Updated on 2026-02-24 GMT+08:00

Third-party SSO Authentication

Scenarios

Workspace supports multiple third-party authentication sources, including individual social authentication, enterprise social authentication, and enterprise authentication sources, providing simpler and more convenient login modes and better user experience for enterprise users. As an administrator, you can add, modify, and delete authentication providers.

Switchover between OAuth2.0, LDAP, and SAML 2.0 is currently unavailable, and they cannot be enabled at the same time.

Data

Table 1 lists the configuration data required for this operation.

Table 1 Required data

Protocol

Parameter

Description

Example Value

OAuth 2.0

View Type > Visual

APP ID

Application (client) ID obtained when an application is created on the third-party authentication source platform.

  • Azure: Obtain the value of Application (client) ID in the name of the application created on the Azure platform.
  • DINGTALK: Obtain the value of Appkey in the name of the application created on the DINGTALK platform.

Obtain the configuration as required. For details, submit a service ticket.

ed2a****0feb

APP Secret

client_secret obtained when an application is created on the third-party authentication source platform.

Azure: Obtain the value of Client Credentials in the name of the application created on the Azure platform. Click Add a certificate or secret. On the displayed Client Secrets page, click New client secret to create.

DINGTALK: Obtain the value of APP Secret in the name of the application created on the DINGTALK platform.

Obtain the configuration as required. For details, submit a service ticket.

VdS8****lpoA

Authentication Success Check Field

Azure configurations: "displayName" or

"userPrincipalName"

DINGTALK: nick

NOTE:

The user created on the Azure platform must be the same as the Workspace user. Otherwise, the verification fails.

displayName

Validation Field Separator Configuration

Truncation rules:

1. Scanning starts from back to front, and splitting is performed at the position where the separator field appears for the first time. The front part is used.

2. The default separator is @.

3. The separator can only be a letter, digit, or any of the special characters in parentheses (.-_$#@>).

Example: test#EXT#&te@teleperformance.com

The separators are @ and #EXT#.

test is returned after separation.

Azure Tenant ID

Directory (tenant) ID of the login tenant.

Azure: Obtain the value of Directory (tenant) ID in the name of the application created on the Azure platform.

Obtain the configuration as required. For details, submit a service ticket.

NOTE:

This parameter is mandatory when the third-party source is set to AZURE.

feff****eed9

Domain Name Mapping

In multi-domain interconnection scenarios:

  1. Select the desired domain name from the drop-down list.
  2. Enter the domain name mapped to the third-party platform.
    NOTE:
    • The domain name to map is a custom one of the third-party authentication service.
    • The domain name to map is valid only when the selected domain name is an AD domain name and you selected third-party SSO and OAuth 2.0.

wks001.vdesktop.com

OAuth 2.0

View Type > JSON

JSON file configuration

Submit a service ticket for technical support.

-

SAML2.0

Identity Provider Name

The name is user-defined and can contain 1 to 64 characters of letters, digits, and hyphens (-).

Defined by the tenant administrator.

Access Server Address

Internet access address or Direct Connect access address. The value contains 1 to 255 characters and cannot be empty.

Obtain the value from the Workspace console.

IDP Metadata

Metadata file of the identity provider (IDP), which contains the IDP configuration information, including the IDP's entity ID, supported authentication methods, and signature certificate. The file must be a valid UTF-8-encoded XML file no larger than 1 MB.

Provided by the tenant administrator.

User ID

The user ID is in URL format, and the value must be the same as the Workspace username.

Provided by the tenant administrator.

LDAP

Server Address

IP address of the authentication server.

Set this parameter to the IP address used for setting up the LDAP server.

10.134.151.140

Port

Port used by the authentication server to communicate with Workspace.

Set this parameter to the port used for setting up the LDAP server.

636 or 389

Base DN

LDAP root directory.

Set this parameter to the root directory collected from the LDAP server.

DC=huawei,DC=com

Administrator DN

DN of the administrator of the LDAP authentication server.

Set this parameter to the administrator account created when setting up the LDAP server.

CN=manager,DC=huawei,DC=com

Administrator Password

Password of the administrator of the LDAP authentication server.

Set this parameter to the password of the administrator created when setting up the LDAP server.

NOTE:

Password for accessing the LDAP server.

-

User Query Base

Directory where the user is located upon LDAP creation.

Set this parameter to the name of the directory used for creating a user.

cn=users

SSL/TLS Certificate Verification

  • Enable: LDAPS is used to set up an LDAP server.
  • Disable: LDAP is used to set up an LDAP server.

Enable

Certificate Upload

After SSL/TLS certificate verification is enabled, you need to upload a certificate.

Set this parameter to the certificate used when a user sets up an LDAP server and enables LDAPS.

-

Procedure

(Optional) Configuring the Auth URL whitelist

Enable OAuth 2.0. To configure a third-party authentication source, configure a whitelist on the third-party authentication platform first.

  1. Log in to the console.
  2. In the navigation pane, choose Tenant Configuration > Basic Settings.

    The Basic Settings page is displayed.

  3. In the Network Configuration area, obtain the IP addresses of Internet access and Direct Connect.

    If the network configuration mode of the tenant is set to either Internet access or Direct Connect, select desired configuration.

  4. Click Redirect URls in the name of the application created on the Azure platform, and add the IP addresses of Internet access and Direct Connect obtained in 3 to the whitelist.

Configuring third-party SSO authentication

After third-party SSO is enabled, the username created on the interconnected platform must be the same as the Workspace username. Otherwise, the verification fails.

  1. Log in to the console.
  2. In the navigation pane, choose Tenant Configuration > Authentication Configuration > Primary Authentication, and click Modify.
  3. Select Third-party SSO authentication for Primary Authentication Type.

    • If Protocol is OAuth 2.0, perform 4.
    • If Protocol is LDAP, perform 5.

  4. Set View Type to Visual and configure OAuth 2.0 parameters according to Table 1.
  5. Configure LDAP parameters according to Table 1.
  6. Click Save.