Skip to main content

Auth0 OIDC integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

OIDC (OpenID Connect) is an open standard protocol that provides a way to authenticate and authorize access to applications without giving the application your login credentials.

Arculix by SecureAuth, offers a simple method for adding single sign-on (SSO) MFA to Auth0 with its OIDC solution.

Prerequisites

  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for Auth0.

Add OIDC application in Arculix

In this section, you'll configure Arculix to act as an OIDC Provider to authenticate the user and grant access to {provider}.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application

  3. In the New Application form, on the General tab, set the following configurations:

    Name 

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Auth0-OIDC.

    Type 

    Set to OpenID Connect Relying Party Application [oidc_client].

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

    auth0_oidc_001.png

  4. Select the OIDC Configuration tab, and set the following configurations:

    Login 

    Login URL 

    Optional. Enter the login URL for your Auth0 instance.

    Redirect URLs

    Enter the redirect URL (Redirect_uri) that Arculix will use to send back the authorization code.

    You can register more than one redirect URL (Redirect_uri).

    For Auth0, it should be: https://{tenant URL}.us.auth0.com/login/callback

    Client Settings 

     

    Application Type 

    Set to Web application.

    Grant Type 

    Set to Authorization code – User logs in to the application, then the application redirects the flow to Arculix for authentication. After authentication, Arculix returns an authorization code to the application, then exchanges the code for an access token and an identity token.

    Authentication Method 

    Set to Basic – Basic authentication method that transmits the client secret in clear text. To ensure the security of the client secret, use HTTPS to encrypt the communication.

    Scopes and Claims 

    Scopes 

    Select the following scopes:

    • openid – Set by default. Allow access to the user's identity information like the username and email address.

    • profile – Allow access to user's profile information like postal address and phone number.

    • email – Allow access to user's email address.

    Session 

    Access Token Timeout 

    Set how long the access token is valid for before it times out. By default this set to 1 minute.

    Refresh Token Timeout 

    Set how long the refresh token is valid for before it times out and requires the user to reauthenticate. By default this is set to 1 day.

    auth0_oidc_002.png

  5. Save your changes.

  6. Edit the configured OIDC application and select the Advanced tab.

  7. Copy the UID and Secret values.

    You will need these for the Auth0 configuration.

    auth0_oidc_003.png

Auth0 configuration

In this section, you will configure the Auth0 application that supports OIDC.

  1. Log in to Auth0 dashboard.

  2. From the left navigation, go to Authentication > Enterprise and click OpenID Connect.

    auth0_oidc_004.png

  3. Click Create Connection.

    auth0_oidc_005.png

  4. Set the following configurations.

    Connection name

    Set the identifier of the connection.

    For example, Arculix.

    Issuer URL

    Enter the well-known endpoint URL in this format:

    https://oidc.acceptto.com/<organization>/oauth2/v1/.well-known/openid-configuration

    Client ID

    Paste the Arculix UID you copied earlier from the OIDC application in Arculix.

    auth0_oidc_006.png

  5. Click Create.

  6. On the Login Experience Customization page, do the following:

    1. In the Identity Provider domains, add the Arculix IdP domain.

    2. Select the Display connection as a button check box.

    3. Save your changes.

    auth0_oidc_007.png

  7. Select the Settings tab, and do the following:

    1. Set the Type to Back Channel.

    2. In the Client Secret field, paste the Arculix Secret you copied earlier from the OIDC application in Arculix.

    3. Save your changes.

  8. Select the Applications tab and move the slider to enable the application to use the Arculix connection.

    auth0_oidc_008.png

Test your OIDC application integration

  1. Go to the login URL for your Auth0 application and click Continue with Arculix.

    auth0_oidc_009.png

  2. You will be redirected to the Arculix SSO page.

    Application login page with QR code

  3. After successful authentication, select your preferred MFA method to approve access to the Auth0 application.

    Select MFA method

  4. Finally, you'll be redirected to the Auth0 application home page.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.

In this section: