Authentication management controls how users log on to the SASE App. Connect enterprise identity providers (IdPs) such as Okta, Azure Active Directory (AD), and self-developed systems using the OpenID Connect (OIDC) protocol to enable single sign-on (SSO), and configure device-based automatic logon for managed endpoints.
Use cases
Your enterprise uses multiple applications with different identity sources, and you want users to log on to the SASE App using their existing enterprise credentials.
Your enterprise manages users through an OIDC-compatible IdP and wants to use it as the authentication source for the SASE App.
IT administrators want managed endpoints to open the SASE App and connect automatically, without requiring users to enter credentials each time.
Prerequisites
Before you begin, make sure you have:
An identity source created and enabled. For setup instructions, see Identity synchronization.
(For an OIDC extension authentication source) An LDAP identity source connected and enabled. See Connect to an LDAP identity source for connection steps. For security best practices, see Secure LDAP user access with SASE.
SASE App version 4.8.5 or later installed on enterprise endpoints.
An OIDC authentication source has no organizational structure capabilities. Associate it with an identity source that has organizational structure support, such as an LDAP identity source.
Add an extension authentication source
Extension authentication sources support two types: OIDC and device authentication.
OIDC: Uses the standard OIDC authorization code flow for federated authentication. Any IdP that supports this flow — including Okta, Azure AD, or a self-developed system — can act as an IdP for SASE, enabling users to log on to the SASE App via SSO.
Device authentication: Associates device information with an identity source. Combined with a logon-free policy, this enables managed endpoints to connect automatically without user interaction.
Steps
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose Identity Authentication > Identity Access.
On the Authentication Management tab, click Extended Authentication Source.

On the Extended Authentication Source page, click Add Extended Authentication Source.
In the Add panel, configure the extension authentication source using the following settings.
Authentication source name: A name for the extension authentication source. Must be 2–100 characters and can contain letters, digits, Chinese characters, hyphens (-), and underscores (_).
Description: A description of the configuration. This text appears as the logon title in the SASE client, helping users identify the authentication source at logon.
Extended authentication source configuration > Authentication source type: Select OIDC or Device Authentication. Device authentication enables the client logon-free feature.
If you select OIDC, configure the following fields. You can find most of these values at your IdP's OIDC discovery endpoint (also called the "well-known URL", typically at https://<your-idp-domain>/.well-known/openid-configuration).
Authorization mode: Defaults to Authorization Code and cannot be changed.
Client ID: The application identifier registered in your IdP. This is the client_id value from your OIDC application settings.
Client secret: The application key from your IdP. This is the client_secret value. Keep it secure; if you suspect it has been compromised, delete the old key and add a new one.
Scopes: The authorization scopes to request from your IdP's authorization endpoint.
Issuer: The OIDC issuer URL from your IdP. This is the issuer field in your IdP's well-known configuration. SASE parses this discovery endpoint to automatically retrieve all other endpoint information.
Associated IdP: Select the LDAP identity source to associate with this OIDC authentication source. Only LDAP identity sources are supported.
If you select Device authentication, configure the following:
Click Download Import Template and fill in the device information for devices that will use the logon-free feature. The template includes these fields: Name, Phone Number, Email, Device MAC Address, Device SN, and Device Hostname.
Drag the completed file into the upload area, or click to browse and select it.
Under Associated IdP, select the identity source to associate with this device authentication source.
Click OK.
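Because every row in the device import template becomes a device that can log on without credentials, it is worth validating the file before uploading it. The following script is an added example, not part of the SASE product or its documentation; it assumes the template is a CSV file with exactly the six column names listed above (the console may use a different file format), and the rows are constructed sample data. It normalizes MAC addresses, rejects malformed or empty identifiers, and flags duplicates so that two people cannot end up mapped to one device record.

```python
"""Validate a filled-in device import template before uploading it.

Added example: the CSV layout below is an assumption based on the six
template fields named in the documentation, and the rows are constructed."""
import csv
import io
import re

TEMPLATE_FIELDS = ["Name", "Phone Number", "Email",
                   "Device MAC Address", "Device SN", "Device Hostname"]

# Constructed sample file. Line 4 reuses Alice's MAC with different casing
# and line 5 has an invalid MAC and an empty serial number.
SAMPLE_IMPORT = """Name,Phone Number,Email,Device MAC Address,Device SN,Device Hostname
Alice Example,+10000000001,alice@example.com,00-1A-2B-3C-4D-5E,SN0001,alice-laptop
Bob Example,+10000000002,bob@example.com,00:1a:2b:3c:4d:5f,SN0002,bob-laptop
Carol Example,+10000000003,carol@example.com,00:1A:2B:3C:4D:5E,SN0003,carol-laptop
Dan Example,+10000000004,dan@example.com,not-a-mac,,dan-laptop
"""

# Six hex octets separated consistently by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$")


def normalize_mac(raw):
    """Return the MAC in lowercase colon form, or None if it is malformed."""
    raw = raw.strip()
    if not MAC_RE.match(raw):
        return None
    hexpart = re.sub(r"[:-]", "", raw).lower()
    return ":".join(hexpart[i:i + 2] for i in range(0, 12, 2))


def validate_import(csv_text):
    """Return (rows, errors).

    rows are cleaned dicts that passed every check; errors are
    'line N: message' strings. Duplicate MACs or serial numbers are
    errors because each imported device must map to exactly one owner."""
    reader = csv.DictReader(io.StringIO(csv_text))
    errors = []
    if reader.fieldnames != TEMPLATE_FIELDS:
        errors.append(f"line 1: header must be {TEMPLATE_FIELDS}")
        return [], errors
    rows, seen_mac, seen_sn = [], {}, {}
    for lineno, row in enumerate(reader, start=2):
        mac = normalize_mac(row["Device MAC Address"])
        sn = row["Device SN"].strip()
        host = row["Device Hostname"].strip()
        ok = True
        if mac is None:
            errors.append(f"line {lineno}: invalid MAC address "
                          f"{row['Device MAC Address']!r}")
            ok = False
        elif mac in seen_mac:
            errors.append(f"line {lineno}: MAC {mac} already used on line "
                          f"{seen_mac[mac]}")
            ok = False
        if not sn:
            errors.append(f"line {lineno}: Device SN is empty")
            ok = False
        elif sn in seen_sn:
            errors.append(f"line {lineno}: Device SN {sn} already used on "
                          f"line {seen_sn[sn]}")
            ok = False
        if not host:
            errors.append(f"line {lineno}: Device Hostname is empty")
            ok = False
        if not ok:
            continue
        seen_mac[mac] = lineno
        seen_sn[sn] = lineno
        rows.append({**row, "Device MAC Address": mac,
                     "Device SN": sn, "Device Hostname": host})
    return rows, errors


if __name__ == "__main__":
    good, bad = validate_import(SAMPLE_IMPORT)
    print(f"{len(good)} rows ready to upload")
    for problem in bad:
        print("REJECT", problem)
```

Run the script on the exported template instead of the constructed sample; only upload once the error list is empty, since rejected rows are exactly the ones most likely to bind the wrong endpoint to an identity.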
For OIDC type only: Copy the value of SASE Authorization Callback RedirectURI and configure it in your OIDC service. This step is required before users can complete OIDC authentication.
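Before typing the issuer, client settings, and scopes into the console, a practitioner will usually fetch the IdP's discovery document and confirm it actually supports what SASE needs: the issuer matches, every endpoint is served over HTTPS, the authorization code flow is advertised, and the requested scopes include openid. The script below is an added example, not SASE code; the discovery JSON is constructed to look like a real openid-configuration response, and `check_redirect_uri` applies generic hygiene to the callback URI you copy from the console (HTTPS, no fragment, no wildcard), which is a defensive convention rather than a documented SASE requirement.

```python
"""Sanity-check an OIDC discovery document and a callback URI before
configuring an OIDC extension authentication source.

Added example; SAMPLE_DISCOVERY is constructed and not from any real IdP."""
import json
from urllib.parse import urlsplit

SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Endpoints SASE needs to resolve from the issuer for the code flow.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def _is_https(url):
    parts = urlsplit(url or "")
    return parts.scheme == "https" and bool(parts.netloc)


def check_discovery(doc_json, expected_issuer, scopes):
    """Return a list of problems; an empty list means the document is usable
    with the values you intend to enter in the console."""
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer", "")
    # The issuer you type must equal the one the IdP asserts, or ID token
    # validation will fail (or worse, succeed against the wrong issuer).
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {issuer!r}")
    if not _is_https(issuer):
        problems.append("issuer is not an https URL")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif not _is_https(url):
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not advertised")
    # Per OIDC Discovery, an absent grant_types_supported means
    # authorization_code and implicit are supported.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not advertised")
    if "openid" not in scopes:
        problems.append("requested scopes must include 'openid'")
    supported = doc.get("scopes_supported")
    if supported is not None:
        for scope in scopes:
            if scope not in supported:
                problems.append(f"scope {scope!r} not in scopes_supported")
    return problems


def check_redirect_uri(uri):
    """Hygiene checks for the callback URI registered at the IdP (assumed
    conventions, not a documented SASE rule)."""
    problems = []
    parts = urlsplit(uri)
    if not _is_https(uri):
        problems.append("redirect URI must use https")
    if parts.fragment:
        problems.append("redirect URI must not contain a fragment")
    if "*" in uri:
        problems.append("redirect URI must be exact, not a wildcard pattern")
    return problems


if __name__ == "__main__":
    for p in check_discovery(SAMPLE_DISCOVERY, "https://idp.example.com",
                             ["openid", "profile"]):
        print("DISCOVERY:", p)
    for p in check_redirect_uri("https://sase.example.com/oidc/callback"):
        print("REDIRECT:", p)
```

In practice you would replace `SAMPLE_DISCOVERY` with the body fetched from your IdP's well-known URL and `expected_issuer` with the Issuer value you are about to save; a non-empty problem list means the console entry will not authenticate users as intended.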
Configure a logon-free policy
The logon-free feature lets users open the SASE App without entering credentials. Depending on the scope you choose, devices connect using either the device owner's identity or an anonymous identity.
When the All Devices scope is selected, devices connect with an anonymous identity. Data protection and endpoint mitigation policies still apply. Use Authenticated Devices if you need identity-based policy enforcement.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose Identity Authentication > Identity Access.
On the Authentication Management tab, click Single Sign-On Policy.
In the Client Auto-Sign-In Policy panel, enable the policy and configure the settings.
Enable client auto-sign-in: Turns on the logon-free policy.
Scope of automatic sign-in: Choose one of the following.
All Devices: All devices in the platform's endpoint list, including manually imported company devices. Devices connect with an anonymous identity; no logon is required. Custom identity source authentication must also be enabled. Go to Terminal Management > Terminals to view endpoint details.
Authenticated Devices: Devices with device authentication configured in the extension authentication source. Devices connect using the owner's identity; no logon is required.
Automatic sign-in status: Shows the devices on which the policy is currently in effect. Click the device count to go to the Terminals page and view details.
Click OK.
On the Authentication Management tab, enable the appropriate identity sources:
Enable the custom identity source.
If your enterprise uses an enterprise architecture identity source, enable it as well.
If your enterprise uses an OIDC extension authentication source, enable it on the Authentication Management tab.
When you activate SASE, a custom identity source is generated automatically. To create one manually, see Configure an SASE identity source.
On a device within the logon-free scope, download and install the SASE App.
Open the SASE App, enter the enterprise verification identity, and click Confirm. The app logs on automatically.
Enable authentication status
Identity sources and OIDC extension authentication sources you create appear in the authentication source list. Enable an authentication source to make it available on the SASE App logon page, and adjust the display order to control how options appear to users.
On the Authentication Management tab, find the identity source.
In the Authentication status column, turn on the switch.
To adjust the display order on the SASE App logon page, drag the icon on the left side of the list.
You can only reorder identity sources that have authentication status enabled. Users can only log on using an identity source if its authentication status is enabled.
What's next
To create user groups outside your enterprise organizational structure, see User group management.
For end-to-end configuration examples for the logon-free feature, see Best practices for SASE client logon-free.