Identity as a Service:Configure Agent ID Guard

Last Updated:Mar 20, 2026

This topic describes how to register an agent identity in IDaaS EIAM, configure its authentication and permissions, and set up downstream resource access through the topology diagram.

Prerequisites

Before you begin, make sure that you have:

  • An IDaaS EIAM Enterprise Edition instance with the machine-to-machine (M2M) feature enabled. For more information, see Create an instance and Upgrade an instance.

  • An identity provider configured with at least one valid account. For more information, see Create an account.

Register an agent identity

  1. Log on to the IDaaS EIAM console.

  2. In the left-side navigation pane, choose Agent ID Guard.

  3. On the Agent ID Guard page, click Register Agent Identity.

  4. The system creates an Agent identity configuration topology diagram with the following node types:

    Node type                    Description
    ---------------------------  -----------------------------------------------------------------------------------------
    Agent node                   The agent identity subject. Configure authentication and permissions on this node.
    Client                       The client access entry point. Controls which client applications can call the agent.
    Large Language Model (LLM)   Hosts API Key credentials for LLM services.
    Enterprise Service           Represents an internal application integrated with IDaaS.
    External Service             Stores OAuth credentials or API Keys for external services.

  5. The topology diagram supports two authorization directions:

    • Outbound Authorization: Connect the Agent ID Guard node to a Large Language Model (LLM), Enterprise Service, or External Service node.

    • Inbound Authorization: Connect a Client node to the Agent ID Guard node.

  6. To add nodes, hover over the Agent ID Guard node and click + on the left for a Client node, or + on the right for an LLM, enterprise service, or third-party service node. You can also click Add Node in the toolbar.

Important

Each Agent, Client, and enterprise service node consumes one M2M application license.

Configure the Agent node

After you register an agent identity, configure authentication and permissions for the Agent node.

  1. In the topology diagram, click the Agent ID Guard node.

  2. On the General Configuration panel, configure the following settings:

    Setting                         Description
    ------------------------------  -------------------------------------------------------------------------------------
    Agent ID                        Auto-generated. Cannot be modified.
    Agent Name                      A custom display name.
    General                         Select Client Secret Credential or Certificates Credential. See the following descriptions.
    Configure Audience Identifier   Auto-generated. Editable only during initial configuration. Becomes immutable after saving.

    • Client Secret Credential: Click Add client_secret to create a credential that the agent uses to authenticate with IDaaS.

    • Certificates Credential: Click Manually Add to upload the agent's public key. The agent signs requests with its private key, and IDaaS verifies the signature with the public key.

  3. Click Next to go to the Permission Configuration page.

  4. Configure the permission settings:

    Setting              Description
    -------------------  ------------------------------------------------------------------------------------------------
    Permission Name      Auto-generated. You can modify this value.
    Scope Value          Defaults to agent.access. You can modify this value, but we recommend keeping the default.
    Authorization mode   Auto-Authorize: all client application users automatically receive agent access.
                         Manually: you must assign permissions to specific users.

  5. If you select Manually, click Next to configure the authorization scope:

    • User: Select individual user accounts.

    • Group: Select user groups. All group members receive the permission.

    • Organization: Select organizational units. All members in the unit receive the permission.

  6. Complete the permission configuration.

Configure the Client node

The Client node configures authentication for client applications that access the agent. After configuration, the Client M2M application appears on the Application Management > M2M Application page.

Add a Client node

  1. In the topology diagram, hover over the Agent ID Guard node and click + on the left.

  2. In the node type menu, select Client.

You can also add a Client node from the Add Node button in the toolbar.

Configure the client application

  1. Click the new Client node.

  2. On the configuration panel, select an existing OpenID Connect (OIDC) M2M application, or click Create Client Application to create one.

Create a client application

  1. Click Create Client Application.

  2. Configure the following settings:

    • Application Name: Enter a name for the client application.

    • Authorization Method: Enter the redirect URL for post-authentication callbacks. Both HTTPS and HTTP are supported. Example: https://example.aliyun.com/login.

    Note

    The # character and any content after it in a URI are not sent to the server. To include #, use %23 instead.

    • General: Select Client Secret Credential or Certificates Credential.

  3. Click Next to configure the authorization scope. Select the users who can use this client application by User, Group, or Organization.

  4. Complete the client application configuration.

Configure Inbound Authorization

Inbound Authorization defines the permissions that a client can request from the Agent.

  1. Click the connection line between the Client node and the Agent ID Guard node, then click Inbound Authorization.

  2. On the Inbound Authorization configuration panel, click Authorize.

  3. In the permission list, select the permissions to grant. The available permissions are defined in the Agent node's permission configuration.

Configure the LLM node

The LLM node hosts API Key credentials for Large Language Model (LLM) services. After you store LLM credentials in IDaaS, the agent retrieves them through IDaaS at runtime.

Add an LLM node

  1. In the topology diagram, hover over the Agent ID Guard node and click + on the right.

  2. In the node type menu, select Large Language Model (LLM).

Configure LLM credentials

  1. Click the new Large Language Model (LLM) node.

  2. On the configuration panel, select an existing credential from the Asset Management > Credential page, or click Add API Key Credential to create one.

Add an API Key credential

Note

The number of credentials has an upper limit. You cannot add new credentials after the limit is reached.

  1. Click Add API Key Credential.

  2. Configure the credential settings:

    Setting            Description
    -----------------  ------------------------------------------------------------------------------------------------
    Credential Name    A display name for the credential.
    API key ID         A description of the credential.
    Business Type      Automatically set to Large Language Model (LLM). Cannot be modified.
    API Key            The identifier of the LLM API Key to store.
    API Key Value      The API Key value to store.
    Secure Storage     Defaults to Default Encrypted Credential. Cannot be disabled.

  3. Complete the API Key credential configuration.

LLM Outbound Authorization

Outbound Authorization for LLM nodes is configured automatically. After the Agent authenticates, the system grants it access to the associated LLM API credentials. No manual configuration is required.

Configure the enterprise service node

Create an enterprise service node when the agent needs to access an internal application and obtain an access token. After configuration, the enterprise service M2M application appears on the Application Management > M2M Application page.

Important

The internal application must support access credentials issued by IDaaS. Each enterprise service node consumes one M2M application license.

Add and configure the enterprise service

  1. In the topology diagram, hover over the Agent ID Guard node, click + on the right, and select Enterprise Service.

  2. Click the new Enterprise Service node. Select an existing M2M application from the Application Management > M2M Application page, or click Application Management to create one.

Add an enterprise service application

  1. Click Application Management.

  2. Configure the following settings:

    • Application Name: Enter a name for the enterprise service application.

    • Configure Audience Identifier: Configure the audience identifier. After saving, this value becomes immutable.

  3. Click Next.

Configure permissions

  1. Configure the permission settings:

    • Permission Name: Enter a display name for the permission.

    • Scope Value: A unique identifier. The system generates a default value. You can modify this value.

  2. Complete the configuration.

Configure enterprise service Outbound Authorization

Outbound Authorization defines the permissions the Agent has when accessing the enterprise service.

  1. Click the connection line between the Agent ID Guard node and the Enterprise Service node, then click Outbound Authorization.

  2. On the Outbound Authorization configuration panel, click Create Scope.

  3. In the permission list, select the permissions to grant. The available permissions are defined in the enterprise service node's permission configuration.

  4. Complete the configuration.
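The two authorization directions described above (Inbound Authorization on the Client-to-Agent line, Outbound Authorization on the Agent-to-service lines) and the Agent node's Auto-Authorize or Manually mode together decide whether a request may flow through the topology. The following Go program is an added example that models those documented rules as a policy check; it is not IDaaS code and does not call any IDaaS API. All node names, scope names other than agent.access, and the principal "alice" are constructed for the demonstration.

```go
package main

import "fmt"

// NodeType mirrors the node types of the Agent ID Guard topology diagram.
type NodeType string

const (
	ClientNode     NodeType = "Client"
	AgentNode      NodeType = "Agent"
	LLMNode        NodeType = "Large Language Model (LLM)"
	EnterpriseNode NodeType = "Enterprise Service"
	ExternalNode   NodeType = "External Service"
)

// Node is a box in the diagram; Scopes are the permissions its own Permission Configuration defines.
type Node struct {
	Type   NodeType
	Scopes map[string]bool
}

// Principal is the end user acting through a client application.
type Principal struct{ User, Group, Org string }

// AgentPolicy is the Agent node's authorization mode: Auto-Authorize, or Manually with assignments.
type AgentPolicy struct {
	AutoAuthorize       bool
	Users, Groups, Orgs map[string]bool
}

// Topology: Lines[{from, to}] is the scope set selected on that connection line's authorization panel.
type Topology struct {
	Nodes  map[string]Node
	Lines  map[[2]string]map[string]bool
	Policy AgentPolicy
}

// CanCallAgent evaluates Inbound Authorization (Client -> Agent): the scope must be defined on the
// Agent node, granted on the line, and p must pass the Agent node's authorization mode.
func (t Topology) CanCallAgent(p Principal, client, agent, scope string) bool {
	a := t.Nodes[agent]
	if t.Nodes[client].Type != ClientNode || a.Type != AgentNode || !a.Scopes[scope] {
		return false // inbound lines run Client -> Agent, only for scopes the Agent node defines
	}
	if !t.Lines[[2]string{client, agent}][scope] { // a missing line is a nil map and also yields false
		return false // scope not selected on this line's Inbound Authorization panel
	}
	return t.Policy.AutoAuthorize || t.Policy.Users[p.User] || t.Policy.Groups[p.Group] || t.Policy.Orgs[p.Org]
}

// CanReachService evaluates Outbound Authorization (Agent -> service). LLM and External Service
// lines release the stored credential automatically; Enterprise Service lines need a granted scope.
func (t Topology) CanReachService(agent, service, scope string) bool {
	granted, connected := t.Lines[[2]string{agent, service}]
	if t.Nodes[agent].Type != AgentNode || !connected {
		return false // outbound lines start at the Agent node and need a connection line
	}
	switch s := t.Nodes[service]; s.Type {
	case LLMNode, ExternalNode:
		return true // credential released to the authenticated agent, no scopes to select
	case EnterpriseNode:
		return s.Scopes[scope] && granted[scope] // defined on the service and granted on the line
	}
	return false
}

func set(v ...string) map[string]bool {
	m := make(map[string]bool, len(v))
	for _, s := range v {
		m[s] = true
	}
	return m
}

// DemoTopology is a constructed sample (all names illustrative): one client, an agent in Manually
// mode for the "finance" group, an LLM node, and an enterprise service with only hr.read granted.
func DemoTopology() Topology {
	return Topology{
		Nodes: map[string]Node{
			"web-client": {Type: ClientNode},
			"agent":      {Type: AgentNode, Scopes: set("agent.access")},
			"llm":        {Type: LLMNode},
			"hr-api":     {Type: EnterpriseNode, Scopes: set("hr.read", "hr.write")},
		},
		Lines: map[[2]string]map[string]bool{
			{"web-client", "agent"}: set("agent.access"),
			{"agent", "llm"}:        nil,
			{"agent", "hr-api"}:     set("hr.read"),
		},
		Policy: AgentPolicy{Groups: set("finance")},
	}
}

func main() {
	t := DemoTopology()
	fmt.Println(t.CanCallAgent(Principal{User: "alice", Group: "finance"}, "web-client", "agent", "agent.access"))
	fmt.Println(t.CanReachService("agent", "hr-api", "hr.write"))
}
```

The model makes two properties of the topology explicit: a scope can only be granted on a line if the target node's own permission configuration defines it, so a Client cannot be handed hr.write through the agent if the enterprise service never granted it outbound; and in Manually mode the user, group or organization assignment on the Agent node is evaluated in addition to the scope grant, not instead of it.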

Configure the third-party service node

Add a third-party service node

  1. In the topology diagram, hover over the Agent ID Guard node and click + on the right.

  2. In the node type menu, select External Service.

You can also add an External Service node from the Add Node button in the toolbar.

Configure third-party service credentials

  1. Click the External Service node.

  2. On the configuration panel, select an existing credential from the Asset Management > Credential page, or click Add API Key Credential to create one.

Add an API Key credential

Note

The number of credentials has an upper limit. You cannot add new credentials after the limit is reached.

  1. Click Add API Key Credential.

  2. Configure the credential settings:

    Setting            Description
    -----------------  ------------------------------------------------------------------------------------------------
    Credential Name    A display name for the credential.
    API key ID         A description of the credential.
    Business Type      Automatically set to External Service. Cannot be modified.
    API Key            The identifier of the API Key to store.
    API Key Value      The API Key value to store.
    Secure Storage     Defaults to Default Encrypted Credential. Cannot be disabled.

  3. Complete the API Key credential configuration.

Related operations

After you complete the configuration, you can perform the following operations:

  • Edit a node: Click a node to modify its settings on the configuration panel.

  • Delete a node: Click the delete icon in the upper-left corner of a node.

  • Adjust authorization: Click a connection line between nodes to add or remove permissions.

FAQ

Why does the system prompt that M2M application licenses are insufficient?

Each Agent, Client, and enterprise service node requires one M2M application license. Make sure that your IDaaS instance has sufficient licenses. To increase the license quota, contact your administrator or upgrade the instance edition.

What is the difference between Client Secret credentials and Public/Private Key credentials?

  • Client Secret Credential: Uses a client ID and secret for authentication. Simpler to set up.

  • Certificates Credential: Uses an asymmetric key pair. The agent signs requests with its private key and IDaaS verifies the signature with the uploaded public key, so IDaaS never holds the agent's secret. You can keep the private key in more secure key management solutions such as Key Management Service (KMS) or Hardware Security Module (HSM) for enhanced security.
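The following Go program is an added example, not code from IDaaS or from this page, that shows the difference the FAQ draws between the two credential types in running code. The shared-secret path uses HMAC-SHA256 and the key-pair path uses Ed25519; the page does not state which message format or key algorithm IDaaS uses, so both are assumptions chosen for brevity, and the request bytes and client_secret are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sampleRequest is a constructed stand-in for the bytes an agent authenticates
// (it is not IDaaS's request format).
var sampleRequest = []byte("POST /token client_id=agent-demo scope=agent.access")

// --- Client Secret Credential: a shared secret held by both the agent and IDaaS ---

// SignWithSecret tags a request with HMAC-SHA256 under the shared client_secret.
func SignWithSecret(secret, request []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(request)
	return mac.Sum(nil)
}

// VerifyWithSecret is the provider-side check. It needs the very same secret the
// agent holds, so the secret must be protected on both sides; whoever has it can
// also produce valid tags.
func VerifyWithSecret(secret, request, tag []byte) bool {
	return hmac.Equal(SignWithSecret(secret, request), tag)
}

// --- Certificates Credential: the agent keeps a private key, IDaaS stores only the public key ---

// AgentKeyPair models the "Manually Add" flow: Public is what gets uploaded,
// private stays with the agent (or inside a KMS/HSM that signs on its behalf).
type AgentKeyPair struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewAgentKeyPair() (*AgentKeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AgentKeyPair{Public: pub, private: priv}, nil
}

// Sign produces the signature the agent attaches to a request.
func (k *AgentKeyPair) Sign(request []byte) []byte {
	return ed25519.Sign(k.private, request)
}

// VerifyWithPublicKey is the provider-side check. The verifier holds no secret:
// a leak of its credential store does not let anyone impersonate the agent.
func VerifyWithPublicKey(pub ed25519.PublicKey, request, sig []byte) bool {
	return ed25519.Verify(pub, request, sig)
}

func main() {
	secret := []byte("constructed-client-secret") // constructed sample value
	tag := SignWithSecret(secret, sampleRequest)
	fmt.Println("shared secret, genuine request:", VerifyWithSecret(secret, sampleRequest, tag))

	kp, err := NewAgentKeyPair()
	if err != nil {
		panic(err)
	}
	sig := kp.Sign(sampleRequest)
	fmt.Println("public key, genuine request:   ", VerifyWithPublicKey(kp.Public, sampleRequest, sig))

	// Any change to the authenticated bytes invalidates both kinds of proof.
	tampered := []byte("POST /token client_id=agent-demo scope=hr.write")
	fmt.Println("shared secret, tampered:       ", VerifyWithSecret(secret, tampered, tag))
	fmt.Println("public key, tampered:          ", VerifyWithPublicKey(kp.Public, tampered, sig))
}
```

The practical consequence is where the sensitive material lives: with a client secret, both the agent's configuration and the identity provider's credential store contain something that authenticates the agent; with a key pair, only the agent side does, which is why the FAQ recommends pairing the Certificates Credential with a KMS or HSM that never exports the private key.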

How do I obtain an LLM API Key?

Log on to the console of the LLM service provider, such as Alibaba Cloud Model Studio (Bailian) or OpenAI, and create an API Key on the API key management page.