Connect your SASE identity provider (IdP) to your existing SSO system so that users can access office applications through the SASE client without re-entering credentials. SASE implements this as OpenID Connect (OIDC)-based single sign-on (SSO), a form of identity federation.
How it works
SASE acts as the IdP in the SSO flow. Your office application, integrated into your existing SSO system, acts as the service provider (SP). A central authentication server verifies user credentials and issues a token. The SASE IdP is registered as the identity provider trusted by the SP, so users who authenticate to the SASE IdP can access your office application.
When a user logs on to the SASE client, the user is associated with the SASE IdP and can then access all integrated applications without re-entering a username or password or scanning a QR code.
The following figure shows the workflow.
Key concepts
| Term | Description |
|---|---|
| IdP | A Resource Access Management (RAM) entity that provides identity management services. |
| SP | An application that uses an IdP's identity management feature to provide services. The SP consumes user information from the IdP. |
| OIDC | An authentication protocol built on OAuth 2.0. OAuth handles authorization; OIDC adds an identity layer so clients can verify user identities and retrieve basic user information via an HTTP RESTful API. |
| OIDC token | An ID token issued by the OIDC IdP to an application. It identifies the logged-on user and can be used to retrieve basic user information. |
| Client ID | An ID generated when you register an application with an external IdP. When you request an OIDC token from an external IdP, you must present this client ID; the IdP stores it in the aud field of the OIDC token. When you create an OIDC IdP in SASE, you must configure the same client ID. If you use the OIDC token to get an STS token, Alibaba Cloud verifies that the aud field matches the configured client ID. |
| Issuer URL | The URL of the issuer, provided by an external IdP. It is stored in the iss field of the OIDC token. The URL must start with https, follow valid URL format, and must not contain query parameters (?), user information (@), or fragment identifiers (#). |
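The checks the table describes on the SP side (the issuer URL format rules, and matching the token's iss and aud fields against the configured issuer and client ID) are shown below as an added example; it is not code from the SASE product or the Alibaba Cloud SDK. It assumes an HS256-signed token with a constructed shared secret so that it runs offline; a production OIDC IdP signs ID tokens with RS256 and publishes its public keys via JWKS, and the signature step would use those keys instead.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlsplit

def is_valid_issuer_url(url: str) -> bool:
    """Issuer URL rules from the table: https scheme, well-formed host,
    no query (?), no user information (@), no fragment (#)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return not any(ch in url for ch in "?@#")

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    """Constructed IdP side: sign the claims as an HS256 JWT (demo only;
    a real OIDC IdP signs with RS256 and publishes a JWKS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, issuer: str, client_id: str, key: bytes, now=None):
    """SP side: check the signature first, then iss, aud (must contain the
    registered client ID) and exp. Returns (True, claims) or (False, reason)."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token"
    if claims.get("iss") != issuer:
        return False, "iss mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud mismatch"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "token expired"
    return True, claims
```

The order matters: the signature is verified before any claim is trusted, and the aud check is what ties the token to the client ID configured in SASE rather than to some other application registered with the same IdP.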
Benefits
Seamless access: Users log on to the SASE client once and access all OIDC-integrated applications without re-entering credentials.
Real-time data security: All access to office applications goes through the SASE client, ensuring data security in real time.