Agent Identity Security Configuration Guide

This topic explains how to use Agent ID in IDaaS EIAM to manage AI agent identities and permissions. It covers asset visualization, human-to-machine permission isolation, authentication method configuration, client and large language model (LLM) node integration, enterprise service access, and FAQs.

Applicability

  • You have created an Enterprise instance of IDaaS EIAM and enabled the M2M feature with at least two M2M application quotas. For instructions, see Create an instance and Upgrade an instance.

  • You have created an enterprise identity source with at least one valid account in the account list. For instructions, see Create an account.

Register an agent identity

  1. Go to the IDaaS EIAM console.

  2. In the navigation pane on the left, choose Agent ID Guard.

  3. On the Agent ID Management page, click Register Agent Identity.

  4. The system automatically creates an agent identity configuration topology diagram. The diagram supports the following nodes:

    • Agent node: Represents the agent identity entity. Configure authentication methods and permissions here.

    • Client node: Authorizes client access and controls which clients can access the agent.

    • Downstream resources: Select from the following nodes as needed.

      • Large Language Model (LLM) node: Creates API key credentials for the Large Language Model service.

      • Enterprise Service: An internal enterprise application that integrates with IDaaS.

      • Third-Party Service node: OAuth credentials or API keys for third-party applications provided by external service providers.

  5. The topology diagram supports the following authorization relationships between nodes:

    • Outbound authorization: Connects the Agent node to Large Language Model (LLM), Enterprise Service, or Third-Party Service nodes to establish an outbound authorization relationship.

    • Inbound authorization: Connects the client node to the Agent node to establish inbound authorization.

  6. Hover over the Agent node: click the + button on the left side of the node to add a Client node, or click the + button on the right side to add a Large Language Model (LLM), Enterprise Service, or Third-Party Service node.

Important

Each Agent, Client, and Enterprise Service node requires one M2M application authorization.

Configure the Agent node

Configure authentication methods and permissions for the Agent node.

General configurations

  1. In the agent identity configuration topology diagram, click the Agent node.

  2. In the General panel, complete the following settings:

    • Agent ID: Generated automatically by the system. You cannot modify it.

    • Agent Name: Enter a custom name for display in the console.

    • Authentication Type: Select one of the following two methods.

      • Client Secret Credential: Used for client-side identity authentication when the agent accesses IDaaS. Click Add client_secret to create a new Client Secret Credential.

      • Certificates Credential: Click Manually Add to add the client's Public Key. The agent signs its authentication information with its private key, and IDaaS verifies that signature with the client's Public Key.

    • Configure Audience Identifier: Generated automatically by the system. You can modify it only during the first configuration. After configuration, you cannot modify it.

  3. Click Next to enter the Permission Configuration page.

Permission configuration

  1. Configure permission information:

    • Permission Name: Generated automatically by the system. You can modify it.

    • Scope Value: Used to uniquely identify this permission. The system automatically generates a default value, which you can modify as needed. We recommend that you keep the default agent.access.

    • Authorization Method: Choose an authorization method.

      • Auto-Authorize: Grants this permission to all users who can access the client. These users gain access to the agent.

      • Manually: Assign this permission individually to specific users.

  2. If you select Manually, click Next. You are then directed to the Authorization Configuration panel, where you can select an authorization object:

    • User: Select a single user account.

    • Group: Select a user group. All members in the group receive the permission.

    • Organization: Select an organization. All members in the organization receive the permission.

  3. Complete the permission configuration.

Configure the client node

Configure the authentication information that clients use to access the agent. After configuration, you can view the created client M2M application on the Application Management > M2M Applications page.

Add a client node

  1. In the agent identity configuration topology diagram, hover over the Agent node. Click the + button on the left side.

  2. In the node type menu, select Client.

Alternatively, click the Add Node button on the page to add a Client node.

Configure the client application

  1. Click the new client node.

  2. In the configuration panel, choose one of the following actions:

    • Select an existing application: Choose an already created OIDC (M2M) application from the application list.

    • Create a new application: Click Create Client Application.

Create a client application

  1. Click Create Client Application.

  2. Configure basic application information:

    • Application Name: Enter a name for the client application.

    • Redirect URI: The default login page URL. Users are redirected to this URL for identity verification, such as entering a username and password or selecting an external identity provider. Supports HTTPS and HTTP protocols. Example: https://example.aliyun.com/login.

      Note

      The # character and everything after it in a URI are not sent to the server. To include them, use %23 instead.

    • Authentication Type: Choose a client authentication method.

      • Client Secret Credential: Used for IDaaS to authenticate the agent. Configure this credential on the agent side.

      • Certificates Credential: Add the client's Public Key. IDaaS uses this public key to verify the agent's information.

  3. Click Next to open the authorization configuration panel. Select the users allowed to use this client application. You can select users by User, Group, or Organization.

  4. Complete client application creation.

Configure inbound authorization

Inbound authorization defines the scope of permissions that clients can request.

  1. On the line connecting the client node and the Agent node, click Inbound Authorization.

  2. In the inbound authorization configuration panel, click Authorize.

  3. In the permission list, select the permissions to grant. Available permissions come from the permission list configured in the Agent node.

Configure the large language model (LLM) node

Configure credentials for large language models. After you host LLM credentials in IDaaS, agents retrieve the credentials they need from IDaaS.

Add an LLM node

  1. In the agent identity configuration topology diagram, hover over the Agent node.

  2. Click the + button on the right side.

  3. In the node type menu, select Large Language Model (LLM).

Configure LLM credentials

  1. Click the new Large Language Model (LLM) node.

  2. In the configuration panel, choose one of the following actions:

    1. Select an existing credential. Create credentials in advance in the Asset Management > Credential menu. After creation, select them here.

    2. Add a new API key credential.

Add an API key credential

  1. Click Add API Key Credential.

  2. Configure credential information:

    • Credential Name: Displayed in the console.

    • Description: Description of the credential.

    • Business Type: Set by the system to Large Language Model (LLM). You cannot modify it.

    • API key ID: Identifier for the hosted LLM API key.

    • API Key: The hosted API key.

    • Secure Storage: Default Encrypted Credential. This setting cannot be disabled.

  3. Complete adding the API key credential.

Configure LLM outbound authorization

LLM outbound authorization is automatic. After successful authentication, the system allows the agent to retrieve associated LLM API credentials.

Configure the enterprise service node

If your agent needs to access enterprise services, create an enterprise service node so that the agent can obtain access tokens for those services. After configuration, you can view the created enterprise service M2M application on the Application Management > M2M Applications page.

Important

Each enterprise service node represents one internal enterprise application. This application must support access credentials issued by IDaaS.

General configurations

  1. In the agent identity configuration topology diagram, click the Enterprise Service node.

  2. In the configuration panel, choose one of the following actions:

    1. Select an existing enterprise service. Add M2M applications in Application Management > M2M Applications. After adding, select them here.

    2. Add a new enterprise service application.

Add an enterprise service application

  1. Click Add Enterprise Service Application.

  2. Complete the following configuration information:

    1. Application Name: Enter a name for display in the console.

    2. Configure Audience Identifier: Configure the audience identifier for the enterprise application. You cannot modify it after configuration.

  3. Click Next.

Permission configuration

  1. Configure permission information:

    • Permission Name: Enter a display name for the permission.

    • Scope Value: Uniquely identifies this permission. The system generates a default value. You can modify it as needed.

  2. Complete the configuration.

Configure enterprise service outbound authorization

Outbound authorization defines the scope of permissions for agent access to enterprise services.

  1. On the line connecting the Agent node and the enterprise service node, click Outbound Authorization.

  2. In the Outbound Authorization Configuration Panel, click Create Scope.

  3. In the permission list, select the permissions to grant. Available permissions come from the permission list configured in the enterprise service node.

  4. Complete the configuration.
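
The enterprise service side of this configuration, as an added example (not part of the original guide and not IDaaS code): the checks a service applies to an access token so that only tokens issued for its own Audience Identifier and an authorized Scope Value are accepted. It assumes the token is a JWT whose signature has already been verified and whose claims follow RFC 9068 (aud, scope, exp); the audience strings and the orders.read scope are constructed for illustration.

```python
# Added example: claim checks an enterprise service applies to an access token
# AFTER its signature has been verified with a JWT library against the
# issuer's published keys. Claim names (aud, scope, exp) follow RFC 9068 and
# are an assumption; the audience and scope strings below are constructed.
import time

ENTERPRISE_AUDIENCE = "https://orders.example.internal"  # hypothetical Audience Identifier
AGENT_AUDIENCE = "https://agent.example.internal"        # hypothetical Agent node audience


def _as_set(value):
    """Normalize a claim that may be a space-delimited string or a list."""
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, (list, tuple)):
        return {v for v in value if isinstance(v, str)}
    return set()


def authorize(claims, expected_audience, required_scope, now=None, leeway=30):
    """Return (allowed, reason) for already-verified token claims."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "missing or malformed exp"
    if now > exp + leeway:
        return False, "token expired"
    # aud may be a single string or a list; a single string is not split.
    aud = claims.get("aud")
    audiences = {aud} if isinstance(aud, str) else _as_set(aud)
    if expected_audience not in audiences:
        return False, "audience mismatch"
    if required_scope not in _as_set(claims.get("scope")):
        return False, "scope not granted"
    return True, "ok"


# Constructed claims: one token issued for the enterprise service (outbound
# authorization), one issued for the agent itself (inbound, scope agent.access).
NOW = 1_700_000_000
outbound = {"aud": ENTERPRISE_AUDIENCE, "scope": "orders.read", "exp": NOW + 300}
inbound = {"aud": [AGENT_AUDIENCE], "scope": "agent.access", "exp": NOW + 300}

if __name__ == "__main__":
    print(authorize(outbound, ENTERPRISE_AUDIENCE, "orders.read", now=NOW))
    print(authorize(inbound, ENTERPRISE_AUDIENCE, "orders.read", now=NOW))
    print(authorize(outbound, ENTERPRISE_AUDIENCE, "orders.write", now=NOW))
```

The second call shows why the Agent node and each enterprise service carry separate audience identifiers: a token a client obtained for the agent is rejected when presented to the enterprise service.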

Configure the third-party service node

Add a third-party service node

  1. In the agent identity configuration topology diagram, hover over the Agent node. Click the + button on the left side.

  2. In the node type menu, select Third-Party Service.

Alternatively, click the Add Node button on the topology page to add a Third-Party Service node.

Configure third-party service credentials

  1. In the agent identity configuration topology diagram, click the Third-Party Service node.

  2. In the Third-Party Service configuration panel, choose one of the following actions:

    1. Select an existing credential. Create credentials in advance in the Asset Management > Credential menu. After creation, select them here.

    2. Add a new Third-Party Service.

Add a third-party service credential

  1. Click Add API Key Credential.

  2. Configure credential information:

    Note

    Credentials have a maximum limit. You cannot add more credentials after reaching the limit.

    • Credential Name: Displayed in the console.

    • Description: Description of the credential.

    • Business Type: Set by the system to Third-Party Service. You cannot modify it.

    • API key ID: Identifier for the hosted API key.

    • API Key: The hosted API key.

    • Secure Storage: Default Encrypted Credential, which cannot be disabled.

  3. Complete adding the API key credential.

Related operations

After configuration, you can perform the following operations:

  • Edit a node: Click a node and modify its configuration in the configuration panel.

  • Delete a node: Click the delete icon in the upper-left corner of a node.

  • Adjust authorization: Click an authorization line to add or remove permission items.

FAQ

Why do I get an error about insufficient M2M application authorization quota?

A: Each Agent node, client node, and enterprise service node consumes one M2M application authorization quota. Confirm that your IDaaS instance has enough M2M application authorizations. Contact your administrator or upgrade your instance type if you need more quota.

What is the difference between client secret credentials and public-private key credentials?

A:

  • Client Secret Credential: Uses a client ID and secret for authentication. Simple to configure.

  • Certificates Credential: Uses asymmetric cryptography: the agent signs with its private key and IDaaS verifies with the public key. Supports more secure key management options, such as KMS or HSM. Offers higher security.

How do I get an API key for a large language model?

A: Log in to the large language model service provider's console, such as Alibaba Cloud Model Studio or OpenAI. Go to the API key management page and create or retrieve your API key.