Updated on 2024-10-23 GMT+08:00

Third-party SSO Authentication

Scenario

Workspace supports multiple third-party authentication sources, including individual social authentication, enterprise social authentication, and enterprise authentication sources, providing simpler and more convenient login modes and better user experience for enterprise users. As an administrator, you can add, modify, and delete authentication providers.

Currently, switchover between OAuth2.0, LDAP, and two-factor authentication (TFA) is unavailable, and they cannot be enabled at the same time.

Data

Table 1 lists the configuration data required for this operation.

Table 1 Required data

Protocol

Parameter

Description

Example Value

OAuth 2.0

View Type > Visual

APP ID

Application (client) ID obtained when an application is created on the third-party authentication source platform.

Azure: Obtain the value of Application (client) ID in the name of the application created on the Azure platform.

DINGTALK: Obtain the value of Appkey in the name of the application created on the DINGTALK platform.

Obtain the configuration as required. For details, submit a service ticket.

ed2a****0feb

APP Secret

client_secret obtained when an application is created on the third-party authentication source platform.

Azure: Obtain the value of Client Credentials in the name of the application created on the Azure platform. Click Add a certificate or secret. On the displayed Client Secrets page, click New client secret to create.

DINGTALK: Obtain the value of APP Secret in the name of the application created on the DINGTALK platform.

Obtain the configuration as required. For details, submit a service ticket.

VdS8****lpoA

Authentication Success Check Field

Azure configurations: "displayName" or

"userPrincipalName"

DINGTALK: nick

NOTE:

The user created on the Azure platform must be the same as the Workspace user. Otherwise, the verification fails.

displayName

Validation Field Separator Configuration

Truncation rules:

1. Scanning starts from back to front, and splitting is performed at the position where the separator field appears for the first time. The front part is used.

2. The default separator is @.

3. The separator can only be a letter, digit, or any of the special characters in parentheses (.-_$#@>).

Example: test#EXT#&te@teleperformance.com

The separators are @ and #EXT#.

test is returned after splitting.

Azure Tenant ID

Directory (tenant) ID of the login tenant.

Azure: Obtain the value of Directory (tenant) ID in the name of the application created on the Azure platform.

Obtain the configuration as required. For details, submit a service ticket.

NOTE:

This parameter is mandatory when the third-party source is set to AZURE.

feff****eed9

OAuth 2.0

View Type > JSON

JSON file configuration

Submit a service ticket for technical support.

-

LDAP

Server Address

IP address of the authentication server.

Set this parameter to the IP address used for setting up the LDAP server.

10.134.151.140

Port

Port used by the authentication server to communicate with Workspace.

Set this parameter to the port used for setting up the LDAP server.

636 or 389

Base DN

LDAP root directory.

Set this parameter to the root directory collected from the LDAP server.

DC=huawei,DC=com

Administrator DN

DN of the administrator of the LDAP authentication server.

Set this parameter to the administrator account created when setting up the LDAP server.

CN=manager,DC=huawei,DC=com

Administrator Password

Password of the administrator of the LDAP authentication server.

Set this parameter to the password of the administrator created when setting up the LDAP server.

NOTE:

Password for accessing the LDAP server.

-

User Query Base

Directory where the user is located upon LDAP creation.

Set this parameter to the name of the directory used for creating a user.

cn=users

SSL/TLS Certificate Verification

  • Enable: LDAPS is used to set up an LDAP server.
  • Disable: LDAP is used to set up an LDAP server.

Enable

Certificate Upload

After SSL/TLS certificate verification is enabled, you need to upload a certificate.

Set this parameter to the certificate used when a user sets up an LDAP server and enables LDAPS.

-

Procedure

(Optional) Configuring the Auth URL whitelist

Enable OAuth 2.0. To configure a third-party authentication source, configure a whitelist on the third-party authentication platform first.

  1. Log in to the console.
  2. In the navigation pane, choose Tenant Configuration > Basic Settings.

    The Basic Settings page is displayed.

  3. In the Network Configuration area, obtain the IP addresses of Internet access and Direct Connect.

    If the network configuration mode of the tenant is set to either Internet access or Direct Connect, select desired configuration.

  4. Click Redirect URls in the name of the application created on the Azure platform, and add the IP addresses of Internet access and Direct Connect obtained in 3 to the whitelist.

Configuring third-party SSO authentication

After third-party SSO is enabled, the username created on the interconnected platform must be the same as the Workspace username. Otherwise, the verification fails.

  1. Log in to the console.
  2. In the navigation pane, choose Tenant Configuration > Authentication Configuration > Primary Authentication, and click Modify.
  3. Select Third-party SSO authentication for Primary Authentication Type.

    • If Protocol is OAuth 2.0, perform 4.
    • If Protocol is LDAP, perform 5.

  4. Set View Type to Visual and configure OAuth 2.0 parameters according to Table 1.
  5. Configure LDAP parameters according to Table 1.
  6. Click Save.