Control supports optional Workspot Client authentication via some third-party OIDC (OpenID Connect) identity providers, initially Google Identity and Okta. Once enabled, Client users must authenticate with the identity provider before using Workspot desktops and apps.
How it Works
Identity providers are configured in Control (and with your identity provider). Once configured, they are assigned to RD gateways and gateway clusters. Sessions passing through these gateways require third-party authentication.
Different gateways can require different authentication, allowing mixed installations and non-disruptive site upgrades.
End-User Session Flow:
When launching a Workspot desktop or app from the Client, if the Gateway used by the desktop/app requires third-party authentication, the Client will renew the token if necessary and pass it on to the Gateway.
If all is well, the RD Gateway connects the Client to the desktop/app.
Configuring in Control
Identity Providers are configured in Workspot Control on the "Settings > Identity Providers" page.
This page summarizes the existing named identity provider rules and lets you add, edit, or delete them.
Adding an Identity Provider Rule
Click the "Add Identity Provider" button and fill in the pop-up form.
Name: Choose a descriptive name for this rule.
Identity Provider: Currently Okta or Google Identity.
Authentication Authority and Client ID: These values are obtained from your identity provider's console. See the Examples section.
Automatically Test Authentication: TBD.
Click "Save."
A green banner at the top of the "Identity Provider" page will announce that the operation succeeded.
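Before saving a rule, it helps to confirm that the Authentication Authority and Client ID agree with what the identity provider actually publishes and issues. The following is an added example, not Workspot code: it assumes the Authentication Authority is the provider's OIDC issuer URL, and the authority, client ID, discovery document and token claims shown are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample values (placeholders, not real tenant data).
AUTHORITY = "https://idp.example.com"
CLIENT_ID = "constructed-client-id"
DISCOVERY = {  # as it would be served from discovery_url(AUTHORITY)
    "issuer": "https://idp.example.com",
    "jwks_uri": "https://idp.example.com/keys",
}
CLAIMS = {  # decoded ID token payload; signature assumed already verified
    "iss": "https://idp.example.com",
    "aud": "constructed-client-id",
    "exp": 1_700_003_600,
}


def discovery_url(authority):
    """OIDC Discovery document location for an issuer URL."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_rule(authority, client_id, discovery, claims, now):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    parts = urlsplit(authority)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("authority is not an https URL")
    if parts.query or parts.fragment:
        problems.append("authority carries a query or fragment")
    # Issuer comparison is exact: a trailing slash or case change is a mismatch.
    if discovery.get("issuer") != authority:
        problems.append("discovery issuer differs from authority")
    if not str(discovery.get("jwks_uri", "")).startswith("https://"):
        problems.append("jwks_uri is missing or not https")
    if claims.get("iss") != discovery.get("issuer"):
        problems.append("token iss differs from discovery issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append("token aud does not contain client ID")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("multi-audience token lacks matching azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    return problems


if __name__ == "__main__":
    print(check_rule(AUTHORITY, CLIENT_ID, DISCOVERY, CLAIMS, now=1_700_000_000))
```

A trailing slash on the authority is the most common mismatch this catches, because issuer comparison in OIDC is an exact string match.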
Assigning Identity Provider Rules to Gateways
The "Add/Edit Gateway" pages have an Authentication Method menu, which currently lists AD, Azure AD, and the Identity Provider rules you have defined. Only one of these can be active at a time on a given gateway or gateway cluster.