General settings


This document describes the logon methods supported by Alibaba Cloud IDaaS (EIAM), such as username and password, text message verification code, third-party logon, and MFA. It explains how to configure flexible, enterprise-grade authentication policies to enhance account security.

Logon methods

  1. Three built-in logon methods

    Logon method: IDaaS username and password logon
    Description: Enabled by default. Allows users to log on with the username and password stored in IDaaS. This method is unavailable for accounts that do not have a username and password, such as those imported from DingTalk.

    Logon method: IDaaS text message verification logon
    Description: Disabled by default and must be enabled before use. The user's account must be linked to a phone number. The text message content can be viewed but not modified. Text messages are currently free of charge.

    Logon method: WebAuthn authenticator logon
    Description: Allows secure and convenient logon by using a hardware authenticator based on the WebAuthn protocol. For more information, see Advanced: WebAuthn secure logon.

  2. Adding logon methods

    To enable other logon methods in IDaaS, you must configure an identity provider. Adding an identity provider may automatically create a corresponding logon method.

    For example, when you bind DingTalk, if you select Enable DingTalk QR code logon, the DingTalk QR code logon method is automatically created and can be used immediately.

    If you do not enable the logon method during the binding process, you can still enable it at any time from the identity provider page. The logon method is automatically created the first time you enable it.

    The logon status on the identity provider page is synchronized with its status in the logon method list.

    For example, if you disable DingTalk QR code logon in the identity provider page, the corresponding logon method is also disabled.

  3. Disabling logon methods

    A disabled logon method cannot be used and will not appear on the logon page.

Logon configuration

  1. Configuring basic IDaaS logon settings

  2. Parameter descriptions

    1. skip logon page: When enabled, this feature bypasses the IDaaS logon page by redirecting users to the provider's authentication page. This applies only if a single logon method is active and it is based on either OpenID Connect (OIDC) or the Lark logon.

      1. Validation rule for saving the configuration. If multiple logon methods are already enabled when you try to save the configuration, a dialog box appears with the following message:

        When the skip logon page feature is enabled, only one logon method—either based on OpenID Connect (OIDC) or the Lark logon—is supported. Disable the other logon methods and save the configuration again.

        In this case, you cannot save the configuration.

      2. Conflict prompt for identity providers. If the skip logon page feature is enabled and you try to enable an additional logon method from the IdPs page or the Login > General > Login Mode page, a dialog box appears with the following message:

        When the skip logon page feature is enabled, only one logon method—either based on OpenID Connect (OIDC) or the Lark logon—is supported. Disable the other logon methods, or disable the skip logon page feature and try again.

        Note

        The logon page is skipped only if two conditions are met: the skip logon page feature is enabled, and only one authentication source (either Lark or an OpenID Connect (OIDC) provider) is active.

    2. default PC logon method: Sets the logon method that is displayed by default on the IDaaS logon page for PCs. Users can switch to other available methods on the logon page.

    3. default mobile logon method: Sets the logon method that is displayed by default on the IDaaS logon page for mobile apps. Users can switch to other available methods on the logon page.

    4. session duration: Sets how long a logon session remains active in the browser (for example, 8 hours). After the session expires, users must log on again.

    5. idle session timeout: Sets the period of user inactivity after which a session times out (for example, 2 hours). After the timeout, users must re-authenticate.
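The rules above (the skip-logon-page validation at save time, the conflict prompt when a second method is enabled, hidden disabled methods with the default shown first, and the two session limits) can be checked mechanically. The following Python model is an added example written for this page, not IDaaS code or its API: the class names, field names and protocol strings are assumptions, and the 8-hour and 2-hour defaults are the example values the parameter descriptions use.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of the settings described on this page. Names, fields and
# protocol strings are assumptions for illustration, not the IDaaS API.
SKIPPABLE_PROTOCOLS = {"oidc", "lark"}

SKIP_PAGE_MESSAGE = (
    "When the skip logon page feature is enabled, only one logon method, based on "
    "OpenID Connect (OIDC) or the Lark logon, is supported."
)


@dataclass
class LogonMethod:
    name: str
    protocol: str  # assumed values: "password", "sms", "webauthn", "oidc", "lark", "dingtalk_qr"
    enabled: bool = True


@dataclass
class LogonSettings:
    skip_logon_page: bool = False
    methods: List[LogonMethod] = field(default_factory=list)
    default_pc_method: Optional[str] = None
    session_duration: timedelta = timedelta(hours=8)       # example value from the page
    idle_session_timeout: timedelta = timedelta(hours=2)   # example value from the page

    def enabled_methods(self) -> List[LogonMethod]:
        return [m for m in self.methods if m.enabled]


def save_error(settings: LogonSettings) -> Optional[str]:
    """Validation rule at save time: with skip logon page on, exactly one method may be
    enabled and it must be OIDC- or Lark-based. Returns the dialog text, or None when
    the configuration can be saved."""
    if not settings.skip_logon_page:
        return None
    enabled = settings.enabled_methods()
    if len(enabled) != 1 or enabled[0].protocol not in SKIPPABLE_PROTOCOLS:
        return SKIP_PAGE_MESSAGE + " Disable the other logon methods and save the configuration again."
    return None


def logon_page_skipped(settings: LogonSettings) -> bool:
    """Both conditions from the note must hold: feature enabled and a single
    OIDC/Lark authentication source active."""
    return settings.skip_logon_page and save_error(settings) is None


def enable_method(settings: LogonSettings, name: str) -> Optional[str]:
    """Enabling a method from the IdPs page or the Login Mode page. When skip logon page
    is on and another method is already enabled, return the conflict prompt and leave
    the method disabled; otherwise enable it and return None."""
    target = next(m for m in settings.methods if m.name == name)
    if target.enabled:
        return None
    if settings.skip_logon_page and settings.enabled_methods():
        return (SKIP_PAGE_MESSAGE
                + " Disable the other logon methods, or disable the skip logon page feature and try again.")
    target.enabled = True
    return None


def logon_page_methods(settings: LogonSettings) -> List[str]:
    """What the PC logon page offers: disabled methods are hidden and the default
    PC logon method is listed first; users can still switch to the others."""
    names = [m.name for m in settings.enabled_methods()]
    if settings.default_pc_method in names:
        names.remove(settings.default_pc_method)
        names.insert(0, settings.default_pc_method)
    return names


def session_active(settings: LogonSettings, started_at: datetime,
                   last_activity: datetime, now: datetime) -> bool:
    """A session survives only while both limits hold: its total age is within
    session_duration and the time since the last request is within idle_session_timeout."""
    if now - started_at > settings.session_duration:
        return False
    if now - last_activity > settings.idle_session_timeout:
        return False
    return True


if __name__ == "__main__":
    cfg = LogonSettings(skip_logon_page=True, methods=[
        LogonMethod("Password", "password", True),
        LogonMethod("Lark", "lark", False),
    ])
    print(save_error(cfg))          # cannot save: the single enabled method is password-based
    print(enable_method(cfg, "Lark"))  # conflict prompt: another method is already enabled
    cfg.methods[0].enabled = False
    print(enable_method(cfg, "Lark"), logon_page_skipped(cfg))  # None True
```

The two session checks are deliberately independent: a user who is active every hour still hits the absolute limit after 8 hours, and a user who stops for more than 2 hours is logged out well before it, so the effective session lifetime is the tighter of the two.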