Help Center/ OneAccess/ Best Practices/ Application Integration/ SSO Access to Applications Through OIDC
Updated on 2024-12-30 GMT+08:00
View PDF
Share

SSO Access to Applications Through OIDC

Introduction

OIDC is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. For details, see OpenID Connect Introduction.

This section describes how to integrate an application with OneAccess using the OIDC protocol.

Configuration Process

Prerequisites

You have permissions to access the administrator portal.

Adding an Application

Add an application in the administrator portal, and configure authentication information to establish a trust on it.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Resources > Applications.
  3. Click Add Custom Application in the Custom Applications section, set the logo and application name, and click Save.

Configuring the Application

Configure the application in OneAccess so that users can log in to the application through OneAccess. For details, see authentication configuration, mapping configuration, and user authorization.

  • Authentication configuration
    1. Click the application added in Adding an Application and click the application icon on the application information page.
    2. In the General Information area, click next to Authentication to enable authentication, select OIDC, and click Save.

      The protocol cannot be changed once specified.

      Figure 1 Selecting an authentication protocol
    3. In the General Information area, click Configure next to Authentication to access the parameter configuration page.

      To avoid information leakage, do not include sensitive information in the configuration parameters.

      Table 1 Authentication parameters

      Parameter

      Description

      Redirect URL

      (Required) Callback URL to be visited after successful authorization. Enter a trusted domain name for receiving and processing authorizations, for example, the domain name of the application home page (https://xxx.xxx.xxx.com). Separate domain names using commas (,).

      Logout URL

      (Optional) Logout URL to be visited after a user logs out of their session.

      Authorization Code

      Enabled by default. This mode is the most widely used authentication mode and is suitable for applications whose frontend and backend are separated. For details about the authorization code mode, see Introduction.

      Implicit Authentication

      Disabled by default. This mode does not require an authorization code and is suitable for applications that do not have a backend.

      Token Signature Algorithm

      Algorithm used to sign tokens. By default, RS256 is used. The algorithm should match the encryption algorithm used in the system.

      Access Token Validity Period

      Validity period of the access token in seconds. The default value is 7200 seconds, that is, 2 hours.

      Refresh Token Validity Period

      Validity period of the refresh token. The default value is 0, indicating that the refresh token is not supported. When the access token of a user expires, the user can use their refresh token to obtain a new access token.

      NOTE:

      The prerequisite for automatic token update is that the validity period of the refresh token is longer than that of the access token.
  • (Optional) Mapping configuration
    On the Authentication Integration page, click the Mappings tab, and click Add Mapping to add an attribute mapping.
    Table 2 Mapping parameters

    Parameter

    Description

    Application Attribute

    (Required) User attribute that OneAccess will return to the application after successful authentication.

    Mapping Type

    (Required) The mapping type determines the returned attribute value.
  • User authorization

    In the left pane, choose Authorization > Application Accounts. Then click the button for adding accounts to authorize specific users to access the application. To authorize access using a policy, see the descriptions about the application account authorization policy in Configuring an Application.

    For details about how to configure login, access control, and object models, see Configuring an Application.

Establishing a Trust Between the Application and OneAccess

Configure authorization information for OneAccess in the application to establish a trust on OneAccess.

  1. Obtain the Client ID and ClientSecret of the application in OneAccess.

    Click the application added in Adding an Application, click the application icon on the application information page, and obtain the Client ID and ClientSecret.

    • To obtain a ClientSecret, click Enable to generate one.
    • ClientSecret is an important credential used to verify the identity of a developer. Do not provide the ClientSecret to other developers or store it in code.
    • If you reset the ClientSecret, the new ClientSecret takes effect immediately, and all interfaces that use the old ClientSecret become invalid. Exercise caution when performing this operation.
    • OneAccess does not store the ClientSecret. Keep it properly after obtaining it.
    Figure 2 Obtaining the Client ID and ClientSecret

  2. Obtain the authentication information in OneAccess.

    1. Log in to the administrator portal.
    2. In the top navigation pane, choose Settings > Service Settings.
    3. Click OIDC.
    4. On the OIDC page displayed, check the authentication address, and click OIDC Settings in the upper right to check the authentication parameters.

  3. Obtain the authorization information of the application. For details, see the application provider's documentation.

Logging In as a User

Log in to the user portal as one of the authorized users, and click the target application to check whether you can access it.

Parent topic: Application Integration