Single sign-on (SSO) authentication allows a user to log in to multiple application systems with a single account. It also allows the user to log in to the application systems without re-entering credentials after the first login. It not only secures user login but also improves login efficiency. For example, users can use WeChat accounts to access Sina Weibo and TikTok applications.
Workspace supports SSO authentication. In the current software version, the only supported SSO protocol is OAuth 2.0, an open standard that provides unified authorization for third-party applications. In OAuth 2.0, the system acts as the authorization server to authorize users in the system to log in to third-party applications. After a third-party application is added to OAuth 2.0 of Workspace, Workspace automatically assigns a client ID and secret to the application. The administrator must include the client ID and secret in the configuration of the third-party application.
The SSO authentication process is as follows:
After a user chooses to use Workspace to log in to a third-party application, the user is redirected to the login page of Workspace. The client ID and secret are carried in the request packet.
Workspace verifies the client ID and secret of the third-party application. (This verification is skipped at subsequent logins.) If the verification passes, the user is requested to enter the user account on Workspace.
Workspace verifies the username and password that the user entered. If the verification passes, the user is redirected to the URL of the third-party application.
From the left navigation pane, select Users > Auth Collaboration > Account Collaboration > Web Client SSO Authentication.
Enable SSO authentication, and then configure SSO authentication parameters as described in "Parameters."
Click OK.
SSO Authentication: Select whether to enable SSO authentication. By default, SSO authentication is disabled. After you enable SSO authentication, password policies, access policies, and other authentication configurations do not take effect.
Authentication Protocol: Select the protocol used for SSO authentication. The current software version supports only OAuth 2.0.
Authorization Mode: Specify the mode for OAuth 2.0 to assign access tokens to third-party applications. OAuth 2.0 supports authorization code mode, simple mode, password mode, and client mode. The current software version supports only authorization code mode.
Client ID: Enter the ID that Workspace assigns to a third-party application.
Client Secret: Enter the secret that Workspace assigns to the third-party application.
Authentication URL: Enter the IP address of the SSO authentication server.
Access Token URL: Enter the URL from which SSO authentication obtains the access token.
User Info URL: Enter the URL from which SSO authentication obtains user information.
User Account Field: Enter the field from which SSO authentication obtains the user account in the user information.
Logout URL: Enter the URL that SSO authentication uses to deregister the login for the third-party application.
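
How the parameters above fit together in authorization code mode, shown as an added example that is not Workspace's or this page's own code. It follows the generic RFC 6749 flow, so Workspace's actual request format may differ; the URLs, the redirect URI, the `loginName` field, and all values are constructed placeholders.

```python
import hmac
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values; keys mirror the parameters above, URLs are placeholders.
CFG = {
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "auth_url": "https://sso.example.test/oauth/authorize",
    "token_url": "https://sso.example.test/oauth/token",
    "redirect_uri": "https://app.example.test/callback",  # assumed, not a page parameter
    "account_field": "loginName",                         # assumed field name
}

def new_state():
    return secrets.token_urlsafe(32)  # unguessable value kept in the user's session

def build_authorization_url(cfg, state):
    """Browser redirect to the Authentication URL; the secret is not placed here."""
    query = {"response_type": "code", "client_id": cfg["client_id"],
             "redirect_uri": cfg["redirect_uri"], "state": state}
    return cfg["auth_url"] + "?" + urlencode(query)

def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if state matches this login session."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not bound to this login")
    if "error" in params or "code" not in params:
        raise ValueError("authorization failed or code missing")
    return params["code"][0]

def build_token_request(cfg, code):
    """Server-to-server POST for the Access Token URL; the secret is sent only here."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": cfg["redirect_uri"],
            "client_id": cfg["client_id"], "client_secret": cfg["client_secret"]}
    return cfg["token_url"], urlencode(body)

def extract_account(user_info_json, field):
    """Read the User Account Field from the User Info response; reject bad values."""
    info = json.loads(user_info_json)
    account = info.get(field) if isinstance(info, dict) else None
    if not isinstance(account, str) or not account:
        raise ValueError(f"user account field {field!r} missing or not a string")
    return account
```

Send the token request body over HTTPS with `Content-Type: application/x-www-form-urlencoded`, and treat a failed state check or a missing account field as a failed login rather than falling back to a default account.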