Integrate OSP with Okta Auth0 using OAuth 2.0

You can integrate NetIQ Open Security Platform (OSP) with Okta Auth0 using the OAuth 2.0 / OpenID Connect (OIDC) standard. The integration enables single sign-on (SSO) and token-based authentication between OSP and Auth0.

In this integration, OSP acts as an OpenID Connect Client / Relying Party (RP) and Auth0 acts as the Identity Provider (IdP). Users are redirected from OSP to Auth0 for authentication and returned to OSP with OIDC tokens.

Prerequisites

Before you begin, ensure that you have the following requirements in place:

Requirement Details
OSP Version 6.x or later
Auth0 Account Tenant access with admin privileges
HTTPS Enabled Required on OSP endpoint URLs
Redirect URI Registered in Auth0 Must exactly match OSP callback endpoint
Outbound Internet Access OSP must reach *.auth0.com endpoints

Back to top

Step 1: Register an application in Auth0

Create an application in Auth0 to enable the integration with OSP.

To register an application in Auth0:

  1. Log in to the Auth0 Dashboard.

  2. Navigate to Applications > Applications > Create Application.

  3. Configure the application:

    • Name: Enter a descriptive name such as NetIQ OSP Integration.

    • Application Type: Select Regular Web Application.

  4. In the application Settings, configure the following URLs:

    • Allowed Callback URLs:

      https://<osp-host>:<port>/osp/a/<application-name>/auth/oauth2/callback

    • Allowed Logout URLs:

      https://<osp-host>:<port>/osp/a/<application-name>/auth/logout

    • Allowed Web Origins:

      https://<osp-host>:<port>

  5. Save the configuration.

  6. Note the following values for use in OSP configuration:

    • Domain (Issuer): https://<your-tenant>.auth0.com/

    • Client ID: <your-client-id>

    • Client Secret: <your-client-secret>

Back to top

Step 2: Configure post-login actions

Configure post-login actions in Auth0 to set custom claims for the preferred username and timestamps.

To configure post-login actions:

  1. In the Auth0 Dashboard, navigate to Actions > Triggers > Sign up & Login > Post Login > Add Action.

  2. Create a custom action to set the preferred username scope. Enter the following code:

    Copy code 
    /**
     * Handler that will be called during the execution of a PostLogin flow.
     * @param {Event} event - Details about the user and the context in which they are logging in.
     * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
     */
    exports.onExecutePostLogin = async (event, api) => {
      const username = event.user.username || 
                       event.user.nickname || 
                       event.user.name || 
                       event.user.email || 
                       event.user.user_id;
      
      api.idToken.setCustomClaim("preferred_username", username);
      api.idToken.setCustomClaim("nickname", username);
    };

  3. Create another custom action to set the updated timestamp. Enter the following code:

    Copy code 
    /**
     * Handler that will be called during the execution of a PostLogin flow.
     * @param {Event} event - Details about the user and the context in which they are logging in.
     * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
     */
    exports.onExecutePostLogin = async (event, api) => {
      const user = event.user;
      
      if (user && user.updated_at && typeof user.updated_at === "string") {
        const timestamp = Math.floor(new Date(user.updated_at).getTime() / 1000);
        api.idToken.setCustomClaim("updated_at", timestamp);
      }
    };

  4. Save both actions.

Back to top

Step 3: Configure Auth0 claims

Ensure that your Auth0 tokens include the required claims for OSP integration.

The following claims are typically present by default:

Claim Description
preferred_username Primary user login name
email User's email address
given_name First name
family_name Last name
nickname Display name or short name (optional)

Tip: If your OSP configuration expects a short username but Auth0 provides an email format (for example, user@domain.com), map preferred_username to another claim such as nickname or given_name inside Auth0 Rules or Actions.

Back to top

Step 4: Configure authcfg.xml in OSP

Edit the OSP configuration file to add the Auth0 OpenID data source, authentication source, and authentication contract.

To configure authcfg.xml:

  1. Locate and open the OSP configuration file. The file is typically found at:

    /opt/netiq/idm/osp/config/authcfg.xml

  2. Add the Auth0 OpenID data source:

    Copy code 
    <OpenIdDataSource
        id="ds-auth0"
        displayName="Auth0 OIDC Data Source"
        enabled="true"
        issuer="https://<your-tenant>.auth0.com/"
        clientId="<your-client-id>"
        clientSecret="<your-client-secret>"
        scope="openid profile email">
        <userInfoEndpoint>https://<your-tenant>.auth0.com/userinfo</userInfoEndpoint>
        <fetchAttributesFrom>userinfo</fetchAttributesFrom>
    </OpenIdDataSource>

  3. Add the Auth0 OpenID authentication source:

    Copy code 
    <OpenIdAuthenticationSource
        id="as-auth0"
        displayName="Authentication from Auth0"
        enabled="true">
        <Reference refId="ds-auth0" type="DataSource"/>
        <AttributeMapping>
            <AttributeMapEntry localName="username" nativeName="preferred_username"/>
            <AttributeMapEntry localName="sub" nativeName="nickname"/>
            <AttributeMapEntry localName="mail" nativeName="email"/>
            <AttributeMapEntry localName="givenName" nativeName="given_name"/>
            <AttributeMapEntry localName="surname" nativeName="family_name"/>
        </AttributeMapping>
    </OpenIdAuthenticationSource>

  4. Add the OSP authentication contract for Auth0:

    Copy code 
    <OpenIdAuthentication
        id="auth0-login"
        displayName="Auth0 Login"
        enabled="true">
        <Reference refId="as-auth0" type="AuthenticationSource"/>
    </OpenIdAuthentication>

    <AuthContract
        id="auth0-contract"
        displayName="Auth0 Login"
        uri="osp:user:auth0">
        <Reference refId="auth0-login" type="ContractExecutable"/>
    </AuthContract>

  5. Save the file.

Back to top

Step 5: Configure OAuth 2.0 application template

Configure the OAuth 2.0 protocol section to include a reference to the Auth0 authentication source.

To configure the OAuth 2.0 application template:

  1. In the authcfg.xml file, ensure the OAuth2Protocol section includes a reference to the Auth0 authentication source:

    Copy code 
    <OAuth2Protocol enabled="true">
        <OAuth2ApplicationTemplate
            displayName="OAuth Template for Auth0"
            id="oauth-auth0-template"
            accessTokenTTL="120"
            refreshTokenTTL="2592000"
            supportsAuthorizationCode="true"
            supportsRefreshTokens="true">
            <Reference refId="as-auth0" type="AuthenticationSource"/>
            <AttributeMapping>
                <AttributeMapEntry localName="username" clientName="preferred_username" accessToken="jwt"/>
            </AttributeMapping>
        </OAuth2ApplicationTemplate>
    </OAuth2Protocol>

  2. Save the file.

Back to top

Step 6: Configure logout settings

Configure logout URLs in Auth0 to ensure that users can log out properly from OSP.

To configure logout settings:

  1. In the Auth0 Dashboard, navigate to the application Settings > Logout URLs.

  2. Add the logout URL:

    https://<osp-host>:<port>/osp/a/<application-name>/auth/logout

  3. Navigate to Settings > Advanced > View advanced tenant settings > Allowed Logout URLs.

  4. Add the logout URL of NetIQ OSP. For the actual logout URL, check the log of Auth0 and replace the URL as needed.

  5. Ensure that RP-Initiated Logout End Session Endpoint Discovery is turned on.

  6. Ensure that RP-Initiated Logout End-User Confirmation is turned on.

Back to top

Step 7: Restart OSP

Restart OSP to apply the configuration changes.

To restart OSP:

Run one of the following commands:

sudo systemctl restart osp

Or:

sudo rcosp restart

Back to top

Step 8: Validate the integration

Verify that the integration between OSP and Auth0 is working correctly.

To validate the integration:

  1. Navigate to your OSP web application:

    https://<osp-host>:<port>/osp/a/<application-name>/ui

  2. The login screen should display the option to login with Auth0 (or an equivalent authentication method).

  3. Authenticate with a valid Auth0 user.

  4. Verify successful redirection and user profile mapping.

Back to top

Troubleshooting

The following table describes common issues and their resolutions:

Issue Possible Cause Resolution
Invalid redirect URI URL mismatch between Auth0 and OSP Verify the callback URL matches exactly.
invalid_client Incorrect or expired client secret Generate a new secret in Auth0 and update OSP.
Missing attributes Claims not returned by Auth0 Add claims via Rules or Actions.
Logout not working Logout URL not registered Add the logout URL to Allowed Logout URLs.
Invalid issuer Wrong Auth0 tenant domain Use the issuer from the discovery URL.
Preferred username missing Claim not available by default Use nickname or email instead.

Back to top

Auth0 endpoints

The following table describes the Auth0 endpoints used in this integration:

Endpoint Example
Issuer https://<your-tenant>.auth0.com/
Discovery (OIDC metadata) https://<your-tenant>.auth0.com/.well-known/openid-configuration
Authorization Endpoint https://<your-tenant>.auth0.com/authorize
Token Endpoint https://<your-tenant>.auth0.com/oauth/token
UserInfo Endpoint https://<your-tenant>.auth0.com/userinfo
Logout Endpoint https://<your-tenant>.auth0.com/v2/logout

Back to top

See also: