IDaaS authentication and authorization lets you use a single set of identity credentials, such as a username and password or multi-factor authentication (MFA), to access your applications and services without logging in to each one separately.
This topic applies to Standard Edition and Professional Edition instances of Cloud-native Gateway.
Prerequisites
- You have activated Alibaba Cloud IDaaS.
- You have created an OAuth 2.0 application. For more information, see OAuth 2.0 Template Guide.
Create an authentication rule
- Log on to the MSE console.
- In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.
- On the Gateways page, click the ID of the gateway.
- In the left-side navigation pane, choose Security Management > Global Authentication.
- In the upper-left corner, click Create Authentication. In the resulting panel, configure the authentication and authorization parameters and click OK.
The following list describes the IDaaS authentication and authorization parameters for Cloud-native Gateway.
- Authentication Name: A name for the authentication rule.
- Authentication Type: Select the IDaaS authentication method.
- Logon URL: The URL of the user logon page for your IDaaS instance.
- Redirect URL: The URL to which users are redirected after successful authorization. This URL must be the same as the one configured in Alibaba Cloud IDaaS.
- Client-ID: The application ID that was assigned when you registered the OAuth 2.0 application in Alibaba Cloud IDaaS.
- Client-Secret: The application secret that was assigned when you registered the OAuth 2.0 application in Alibaba Cloud IDaaS.
- Cookie-Domain: The domain for the cookie. After a user is successfully authenticated, the cookie is sent to this domain to maintain the logon session. For example, if you set Cookie-domain=a.example.com, the cookie is sent to the a.example.com domain. If you set Cookie-domain=.example.com, the cookie is sent to all subdomains of example.com.
- Authorization: Authorization supports Whitelist and Blacklist.
  - Whitelist: Requests that match the specified hosts and paths can bypass authentication. All other requests require authentication.
  - Blacklist: Requests that match the specified hosts and paths require authentication. All other requests can bypass authentication.
  Click Rule Condition to set the request domain name and path.
  - Domain Name: The domain name of the request (host).
  - Path: The API path of the request.
View authentication rule details
- Log on to the MSE console.
- In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.
- On the Gateways page, click the ID of the gateway.
- In the left-side navigation pane, choose Security Management > Global Authentication.
- On the Global Authentication page, click the name of an authentication rule or click Details in the Actions column to view its Authentication Configuration and Authorization Information.
The details page contains three sections: Basic information (name, source), Authentication configuration (including fields such as User Logon URL, Redirect URL, Client-ID, Client-Secret, and Cookie-Domain), and Authorization information. Authorization rules, which can be configured in whitelist or blacklist mode, determine which requests are checked. Conditions in separate rows are linked by OR, while multiple conditions within the same row are linked by AND. You can click Add Authorization Information to define match conditions based on the request domain name and path.
In the Authorization Information section, click Add Authorization Information. In the dialog box that opens, enter a Request Domain Name and Request Path, select a Match Mode, and click OK to add the authorization rule.
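The Whitelist/Blacklist behaviour from the parameter list and the row semantics above (rows ORed, domain and path within a row ANDed), plus the Cookie-Domain scope, as an added Python model that is not part of the MSE documentation or product; the class and function names and the Match Mode values "exact" and "prefix" are assumptions for illustration.

```python
# Added example (not MSE's own code): a model of how whitelist/blacklist
# authorization rows and the Cookie-Domain scope decide behaviour.
# RuleRow, requires_authentication, cookie_sent_to and the match modes
# "exact"/"prefix" are assumed names, not the product's API.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RuleRow:
    """One row of Authorization Information: domain AND path must both match."""
    domain: str                  # Request Domain Name (host)
    path: str                    # Request Path
    match_mode: str = "prefix"   # assumed Match Mode values: "exact" or "prefix"


def row_matches(row: RuleRow, host: str, path: str) -> bool:
    """Conditions in one row are ANDed: host equals the domain AND the path
    satisfies the row's match mode."""
    if host.lower() != row.domain.lower():
        return False
    if row.match_mode == "exact":
        return path == row.path
    if row.match_mode == "prefix":
        return path.startswith(row.path)
    raise ValueError(f"unknown match mode: {row.match_mode}")


def requires_authentication(mode: str, rows: List[RuleRow],
                            host: str, path: str) -> bool:
    """Rows are ORed. Whitelist: matching requests bypass IDaaS logon, all
    others need it. Blacklist: matching requests need logon, all others bypass."""
    matched = any(row_matches(r, host, path) for r in rows)
    if mode == "whitelist":
        return not matched
    if mode == "blacklist":
        return matched
    raise ValueError(f"unknown authorization mode: {mode}")


def cookie_sent_to(cookie_domain: str, host: str) -> bool:
    """Cookie-Domain scope: 'a.example.com' covers only that host;
    '.example.com' covers every subdomain of example.com (and, following
    the usual browser cookie rules, example.com itself; an assumption here)."""
    cookie_domain, host = cookie_domain.lower(), host.lower()
    if cookie_domain.startswith("."):
        base = cookie_domain[1:]
        return host == base or host.endswith(cookie_domain)
    return host == cookie_domain
```

A misconfigured whitelist is the usual failure mode: a broad prefix row such as "/" exempts every request on that host, so check the decision for the sensitive paths rather than only the ones you meant to exempt.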
Verify the result
Return to the Global Authentication page and verify that the new authentication rule is listed.
Related operations
You can also manage gateway authentication rules in the following ways:
- Enable an authentication rule: On the Global Authentication page, find the target authentication rule and click Enable in the Actions column.
- Disable an authentication rule: On the Global Authentication page, find the target authentication rule and click Close in the Actions column.
- Edit an authentication rule: On the Global Authentication page, find the target authentication rule and click Edit in the Actions column.
- Delete an authentication rule: On the Global Authentication page, find the target authentication rule and click Delete in the Actions column. You can delete an authentication rule only if it is disabled.
Related documents
- Alibaba Cloud IDaaS is an identity and access management (IAM) system for enterprises. For more information, see What is Enterprise Identity and Access Management (EIAM)?.
- To learn about other authentication and authorization mechanisms, see Global Authentication.