deleted.
Authentication Flow when Application is Accessed from Workspace ONE
When a user clicks the application in Workspace ONE, the authentication flow is as follows:
- The user clicks the application in Workspace ONE.
- VMware Identity Manager redirects the user to the target URL.
- The application redirects the user to VMware Identity Manager with an authorization request.
- VMware Identity Manager authenticates the user based on the authentication policy that you specified for the application.
- VMware Identity Manager checks whether the user is entitled to the application.
- VMware Identity Manager sends the authorization code to the redirect URL.
- Using the authorization code, the application requests the access token.
- VMware Identity Manager sends the ID token, access token, and refresh token to the application.
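The relying-party side of the authorization code flow listed above, as an added example (not VMware code and not what VMware Identity Manager emits): the application builds the authorization request (step 3), accepts the code at the redirect URL (step 6), and checks the ID token it receives (step 8). The issuer, client ID, client secret, redirect URL, authorize endpoint path and the HS256-signed test token are assumed or constructed; a production client verifies the provider's RS256 signature against its published keys.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse
ISSUER = "https://idm.example.com"                 # placeholder, not a real tenant
CLIENT_ID = "my-app"                               # assumed client ID
CLIENT_SECRET = b"secret-from-the-clients-tab"     # assumed client secret
REDIRECT_URI = "https://app.example.com/callback"  # assumed redirect URL
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _hs256(signing_input: str) -> bytes:
    return hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
def build_authorization_request(session: dict) -> str:
    # Step 3: 'state' binds the callback to this browser session, 'nonce' binds the ID token to it.
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "scope": "openid", "state": session["state"], "nonce": session["nonce"]})
    return f"{ISSUER}/authorize?{query}"  # endpoint path is a placeholder

def handle_callback(session: dict, callback_url: str) -> str:
    # Step 6: accept the code only at the registered redirect URL and only with a matching 'state'.
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback at an unregistered redirect URL")
    query = parse_qs(parsed.query)
    if not query.get("state") or query["state"][0] != session.pop("state", None):
        raise ValueError("state mismatch: callback not bound to this session")
    return query["code"][0]

def validate_id_token(id_token: str, session: dict, now: float) -> dict:
    # Step 8: verify signature, issuer, audience, nonce and expiry before trusting any claim.
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if not hmac.compare_digest(_hs256(f"{header_b64}.{payload_b64}"), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("token not from our IdP or not for this client")
    if not claims.get("nonce") or claims["nonce"] != session.pop("nonce", None):
        raise ValueError("nonce mismatch: token not bound to this login")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def mint_test_id_token(nonce: str, now: float, ttl: int = 3600) -> str:
    # Constructed stand-in for the IdP's ID token in step 8, not what VMware Identity Manager emits.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": "jdoe", "nonce": nonce,
                                  "iat": int(now), "exp": int(now) + ttl}).encode())
    return f"{header}.{payload}.{_b64url(_hs256(f'{header}.{payload}'))}"
```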
Authentication Flow when Application is Accessed Directly from Service Provider
When a user accesses the application directly from the service provider, the authentication flow is as follows:
- The user clicks the application.
- The user is redirected to VMware Identity Manager for authentication.
- VMware Identity Manager authenticates the user based on the authentication policy that you specified for the application.
- VMware Identity Manager checks whether the user is entitled to the application.
- VMware Identity Manager sends an ID token to the service provider.