Third-party login configuration includes the following:
Configure common parameters—Ensure secure user login with third-party authentication.
Configure SMS notification parameters—Enable the management platform to interoperate with an SMS gateway.
Configure a third-party login server—Enable third-party login.
Configure WeCom login—Enable users to log in by scanning a QR code with WeCom.
Configure DingTalk login—Enable users to log in by scanning a QR code with DingTalk.
ARM hosts do not support third-party login configuration.
Common parameters ensure secure user login with SMS authentication. Before you can enable third-party authentication, you must configure third-party server parameters to set up a connection with a third-party authentication server.
From the left navigation pane, select Users > Auth Collaboration > Secondary Auth > Third-Party Login Configuration.
Click Configure for Common Parameters.
Click OK.
SMS Template: Configure the SMS template from which the system generates the messages that send one-time passwords to users. The template signature [xxxx] is optional. If you use one, enter it in the format required by the SMS platform. The SMS template must contain the string <VERIFYCODE>.
Resend In: Set the interval for the system to send a new one-time password. The default is 60 seconds.
Verification Code Validity Period: Set the validity period of one-time passwords. The system can send a new one-time password after the old one expires. The default is 120 seconds.
Apply To: Select the users to which SMS authentication is applied:
All Links: Enable SMS authentication for all users.
Gateway Login: Enable SMS authentication for users who log in through a gateway.
Direct Connection: Enable SMS authentication for directly connected users.
Auth User Type: Select an authentication user type from the Local User, Domain User, and LDAP User options.
The system supports sending an SMS balance alert to the administrators when the SMS balance drops below the alarm threshold.
From the left navigation pane, select Users > Auth Collaboration > Secondary Auth > Third-Party Login Configuration.
Click Configure for SMS Balancer Alert.
Configure the SMS balancer alert parameters, and then click OK.
To reset the SMS balancer alert parameters, click Reset for SMS Balancer Alert.
To enable SMS balancer alerts, click Enable for SMS Balancer Alert.
Balance Alert Threshold: Set the SMS balance alarm threshold. The default is 1000.
Send Alert At: Set the time when the system sends a low SMS balance message.
Administrator Phone Number: Enter the comma-separated phone numbers of the administrators to receive low SMS balance messages. The string cannot exceed 512 characters.
Perform this task to configure SMS platform parameters. If one-time password is also enabled for WeCom or DingTalk, users can perform 2FA by using a one-time password during client login.
From the left navigation pane, select Users > Auth Collaboration > Secondary Auth > Third-Party Login Configuration.
Click Configure & Enable for SMS Notification Parameters.
Configure the SMS notification parameters, and then click SMS Test to verify connectivity.
Click OK.
SMS Type: Select a platform to send the SMS messages. Options include Jixintong SMS Platform and Common SMS Platform. The Jixintong SMS platform is a third-party SMS platform and requires separate registration and deployment. For more information, access the official website of Jixintong.
If you select Jixintong SMS Platform, configure the following parameters:
Login Name: Enter the login name for accessing the SMS platform.
Login Password: Enter the password for accessing the SMS platform.
HTTP Proxy: Set whether to enable HTTP proxy. If you enable HTTP proxy, configure the IP address, port number, username, and password of the HTTP proxy.
If you select Common SMS Platform, configure the following parameters:
SMS Code: Select an encoding type. Options include UTF-8 and GBK.
Send Type: Select a message sending mode. Options include HTTP Request (POST) and Command.
Request URL: Enter the request URL for the common SMS platform to send messages. This parameter is required when the send type is HTTP Request (POST). When the system generates an alarm, the common SMS platform sends an HTTP request to this request URL to send SMS notifications. To obtain the exact address and address format, contact the SMS provider. Example: http://192.168.0.1:80/sendSms?userName=a&pwd=b&mobile={Mobile}&content={Content}, where {Mobile} represents the phone numbers to receive alarm messages and {Content} represents alarm message contents.
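An added example, not part of the original documentation or the product's code: a Python sketch that fills the {Mobile} and {Content} placeholders of a Request URL with percent-encoding in the selected SMS Code, and reviews the configured URL for cleartext HTTP and credentials in the query string, both of which appear in the sample URL above. The function names, the SECRET_KEYS list and the sample message are assumptions; how the product itself encodes the placeholders is not documented here.

```python
from urllib.parse import urlsplit, parse_qsl, quote

# Example URL from the Request URL parameter description above.
DOC_URL = ("http://192.168.0.1:80/sendSms?userName=a&pwd=b"
           "&mobile={Mobile}&content={Content}")
# Assumption: query parameter names that usually carry credentials.
SECRET_KEYS = {"pwd", "password", "passwd", "secret", "token", "apikey"}


def fill_request_url(template, mobile, content, sms_code="UTF-8"):
    """Substitute {Mobile} and {Content}, percent-encoding both values.

    sms_code mirrors the SMS Code setting (UTF-8 or GBK). Encoding the
    content keeps '&' or '=' in a message from adding query parameters.
    """
    if sms_code.upper() not in ("UTF-8", "GBK"):
        raise ValueError("SMS Code must be UTF-8 or GBK")
    for placeholder in ("{Mobile}", "{Content}"):
        if placeholder not in template:
            raise ValueError(f"Request URL lacks {placeholder}")
    mobile_value = quote(mobile, safe=",", encoding=sms_code)
    content_value = quote(content, safe="", encoding=sms_code)
    return (template.replace("{Mobile}", mobile_value)
                    .replace("{Content}", content_value))


def audit_request_url(template):
    """Return review findings for a configured Request URL."""
    parts = urlsplit(template)
    findings = []
    if parts.scheme != "https":
        findings.append("cleartext-transport")      # OTPs and credentials readable on the wire
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if keys & SECRET_KEYS:
        findings.append("credential-in-query")      # ends up in proxy and server access logs
    if parts.username or parts.password:
        findings.append("credential-in-userinfo")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real phone numbers or messages.
    print(fill_request_url(DOC_URL, "13800000000", "Code 123456 & more=1"))
    print(audit_request_url(DOC_URL))
```

Where the SMS provider offers an HTTPS endpoint, configuring that address removes the cleartext finding; credentials carried in the query string remain visible in any proxy or web server log that records full URLs.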
To use third-party login, you must first configure a third-party login server for processing third-party login authentication requests.
Before you configure a third-party login server, deploy a third-party login server.
From the left navigation pane, select Users > Auth Collaboration > Secondary Auth > Third-Party Login Configuration.
Click Configure for Third-Party Login Server Configuration.
Configure the third-party login server parameters, and then click Test Connectivity.
Click OK.
Private Network Protocol: Select a protocol for accessing the network where the management platform resides.
Private Network Host IP: Enter the IP address used by the third-party login server on the network where the management platform resides.
Private Network Port: Enter the port number used by the third-party login server on the network where the management platform resides.
Public Network Protocol: Select a protocol for accessing the Internet.
Public Network Host IP: Enter the IP address used by the third-party login server on the Internet.
Public Network Port: Enter the port number used by the third-party login server on the Internet.
Configure WeCom login to enable users to log in to the client by scanning a QR code with WeCom or submitting a one-time password for 2FA.
From the left navigation pane, select Users > Auth Collaboration > Secondary Auth > Third-Party Login Configuration.
Click Configure for WeCom Login.
Configure the WeCom login parameters.
Click OK.
Access the WeCom console to obtain a corporation ID, application secret, and application agent ID.
Corporation ID: Enter a corporation ID for Workspace in the WeCom console.
Secret: Enter an application secret.
AgentId: Enter an application agent ID.
Code Scanning Login: Select whether to enable code scanning login for WeCom. If you select Enabled, a user can directly log in to the Workspace client by scanning a QR code with WeCom.
Code Scanning 2FA: Select whether to enable code scanning 2FA for WeCom. If you select Enabled, a user can log in to the Workspace client only after performing the following tasks:
Enter a correct username and password.
Scan a QR code with WeCom.
You cannot enable both code scanning and one-time password for 2FA.
Random Code 2FA: Select whether to enable one-time password 2FA for WeCom. If you select Enabled, a user can log in to the Workspace client only after entering a correct username and password, and then either the one-time password from WeCom or an SMS one-time password.
Configure DingTalk login to enable users to log in to the client by scanning a QR code with DingTalk or submitting a one-time password for 2FA.
From the left navigation pane, select Users > Auth Collaboration > Secondary Auth > Third-Party Login Configuration.
Click Configure for DingTalk Login.
Configure the DingTalk login parameters.
Click OK.
Access the DingTalk console to obtain an application ID, application secret, and application agent ID.
QR Code Login Configuration: Configure the AppId and AppSecret parameters after enabling code scanning login.
AppId: Enter an application ID.
AppSecret: Enter an application secret.
Internal Application Configuration
AgentId: Enter the agent ID of an H5 micro application.
AppSecret: Enter the application secret of an H5 micro application.
AppKey: Enter the application key of an H5 micro application.
CorpId: Enter a corporation ID for Workspace in the DingTalk console.
Code Scanning Login: Select whether to enable code scanning login for DingTalk. If you select Enabled, a user can directly log in to the Workspace client by scanning a QR code with DingTalk.
Code Scanning 2FA: Select whether to enable code scanning 2FA for DingTalk. If you select Enabled, a user can log in to the Workspace client only after performing the following tasks:
Enter a correct username and password.
Scan a QR code with DingTalk.
You cannot enable both code scanning and one-time password for 2FA.
Random Code 2FA: Select whether to enable one-time password 2FA for DingTalk. If you select Enabled, a user can log in to the Workspace client only after entering a correct username and password, and then either the one-time password from DingTalk or an SMS one-time password.
Perform this task to enable users to log in to the client by using their phone numbers.
From the left navigation pane, select Users > Auth Collaboration > Secondary Auth > Third-Party Login Configuration.
Click Configure for Super SIM Login.
Enable Super SIM Login, and configure parameters as described in "Parameters."
Click OK.
To obtain an application ID and application key, visit the website at https://dev.10086.cn. Request a template ID by sending an email to the administrator.
TemplateId: Enter an authentication message template ID.
AppId: Enter an application ID.