EUCZero Trust Journey 2021 Day 2 - User TrustConfiguring OIDC as third-party IDP in Access (Auth0)

Configuring OIDC as third-party IDP in Access (Auth0)

WorkspaceONE Access now supports acting as a relying party in an Open ID Connect flow of authentication. (SaaS 2012 release of Access)

In this lab we will be adding Auth0 as our identity provider that we will integrate with WorkspaceONE Access.

Part 1: Sign up for Auth0 Trial

Part 2: Adding Auth0 as a third-party IDP in Workspace ONE

Part 3: Test authentication flow

Part 1: Sign up for Auth0 Trial

In this part we will be signing up for a free Auth0 trial account and setting up the the Auth0 environment.

1. Open a new browser window and navigate to

  • Type a demo email address (Do NOT use your corporate e-mail address)
  • And a password
  • Click SIGN UP

2. Specify the domain suffix that you would like to use. Ensure it is easy to remember and that you make note of it.

  • Click US for Region.
  • Click NEXT.

3. Set the Account Type option to Personal

  • and click CREATE ACCOUNT

4. You should now be in the a Auth0 Admin Console.

5. In the Auth0 Admin console navigate to User Management on the left and click Users.

  • Now click on + CREATE USER

6. Fill in the email of the unique user you have been using for the labs. (example: [email protected])

  • Then type VMware1! as the password.
  • Click CREATE at the bottom of the page.

Part 2: Adding Auth0 as a third-party IDP in Workspace ONE

In this section you will configure Auth0 to as as a third-party OIDC IDP in WorkspaceONE Access.

1. In the Auth0 Admin Console navigate to Applications > Applications and then click + CREATE APPLICATION  

2. In the Create Application pop-up window type WorkspaceONE Access as the Name for the application.

For the Application type select Regular Web Applications  

Then click CREATE

3. Click on the Settings tab and copy the Client ID and Client Secret to a notepad.

4. Still on the settings tab, scroll down until you see "Show Advanced Settings" Click it and click on Endpoints. The OAuth URLs will be displayed. Copy the OpenID Configuration into your notepad.

Configure Workspace ONE Access

5. Open a new tab in your browser and authenticate to your Workspace ONE Access tenant. Navigate to Identity & Access Management > Identity Providers and click Add Identity Provider > Create OpenID Connect IDP

5. Set the name of the Identity Provider to Auth0

Authentication Configuration: Automatic Discovery

Paste the OpenID ConfigurationURL from Auth0 into the Configuration URL

Paste the Client ID from your notepad

Paste the Client Secret from your notepad

6. Now set the User Lookup Attribute to email for both OpenID User and Workspace ONE

Click LivefireSync for the Users directory

Click All Ranges for Network

7. Set the Authentication Method name to Auth0

Copy the Redirect URI into your notepad.

Click Add to save the settings.

8. Click Identity & Access Management > Policies and click EDIT DEFAULT POLICY

9. In the Edit Policy window click Configuration then choose the policy with Web Browser Device Type and click ALL RANGES.

10. In the Edit Policy Rule pop-up change the first authentication method to Auth0 and leave the fall back method as Password (Local Directory)

Click SAVE at the bottom of the pop-up.

11. Click Next on the Configuration page and SAVE on the Summary page of the Edit Policy window.

12. Flip back to the Auth0 Admin Console and click Applications > Applications. Click on the WorkspaceONE Access application.

13. In the Settings tab of the application scroll down to Application URIs and paste the Redirect URI from Access into the Allowed Callback URLs in Auth0.

14. At the bottom of the page click SAVE CHANGES.

Part 3: Test authentication flow

Let's now test the result of our integration with Auth0 as an OIDC IDP.

1. Open a new Incognito window and browse to your Workspace ONE Access tenant. As soon as you click ENTER you will be re-directed to Auth0

Notice the URL is your unique tenant for Auth0.  

2. Enter the E-mail address of the user (NOT the admin account) and the password VMware1!  Click Continue

3. Now you should have been authenticated to your Workspace, double check your user in the top right hand corner of the Hub.

VERY IMPORTANT IF you are not planning on continuing to the bonus material please change your default access policy at this point. In order to ensure you can log back in as local administrator into Workspace ONE Access you will have to append your Access URL with /SAAS/auth/0 (Example: you will be able to log on and change the default access policy from Auth0 to Certificate (cloud deployment) with a fallback to Password (cloud deployment) with a fallback to Password (Local Directory).

This concludes the integration with Auth0 as a third party OIDC Identity Provider.

Bonus Material  1:  Just-In-Time Provisioning

In addition to the above integration Auth0 can act as a source of identity for your users and can create a user database on Access using JIT (Just-In-Time provisioning). The users get provisioned in Access as part of the initial authentication process.

1. In the Workspace ONE Access Admin console navigate to Identity & Access Management > Identity Providers and click on Auth0 the Identity Provider you created above.

2. In the Auth0 IDP settings scroll down to Just-in-Time User Provisioning and click Enable.

  • Set your Directory Name to Auth0-Directory
  • Domains: Auth0
  • User Attribute Mappings:
  • email - userName
  • name - firstName
  • nickname - lastName
  • email - email
  • email - userPrincipalName
  • sub - ExternalID
  • email - distinguishedName
  • Scroll down to the bottom of the page and click Save.

NOTE: Some of these values may need to be typed manually


NOTE: You must ensure here that you have all the attributes that are set to required in Workspace ONE Access mapped to an attribute otherwise the user provisioning will fail.

In order to find out which attributes you can use coming from Auth0 click on the specific user in Users and click on the  Raw JSON tab.

Here you will see the attributes listed.

3. Now flip back to the Auth0 Admin Console and click on User Management > Users and click + Create User. We will now create a user that is non-existant in the Workspace ONE directory.

4. Create a random user that is not in the Workspace ONE Access directory. Use the password VMware1! Click on CREATE

5. Open a new incognito window. (If a previous one was open close and re-open)

Browse to the Workspace ONE Access URL and you will be redirect to your Auth0 URL. Authenticate using the email created for the user you created above and VMware1! click Continue

6. You should now be authenticated using that unique user.

NOTE: If you are seeing errors after attempting to authenticate go back to STEP 2 in order to look at the attributes that may not be lining up correctly.

7. Switch back to the Workspace ONE Access admin console and click on Identity & Access Management > Directories and notice you now have  Auth0-Directory and the type is Just-in-Time Directory.

8. At the top navigation click on Users & Groups and click Users.

You should now be able to see the user that has been created as a result of JIT.

Bonus Material 2: Auth0 and Social Integrations  

One of the benefits of using Auth0 is that it allows for integrations with Social platforms such as Google & Facebook. In this exercise you will create the Google and & Facebook connection with Auth0 and authenticate to Workspace ONE Access using one of these social connections as your source of identity.

1. In the Auth0 admin console navigate to Authentication > Social and click CREATE CONNECTION.

2. If its not already added add Google / Gmail and Facebook. (In my case Google has already been added automatically)

  • Notice the other available connections on this page - Dropbox, Paypal, Microsoft etc...

3. Proceed with adding Facebook as a social connection and click Continue to grant access to the information listed above.

4.You will be presented with options for linking Facebook. This could either be a private facebook for enterprise or you can use the public Facebook accounts. For our example we will use the public Facebook Accounts.

  • In the User Data  section you can select which attributes you would like to sync across to Auth0. Enable Email .
  • At the bottom of the page click CREATE.

5. Now give the Default App and WorkspaceONE Access applications the permission to use this connection.

6. Now open an incognito window. (Make sure previous incognito windows have been closed). Browse to you Workspace ONE Access tenant URL.

  • You will be redirected to your unique instance of Auth0.
  • Now you will see Continue with Google and Continue with Facebook as available options here on the authentication page.
  • Click Continue with Facebook

7. Log into Facebook  (preferably a test facebook account)

  • Click Log In

8. You will now see the permission window. Click on Edit this and you will see that name and profile picture and e-mail address are the only attributes being sent as configured above.

Click Continue as Empower.

9. You should now be authenticated to the Workspace ONE Hub with the facebook user. At authentication the user get created in Auth0 then through JIT gets created in Workspace ONE Access.

10. You will note in the Auth0 Admin Console in the User Management > Users that the new user from Facebook has been created.

  • Additionally on the Workspace ONE Access side you will see the user has been created.

11. VERY IMPORTANT In order to ensure you can log back in as local administrator into Workspace ONE Access you will have to append your Access URL with /SAAS/auth/0 you will be able to log on and change the default access policy from Auth0 to Certificate (cloud deployment) with a fallback to Password (cloud deployment) with a fallback to Password (Local Directory).

In this lab you saw the power of leveraging existing identity databases (both corporate and personal) in order to provide central authentication and single-sign-on to various corporate applications using Workspace ONE Access.  

This concludes the Bonus Material for the Auth0 integration as Third-party OIDC Identity Provider.

Author: Simeon Frank


Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.