Configure SSO authentication

To use a domain name to access the authentication service, contact Technical Support.

If you cannot log in to the system through SSO after SSO authentication is enabled, contact the administrator to change the login password and then try again.

After you pass SSO authentication and access the SSO service, the system will save your basic information automatically.

 

CAS

  1. On the top navigation bar, click System.

  2. From the left navigation pane, select System Settings > Security Settings > SSO Authentication.

  3. Enable SSO authentication, and then select the CAS protocol.

  4. Enter the address of the CAS server, for example, http://{ip}/cas/auth.

  5. Click OK.

OPENID

Configure OAuth 2.0 on the server

The system can provide OAuth 2.0 services. To configure OAuth 2.0 when the system is used as the OPENID server, see "Create an OAuth 2.0 service."

The redirect URL and logout redirect URL formats are as follows:

· If a DNS server is configured on the client side and you want to receive requests through domain names, execute the curl -X PUT http://{IP of the system}/api/sso/client/dns?vip={OPENID client domain name} command to edit the domain name in the client backend.

· For the configuration to take effect, make sure the system is configured with DNS configuration file /etc/resolv.conf and can resolve client domain names.

 

Configure SSO authentication settings on the client

  1. On the top navigation bar, click System.

  2. From the left navigation pane, select System Settings > Security Settings > SSO Authentication.

  3. Enable SSO authentication, and then select the OPENID protocol.

  4. Enter the client ID, client secret, and the server address, which is http://{ServerIP:Port}/.well-known/openid-configuration.

  5. Click OK.
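
As an added example (not part of the product documentation), the following Python check can be run on the discovery document behind the server address before that address is entered in the client settings. It assumes the server publishes standard OpenID Connect Discovery metadata; the function name, the field list, and the sample address and document are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Assumption: the server publishes standard OpenID Connect Discovery metadata.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(server_address, document):
    """Return findings for the discovery JSON text fetched from server_address."""
    if not server_address.endswith(WELL_KNOWN):
        return [f"server address must end with {WELL_KNOWN}"]
    expected_issuer = server_address[: -len(WELL_KNOWN)]
    try:
        meta = json.loads(document)
    except ValueError:
        return ["discovery document is not valid JSON"]
    if not isinstance(meta, dict):
        return ["discovery document is not a JSON object"]

    findings = []
    for field in REQUIRED:
        value = meta.get(field)
        if not isinstance(value, str) or not value:
            findings.append(f"missing field: {field}")
        elif urlsplit(value).scheme != "https":
            # The client secret and tokens cross these URLs.
            findings.append(f"cleartext URL in {field}: {value}")
    # Discovery requires the issuer to equal the URL prefix it was fetched from.
    issuer = meta.get("issuer")
    if isinstance(issuer, str) and issuer != expected_issuer:
        findings.append(f"issuer mismatch: got {issuer}, expected {expected_issuer}")
    return findings


# Constructed sample input (192.0.2.0/24 is a documentation address range).
SAMPLE_ADDRESS = "https://192.0.2.10:8443" + WELL_KNOWN
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "https://192.0.2.99:8443",  # does not match the configured server
    "authorization_endpoint": "https://192.0.2.10:8443/oauth/authorize",
    "token_endpoint": "http://192.0.2.10:8443/oauth/token",  # cleartext
})

if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_ADDRESS, SAMPLE_DOCUMENT):
        print(finding)
```

An empty result means the document passed these checks; any finding should be resolved on the server before the client is pointed at it.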

OAuth 2.0

Configure OAuth 2.0 on the server

The system can provide OAuth 2.0 services. To configure OAuth 2.0 when the system is used as the OAuth 2.0 server, see "Create an OAuth 2.0 service."

The redirect URL and logout redirect URL formats are as follows:

· If a DNS server is configured on the client side and you want to receive requests through domain names, execute the curl -X PUT http://{IP of the system}/api/sso/client/dns?vip={OPENID client domain name} command to edit the domain name in the client backend.

· For the configuration to take effect, make sure the system is configured with DNS configuration file /etc/resolv.conf and can resolve client domain names.

 

Configure SSO authentication settings on the client

  1. On the top navigation bar, click System.

  2. From the left navigation pane, select System Settings > Security Settings > SSO Authentication.

  3. Enable SSO authentication, and then select OAuth 2.0 as the authentication protocol.

  4. Configure OAuth 2.0 authentication parameters.

Figure-1 Configuring OAuth 2.0 authentication parameters (UNI-RZT authentication)

| Parameter | Description |
|---|---|
| client id | Specify the client ID assigned by the server. |
| client secret | Specify the client secret assigned by the server. |
| authURL | Specify the authorization URL, for example, http://{Server:Port}/oauth/authorize. |
| accessToken URL | Specify the URL for obtaining the token, for example, http://{Server:Port}/oauth/token. |
| profileURL | Specify the user information URL, for example, http://{Server:Port}/api/user/v2/userinfo. |
| logoutURL | Specify the logout URL, for example, http://{Server:Port}/api/user/logout. |
| User Info Encryption | Select whether to encrypt user information. The configuration must be the same as that on the server. Yes: User information will also be encrypted. No: Only user data is encrypted. |

 

Figure-2 Configuring OAuth 2.0 authentication parameters (WST authentication)

| Parameter | Description |
|---|---|
| client id | Specify the client ID assigned by the server. |
| client secret | Specify the client secret assigned by the server. |
| authURL | Specify the authorization URL, for example, http://{Server:Port}/oauth/authorize. |
| accessToken URL | Specify the URL for obtaining the token, for example, http://{Server:Port}/oauth/token. |
| profileURL | Specify the user information URL, for example, http://{Server:Port}/api/user/v2/userinfo. |
| logoutURL | Specify the logout URL, for example, http://{Server:Port}/api/user/logout. |

 

  5. Click OK.