Third-party SSO Authentication
Scenario
Workspace supports multiple third-party authentication sources, including individual social authentication, enterprise social authentication, and enterprise authentication sources, providing simpler and more convenient login modes and better user experience for enterprise users. As an administrator, you can add, modify, and delete authentication providers.
Currently, switchover between OAuth2.0, LDAP, and two-factor authentication (TFA) is unavailable, and they cannot be enabled at the same time.
Data
Table 1 lists the configuration data required for this operation.
Protocol |
Parameter |
Description |
Example Value |
---|---|---|---|
OAuth 2.0 View Type > Visual |
APP ID |
Application (client) ID obtained when an application is created on the third-party authentication source platform. Azure: Obtain the value of Application (client) ID in the name of the application created on the Azure platform. DINGTALK: Obtain the value of Appkey in the name of the application created on the DINGTALK platform. Obtain the configuration as required. For details, submit a service ticket. |
ed2a****0feb |
APP Secret |
client_secret obtained when an application is created on the third-party authentication source platform. Azure: Obtain the value of Client Credentials in the name of the application created on the Azure platform. Click Add a certificate or secret. On the displayed Client Secrets page, click New client secret to create. DINGTALK: Obtain the value of APP Secret in the name of the application created on the DINGTALK platform. Obtain the configuration as required. For details, submit a service ticket. |
VdS8****lpoA |
|
Authentication Success Check Field |
Azure configurations: "displayName" or "userPrincipalName" DINGTALK: nick
NOTE:
The user created on the Azure platform must be the same as the Workspace user. Otherwise, the verification fails. |
displayName |
|
Validation Field Separator Configuration |
Truncation rules: 1. Scanning starts from back to front, and splitting is performed at the position where the separator field appears for the first time. The front part is used. 2. The default separator is @. 3. The separator can only be a letter, digit, or any of the special characters in parentheses (.-_$#@>). |
Example: test#EXT#&te@teleperformance.com The separators are @ and #EXT#. test is returned after splitting. |
|
Azure Tenant ID |
Directory (tenant) ID of the login tenant. Azure: Obtain the value of Directory (tenant) ID in the name of the application created on the Azure platform. Obtain the configuration as required. For details, submit a service ticket.
NOTE:
This parameter is mandatory when the third-party source is set to AZURE. |
feff****eed9 |
|
OAuth 2.0 View Type > JSON |
JSON file configuration |
Submit a service ticket for technical support. |
- |
LDAP |
Server Address |
IP address of the authentication server. Set this parameter to the IP address used for setting up the LDAP server. |
10.134.151.140 |
Port |
Port used by the authentication server to communicate with Workspace. Set this parameter to the port used for setting up the LDAP server. |
636 or 389 |
|
Base DN |
LDAP root directory. Set this parameter to the root directory collected from the LDAP server. |
DC=huawei,DC=com |
|
Administrator DN |
DN of the administrator of the LDAP authentication server. Set this parameter to the administrator account created when setting up the LDAP server. |
CN=manager,DC=huawei,DC=com |
|
Administrator Password |
Password of the administrator of the LDAP authentication server. Set this parameter to the password of the administrator created when setting up the LDAP server.
NOTE:
Password for accessing the LDAP server. |
- |
|
User Query Base |
Directory where the user is located upon LDAP creation. Set this parameter to the name of the directory used for creating a user. |
cn=users |
|
SSL/TLS Certificate Verification |
|
Enable |
|
Certificate Upload |
After SSL/TLS certificate verification is enabled, you need to upload a certificate. Set this parameter to the certificate used when a user sets up an LDAP server and enables LDAPS. |
- |
Procedure
(Optional) Configuring the Auth URL whitelist
Enable OAuth 2.0. To configure a third-party authentication source, configure a whitelist on the third-party authentication platform first.
- Log in to the console.
- In the navigation pane, choose Tenant Configuration > Basic Settings.
The Basic Settings page is displayed.
- In the Network Configuration area, obtain the IP addresses of Internet access and Direct Connect.
If the network configuration mode of the tenant is set to either Internet access or Direct Connect, select desired configuration.
- Click Redirect URls in the name of the application created on the Azure platform, and add the IP addresses of Internet access and Direct Connect obtained in 3 to the whitelist.
Configuring third-party SSO authentication
After third-party SSO is enabled, the username created on the interconnected platform must be the same as the Workspace username. Otherwise, the verification fails.
- Log in to the console.
- In the navigation pane, choose Tenant Configuration > Authentication Configuration > Primary Authentication, and click Modify.
- Select Third-party SSO authentication for Primary Authentication Type.
- Set View Type to Visual and configure OAuth 2.0 parameters according to Table 1.
- Configure LDAP parameters according to Table 1.
- Click Save.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot