Connecting a self-developed application to a centralized single sign-on (SSO) system requires configuring both sides of the integration: IDaaS (the identity provider) and your application (the service provider). This page covers what to configure on each side when using the OpenID Connect (OIDC) protocol.
IDaaS-side configuration
Most deployments only require the basic configuration: set the Logon Redirect URI and leave all other settings at their defaults.
Basic configuration
| Parameter | Description | Example |
|---|---|---|
| Logon Redirect URI | Whitelist of redirect URIs. When your application requests sign-in, it includes a redirect_uri parameter; after authentication completes, IDaaS redirects the user only to a URI that appears in this list. Add one URI per line, written exactly as your application sends it (scheme, host, port and path), and prefer https URIs outside test environments. | http://www.example.com/oidc/sso |
| Authorization scope | The set of users who can access this application via SSO. See SSO overview for available options. | All Users |
Advanced configuration (optional)
| Parameter | Description | Example |
|---|---|---|
| User information scopes | The scopes your application may request; they determine which identity claims the UserInfo endpoint returns. Select one or more: openid, email, phone, profile. | openid, email, profile |
| Access token expiration | How long an access_token is valid. Use the access token to call IDaaS APIs. Default: 20 minutes. Minimum: 5 minutes. Maximum: 24 hours. After it expires, use a refresh token to get a new one, or prompt the user to sign in again. | 20 minutes |
| ID token expiration | How long an id_token is valid. The ID token is a JWT that identifies the user; your application verifies its signature with the public key published at the JWKS endpoint and checks its claims (issuer, audience, expiry) before trusting it. Default: 10 hours. After it expires, use a refresh token to get a new one, or prompt the user to sign in again. | 10 hours |
| Refresh token expiration | How long a refresh_token is valid. Use the refresh token to get new access tokens and ID tokens. Default: 30 days. After it expires, the user must sign in again. | 30 days |
| Extended ID token fields | Additional payload fields to include in the id_token. Use this to return non-sensitive user information directly in the token, reducing calls to the UserInfo endpoint. The JWT payload is only base64url-encoded, not encrypted, so anyone who obtains the token (browser, proxy, log file) can read it. Add only non-sensitive data. | — |
| SSO initiator | Controls who can start the SSO flow. OIDC supports application-initiated SSO by default. Select Support portal-initiated and application-initiated to also allow the portal to start the flow. If you select this option, fill in the Logon initiation address field. | Application and portal |
| Logon initiation address | The application URL that IDaaS calls to start a portal-initiated SSO request. When this URL receives a request, your application must immediately start a normal sign-in by redirecting the browser to the authorization endpoint (the /authorize request). Treat nothing in the incoming request as proof of identity: anyone can call this URL, and the user is only identified by the id_token obtained at the end of the flow. | http://www.example.com/oidc/login |
| ID token signature algorithm | The algorithm used to sign the id_token. IDaaS uses an asymmetric algorithm; only RS256 (RSA with SHA-256) is supported, so your application should accept exactly that alg header value and reject any other. | RS256 |
| Logoff callback address | Whitelist of URLs to redirect users to after they sign out of IDaaS. Your application can include one of these URLs in a single logout (SLO) request. | http://www.example.com |
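The Logon Redirect URI whitelist only protects the authorization code if the comparison is exact. The following is an added example (not IDaaS code) showing the exact-match check a whitelist must perform next to the prefix-match shortcut that leaks codes, run over a set of constructed attacker-supplied redirect_uri values. The whitelist entries and hostile URIs are assumptions made up for the example.

```python
from urllib.parse import urlsplit

# Constructed whitelist standing in for the Logon Redirect URI setting (one URI per line).
LOGON_REDIRECT_URIS = [
    "http://www.example.com/oidc/sso",
    "https://app.example.com/oidc/callback",
]

def redirect_uri_allowed(redirect_uri, whitelist=LOGON_REDIRECT_URIS):
    """Exact-match check: absolute URI, no fragment, byte-for-byte equal to a registered entry.

    No normalisation, no prefix matching and no host-only matching, so the
    authorization code can only ever be delivered to a URI the app registered.
    """
    if not isinstance(redirect_uri, str) or not redirect_uri:
        return False
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in whitelist

def naive_prefix_allowed(redirect_uri, whitelist=LOGON_REDIRECT_URIS):
    """The common mistake an exact-match whitelist avoids: 'starts with a registered URI'."""
    return isinstance(redirect_uri, str) and any(redirect_uri.startswith(w) for w in whitelist)

# Constructed attacker-controlled redirect_uri values; each tries to move the code off-site.
HOSTILE_REDIRECTS = [
    "http://www.example.com/oidc/sso/../../open-redirect",         # path traversal behind the prefix
    "http://www.example.com/oidc/sso?next=https://attacker.net",   # extra query aimed at an open redirector
    "http://www.example.com/oidc/sso#https://attacker.net",        # fragment carried along by the browser
    "http://www.example.com.attacker.net/oidc/sso",                # look-alike host
    "//www.example.com/oidc/sso",                                  # scheme-relative URI
]

def audit(candidates=None):
    """Map each candidate to (exact_match_result, prefix_match_result)."""
    candidates = HOSTILE_REDIRECTS if candidates is None else candidates
    return {u: (redirect_uri_allowed(u), naive_prefix_allowed(u)) for u in candidates}
```

The exact-match function rejects every hostile value, while prefix matching accepts three of them; when registering URIs in IDaaS, register the full path and send that same string as redirect_uri.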
Application-side configuration
Your application integrates with IDaaS using standard OIDC endpoints. The issuer URL is the base of the discovery document, but the other endpoints do not all share the issuer's path prefix (compare the examples below), so read their URLs from the discovery document rather than constructing them by hand.
| Endpoint | Description | Example URL |
|---|---|---|
| Issuer | The token issuer identifier and base URL for all endpoints listed below. Appears as the iss claim in the id_token. | https://xxxxx.aliyunidaas.com/oidc1 |
| OpenID Connect Discovery | Returns the current IDaaS configuration: supported endpoints, flows, and parameters. Publicly accessible. Use this to discover all other endpoint URLs dynamically. | https://xxxxx.aliyunidaas.com/oidc1/.well-known/openid-configuration |
| Authorization endpoint | Where your application sends the user to begin SSO. The user authenticates here and receives an authorization code. | https://xxxxx.aliyunidaas.com/oidc/authorize |
| Token endpoint | Where your application exchanges the authorization code for tokens. Make this request from your backend, not the browser. | https://xxxxx.aliyunidaas.com/oauth2/token |
| Token revocation endpoint | Revokes an issued access_token or refresh_token before it expires. | https://xxxxx.aliyunidaas.com/oauth2/revoke |
| JWKS endpoint | The public key set used to verify the id_token signature. Keys may be rotated; fetch this endpoint dynamically (for example, when a token carries a kid you have not seen) rather than caching the keys permanently. | The jwks_uri value in the discovery document |
| UserInfo endpoint | Returns basic user information for the authenticated user. Call this with a valid access_token after sign-in. | https://xxxxx.aliyunidaas.com/oidc1/userinfo |
| End session endpoint | Terminates the user's primary IDaaS session (single logout). Your application can ask to be redirected afterwards to one of the configured Logoff callback addresses. | https://xxxxx.aliyunidaas.com/oidc1/slo |
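The table above lists what the application must do with the issuer and the JWKS endpoint; the following added example (not IDaaS or project code) shows those relying-party checks in one function: pin the alg header to RS256, select the key by kid from a JWKS document, verify the signature, and only then check iss, aud, exp and the nonce bound to the sign-in request. To run offline it generates its own toy RSA key and signs a constructed id_token in place of IDaaS; the RSA and PKCS#1 v1.5 code is a stand-in for a vetted JOSE library, and the client id, kid and claim values are assumptions.

```python
import base64, hashlib, hmac, json, random, time

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def jwt_part(obj): return b64url(json.dumps(obj, separators=(",", ":")).encode())

# Toy RSA key generation and RSASSA-PKCS1-v1_5/SHA-256 (RS256), stdlib only so the
# example runs offline. Demonstration code: use a vetted JOSE library in production.
def is_probable_prime(n, rounds=16):
    if n < 2: return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0: return n == p
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):                     # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def gen_rsa(bits=1024, e=65537):
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c): return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e: return p * q, e, pow(e, -1, phi)   # (n, e, d)

DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(msg, k):
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")
def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

# Constructed IdP fixture: issuer, client id, key id, and the JWKS the IdP would publish.
ISSUER, CLIENT_ID, KID = "https://xxxxx.aliyunidaas.com/oidc1", "my-client-id", "key-2024-01"
PRIV = gen_rsa()   # (n, e, d); only n and e go into the JWKS
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                  "n": b64url(PRIV[0].to_bytes((PRIV[0].bit_length() + 7) // 8, "big")),
                  "e": b64url(PRIV[1].to_bytes(3, "big"))}]}

def issue_id_token(claims):
    signing_input = jwt_part({"alg": "RS256", "typ": "JWT", "kid": KID}) + "." + jwt_part(claims)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), PRIV[0], PRIV[2]))

class IdTokenError(Exception): pass

def verify_id_token(token, jwks, issuer, client_id, nonce, now=None):
    """Relying-party checks: alg pinned to RS256, key by kid, signature, then iss/aud/exp/nonce."""
    now = int(time.time()) if now is None else now
    try: h64, p64, s64 = token.split(".")
    except ValueError: raise IdTokenError("malformed token")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":            # rejects alg=none and HMAC key-confusion tokens
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:                             # on rotation: refetch the JWKS once, then give up
        raise IdTokenError("no JWKS key for kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), n, e):
        raise IdTokenError("signature check failed")
    claims = json.loads(b64url_decode(p64))     # payload is trusted only after the signature passes
    aud = claims.get("aud"); aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != issuer: raise IdTokenError("issuer mismatch")
    if client_id not in aud: raise IdTokenError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now: raise IdTokenError("token expired")
    if claims.get("nonce") != nonce: raise IdTokenError("nonce mismatch")   # nonce from the sign-in request (OIDC Core)
    return claims

def demo(now=1_700_000_000):
    """Run the verifier over a valid token and four tokens it must reject."""
    good = {"iss": ISSUER, "sub": "u-123", "aud": CLIENT_ID, "exp": now + 36000, "iat": now, "nonce": "n1"}
    h64, p64, s64 = issue_id_token(good).split(".")
    cases = {
        "expired": issue_id_token({**good, "exp": now - 1}),
        "wrong_issuer": issue_id_token({**good, "iss": "https://evil.example/oidc1"}),
        "alg_none": jwt_part({"alg": "none"}) + "." + p64 + ".",                   # unsigned token
        "tampered": ".".join((h64, jwt_part({**good, "sub": "admin"}), s64)),  # payload edited, old signature
    }
    results = {"valid": verify_id_token(".".join((h64, p64, s64)), JWKS, ISSUER, CLIENT_ID, "n1", now)["sub"]}
    for name, tok in cases.items():
        try:
            verify_id_token(tok, JWKS, ISSUER, CLIENT_ID, "n1", now); results[name] = "ACCEPTED"
        except IdTokenError as exc:
            results[name] = str(exc)
    return results
```

In a real deployment, jwks and issuer come from the discovery document, client_id is the application's registered identifier, and the nonce is the value the application stored in the session when it built the /authorize request; the order of checks matters, since claims must not be read for any purpose before the signature has been verified.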
What's next
To implement the full OIDC sign-in flow in your application code, see Connect a self-developed application for SSO.