Using Auth0 as an OpenID Connect Provider for Workspace ONE Access

January 06, 2021
 
This blog post was originally published at Steve The Identity Guy’s blog.
 

OpenID Connect logo

Using Auth0 as an OpenID Connect Provider for Workspace ONE Access

Currently today, when you are authenticating into Workspace ONE Access, we support a variety of authentication methods including SAML, Certificates, Mobile SSO, and Passwords. In this latest SAAS release, Workspace ONE Access will support OIDC with any 3rd party OIDC Provider such as Auth0.

My colleague Peter Bjork has a great video walkthrough of the OIDC Flow on VMware Tech Zone. If you jump to the 13-minute mark of the video he will walk through a basic configuration using two Workspace ONE Access environments.

In the initial release, we will only support the Authorization Code Grant flow and will support the OpenID, Profile, and Email Scopes. Workspace ONE Access can also be configured to pass-through all the claims.

In this blog, we are going to walk through how to set this up using Auth0 as 3rd Party OIDC Provider for Workspace ONE Access. If you don’t have an Auth0 tenant, you can sign up for a free trial at https://auth0.com/signup

Auth0 logo

Setting up Auth0

  1. In your Auth0 Administration Console, go to Applications.
  2. Click Create Application.
    Click Create Application.
  3. Provide a name, i.e., “Workspace ONE Access” and choose Regular Web Applications.
    Choose Regular Web Applications.
  4. Click the Settings Tab.
  5. Make note of your Client ID and Secret as we’ll need this in the next section.
    Make note of Client ID and Client Secret.
  6. Make note of your OpenID Configuration URL (Advanced Settings > Endpoints).
    Make note of OpenID Configuration URL.

Configuring Workspace ONE Access

  1. In the Workspace ONE Access Administration Console, go to Identity & Access Management -> Identity Providers.
  2. Click Add Identity Provider > Create OpenID Connect IDP.
    Add Identity Provider
  3. Provide an Identity Provider Name, i.e., “Auth0”.
  4. Under Authentication Configuration, select Automatic Discovery and paste your OpenID Configuration URL from the previous section.
    Authentication Configuration
  5. Under Client ID and Secret, paste the values from the previous section.
    Client ID and Client Secret
  6. In the User Lookup Attribute section, we need to map the correct inbound attribute from Auth0 to the correct attribute in Workspace ONE Access. I received a great tip from Peter Stromquist at Auth0 to look at the Raw JSON on a user account. You can see the values that are currently set for your user. You just have to be careful to ensure that the attribute belongs to either the User, Profile or Email scope. In my environment, it makes the most sense to map based on email:
    Map inbound attribute from Auth0 to Workspace ONE Access
  7. Based on this data, I’m going to map the email attribute in the OpenID response to the Email Attribute in Workspace ONE Access:
    Email attribute mapping
  8. Since my users are already created in Workspace ONE Access, I’m going to uncheck Just-in-Time User ProvisioningSee the Just-in-Time Provisioning section below for instructions.
  9. Select the correct directory where your users reside.
    Select the directory
  10. Select All Ranges for the Network Range.
  11. Provide a name for the Authentication Method, i.e., Auth0.
    Provide a name
  12. Copy the Redirect URI.
  13. Paste this value into the Callback URL section of the Workspace ONE Access Application in Auth0.
    Callback URL section
  14. Click Add.

Update Workspace ONE Access Policies

  1. In Workspace ONE Access, click Identity & Access Management > Policies.
  2. Edit the appropriate Access Policy.
  3. Add the “Auth0” Authentication Method and Save.
    Add the authentication method and save

Testing the Configuration

  1. Assuming you modified the default policy, launch Workspace ONE Access in an incognito window.
  2. You should automatically be redirected to Auth0.
    Log in
    Note: If you are not redirected automatically, check to see if you modified the correct policy. If you received an error, verify that your Auth0 URL’s and Client/Secret are entered correctly in Workspace ONE Access.
  3. Once you enter your credentials, you should be automatically logged into the Workspace ONE Application.
  4. You can also test this out from the Workspace ONE Intelligent Hub application. Look out for a future blog on enabling Social Logins via Auth0.

Just-in-Time User Provisioning

If you plan on creating users using JIT Provisioning, you will need to enable the Just-in-Time Provisioning Check box. Please remember that there is no lifecycle management capabilities with JIT, so you will have to develop a process for disabling/deleting users that are created in Workspace ONE.

One of the great things with OpenID Connect is that our mappings are defined based on the attributes sent in the previously mention supported scopes. You do however have to map them manually in Workspace ONE Access.

  1. Enter a name for the directory.
  2. Add ALL the mandatory attributes in Workspace ONE Access so they can be mapped accordingly to an OIDC Attribute.
    Note: Make sure you are sending a value for the ExternalID. This will be required so we can enroll devices with Workspace ONE UEM. With Auth0, they are sending a unique value in the subject.
    Add all mandatory attributes

 

Filter Tags

Workspace ONE Workspace ONE Access Blog Opinion Intermediate

Steven 'The Identity Guy' D'Sa

Read More from the Author

Hi, I’m Steven. I have more than 20 years of IT experience, including 14 years focused specifically on Identity and Access Management. I’ve spent most of my career as an Oracle Identity and Access Management Consultant, including four years as an Identity Management Architect for BlackBerry. I currently work as part of the Principal Technologies team at VMware responsible for Workspace ONE Access and the technical integrations with our Identity & Access partners.