Configuring OAuth 2.0 Authentication

Safe Mobile Workforce enables you to use the OAuth 2.0 protocol for user authorization. OAuth 2.0 provides specific authorization flows for Web applications, desktop applications, mobile phones, and living room devices. Safe Mobile Workforce Secure Access includes the Authorization Server, which is required for OAuth 2.0 authentication.
Before you can configure OAuth 2.0 authentication settings, you must configure Secure Access Settings on the Mobile Client tab. Refer to Configuring Mobile Client Settings.
Use the Advanced tab in System Settings to configure the OAuth 2.0 Authentication settings for Safe Mobile Workforce.

Procedure

  1. On the System Settings screen, click the Advanced tab.
  2. Select Enable OAuth 2.0 Authentication.
  3. Configure the following options:
    • Client ID and Client Secret: The Safe Mobile Workforce server ID and secret code generated by the Authorization Server. The Client ID identifies Safe Mobile Workforce to the Authorization Server, and the secret code is required by the Authorization Server for access authorization.
      Use the following command on the command console on Secure Access to get the Client ID and Client Secret:
      /vmi/authorizationService/manage.py create_app "Trend Micro Safe Mobile Workforce" https://{your secure access address:port}/api/v1/portal/oauth
      Note
      Replace {your secure access address:port} with Secure Access IP address and port number.
    • Authorization URI: The Authorization URI for the users to provide certificate authorization.
    • Token URI: The Token URI from which Safe Mobile Workforce obtains the access token and refresh token from the Authorization Server. An access token has a limited lifetime. If Safe Mobile Workforce needs access to the Authorization Server beyond the lifetime of a single access token, it obtains a refresh token. The refresh token allows Safe Mobile Workforce to obtain new access tokens.
    • Account Information URI: The Account Information URI is generated by the Authorization Server and includes the user account information for authentication.
    • Client Certificate: The client certificate is used to create a mutually authenticated SSL connection to the Authorization Server or Identity Provider (IdP). Generate the client certificate file, and then upload it here.
      Use the following command to generate the client certificate file:
      /vmi/authorizationService/manage.py init_cert
      The Authorization Server generates the client certificate file at the following location:
      /etc/pki/vmi/client.pass.p12
      Note
      Safe Mobile Workforce only supports .p12 and .pfx client certificate file types.
    • Certificate Password: Type the following client certificate password: vmi
    • Verify authorization server certificate: Select this option if you want to verify the CA certificate, and then upload the CA certificate in the Certificate Authority field. The CA Certificate is available at the following location:
      /vmi/testcert/root.crt
    • Certificate Authority: The Certificate Authority is used to verify the Authorization Server certificate and so prevent man-in-the-middle (MitM) attacks.
      Note
      Safe Mobile Workforce only supports .pem CA certificate file types.
    Note
    The Authorization URI, Token URI and Account Information URI fields are automatically filled with the relevant information.
  4. (Optional) Click Test Connection to verify your settings.
  5. Click Save.
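The following Python sketch is an added illustration, not part of this guide or of the Safe Mobile Workforce product, of what the Token URI, refresh token, Client Certificate and Certificate Authority settings above do on the client side: the connection trusts only the uploaded CA and presents the client certificate, and the access token is reused until it expires, after which the refresh token is sent to the Token URI. It assumes the .p12 from init_cert has been converted to PEM for Python's ssl module; URIs, client ID, secret and file paths are placeholders.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request


def make_ssl_context(ca_pem, client_cert_pem, key_password=None):
    """Trust only the uploaded CA (defeats MitM) and present the client certificate (mutual TLS).
    Python's ssl module wants PEM, so the .p12 generated by init_cert must first be converted."""
    ctx = ssl.create_default_context(cafile=ca_pem)  # hostname check and CERT_REQUIRED by default
    ctx.load_cert_chain(client_cert_pem, password=key_password)
    return ctx


def https_post(url, form, ctx):
    """POST a form to the Token URI over the mutually authenticated connection; return parsed JSON."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())


class TokenClient:
    """Keeps the access token and uses the refresh token at the Token URI once it expires.
    `post` is any callable(url, form) -> dict, e.g. lambda u, f: https_post(u, f, ctx)."""

    def __init__(self, token_uri, client_id, client_secret, post, now=time.time):
        self.token_uri, self.client_id, self.client_secret = token_uri, client_id, client_secret
        self.post, self.now = post, now
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0
        self.refreshes = 0  # how many times the refresh token was used

    def _store(self, reply):
        self.access_token = reply["access_token"]
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        self.expires_at = self.now() + float(reply.get("expires_in", 0)) - 30  # 30 s safety margin

    def _grant(self, **params):
        params.update(client_id=self.client_id, client_secret=self.client_secret)
        self._store(self.post(self.token_uri, params))

    def exchange_code(self, code, redirect_uri):
        """Initial grant: trade the authorization code from the Authorization URI for tokens."""
        self._grant(grant_type="authorization_code", code=code, redirect_uri=redirect_uri)

    def get_access_token(self):
        if self.access_token is None:
            raise RuntimeError("no token yet: call exchange_code first")
        if self.now() >= self.expires_at:  # expired: use the refresh token instead of re-prompting
            self.refreshes += 1
            self._grant(grant_type="refresh_token", refresh_token=self.refresh_token)
        return self.access_token
```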

What to do next

Generate individual certificates for mobile users for enrollment. See Generating Client Enrollment Certificate.