Connect to a custom identity provider


If your organization does not use a dedicated identity provider (IdP) to manage its organizational structure, you can create a custom identity provider in SASE and maintain the organizational structure there. SASE App users are then authenticated against that identity provider before they can reach internal applications, which improves the security of your corporate environment. This topic describes how to configure a custom identity provider.

Limitations

You can enable only one custom identity provider at a time. To enable a new custom identity provider, you must first disable the currently active one.

Configure a custom identity provider

After you activate SASE, SASE creates a custom identity provider for you by default. If you already have a custom identity provider, skip this step.

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Identity Authentication > Identity Access.

  3. Click the Identity synchronization tab, and then click Create IdP.

  4. In the Create IdP panel, select Custom IdP, and then click Configure.

  5. In the Basic Configurations step, configure the parameters described below, and then click Next.

    Parameter / Description

    IdP Name
      The name of the custom identity provider. The name must be 2 to 100 characters and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).

    IdP Status
      The status of the identity provider. Valid values:

      • Enabled: You can create the new custom identity provider in the enabled state only if no other custom identity provider is currently enabled.

      • Closed: If another custom identity provider is already enabled, create the new one in the Closed (disabled) state. You can enable it after you disable the other provider.

      Important: Disabling the active custom identity provider prevents end users from logging on to the SASE App and accessing internal applications. Proceed with caution.

    Logo
      Optional. Upload a custom logo.

  6. In the Logon Settings step, configure the logon methods described below.

    Parameter / Description

    PC Logon Method
      The available methods are Logon with Account and Password and Password-free Logon.

      • For Logon with Account and Password, you can enable Two-factor Authentication. The following options are available:

        • OTP-based Authentication: After you enable this option, you must select an OTP Mode. The following modes are supported:

          • Allow SASE mobile client to display tokens: The built-in one-time password (OTP) feature of SASE. Employees must install the SASE App to display tokens.

          • Allow third-party app tokens: Supports standard OTP authenticator software, such as the Alibaba Cloud app. Time-based OTP codes are derived from the current time, so make sure that the clock of the OTP client is synchronized; a device whose clock drifts too far from the server generates codes that are rejected.

          • Allow enterprise-owned tokens: To integrate your proprietary OTP system, contact technical support for assistance with the configuration.

        • Verification Code-based Authentication: Supports verification codes sent by text message or email. Make sure that a mobile phone number or email address is recorded for each user in the identity provider, because the code is delivered to that address.

      • For Password-free Logon, users must first download and log on to the SASE App, and then scan a QR code to authenticate on the PC.

    Mobile Device Logon Method
      The available methods are Logon with Account and Password and Fingerprint or Face Recognition.

      • For Logon with Account and Password, you can enable Two-factor Authentication. The following options are available:

        • OTP-based Authentication: To enable OTP-based Authentication on mobile devices, you must first enable it for PCs and select Allow third-party app tokens or Allow enterprise-owned tokens as the OTP Mode. The configuration for mobile devices is the same as for PCs.

        • Verification Code-based Authentication: Before you enable this option, make sure that a mobile phone number or email address is recorded for each user in the identity provider.

      • For Fingerprint or Face Recognition, users still need to enter a username and password for their initial logon to the SASE App; the biometric method applies to subsequent logons.

  7. Click OK to complete the configuration.
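The clock-synchronization requirement in the third-party token mode above follows from how standard authenticator apps generate codes. The Python below is an added example, not code from this page or from SASE: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, the defaults used by common authenticator apps) together with a server-side verification window, and then simulates clients whose clocks are ahead of or behind the server to show which codes are accepted. It assumes the third-party mode uses standard TOTP; the secret is the RFC 6238 test secret, and the skew values and window sizes are illustrative.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret ("12345678901234567890") in the base32 form that
# authenticator apps accept when a user enrolls. Constructed test data.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SECRET = base64.b32decode(SECRET_B32)

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS):
    """Verify a submitted code against the server clock.

    Accepts codes for the current step and up to `window` steps on either side,
    which tolerates small clock skew and codes typed just before a step boundary.
    Returns the step offset at which the code matched, or None if rejected.
    Constant-time comparison avoids leaking partial matches through timing.
    """
    for delta in range(-window, window + 1):
        candidate = totp(secret, server_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return delta
    return None


# Fixed server time for the simulation (an exact step boundary, 41152263 * 30).
SERVER_TIME = 1234567890


def simulate_skewed_client(skew_seconds: int, window: int = 1):
    """A client whose clock is off by `skew_seconds` generates a code and the
    server checks it. Returns the accepted step offset, or None if rejected."""
    client_code = totp(SECRET, SERVER_TIME + skew_seconds)
    return verify_totp(SECRET, client_code, SERVER_TIME, window=window)


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 -> 94287082 (last 6 digits shown).
    print("t=59:", totp(SECRET, 59))
    for skew in (0, 45, 90, -45):
        for window in (1, 2):
            result = simulate_skewed_client(skew, window)
            verdict = "rejected" if result is None else f"accepted at offset {result:+d}"
            print(f"client skew {skew:+4d}s, window {window}: {verdict}")
```

A window of one step accepts a client that is up to one step adrift; a client 90 seconds ahead is rejected, which is the failure a user sees when the phone clock is wrong. Widening the window reduces those support tickets but also widens the interval during which a captured code can be replayed, so keep it small and fix the client clock instead.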

Edit a custom identity provider

On the Identity synchronization tab, find the custom identity provider that you want to modify, and then click Edit in the Actions column.

Disable a custom identity provider

On the Identity synchronization tab, find the custom identity provider that you want to disable, and then turn off the switch in the IdP Status column.

Delete a custom identity provider

On the Identity synchronization tab, find the custom identity provider that you want to delete, and then click Delete in the Actions column.

Note

Custom identity providers do not support automatic synchronization. Because the organizational structure is maintained in SASE itself rather than pulled from an external directory, you must add, update, and remove users in SASE manually.

Related topics

Connect to a third-party identity provider

If your enterprise already uses an identity provider such as LDAP, DingTalk, WeCom, Lark, or IDaaS to manage its organizational structure, you can connect it to SASE to synchronize its identity data.

Configure user groups

If you need to create user groups outside your corporate organizational structure, see Manage user groups.