
Secure Access Service Edge: Best practices for logging on to an IDaaS application by using SASE SSO

Last Updated: Dec 20, 2024

This topic describes how to configure single sign-on (SSO) in the Secure Access Service Edge (SASE) console and the Identity as a Service (IDaaS) console. After you configure the settings, a user can log on to the IDaaS application portal by using SASE SSO.

SASE uses the OpenID Connect (OIDC) protocol to implement SSO between IDaaS and SASE. If the SSO service of an enterprise supports OIDC, the account system in SASE can serve as an identity provider (IdP) and can be integrated with the SSO system of the enterprise.

Scenario

An enterprise uses IDaaS to manage the identities and application permissions of users and connects its office applications to IDaaS for SSO. The enterprise also activates SASE to secure remote access and sensitive office data. In this case, you can use the SSO feature of SASE to connect SASE to IDaaS over OIDC. Then, after a user logs on to the SASE client, the user can open the IDaaS application portal and access office applications with the identity that SASE, acting as the IdP, asserts for that user.

Prerequisites

Process


Step 1: Obtain the IDaaS redirect URI

  1. Log on to the IDaaS console.

  2. On the EIAM page, click the name of the created instance to go to the instance console.

  3. In the left-side navigation pane, click IdPs.

  4. On the IdPs page, click Other IdPs.

  5. In the Add IdP panel, click OIDC IdP.

  6. In the Bind OIDC Identity Provider panel, copy the IDaaS redirect URI.

    Keep this panel open, because you return to it in Step 3 to enter the SASE settings.

Step 2: Configure a SASE SSO policy

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Identity Authentication and Management > Single Sign-on.

  3. On the Single Sign-on page, click Create Policy.

  4. In the Create Policy panel, configure the parameters. The following list describes each parameter with an example value.

    Policy Name
      Description: Enter the name of the policy.
      Example: SASE_SSO_test

    Policy Status
      Description: Specify whether to enable the policy.
      Example: Enabled

    API access authorization
      Description: SSO requires API access, which is authorized with a client_id and a client_secret. IDaaS presents these credentials to SASE when it exchanges an authorization code for tokens, so the same pair must be entered in the IDaaS OIDC IdP binding in Step 3.
      Important: Keep the client secret confidential. If the client secret is leaked, delete it and create a new one to rotate it.
      Example:
      • client_id: sase_sso
      • client_secret: 1kr6ld066******

    Redirect URL
      Description: The Redirect URL is the redirect_uri to which SASE sends the user, together with the authorization response, after the user is authenticated. When you create the policy, the URL is added to an allow-list, and SASE redirects only to allow-listed URLs. Copy the URI exactly as IDaaS shows it; a variant with a different path, port, or trailing slash is not the same entry.
      Set the Redirect URL parameter to the redirect URI that you obtained in Step 1.
      Example: https://l6v271cn.aliyunidaas.com/login/********

  5. Click OK.

Step 3: Bind SASE IdPs to the IDaaS instance

  1. In the Bind OIDC Identity Provider panel, configure the following parameters.

    If you closed the panel, open it again by following the instructions in Step 1.

    For more information, see Bind IDaaS to an OIDC IdP.

    Basic Information
      Nickname: SASE

    Logon Settings
      Authentication Mode: client_secret_post. IDaaS sends the client_id and client_secret in the body of the token request to SASE.
      Client ID: sase_sso. This is the client_id that you configured in the SASE SSO policy in Step 2.
      Client Secret: 1kr6ld066******. This is the client_secret that you configured in the SASE SSO policy in Step 2.
      Scopes: openid,external_id

    Endpoint Configurations
      Issuer: After you configure the Issuer parameter, IDaaS can read the discovery document at <issuer>/.well-known/openid-configuration and fill in the following endpoints from it. Confirm that the issuer field in the discovery document matches the value that you entered.
      Authorization Endpoint
      Token Endpoint
      Public Key Endpoint
      User Information Endpoint

  2. Click Next to go to the Select Scenario step.

    To facilitate subsequent verification, retain the default configurations in the Select Scenario step. For more information, see Select a scenario.

  3. Click Create.
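The exchange that Steps 2 and 3 configure, as an added example that is not part of this topic and not SASE or IDaaS code: a simulated OIDC authorization-code login in which the op_* functions play the SASE SSO policy (the OP, with its client_id, client_secret and allow-listed Redirect URL) and the remaining functions play the IDaaS OIDC IdP binding (the RP, using client_secret_post and the openid and external_id scopes, with the endpoints resolved from the Issuer). The issuer, endpoint paths, discovery document, client secret, redirect URI, user name and external_id value are all assumed; HTTPS round trips are replaced by direct function calls so it runs offline, and the ID token is MAC'd with the client secret instead of being signed with the keys a real IdP publishes at its Public Key Endpoint.

```python
"""Simulated OIDC authorization-code login: op_* plays the SASE SSO policy (OP),
the rest plays the IDaaS OIDC IdP binding (RP). Added example, not SASE/IDaaS code;
issuer, endpoints, secret, redirect URI, user and external_id are all assumed."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# --- OP (SASE SSO policy) configuration; every value here is hypothetical -----
ISSUER = "https://sase.example.com"
CLIENT_ID = "sase_sso"
CLIENT_SECRET = "example-client-secret-do-not-reuse"
# The policy's Redirect URL: an exact-match allow-list with a single entry.
ALLOWED_REDIRECT_URIS = {"https://idaas.example.com/login/oidc-callback"}
DISCOVERY = {  # constructed stand-in for {issuer}/.well-known/openid-configuration
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "jwks_uri": ISSUER + "/oauth2/jwks",          # the Public Key Endpoint
    "userinfo_endpoint": ISSUER + "/oauth2/userinfo",
    "token_endpoint_auth_methods_supported": ["client_secret_post"],
}
_issued_codes = {}  # code -> (redirect_uri, nonce, subject); deleted on first use


def discovery_url(issuer):
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def load_discovery(issuer, fetch):
    """RP: derive the endpoints from the Issuer value and reject a foreign document."""
    doc = json.loads(fetch(discovery_url(issuer)))
    if doc.get("issuer") != issuer:
        raise ValueError("discovery document issuer does not match configured issuer")
    return doc


def _mac(data):
    # HS256-style MAC keyed with the client secret so the demo stays offline; a real
    # OP signs ID tokens with asymmetric keys that the RP fetches from jwks_uri.
    return hmac.new(CLIENT_SECRET.encode(), data.encode(), hashlib.sha256).hexdigest()


def op_authorize(query):
    """OP: the SASE user is already authenticated; validate the request, issue a code."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    if p.get("response_type") != "code" or p.get("client_id") != CLIENT_ID:
        raise PermissionError("unknown client or unsupported response_type")
    if p.get("redirect_uri") not in ALLOWED_REDIRECT_URIS:  # exact string match only
        raise PermissionError("redirect_uri is not allow-listed")
    if "openid" not in p.get("scope", "").split():
        raise PermissionError("openid scope is required")
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = (p["redirect_uri"], p.get("nonce"), "alice")
    return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p.get("state", "")})


def op_token(form):
    """OP: client_secret_post means client_id and client_secret arrive in the POST body."""
    f = {k: v[0] for k, v in parse_qs(form).items()}
    if f.get("client_id") != CLIENT_ID or not hmac.compare_digest(
            f.get("client_secret", ""), CLIENT_SECRET):
        raise PermissionError("client authentication failed")
    entry = _issued_codes.pop(f.get("code", ""), None)  # pop: a code cannot be replayed
    if entry is None or entry[0] != f.get("redirect_uri"):
        raise PermissionError("invalid, used or mismatched authorization code")
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": entry[2], "aud": CLIENT_ID, "iat": now, "exp": now + 300,
              "nonce": entry[1], "external_id": "emp-1001"}  # claim for the external_id scope
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return {"id_token": body + "." + _mac(body), "token_type": "Bearer"}


def rp_verify_id_token(token, nonce):
    """RP: check signature, issuer, audience, nonce and expiry before trusting any claim."""
    body, sig = token.split(".")
    if not hmac.compare_digest(sig, _mac(body)):
        raise PermissionError("bad id_token signature")
    c = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if c["iss"] != ISSUER or c["aud"] != CLIENT_ID or c["nonce"] != nonce or c["exp"] < time.time():
        raise PermissionError("id_token claim check failed")
    return c


def run_login(redirect_uri="https://idaas.example.com/login/oidc-callback"):
    """Whole exchange; HTTPS round trips are replaced by direct calls to the op_* functions."""
    disc = load_discovery(ISSUER, lambda url: json.dumps(DISCOVERY)
                          if url == discovery_url(ISSUER) else "{}")
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = disc["authorization_endpoint"] + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
        "scope": "openid external_id", "state": state, "nonce": nonce})
    location = op_authorize(urlparse(auth_url).query)  # the 302 back to the RP
    q = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
    if not hmac.compare_digest(q.get("state", ""), state):
        raise PermissionError("state mismatch, possible CSRF")
    form = urlencode({"grant_type": "authorization_code", "code": q["code"],
                      "redirect_uri": redirect_uri, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET})
    return rp_verify_id_token(op_token(form)["id_token"], nonce)
```

Calling run_login() returns the verified claims, including the sub and the external_id that IDaaS would map to a user. Calling it with a redirect_uri that is not in the allow-list fails inside op_authorize before any code is issued, which is the protection the Redirect URL in Step 2 provides; a wrong client_secret fails in op_token, which is where the client_secret_post credentials from Step 3 are checked. A production RP performs the same checks but fetches the discovery document and the JWKS over HTTPS and verifies an asymmetric signature.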

Step 4: Use SASE SSO to access IDaaS applications

  1. On the EIAM page, find the IDaaS instance that you want to manage and click the address in the User Portal column.


  2. On the logon page of the user portal, find SASE in the Other login methods section.


  3. Click SASE to log on to the IDaaS portal.

  4. On the application page, access IDaaS applications without entering an account and password.

    If the logon fails or IDaaS reports an error after the redirect from SASE, compare the Redirect URL in the SASE SSO policy with the IDaaS redirect URI from Step 1, and the client_id and client_secret in both consoles; the values must match exactly.