You can add applications that use the OpenID Connect authentication protocol to the Workspace ONE Access catalog and manage them like any other application in the catalog. You can apply an access policy to each application to specify how users are authenticated based on criteria such as network range and device type. After you add the application, you assign it to users and groups.

To add an OpenID Connect application, you specify the application's target URL, redirect URL, client ID, and client secret.

When you add an OpenID Connect application to the catalog, an OAuth 2.0 client is automatically created in Workspace ONE Access for the application. The client is created with the configuration information you specify while adding the application, which includes the target URL, redirect URL, client ID, and client secret. All other parameters use default values. These include:
  • Grant type: authorization_code, refresh_token
  • Scope: admin, openid, user
  • Display user grant: false
  • Access token time-to-live (TTL): 3 hours
  • Refresh token time-to-live (TTL): Enabled and set to 90 days
  • Refresh token idle time-to-live (TTL): 4 days

You can view the OAuth 2.0 client for the application from the Clients tab on the Catalog > Settings > Remote App Access page. Click the client name to view the configuration information. Do not edit any fields in the client.

Important: Do not delete the OAuth 2.0 client associated with the application or the application will no longer be available to users.

When you delete the application from the catalog, the OAuth 2.0 client is also deleted.

Authentication Flow when Application is Accessed from Workspace ONE

When a user clicks the application in Workspace ONE, the authentication flow is as follows:

  1. The user clicks the application in Workspace ONE.
  2. Workspace ONE Access redirects the user to the target URL.
  3. The application redirects the user to Workspace ONE Access with an authorization request.
  4. Workspace ONE Access authenticates the user based on the authentication policy that you specified for the application.
  5. Workspace ONE Access checks whether the user is entitled to the application.
  6. Workspace ONE Access sends the authorization code to the redirect URL.
  7. Using the authorization code, the application requests the access token.
  8. Workspace ONE Access sends the ID token, access token, and refresh token to the application.
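The relying-party side of steps 3, 6, 7 and 8 above, written as an added example (not Workspace ONE Access code or a VMware SDK): it builds the authorization request, checks the callback's state before accepting the code, assembles the authorization_code token request, and checks the ID token's claims. The tenant URL, endpoint paths, client ID, secret and redirect URL are constructed placeholders, and signature verification of the ID token against the issuer's published keys is assumed to be done by a JOSE library before the claim checks run.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://access.example.com"        # assumed tenant URL (placeholder)
AUTHORIZE = ISSUER + "/authorize"            # hypothetical authorization endpoint
CLIENT_ID, CLIENT_SECRET = "demo-app", "demo-secret"   # constructed values
REDIRECT_URI = "https://app.example.com/callback"      # constructed redirect URL

def build_authorization_request(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Step 3: the application sends the user to Workspace ONE Access.
    state binds the callback to this browser session (CSRF defence);
    nonce binds the ID token to this login attempt (replay defence)."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid",
              "state": state, "nonce": nonce}
    return AUTHORIZE + "?" + urlencode(params), {"state": state, "nonce": nonce}

def handle_callback(callback_url, session):
    """Step 6: the authorization code arrives at the redirect URL.
    Reject the callback unless its state matches the stored session value."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(q["error"][0])
    if q.get("state", [None])[0] != session["state"]:
        raise PermissionError("state mismatch: possible CSRF or stale callback")
    return q["code"][0]

def token_request_form(code, redirect_uri=REDIRECT_URI):
    """Step 7: form body the application POSTs to the token endpoint, using the
    authorization_code grant that the auto-created client allows by default."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}

def validate_id_token_claims(claims, session, now=None):
    """Step 8: after the JWT signature has been verified (JOSE library, not
    shown), check issuer, audience, nonce and expiry before trusting 'sub'."""
    now = now if now is not None else int(time.time())
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: token does not belong to this login")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return claims["sub"]
```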

Authentication Flow when Application is Accessed Directly from Service Provider

When a user accesses the application directly from the service provider, the authentication flow is as follows:

  1. The user clicks the application.
  2. The user is redirected to Workspace ONE Access for authentication.
  3. Workspace ONE Access authenticates the user based on the authentication policy that you specified for the application.
  4. Workspace ONE Access checks whether the user is entitled to the application.
  5. Workspace ONE Access sends an ID token to the service provider.