Updated on 2024-12-30 GMT+08:00

Service Settings

OneAccess can interconnect with applications through OAuth2, SAML, OIDC, and CAS. It also provides OTP services. View the parameters of these services when you interconnect OneAccess with different applications.

Configuring OTP

An OTP is generated by a virtual MFA device in compliance with the Time-based One-time Password Algorithm (TOTP) standard. MFA devices can be hardware- or software-based. Currently, OneAccess only supports software-based virtual MFA devices, which are applications running on mobile devices such as smartphones.

OneAccess supports OTP configuration. The same OTP parameters must also be applied in your virtual MFA device so that both sides generate matching codes. For details, see the documentation of the virtual MFA device.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Settings > Service Settings.
  3. On the Service Configuration page, click OTP. In the displayed dialog box, set the following parameters.

    Table 1 Parameter configuration

    Parameter | Description
    --- | ---
    Encryption Algorithm | Default algorithm: HMACSHA1. This parameter can be modified.
    Code Digits | Default value: 6. This parameter cannot be modified.
    Generation Period (s) | Default value: 30. This parameter cannot be modified.
    Time Offset | Default value: 0. This parameter can be modified.
    Base Time | Default value: GMT. This parameter cannot be modified.
    MFA Authentication with Password | If you enable this option, users need to enter an OTP code in addition to their usernames and passwords during OTP login. By default, this option is disabled.

  4. Click Save to complete the OTP configuration.

To use OTP login for an application, ensure that you have enabled OTP authentication for PC or mobile devices on the login configuration page of the application.
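The following Python example is added here to show how the parameters in Table 1 fit together; it is not OneAccess code. It implements the RFC 6238 TOTP computation with the page's defaults (HMACSHA1, 6 digits, 30-second period, time offset 0, base time at the GMT epoch) and a verification helper that tolerates one period of clock drift, which is the problem the Time Offset parameter exists to correct. The secret is the RFC 6238 reference test key, a constructed example; real MFA secrets are provisioned per user and never appear in documentation.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 6238 reference key (ASCII "12345678901234567890").
EXAMPLE_SECRET = b"12345678901234567890"

# Hash functions behind the "Encryption Algorithm" names used on the page.
# HMACSHA1 is the page's default; the other two are assumed spellings for the alternatives.
ALGORITHMS = {
    "HMACSHA1": hashlib.sha1,
    "HMACSHA256": hashlib.sha256,
    "HMACSHA512": hashlib.sha512,
}


def totp(secret: bytes, unix_time: int, algorithm: str = "HMACSHA1", digits: int = 6,
         period: int = 30, time_offset: int = 0, base_time: int = 0) -> str:
    """Compute a TOTP code (RFC 6238) using the Table 1 parameters.

    base_time=0 corresponds to the GMT epoch; time_offset shifts the clock in seconds.
    """
    counter = (unix_time + time_offset - base_time) // period
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian step counter
    digest = hmac.new(secret, msg, ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1, **params) -> bool:
    """Accept a code for the current step and up to `window` steps either side.

    A small window absorbs clock drift between the server and the MFA app; a
    persistent drift is what the Time Offset parameter is meant to correct instead.
    """
    period = params.get("period", 30)
    for step in range(-window, window + 1):
        expected = totp(secret, unix_time + step * period, **params)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference time values, truncated to the 6 digits OneAccess uses.
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(EXAMPLE_SECRET, t))
```

The `time_offset` argument shows why the offset is a server-side setting: shifting the clock by a whole period moves the code to the neighbouring step, so a device whose clock is consistently off by a known amount can still be accepted without widening the verification window.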

Configuring IdP

To establish a SAML-based trust relationship with an application, upload the metadata of the IdP to the SP server. For details about how to upload the metadata, see the documentation provided by the SP.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Settings > Service Settings.
  3. On the Service Configuration page, click IdP. In the displayed dialog box, set the following parameters.

    Table 2 IdP service parameters

    Parameter | Description
    --- | ---
    IdP EntityId | Unique identifier of the IdP.
    SSO URL | URL for SSO.
    IdP Logout URL | URL for SLO.
    IdP Certificate | A public key certificate used for signature verification. The signing certificate in the metadata file is used by applications during user access to ensure that assertions are credible and complete.
    Assertion Request Time Window | Default value: 2 minutes. You can select a different value from the drop-down list. The value ranges from 1 to 5 minutes.
    Session Validity Period | Default value: 30 minutes. The value ranges from 1 to 480 minutes.
    Request Signature | By default, this option is enabled.
    Assertion Signature | By default, this option is enabled.
    Assertion Encryption | By default, this option is enabled.

  4. Click Download IdP Metadata in the upper right corner to save and upload the data to the SP server.
  5. Click Save.
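The Assertion Request Time Window in Table 2 bounds how far a SAML AuthnRequest's IssueInstant may differ from the IdP's clock before the request is rejected. The Python example below is added here to illustrate that check; it is not OneAccess code and assumes a two-sided window (requests both too old and too far in the future are refused), which is the usual reading of such a setting. The AuthnRequest is a constructed sample with placeholder ID, Destination and Issuer values.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest; all identifiers and URLs are placeholders.
EXAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-id" Version="2.0"
    IssueInstant="2024-12-30T08:00:00Z"
    Destination="https://idp.example.com/sso"
    AssertionConsumerServiceURL="https://sp.example.com/acs">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime (UTC, trailing 'Z') into a timezone-aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return parsed


def check_request_window(xml_text: str, now: datetime, window_minutes: int = 2,
                         expected_destination: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the Assertion Request Time Window (default 2 minutes) to an AuthnRequest.

    Returns (accepted, reason). Signature verification is a separate step and is
    not shown here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        return False, "not an AuthnRequest"
    if root.attrib.get("Version") != "2.0":
        return False, "unsupported SAML version"
    issued = parse_saml_instant(root.attrib["IssueInstant"])
    window = timedelta(minutes=window_minutes)
    if now - issued > window:
        return False, "stale request"          # old request, possibly replayed
    if issued - now > window:
        return False, "request from the future"  # SP clock ahead of the IdP clock
    if expected_destination is not None and root.attrib.get("Destination") != expected_destination:
        return False, "destination mismatch"   # request was not addressed to this IdP
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2024, 12, 30, 8, 1, 0, tzinfo=timezone.utc)
    print(check_request_window(EXAMPLE_AUTHN_REQUEST, now,
                               expected_destination="https://idp.example.com/sso"))
```

Widening the window (up to the 5 minutes the page allows) makes the deployment tolerant of SP clock skew at the cost of a longer replay opportunity, which is why the default stays at 2 minutes and why Request Signature remains enabled alongside it.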

Configuring OIDC

To establish an OIDC- or OAuth2-based trust relationship with an application, obtain the required endpoint information.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Settings > Service Settings.
  3. On the Service Configuration page, click OIDC. In the displayed dialog box, view the following parameters.

    Parameter | Description
    --- | ---
    Authentication URL | Endpoint for authenticating users during application access. The default value is used.
    Token URL | Endpoint for obtaining user tokens. The default value is used.
    User Information | Only the default value can be used.
    Refresh Token URL | Endpoint for refreshing user tokens. The default value is used.

  4. Click OIDC Settings in the upper right corner to download OIDC data.

Configuring CAS

To establish a CAS-based trust relationship with an application, view and configure CAS information.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Settings > Service Settings.
  3. On the Service Configuration page, click CAS. In the displayed dialog box, view and modify the following parameters.

    Table 3 Parameter description

    Parameter | Description
    --- | ---
    Server Prefix | Prefix of the CAS server URL. The value is automatically generated by the system and cannot be modified.
    Login URL | URL for CAS request authorization. The URL is automatically generated by the system and cannot be modified.
    Validate URL V3 | URL for ticket verification. The V3 URL is recommended. The URL is automatically generated by the system and cannot be modified.
    Logout URL | URL for logging out of CAS. The URL is automatically generated by the system and cannot be modified.
    ST Validity Period | Validity period of a returned ST. Set a validity period from 3 to 15 minutes.

  4. Click Save.
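On the application side, the Validate URL V3 from Table 3 is called with the service URL and the service ticket (ST), and the answer tells the application whether the ST was accepted or, for example, had already expired under the ST Validity Period. The Python example below is added here and is not OneAccess code: it builds the validation request and parses both a success and a failure response in the CAS protocol's XML format. The URLs, user and attribute values are constructed placeholders, and the `/p3/serviceValidate` path is assumed from the CAS protocol specification rather than taken from the page.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed CAS v3 validation responses; user and attribute values are placeholders.
EXAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:email>alice@example.com</cas:email>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# What the server returns when the ST is unknown or its validity period has elapsed.
EXAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-example not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(validate_url: str, service: str, ticket: str) -> str:
    """Compose the ticket-validation request for the configured Validate URL V3.

    `service` must be exactly the URL the user was redirected from at login, or
    the server rejects the ticket.
    """
    return validate_url + "?" + urlencode({"service": service, "ticket": ticket})


def parse_validate_response(xml_text: str) -> dict:
    """Parse a cas:serviceResponse into a plain dict describing success or failure."""
    root = ET.fromstring(xml_text)
    ns = {"cas": CAS_NS}
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        raise ValueError("not a CAS serviceResponse")

    success = root.find("cas:authenticationSuccess", ns)
    if success is not None:
        user = success.findtext("cas:user", namespaces=ns)
        attrs_el = success.find("cas:attributes", ns)
        attributes = {}
        if attrs_el is not None:
            # Strip the namespace from each attribute tag: "{ns}email" -> "email".
            attributes = {child.tag.split("}", 1)[1]: (child.text or "") for child in attrs_el}
        return {"ok": True, "user": user, "attributes": attributes}

    failure = root.find("cas:authenticationFailure", ns)
    if failure is not None:
        return {"ok": False, "code": failure.attrib.get("code"),
                "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse contains neither success nor failure")


if __name__ == "__main__":
    # Placeholder validate URL; a real deployment uses the value shown in Table 3.
    print(build_validate_url("https://idp.example.com/cas/p3/serviceValidate",
                             "https://app.example.com/login", "ST-example"))
    print(parse_validate_response(EXAMPLE_SUCCESS))
    print(parse_validate_response(EXAMPLE_FAILURE))
```

An application should treat only an `authenticationSuccess` element as proof of login and log the `code` of any failure; an `INVALID_TICKET` seen more than a few minutes after the login redirect usually means the ST Validity Period elapsed before the ticket was validated.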

Configuring API Authentication

To register open APIs with OneAccess, view the API authentication settings and configure them for interaction with your applications.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Settings > Service Settings.
  3. On the Service Configuration page, click API Authentication. In the displayed dialog box, view the following parameters.

    Parameter | Description
    --- | ---
    Signature Algorithm | Only the default value can be used.
    Public Key | Public key for signature verification. Only the default value can be used.
    Encryption Algorithm | Only the default value can be used.
    Algorithm Key | Key used by the encryption algorithm. Click Reset to set a key.
    Validity Period | Validity period of access_token and id_token. The default value is 30 minutes. You can adjust this period up to a maximum of 43200 minutes (30 days).