3 changes: 2 additions & 1 deletion main/config/navigation/secure.json
Original file line number Diff line number Diff line change
Expand Up @@ -328,7 +328,8 @@
"group": "Cross App Access (XAA)",
"pages": [
"docs/secure/call-apis-on-users-behalf/xaa",
"docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment",
"docs/secure/call-apis-on-users-behalf/xaa/set-up-requesting-app",
"docs/secure/call-apis-on-users-behalf/xaa/set-up-resource-app",
"docs/secure/call-apis-on-users-behalf/xaa/manage-xaa-in-okta",
"docs/secure/call-apis-on-users-behalf/xaa/test-xaa-flow"
]
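Review bot: the entry removed here, `docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment`, still has an inbound link from the new Requesting App page added in this PR, whose callout points to `/docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment#create-and-configure-your-okta-tenant`. The page that carries the `#create-and-configure-your-okta-tenant` anchor is retitled to the Resource App in the same PR, so retarget that link to the `set-up-resource-app` path (or keep the old navigation entry) so this change does not leave a dead link.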
4 changes: 2 additions & 2 deletions main/docs/secure/call-apis-on-users-behalf/xaa.mdx
Expand Up @@ -19,9 +19,9 @@ This guide assumes you use Okta as your enterprise identity provider (IdP) and h

</Callout>

Connecting third-party apps and AI agents in an enterprise creates two key problems: poor IT visibility into data sharing and repetitive consent flows for users.
Connecting third-party apps and AI agents in an enterprise setting creates two key problems: poor IT visibility into data sharing and repetitive consent flows for users.

Cross App Access (XAA) addresses these challenges by allowing IT admins to centrally define access controls for how SaaS applications, like AI agents, connect on a user's behalf. Admins manage these connections in a central dashboard, like the Okta Admin Console, which eliminates disruptive OAuth consent prompts for end-users. The result is improved organizational security, governance, and user experience.
Cross App Access (XAA) allows IT admins to centrally define access controls for how SaaS applications, like AI agents, connect on a user's behalf. Admins manage these connections in a central dashboard, like the Okta Admin Console, which eliminates disruptive OAuth consent prompts for end-users. The result is improved organizational security, governance, and user experience.

XAA implements the [Identity Assertion Authorization Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/), an in-progress OAuth extension that allows an AI agent or application (Requesting App) to obtain a secure token through the enterprise IdP. This token enables the Requesting App to call the APIs of another application (Resource App) on the end-user’s behalf. To learn more, read [How it works](#how-it-works).
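Review bot: the rewrite of the second paragraph drops the connective "addresses these challenges by", so it no longer refers back to the two problems the preceding paragraph names; consider "Cross App Access (XAA) addresses these problems by allowing IT admins to centrally define access controls ..." so the two paragraphs still read as problem and solution. The "in an enterprise setting" change to the first paragraph is fine.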

@@ -0,0 +1,167 @@
---
description: Set up and register the Requesting App for Cross App Access (XAA).
sidebarTitle: Set up Requesting App
title: Set up Requesting App
---

import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"

<ReleaseStageNotice
feature="Cross App Access (XAA)"
stage="beta"
contact="Auth0 Support"
terms="true"
/>

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">

This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant for testing. If you don't have one, read [Create and configure your Okta tenant](/docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment#create-and-configure-your-okta-tenant).

</Callout>

This section explains how to set up the Requesting App for Cross App Access (XAA). The Requesting App and Resource App are connected using an OIDC connection pointing to the Resource App’s Auth0 tenant. The Requesting App uses the OIDC connection to make a token exchange request via the Token Vault to obtain an access token to call the API of the Resource App. For the Resource App setup, read [Set up Resource App](/docs/secure/call-apis-on-users-behalf/xaa/set-up-resource-app).

To set up your Requesting App tenant, you need to:

1. [Create the Requesting App in Auth0](#create-the-requesting-app-in-auth0): Create and register a confident client in Auth0 and enable XAA for it.
2. [Create the Okta Workforce Enterprise connection](#create-the-okta-workforce-enterprise-connection): Federate with Okta as the enterprise IdP so your users can sign in with their Okta credentials.
3. [Create the Resource App OIDC connection](#create-the-resource-app-oidc-connection): Create and register a connection that points to the Resource App's Auth0 tenant and enable Token Vault and XAA on it.

## Prerequisites

Before getting started, configure your Okta tenant for Cross App Access:

- On the [Okta Developer website](https://developer.okta.com/signup/), sign up for an Okta Integrator Free Plan.
- In the Okta Admin Console, navigate to **Settings > Features**. Under **Early access features**, enable **Cross App Access**.

<Frame>![](/docs/images/xaa/okta_enable_xaa.png)</Frame>

You also need access to a Resource App Auth0 tenant. To set one up, read [Set Up Resource App](/docs/secure/call-apis-on-users-behalf/xaa/set-up-resource-app). From the Resource App tenant, you need:

- The Resource App tenant's issuer URL. For example, `https://<RESOURCE_APP_TENANT>.auth0.com/`
- A Client ID and Client Secret for the Requesting App registered in the Resource App tenant

## Create the Requesting App in Auth0

Create an application in your Requesting App Auth0 tenant representing the Requesting App. This must be a confidential client that can store a client secret, such as a Regular Web Application.

In the Auth0 Dashboard:

1. Navigate to **Applications > Applications** and select **Create Application**.
2. Enter a name (for example, `Agent0`) and select **Regular Web Application**.

<Frame>![](/docs/images/xaa/xaa_create_regular_web_app.png)</Frame>

3. Open the application's **Settings** and enable the **Cross App Access** toggle.

<Frame>![](/docs/images/xaa/allow_xaa_auth0_app.png)</Frame>

4. Navigate to **Advanced Settings > Grant Types** and enable the **Token Vault** grant type. This allows the application to use Token Vault to exchange tokens on the user's behalf.

Note the application's Client ID; you will need it when registering the Requesting App in Okta.

## Create the Okta Workforce Enterprise connection

Create an Okta Workforce Enterprise connection in your Requesting App Auth0 tenant so your users can sign in using their Okta credentials. This connection also enables Auth0 to store Okta tokens in Token Vault during login.

To [create an Okta Workforce Enterprise connection](/docs/authenticate/identity-providers/enterprise-identity-providers/okta), use the Okta application credentials for your Requesting App.

Once the connection is created, configure it for XAA:

1. Navigate to **Authentication > Enterprise > Okta Workforce** and select the connection.
2. Under **Settings > User Mapping**, select the **Okta Basic** template.
3. In the `userinfo_scope` property, add the `offline_access` scope so Token Vault can store a refresh token:

```json
{
"attributes": {
"name": "${context.tokenset.name}",
"email": "${context.tokenset.email}",
"username": "${context.tokenset.preferred_username}",
"federated_groups": "${context.userinfo.groups}",
"federated_locale": "${context.userinfo.locale}",
"federated_zoneinfo": "${context.userinfo.zoneinfo}"
},
"mapping_mode": "use_map",
"userinfo_scope": "openid email profile groups offline_access"
}
```

4. Enable the **Cross App Access - Requesting Application** role for this connection using the Auth0 Dashboard or Management API:

<Tabs>
<Tab title="Auth0 Dashboard">
Under **Cross App Access Roles**, toggle on **Requesting Application**. This enables your Requesting App to request ID-JAGs issued by the enterprise IdP associated with this connection.
</Tab>
<Tab title="Management API">
Make a `PATCH` request to the [`/connections/{YOUR_CONNECTION_ID}`](/docs/api/management/v2/connections/patch-connections-by-id) endpoint and set `cross_app_access_requesting_app` to `active: true`:

```bash
curl -L -X PATCH 'https://<YOUR_DOMAIN>/api/v2/connections/<YOUR_CONNECTION_ID>' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <YOUR_MANAGEMENT_API_TOKEN>' \
-d '{"cross_app_access_requesting_app": {"active": true}}'
```
</Tab>
</Tabs>

## Register the Requesting App in Okta

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">

In a production environment, the Requesting App developer registers the Requesting App in the Okta Integration Network (OIN). Enterprise customers install it from the OIN catalog during their IdP setup.

</Callout>

The Requesting App must be registered in the Okta Integration Network (OIN) to be considered a valid XAA Requesting App.

To register a new application in the OIN, read [Submission process for SSO and SCIM integrations](https://developer.okta.com/docs/guides/submit-app-overview/). Contact your Auth0 or Okta representative to accelerate this process.

After adding the integration, configure the application's sign-on policy:

1. In the Okta Admin Console, go to **Applications > Applications** and select the Requesting App.
2. Under **Sign On**, select **Edit** and add your Okta Workforce connection's **callback URL** in the **Redirect URI** field.
3. Select **Save**.

Finally, assign your test user to the Requesting App:

1. Select **Assignments > Assign > Assign to People** and select your test user.
2. Select **Save**.

## Test the Okta Workforce connection

In the Auth0 Dashboard:

1. Navigate to **Authentication > Enterprise > Okta Workforce** and select the connection.
2. Select the **Applications** tab and enable the Requesting App you created.
3. Go back to the connections list, select the three dots next to your connection, and select **Try**. You will be redirected to authenticate with your Okta tenant.

## Create the Resource App OIDC connection

The Requesting App needs a connection in its Auth0 tenant that points to the Resource App's Auth0 tenant. This is how Token Vault knows which Resource App to target when exchanging tokens, and it is where you enable the XAA Resource App role on the Requesting App side.

Use the Client ID and Client Secret that the Resource App tenant issued for your Requesting App to create an OIDC Enterprise connection in your Requesting App Auth0 tenant.

To configure the connection for XAA:

1. For **Purpose**, select **Connected Accounts for Token Vault**.
2. For the **OpenID Connect Discovery URL**, enter the discovery URL of the Resource App's Auth0 tenant: `https://<RESOURCE_APP_TENANT>.auth0.com/.well-known/openid-configuration`.
3. Enable the **Cross App Access - Resource Application** role using the Auth0 Dashboard or Management API:

<Tabs>
<Tab title="Auth0 Dashboard">
Toggle on **Enable Cross App Access Delegation**, then toggle on **Cross App Access - Resource Application**. This enables the connection to accept ID-JAGs targeting the Resource App's Auth0 tenant.
</Tab>
<Tab title="Management API">
Make a `PATCH` request to the [`/connections/{YOUR_CONNECTION_ID}`](/docs/api/management/v2/connections/patch-connections-by-id) endpoint and set `connected_accounts` with `cross_app_access: true`:

```bash
curl -L -X PATCH 'https://<YOUR_DOMAIN>/api/v2/connections/<YOUR_CONNECTION_ID>' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <YOUR_MANAGEMENT_API_TOKEN>' \
-d '{"connected_accounts": {"active": true, "cross_app_access": true}}'
```
</Tab>
</Tabs>

Once the connection is created, you are ready to test the end-to-end XAA flow. To learn more, read [Test Cross App Access (XAA) Flow](/docs/secure/call-apis-on-users-behalf/xaa/test-xaa-flow).
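Review bot: step 1 of the overview list says "a confident client"; it should be "confidential client", matching the wording under "Create the Requesting App in Auth0". The same three-item overview also omits two sections the page actually contains, "Register the Requesting App in Okta" and "Test the Okta Workforce connection"; add them as steps, since the text states the app "must be registered in the Okta Integration Network (OIN) to be considered a valid XAA Requesting App", so readers should not treat that section as optional. Minor: the link text "Set Up Resource App" under Prerequisites differs in capitalization from the target page's title "Set up the Resource App".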
@@ -1,7 +1,7 @@
---
description: Learn how to set up the end-to-end test environment for the Resource App.
sidebarTitle: Set up XAA Test Environment
title: Set up Test Environment for Cross App Access (XAA)
description: Set up and register the Resource App for Cross App Access (XAA).
sidebarTitle: Set up Resource App
title: Set up the Resource App
---

import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"
Expand All @@ -13,15 +13,15 @@ import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"
terms="true"
/>

This section explains how to set up the end-to-end test environment for the Resource App. By configuring your Auth0 tenant as the Resource App Authorization Server, your SaaS application can start accepting incoming ID-JAG requests without requiring any code changes. This enables your SaaS API to generate access tokens in response to these requests, allowing AI agents and other applications to seamlessly consume your API.
This section explains how to set up the Resource App for Cross App Access (XAA). By configuring your Auth0 tenant as the Resource App Authorization Server, your SaaS application can start accepting incoming ID-JAG requests without requiring any code changes. This enables your SaaS API to generate access tokens in response to these requests, allowing AI agents and other applications to seamlessly consume your API.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">

This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant you can use for testing. If you don’t have one, read [Create and configure your Okta tenant](#create-and-configure-your-okta-tenant).
This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant for testing. If you don’t have one, read [Create and configure your Okta tenant](#create-and-configure-your-okta-tenant).

</Callout>

To set up your end-to-end test environment for the Resource App:
To set up the Resource App:

- Configure and register your Resource App: This includes configuring your Auth0 tenant and registering your SaaS application as a Resource App with Okta. To learn more, read [Resource App setup](#resource-app-setup).
- Configure the Requesting App to test the end-to-end: This includes registering a test Requesting App in your Auth0 tenant and updating Okta to link it with your Resource App. To learn more, read [Requesting App setup](#requesting-app-setup).
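Review bot: the description, sidebar title and title now present this file as the Resource App page, but the unchanged second bullet at the end of the hunk still says the page covers "registering a test Requesting App in your Auth0 tenant" under an in-page `#requesting-app-setup` anchor; now that a dedicated Set up Requesting App page is added in the same PR, either point that bullet at `/docs/secure/call-apis-on-users-behalf/xaa/set-up-requesting-app` or drop it, so the two pages do not describe the Requesting App setup twice. Also the sidebar title "Set up Resource App" and page title "Set up the Resource App" differ; pick one form to match the Requesting App page, whose sidebar and page titles are identical.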