2019

For updates on this blog and other blogs, follow me on Twitter: @SteveIDM

We mostly talk about SAML with Workspace ONE, but I'm asked occasionally whether Workspace ONE Access can support OpenID Connect. The answer is yes, of course it can. Just keep in mind before you start to configure OpenID Connect that Workspace ONE Access only supports the email, profile and user scopes. There is no support for custom scopes, nor the ability to modify the attributes that are returned in the provided scopes.

Workspace ONE Access supports the Authorization Code grant as well as Client Credentials. For OIDC, only Authorization Code is supported.

Let's walk through the process to set up an OIDC application. We are going to use the OpenID Connect Debugger application from Auth0.


Create the SAAS Application


  1. In the Workspace ONE Administration Console, go to Catalog -> Webapps
  2. Click New
  3. Provide a Name, e.g. OpenID TestApp
  4. Click Next
  5. Select OpenID Connect from the drop-down list
  6. Complete the fields as per your application requirements. The following is a sample for the Auth0 OpenID Connect debugger app.

     Attribute       Value                                Notes
     Target URL      https://openidconnect.net/           A web link to the target application
     Redirect URL    https://openidconnect.net/callback   Only one redirect URL is accepted here; if you need more, add them later
     Client ID       MyOIDCTester                         Any Client ID that the calling application will use; do not use spaces or special characters
     Client Secret   ThisIsMySecretKey                    A secret that will be used by the calling application

  7. Click Next
  8. Click Save
  9. Assign this application to your users.


Modify the Remote App Access Client

A remote app access client will automatically get created. We will need to modify this client.


  1. Go to Catalog -> Settings
  2. Click on Remote App Access
  3. In the Client list, look for the Client ID that was used in the earlier step. In my example, I used "MyOIDCTester"
  4. Click on the Client ID
  5. Under Scopes, click Edit
  6. Select Email and Profile

     Note: This will remove the Admin scope. If you really need to keep the Admin scope, you will need to perform this step using the API.

  7. Click Save
  8. If you want to prompt the user to authorize the grants, you will also need the following two steps (I skip them in this walkthrough):
    1. Click Edit beside Client Configuration
    2. Select "Prompt Users for Access"


Testing with the Auth0 OpenID Connect Debugger

  1. Go to https://openidconnect.net/
  2. Click on Configuration and complete the fields:

     Attribute                     Value
     Template                      Custom
     Discovery URL                 https://[tenant]/SAAS/auth/.well-known/openid-configuration
                                   e.g. https://dsas.vmwareidentity.com/SAAS/auth/.well-known/openid-configuration
     Authorization Token Endpoint  https://[tenant]/SAAS/auth/oauth2/authorize
                                   e.g. https://dsas.vmwareidentity.com/SAAS/auth/oauth2/authorize
     Token Endpoint
     Token Keys Endpoint           https://[tenant]/SAAS/auth/oauthtoken
                                   e.g. https://dsas.vmwareidentity.com/SAAS/auth/oauthtoken
     OIDC Client ID                MyOIDCTester
     OIDC Client Secret            ThisIsMySecretKey
     Scope                         email profile user openid

  3. Click Save
  4. Click Start
  5. When prompted to authenticate, select your domain-based credentials (do not use the System Domain)
  6. If you selected "Prompt Users for Access", users will be prompted and required to Allow Access.
  7. You will now see your Authorization Code in the OIDC Debugger. Click Exchange to get your Access Token.
  8. You will now see your Bearer Token, ID Token and your Refresh Token.
  9. Click Next
  10. The ID Token contains the claims about the identity. Click "View on JWT.IO" to see your JSON tokens.
  11. Your JWT token will be displayed with your profile and user data.
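As an added example (not code from the original post or from the debugger), the following script does in Python what the debugger does for you above: it builds the Authorization Code request sent to the tenant's authorize endpoint with the Client ID, redirect URL and scopes configured earlier, and it shows the claim checks a relying party should apply to the returned ID token before trusting it. The tenant host is the one from the examples above; the expected issuer value and the sample token are assumptions constructed for offline testing, and signature verification against the tenant's token keys is deliberately left to a JWT library.

```python
import base64
import json
import time
from urllib.parse import urlencode

TENANT = "dsas.vmwareidentity.com"              # tenant host used in the post's examples
AUTHORIZE_ENDPOINT = f"https://{TENANT}/SAAS/auth/oauth2/authorize"
CLIENT_ID = "MyOIDCTester"                      # Client ID from the Webapp definition
REDIRECT_URI = "https://openidconnect.net/callback"
SCOPES = "openid email profile user"            # the only scopes Access supports
# Assumed issuer value: take the real one from the discovery document's "issuer" field.
EXPECTED_ISSUER = f"https://{TENANT}/SAAS/auth"

def build_authorize_url(state: str) -> str:
    """The Authorization Code request the debugger sends when you click Start."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": SCOPES, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def validate_id_token(id_token: str, now: int) -> dict:
    """Check the claims a relying party must verify before trusting an ID token.
    Signature verification against the tenant's token keys is still required;
    this helper covers only the alg/iss/aud/exp checks."""
    header, payload, _signature = id_token.split(".")
    if str(json.loads(_b64url_decode(header)).get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token rejected")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims

def sample_id_token(claims: dict) -> str:
    """Constructed sample token for offline testing; the signature is a dummy."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"

if __name__ == "__main__":
    print(build_authorize_url("constructed-state-123"))
    token = sample_id_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "sub": "jdoe",
                             "email": "jdoe@example.com", "exp": int(time.time()) + 300})
    print(validate_id_token(token, int(time.time())))
```

The state parameter binds the callback to the session that started the flow, which is why the debugger's redirect must carry it back unchanged.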