Manage identity providers

更新时间:
复制 MD 格式

Agent Identity supports integration with OpenID Connect (OIDC)-compatible identity providers (IdPs). The agent uses a JSON Web Token (JWT) obtained from the user's IdP to call the Agent Identity API. The Agent Identity service validates the inbound JWT based on the configured IdP information. After the validation succeeds, the service returns a Workload Access Token, which allows the agent to perform subsequent operations, such as obtaining an OAuth2 access token for a target resource.

Scenarios

You can configure an identity provider for inbound authentication in the following scenarios.

  • The agent needs to interact with a user to provide features and call an MCP server or other resources, such as Alibaba Cloud OpenAPI, on behalf of the user.

  • User identities are managed by an OIDC-compatible IdP, such as Alibaba Cloud, DingTalk, WeChat, Lark, Entra ID, Okta, Ping Identity, or an enterprise's internal IdP.

Prerequisites

  1. Create an OAuth 2.0/OIDC application in your identity provider and obtain the following information. You will use this information to create an identity provider in Agent Identity:

    • OIDC metadata address

    • Allowed target audience

    For more information about how to configure common identity providers, see Tutorials for setting up typical identity providers.

  2. We recommend that you assign the AliyunAgentIdentityFullAccess permission to the Resource Access Management (RAM) user or role that manages identity providers.

Create an identity provider

  1. Log on to the Agent Identity console. In the navigation pane on the left, choose Inbound > Identity Providers.

  2. On the Identity Providers page, click Create Identity Provider.

  3. On the Create Identity Provider page, configure the following parameters:

    1. Identity provider name

    2. Description (Optional): A description of the identity provider.

    3. OIDC metadata address: Obtain this from your IdP. The format is typically https://<YOUR-IDP-FQDN>/.well-known/openid-configuration.

    4. Allowed target audience: Obtain this from the id_token issued by the IdP. This is usually the application ID of the OAuth/OIDC application registered with the IdP. You can set multiple audiences. Enter each value on a new line. Select one of the following settings:

      • Allow all audiences: Agent Identity does not validate the audience (aud) field in the inbound JWT. This setting poses a security risk. We recommend that you use it only in test environments.

      • Specify audience whitelist: Agent Identity validates the audience (aud) field in the inbound JWT. Validation succeeds only if the value of the aud field matches a value in the whitelist.

  4. Click Create Identity Provider.

Note

If the provided OIDC metadata address is not accessible over the public network, an Unreachable OAuth2 discovery error is reported when you create the identity provider. In this case, access the metadata address in a browser to verify its accessibility. If you cannot access it, contact the IdP administrator to troubleshoot the issue.

Delete an identity provider

  1. Log on to the Agent Identity console. In the navigation pane on the left, choose Inbound > Identity Providers.

  2. On the Identity Providers page, find the target identity provider and click Delete Identity Provider in the Actions column.

  3. In the Delete Identity Provider dialog box, enter the name of the identity provider, and then click Delete Identity Provider.