
Identity as a Service: General settings

Last Updated: Jun 24, 2025

This topic describes the multiple logon methods supported by Alibaba Cloud IDaaS (EIAM), including password, text message verification, third-party application logon (such as WeChat and DingTalk), and multi-factor authentication (MFA). These methods help administrators flexibly configure enterprise-level identity authentication policies and improve account security.

Logon methods

  1. Three built-in logon methods in IDaaS

    | Logon method | Description |
    | --- | --- |
    | IDaaS username password logon | By default, this feature is enabled. You can log on by using the username and password stored in IDaaS. If you do not have a username or password (for example, if you have just imported from DingTalk), you cannot use this method. |
    | IDaaS text message verification code logon | This method is disabled by default and needs to be manually enabled. A mobile phone number must be bound to the account. The SMS message can be viewed but cannot be modified. No SMS fee is charged for the current version. |
    | WebAuthn authenticator logon | Based on the WebAuthn protocol, this method allows you to securely and conveniently log on using hardware identity. For more information, see Advanced: WebAuthn secure logon. |

  2. Add logon methods

    Other logon methods provided in IDaaS need to be enabled based on identity provider configurations. When an administrator adds an identity provider, related logon capabilities may be automatically added as logon methods.

    For example, when binding DingTalk, if the administrator selects to enable DingTalk QR code logon, the DingTalk QR code logon method will be automatically created and can be used directly.

    If the feature is not enabled during binding, you can still enable it at any time in the identity provider menu. After the first enablement, the corresponding logon method will be automatically created.

    The logon status in the identity provider menu will remain consistent with the status in the logon method menu.

    For example, when you disable DingTalk QR code logon in the identity provider menu, the corresponding status in the logon method menu will also be disabled.

  3. Disable logon methods

    After a logon method is disabled, it cannot be used and will not be displayed on the logon page.

Logon configuration

  1. Configure basic parameters for IDaaS logon.

  2. Parameter descriptions:

    1. Skip logon page: This feature can be enabled only when a single logon method is enabled, and that method is either an authentication method based on the OpenID Connect (OIDC) protocol or the Lark logon method. When users access the IDaaS logon page, they are redirected directly to the authentication interface of that logon method.

      1. Save configured rules. If multiple logon methods are enabled, a dialog box will appear with the following message:

        [Image: dialog box]

        In this case, the configuration cannot be saved successfully.

        If multiple logon methods are not enabled, the configuration will be saved successfully.

      2. Identity provider conflict prompt. If the Skip Logon Page feature is already enabled, and you attempt to enable multiple logon methods in the IdPs menu or in Logon > General Configurations > Logon Methods, the system will display the following dialog box:

        [Image: dialog box]

        Note

        The logon page will be skipped only when the following conditions are met simultaneously: only one authentication source (Lark or OIDC) is enabled, and the Skip logon page feature is enabled. Otherwise, even if the Skip logon page feature is enabled, it will not take effect.

    2. PC Primary Authentication Method: Sets the default logon method displayed on the IDaaS logon page for PC. Users can manually switch to other active methods on the logon page.

    3. Prioritized Authentication Method for Mobile Apps: Sets the default logon method displayed on the IDaaS logon page for the App. Users can manually switch to other active methods on the logon page.

    4. Session Validity Period: Specifies the duration for which the logon session is maintained in the browser (e.g., 8 hours). After this period, users must log on again to ensure security.

    5. Idle Session Timeout Period: Defines the session timeout duration after user inactivity (e.g., 2 hours). Once this period expires, users must reauthenticate to prevent unauthorized access.
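
How the Session Validity Period and the Idle Session Timeout Period interact, as an added example that is not Alibaba Cloud's code. It assumes the validity period is an absolute cap counted from logon and that each accepted request resets the idle timer; the 8-hour and 2-hour values are the page's examples, and `session_end` and all timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Example values from the parameter descriptions above.
SESSION_VALIDITY = timedelta(hours=8)   # Session Validity Period
IDLE_TIMEOUT = timedelta(hours=2)       # Idle Session Timeout Period


def session_end(logon_time, activity_times,
                validity=SESSION_VALIDITY, idle=IDLE_TIMEOUT):
    """Return (end_time, reason) for one session.

    Assumed model (not taken from IDaaS internals): the validity period is a
    hard cap from logon, every accepted request resets the idle timer, and a
    request arriving after the session has ended does not revive it.
    """
    hard_stop = logon_time + validity
    last_seen = logon_time
    for t in sorted(a for a in activity_times if a >= logon_time):
        if t >= min(last_seen + idle, hard_stop):
            break                       # session was already over
        last_seen = t                   # accepted request resets idle timer
    idle_stop = last_seen + idle
    if idle_stop < hard_stop:
        return idle_stop, "idle_timeout"
    return hard_stop, "validity_expired"


def must_reauthenticate(now, logon_time, activity_times):
    """True when a request at `now` has to be sent back to the logon page."""
    end, _ = session_end(logon_time, activity_times)
    return now >= end


if __name__ == "__main__":
    logon = datetime(2025, 6, 24, 9, 0)            # constructed sample data
    busy = [logon + timedelta(hours=h) for h in range(1, 10)]
    gap = [datetime(2025, 6, 24, 9, 30), datetime(2025, 6, 24, 10, 15),
           datetime(2025, 6, 24, 13, 0)]
    for name, acts in (("busy user", busy), ("long lunch", gap), ("no activity", [])):
        end, reason = session_end(logon, acts)
        print(f"{name:12s} session ends {end:%H:%M} ({reason})")
```

A continuously active user is still cut off by the validity period, while a single gap longer than the idle timeout ends the session early even if requests resume afterwards.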