Identity as a Service: SSO configuration for self-developed applications

Last Updated: Jul 29, 2025

IDaaS simplifies the configuration required to connect self-developed enterprise applications and implement single sign-on (SSO).

IDaaS-side configuration

In IDaaS, the basic configuration is complete once you enter the address at which the application processes single sign-on requests into Logon Redirect URIs; the other options can keep their default settings.

| Parameter | Description | Example |
| --- | --- | --- |
| Basic configuration (required) | | |
| Logon Redirect URI | The whitelist of redirect URIs. When the application initiates a logon request, it carries the redirect_uri parameter; that value must match an entry in this whitelist, otherwise IDaaS will not redirect back to the application after authentication completes. | http://www.xxxx/oidc/sso, http://www.xxxx/oidc/sso2 |
| Authorization scope | For more information, see SSO overview. | All Users |
| Advanced configurations (optional) | | |
| User information scopes | The identity information about the user that the application can obtain from the UserInfo endpoint: openid, email, phone, profile. | Multi-select: openid, email, profile |
| access_token validity period | The access_token is used to call IDaaS APIs. The default validity period is 20 minutes, the minimum is 5 minutes, and the maximum is 24 hours. After it expires, the application must use a refresh_token to obtain a new one, or the user must log on again. | 20 minutes |
| id_token validity period | The id_token identifies the user. It is a JWT, so the application can verify the user's identity with the IDaaS public key. After it expires, use a refresh_token to obtain a new one, or log on again. For the format of the id_token, see Various tokens in IDaaS. | 10 hours |
| refresh_token validity period | Used to obtain a new access_token and id_token. After the refresh_token expires, the user must log on again. | 30 days |
| Extended id_token fields | You can add fields to the id_token payload to return non-sensitive basic information about the user, which avoids repeated calls to the UserInfo endpoint. Note: fields added to the payload are readable by anyone who holds the token (the JWT is signed, not encrypted), so add only the fields you need. | - |
| SSO initiator | The OIDC protocol natively supports application-initiated SSO. If you select Support portal-initiated and application-initiated, you must also fill in the next field, Logon initiation address. | Portal-initiated or application-initiated |
| Logon initiation address | The application address that IDaaS accesses when it initiates an SSO request (portal-initiated SSO). When this address receives a request, the application should immediately redirect to the /authorize endpoint to start the authorization request. | http://www.xxxx/oidc/login |
| id_token signature algorithm | The id_token is signed with an asymmetric algorithm. Currently, only RSA-SHA256 is supported. | SHA256 |
| Logoff callback address | The whitelist of application addresses that IDaaS may redirect to after the user logs off from IDaaS. The application can carry one of these addresses when it initiates an SLO request. | http://www.xxxx.com |

Configurations in the application

The OpenID Connect (OIDC) protocol lets the application complete the whole logon authentication process using the standard endpoints that IDaaS provides.

The following table describes these endpoints.

| Parameter | Description | Example |
| --- | --- | --- |
| Issuer | The iss claim in the id_token, which identifies the source of the token. It is also the base URL of the endpoints below. | https://xxxxx.aliyunidaas.com/oidc1 |
| Discovery | Returns the endpoints, supported flows and parameters that IDaaS currently supports. It is publicly accessible. | https://xxxxx.aliyunidaas.com/oidc1/.well-known/openid-configuration |
| Authorization | The endpoint to which the application redirects the user to request SSO. | https://xxxxx.aliyunidaas.com/oidc/authorize |
| Token | The endpoint that the application's backend calls to exchange the authorization code obtained during single sign-on for tokens. | https://xxxxx.aliyunidaas.com/oauth2/token |
| Token revocation (Revocation) | The endpoint used to revoke an issued token. | https://xxxxx.aliyunidaas.com/oauth2/revoke |
| Public key endpoint for signature verification (JWKS) | The public key endpoint used to verify the id_token signature and complete the SSO flow. The keys may be rotated, so select the key by the kid in the id_token header and refresh the key set when an unknown kid appears; take the exact URL from the jwks_uri field of the discovery document. | https://xxxxx.aliyunidaas.com/oidc1/slo |
| User information (Userinfo) | The endpoint for obtaining basic user information with an access_token after logon. | https://xxxxx.aliyunidaas.com/oidc1/userinfo |
| End session endpoint (SLO) | Ends the user's primary logon session in IDaaS. | - |
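The flow described in this table, as an added example that is not part of the Alibaba Cloud documentation or any IDaaS SDK: a minimal Python relying party that builds the /authorize request with a state and nonce, accepts the callback at the Logon Redirect URI only when the state matches, and checks the id_token header and claims against the Issuer, the client identifier and the JWKS key set before the claims are used. The hostnames are the placeholders from the tables above, the client_id value and the token-construction helper are assumptions for illustration, and verification of the RS256 signature itself is left to a JWT library.

```python
import base64, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://xxxxx.aliyunidaas.com/oidc1"                 # placeholder from the tables above
AUTHORIZE_ENDPOINT = "https://xxxxx.aliyunidaas.com/oidc/authorize"
REDIRECT_URI = "http://www.xxxx/oidc/sso"    # must be on the IDaaS Logon Redirect URI whitelist
CLIENT_ID = "client-id-placeholder"          # hypothetical client identifier for this application

def build_authorize_url(session):
    """Application-initiated SSO: send the browser to /authorize with a fresh state and nonce."""
    session["state"] = secrets.token_urlsafe(16)   # ties the callback to this browser session
    session["nonce"] = secrets.token_urlsafe(16)   # must be echoed back inside the id_token
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email profile", "state": session["state"], "nonce": session["nonce"]}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def extract_code(callback_url, session):
    """Handle the redirect back to REDIRECT_URI; accept the code only if state matches."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: callback was not started by this session")
    return query["code"][0]

def _decode_part(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_id_token_claims(id_token, jwks, session, now=None):
    """Header/claim checks only: the RS256 signature must still be verified with the JWKS key."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header, claims = _decode_part(header_b64), _decode_part(payload_b64)
    if header.get("alg") != "RS256":                 # IDaaS signs id_tokens only with RSA-SHA256
        raise ValueError("unexpected alg: " + str(header.get("alg")))
    if header.get("kid") not in {key.get("kid") for key in jwks.get("keys", [])}:
        raise ValueError("kid not in JWKS: refresh the key set (rotation) before rejecting")
    if claims.get("iss") != ISSUER:
        raise ValueError("iss does not match the configured Issuer")
    aud = claims.get("aud") or []
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("aud: token was not issued to this application")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("id_token expired: use refresh_token or log on again")
    if claims.get("nonce") != session.get("nonce"):
        raise ValueError("nonce mismatch: id_token does not belong to this logon attempt")
    return claims

def make_unsigned_token(header, claims):   # constructed test input only: empty signature part
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc(header) + "." + enc(claims) + "."
```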

For more information, see Connect a self-developed application for SSO.