Configure OpenID Connect in Workspace ONE Access for your third-party identity provider to allow users to use their credentials for single sign-on.

Prerequisites

  • Make sure that Workspace ONE Access is registered as an OAuth2 client or as an OAuth2 application on the third-party identity provider.
    • The authorization_code grant must be enabled
    • The redirect_uri set to the Workspace ONE Access callback endpoint

    This registration generates the client ID name and client secret. These values are required when you configure the third-party identity provider in the Workspace ONE Access console. Refer to the identity provider documentation about how to register OAuth2 clients and applications.

  • Know the URL of the Identity provider's well-known published OpenID Connect address if you are using Auto Discovery to configure OpenID Connect endpoints.
  • Know the URLs for the OpenID Connect authorization endpoint, Token endpoint, Issuer Identifier, and JWKS URL of the authorization server's public key if you are using the manual configuration process.
  • If you enable Just-In-Time provisioning, identify the domains from where users are coming from. The domain name displays in the drop-down menu in the log in page. If more than one domain is configured, the domain information must be in the token that is sent to Workspace ONE Access.

Procedure

  1. In the Workspace ONE Access console Identity & Access Management tab, select Identity Providers.
  2. Click Add Identity Provider and select Create OpenID Connect IDP.
  3. Configure the OpenID Connect Identity Provider form.
    Form Item Description
    Identity Provider Name Enter a friendly name for this OpenID Connect identity provider instance.
    Authentication Configuration

    Select Auto Discovery if the identity provider offers the capability to use the well-known published OpenID Connect URL to get the OpenID Connect endpoint configuration URLs. Enter the URL as https://{oauth-provider-hostname}/{local-oauth-api-path}/.well-known/openid-configuration.

    Select Manual Configuration to add the OpenID Connect URL endpoint manually, if using Auto Discovery is not possible or contains incorrect information.

    The following endpoint URLs are configured with Auto Discovery. For Manual Configuration, add the URLs for each of the endpoints.

    • Authorization Endpoint URL where to obtain the authorization code, using the authorization code grant.
    • Token endpoint URL is used to obtain access tokens and refresh tokens.
    • Issuer Identifier URL is the URL of the entity that issues a set of claims.
    • JWKS URL. is the URL of the authorization server's public key in the JSON Web Key Set (JWKS) format.
    Pass through Claims Enable pass through claims to support the use of non-standard OpenID Connect claims.

    The third-party OpenID Connect identity provider sends the non-standard claims to Workspace ONE Access. Workspace ONE Access adds these claims to the token that is generated.

    Client ID The identity provider-generated Client ID that is the unique identifier for Workspace ONE Access.
    Client Secret The client secret generated by the OpenID Connect identity provider. This secret is known only to the identity provider and the Workspace ONE Access service.

    If this client secret is changed on the identity provider server, make sure you update the client secret in the Workspace ONE Access server.

    User Lookup Attributes In the Open ID User Identifier Attribute column, select the user attribute in the identity provider services to map to the Workspace ONE Access User Identifier attributes. The mapped attribute values are used to look up the user account in Workspace ONE Access.

    You can add a custom third-party attribute and map it to a user attribute value in the Workspace ONE Access service.

    Enable JIT Provisioning When Just-in-Time provisioning is enabled, users are created in Workspace ONE Access and updated dynamically when they log in, based on the token sent by the identity provider.

    If you enable JIT, configure the following.

    • Directory Name. Enter the JIT directory name where user accounts are added.
    • Domains. Enter the domains that authenticated users belong to. If more than one domain is configured, the domain information must be in the token that is sent to Workspace ONE Access.
    • Map the User Attributes. Click + to map OpenID claims to the Workspace ONE Access attributes. These values are added when the user account is created in the Workspace ONE Access directory.
    Users If you do not enable JIT provisioning, select the directories that include the users who can authenticate using this identity provider.
    Network The existing network ranges configured in the service are listed.

    Select the network ranges for the users based on their IP addresses, that you want to direct to this identity provider instance for authentication.

    Authentication Method Name

    Enter a name to identify the third-party OpenID Connect authentication method in the access policy.

    When you create the access policy rules, you select this authentication method to redirect users to authenticate against the OpenID Connect authorization server.

What to do next

Go to the Identity & Access Management > Manage > Policies page and in the default access policy rule select the OpenID Connect authentication method name as the authentication method to use.