This document describes the authentication management feature of the SASE App. This feature helps you log on to and use applications more easily and securely. You can use flexible identity management, automatic logon policies, and enterprise identity providers (IdPs) such as Okta, Azure Active Directory (AD), and self-developed systems to implement single sign-on (SSO) to the SASE App through the OpenID Connect (OIDC) protocol. This provides a seamless and more secure access experience.
Scenarios
Your enterprise is connected to multiple applications, and each application has a different identity source. This requires users to log on to the SASE App using different identity sources.
Your enterprise manages users with an OIDC authentication source and wants to use it for all OIDC-compatible applications to enable logon to the SASE App.
In an environment where enterprise endpoints are centrally managed, IT administrators want employees to automatically log on when they open the SASE App without manually entering their credentials. This improves efficiency and the user experience.
Prerequisites
You must create and enable an identity source before you can enable its authentication status. For more information, see Identity synchronization.
To use the OIDC protocol to extend a Lightweight Directory Access Protocol (LDAP) identity source, you must first connect to an LDAP identity source and enable it. For best practices on connecting to LDAP, see Secure LDAP user access with SASE.
Note: Because an OIDC authentication source does not carry an organizational structure of its own, you must associate it with an identity source that does (the LDAP identity source selected under Associated IdP).
The SASE App installed on enterprise endpoints must be version 4.8.5 or later.
Create an extension authentication source
Extension authentication sources support OIDC and device authentication. OIDC authentication uses the standard OIDC authorization code flow for federated authentication. Any IdP that supports SSO with this flow, such as Okta, Azure AD, or a self-developed system, can act as an IdP for SASE. This allows users to log on to the SASE App. For device authentication, you can upload device information. When combined with a logon-free policy, this enables automatic client logon.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Authentication Management tab, click Extended Authentication Source.

On the Extended Authentication Source page, click Add Extended Authentication Source.
In the Add panel, add an extension authentication source as described in the following table.
Configuration item
Description
Authentication Source Name: The name of the extension authentication source. The name must be 2 to 100 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).
Description: The description of the configuration. This description appears as the logon title in the SASE App so that users can identify the authentication source during logon.
Authentication Source Type: Set to OIDC or Device Authentication. Device authentication is used for the client logon-free feature.
OIDC
Authorization Mode: Defaults to Authorization Code and cannot be changed.
Client ID: The client identifier that SASE presents to your IdP in authorization and token requests. This is the application (client) ID of the SASE application registered in your IdP.
Client Secret: The secret that SASE uses to authenticate to your IdP's token endpoint when it exchanges the authorization code for tokens. This is the application secret generated in your IdP.
Important: Keep the Client Secret secure. If you suspect it has been compromised, rotate it: generate a new secret in your IdP, update the value here, and then revoke the old secret in the IdP.
Scopes: The scopes sent with the request to the authorization endpoint; they define the claims that SASE asks the IdP for. openid is mandatory for OIDC; profile and email are commonly added so that the ID token or UserInfo response carries the user's name and email address.
Issuer: The OIDC issuer (discovery) endpoint of your IdP. Parse the discovery endpoint so that SASE obtains the authorization, token, and key endpoint information automatically. The configured issuer must match the iss claim in the ID tokens that the IdP issues, otherwise token validation fails.
Device Authentication
Click Download Import Template and fill in the information for devices that will use the logon-free feature (Name, Phone Number, Email, Device MAC Address, Device SN, and Device Hostname).

Drag the file or click to browse for a local file to upload the template to SASE.
Associated IdP: The type of identity source you can associate depends on the authentication source type.
OIDC type: Select a created LDAP identity source. Only LDAP identity sources are supported.
Device authentication type: Select a created identity source.
Click OK.
If you select OIDC as the authentication source type, you must also copy the value of SASE Authorization Callback RedirectURI and register it as an allowed redirect URI for the application in your IdP. IdPs compare redirect URIs by exact string match, so copy the value verbatim; if it differs in scheme, host, path, or a trailing slash, the IdP rejects the authorization request.
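The following added example (not SASE's or any IdP's code) walks through the authorization code flow that the configuration items above feed into: the relying party builds the authorization request with the Client ID, Scopes, and RedirectURI, the IdP checks the redirect URI by exact match and returns a code, the relying party exchanges the code using the Client Secret, and then validates the ID token against the configured Issuer. The IdP is a stand-in that signs ID tokens with HS256 keyed on the client secret (which OIDC permits for confidential clients; real IdPs normally use RS256 keys published at jwks_uri). All URLs, identifiers and the discovery document are assumed values.

```python
"""OIDC authorization code flow between SASE (relying party) and an IdP. Added example, not
SASE's or any IdP's code; the IdP stand-in signs ID tokens with HS256 keyed on the client secret."""
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Stand-ins for the configuration items above (all assumed values).
ISSUER = "https://idp.example.com"                       # Issuer
CLIENT_ID = "sase-app"                                   # Client ID
CLIENT_SECRET = "secret-issued-by-the-idp"               # Client Secret
SCOPES = "openid profile email"                          # Scopes (openid is mandatory)
REDIRECT_URI = "https://sase.example.com/oidc/callback"  # SASE Authorization Callback RedirectURI
# Constructed discovery document, i.e. what ISSUER + "/.well-known/openid-configuration" returns.
DISCOVERY = {"issuer": ISSUER,
             "authorization_endpoint": ISSUER + "/oauth2/v1/authorize",
             "token_endpoint": ISSUER + "/oauth2/v1/token"}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def query_dict(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class FakeIdP:
    """Minimal IdP holding the app registration as it would exist in Okta or Azure AD."""
    def __init__(self, registered_redirect_uris):
        self.registered = set(registered_redirect_uris)
        self.codes = {}  # code -> (client_id, redirect_uri, nonce, subject)

    def authorize(self, request_url, subject):
        """Front channel: `subject` has authenticated; validate the request and redirect back with a code."""
        q = query_dict(request_url)
        if q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID:
            raise ValueError("unknown client or unsupported response_type")
        if q.get("redirect_uri") not in self.registered:  # exact match: copy the RedirectURI verbatim
            raise ValueError("redirect_uri not registered")
        if "openid" not in q.get("scope", "").split():
            raise ValueError("scope must include openid")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q.get("nonce"), subject)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, client_secret, redirect_uri, now):
        """Back channel: single-use code + client credentials -> signed ID token."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("invalid authorization code")
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise ValueError("client authentication failed")
        claims = {"iss": ISSUER, "sub": entry[3], "aud": client_id, "iat": now, "exp": now + 300, "nonce": entry[2]}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps(claims).encode())
        sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return {"id_token": f"{header}.{payload}.{b64url(sig)}"}

def start_login():
    """Relying party: build the authorization request; state and nonce are kept in the user's session."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": SCOPES, "state": session["state"], "nonce": session["nonce"]}
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params), session

def validate_id_token(token, nonce, now):
    """Relying party: checks required by OIDC Core 3.1.3.7 (signature, iss, aud, exp, nonce)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an alg you did not configure
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replayed token)")
    return claims

def finish_login(idp, callback_url, session, now):
    """Relying party: handle the callback, exchange the code, validate the ID token."""
    q = query_dict(callback_url)
    if not hmac.compare_digest(q.get("state", ""), session["state"]):
        raise ValueError("state mismatch (login CSRF)")
    tokens = idp.token(q["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, now)
    return validate_id_token(tokens["id_token"], session["nonce"], now)

def demo(now=1_700_000_000):
    idp = FakeIdP([REDIRECT_URI])
    request_url, session = start_login()
    callback_url = idp.authorize(request_url, subject="alice@example.com")
    return finish_login(idp, callback_url, session, now)["sub"]
```

Two failure modes worth reproducing: register a different redirect URI in `FakeIdP` and `authorize` refuses the request, which is what you see in the IdP's error page when the RedirectURI was not copied exactly; and change the configured Issuer so that it no longer equals the `iss` claim, and `validate_id_token` rejects an otherwise valid token.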
Configure a logon-free policy and log on to the client
After you enable the client logon-free feature, users can run the client without logging on. Devices that are not attached to an identity source connect with an anonymous identity. Data protection and endpoint mitigation policies still apply.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Authentication Management tab, click Single Sign-On Policy.
In the Client Auto-Sign-In Policy panel, enable the policy, configure the logon-free scope, and view the devices to which the policy applies.
Configuration item
Description
Enable Client Auto-Sign-In: Enables the client logon-free policy.
Scope of Automatic Sign-In: One of the following.
All Devices: All devices in the platform's endpoint list, including manually imported company devices. After the policy takes effect, these devices connect with an anonymous identity and no logon is required. This scope requires that the custom identity source is enabled for authentication. In the navigation pane on the left, choose to view enterprise endpoint information.
Authenticated Devices: All devices for which device authentication has been configured in an extension authentication source. After the policy takes effect, these devices connect using the identity of the device owner recorded in the import template, and no logon is required.
Automatic Sign-In Status: The devices on which the policy is currently in effect. Click the device count to go to the Terminals page and view information about these devices.
Click OK.
On the Authentication Management tab, enable the custom identity source.
Note: After you activate SASE, a custom identity source is generated automatically. To create a custom identity source, see Configure an SASE identity source.
If your enterprise uses an enterprise architecture identity source, you must also enable that identity source.
If your enterprise uses an OIDC extension authentication source, you must also enable that authentication source on the Authentication Management tab.
On a device within the logon-free scope, download and install the SASE App.
Open the SASE App, enter the enterprise verification identity, and then click Confirm. The SASE App logs on automatically.
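Because the Authenticated Devices scope matches endpoints on the device attributes uploaded in the device authentication import template (Name, Phone Number, Email, Device MAC Address, Device SN, Device Hostname), a malformed or duplicated row silently leaves a device outside the logon-free scope. The following added example (not SASE tooling) checks an import file before upload: it normalizes MAC addresses to one form, rejects malformed MACs and email addresses, reports duplicate MACs and serial numbers, and flags locally administered MACs, which are typically randomized and therefore unlikely to stay stable. It assumes the template is a CSV whose header uses exactly the field names above and that Phone Number is optional; the real template's layout may differ, and the sample rows are constructed.

```python
"""Pre-upload check for a device-authentication import file. Added example, not part of SASE.
Assumes a CSV whose header matches the field names listed in the table above (Phone Number optional)."""
import csv
import io
import re

REQUIRED = ("Name", "Email", "Device MAC Address", "Device SN", "Device Hostname")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAC_HEX_RE = re.compile(r"^[0-9A-F]{12}$")

def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return upper-case colon form or None."""
    hexdigits = re.sub(r"[:\-.\s]", "", raw).upper()
    if not MAC_HEX_RE.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 1 of the first octet set: randomized or virtual MACs that may change between sessions."""
    return bool(int(mac[:2], 16) & 0x02)

def check_import(text):
    """Return (rows_ok, problems). rows_ok holds normalized rows; problems are human-readable findings."""
    reader = csv.DictReader(io.StringIO(text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        return [], [f"header is missing columns: {missing_cols}"]
    ok, problems, seen_mac, seen_sn = [], [], {}, {}
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        row = {k: (v or "").strip() for k, v in row.items() if k is not None}
        empty = [c for c in REQUIRED if not row.get(c)]
        if empty:
            problems.append(f"line {n}: empty required fields {empty}")
            continue
        if not EMAIL_RE.match(row["Email"]):
            problems.append(f"line {n}: malformed email {row['Email']!r}")
            continue
        mac = normalize_mac(row["Device MAC Address"])
        if mac is None:
            problems.append(f"line {n}: malformed MAC {row['Device MAC Address']!r}")
            continue
        if mac in seen_mac:
            problems.append(f"line {n}: MAC {mac} duplicates line {seen_mac[mac]}")
            continue
        sn = row["Device SN"]
        if sn in seen_sn:
            problems.append(f"line {n}: SN {sn} duplicates line {seen_sn[sn]}")
            continue
        if is_locally_administered(mac):  # warning only: the row is still uploadable
            problems.append(f"line {n}: warning, {mac} is locally administered (randomized?) and may not be stable")
        seen_mac[mac], seen_sn[sn] = n, n
        row["Device MAC Address"] = mac
        ok.append(row)
    return ok, problems

# Constructed sample import file: one clean row, one duplicate MAC in another notation,
# one bad email, one malformed MAC, one locally administered MAC.
SAMPLE = """Name,Phone Number,Email,Device MAC Address,Device SN,Device Hostname
Alice,+86 138 0000 0000,alice@example.com,00-1A-2B-3C-4D-5E,SN0001,alice-laptop
Bob,,bob@example.com,00:1a:2b:3c:4d:5e,SN0002,bob-laptop
Carol,,carol.example.com,001A.2B3C.4D5F,SN0003,carol-laptop
Dan,,dan@example.com,ZZ:11:22:33:44:55,SN0004,dan-laptop
Eve,,eve@example.com,02:11:22:33:44:55,SN0005,eve-laptop
"""

if __name__ == "__main__":
    rows, findings = check_import(SAMPLE)
    print(f"{len(rows)} rows ready to upload")
    for finding in findings:
        print(finding)
```

Run it against the real template before uploading and fix every non-warning finding; the duplicate-MAC case above is the one that most often slips through, because the same address written in two notations looks like two devices to a human reviewer.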
Enable authentication status
Identity sources and OIDC extension authentication sources that you created are displayed in a list. You can manage the authentication status of the identity sources and adjust their display order on the SASE App logon page.
On the Authentication Management tab, find the identity source that you created.
In the Authentication Status column, turn on the switch to enable the authentication status.
You can adjust the display order of identity sources on the SASE App logon page by dragging the icon on the left side of the list. Only identity sources whose authentication status is enabled can be reordered.
You can use an identity source to log on to the SASE App only if its authentication status is enabled.
References
To create user groups outside your enterprise organizational structure, see User group management.
For more information about client logon-free operations, see Best practices for SASE client logon-free.