SSO Management¶
Guance supports SSO management based on SAML, OIDC/ Oauth2.0 protocols, allowing enterprises to manage employee information in their local IdP (identity provider). There is no need for user synchronization between Guance and the enterprise's IdP, and enterprise employees can log in and access Guance with specified roles.
In SSO Management, you can:
- Configure single sign-on based on corporate domain
- Configure a more refined single sign-on scheme based on corporate domain with role mapping enabled
User SSO¶
Guance supports single sign-on configuration based on corporate domains. As long as an employee’s email matches the unified identity authentication domain suffix of the company, they can directly log in to Guance via this email and access the system according to the configured permissions.
- Navigate to Management > Member Management > SSO Management > User SSO;
- Select SAML or OIDC as needed;
- Start configuring.
Note
- You can create multiple SSO IDP configurations; each workspace SSO configuration is limited to no more than 10;
- If multiple workspaces are simultaneously configured with the same identity provider SSO single sign-on, users can log in via SSO to the workspace and switch between different workspaces by clicking the workspace option in the top-left corner to view data.
SAML¶
Input Field | Description |
---|---|
Identity Provider | Platform that provides identity management services for managing user identities and authentication information. Define the name here. |
Metadata Document | XML document provided by the IdP (identity provider). |
Notes | Custom-added descriptive information used to record relevant explanations about the identity provider. |
Access Restrictions | Verifies whether the login email domain suffix matches the configured domain. Only matching emails have permission to access the SSO login link. User accounts can be dynamically created upon first login without needing to be pre-created in the workspace. |
Role Authorization | Assign roles to SSO accounts logging in for the first time; accounts logging in subsequently are unaffected. For details on role permissions, refer to Role Management. |
Session Persistence | Set the idle persistence time and maximum persistence time for SSO login sessions. Sessions will expire after the timeout period. |
Obtain Entity ID and Assertion Address¶
After successfully adding the identity provider, click the Update button on the right side to obtain the Entity ID and Assertion Address, then complete the corresponding SAML configuration according to the requirements of the identity provider.
Field | Description |
---|---|
Login Address | Guance SSO login address generated from the metadata document uploaded by the user. Each login address is limited to accessing one workspace. |
Metadata | Guance SSO metadata file generated from the metadata document uploaded by the user. |
Entity ID | Guance SSO login entity ID generated from the metadata document uploaded by the user. Used to identify the service provider (SP) in the identity provider (IdP), such as << custom_key.brand_name >>>. |
Assertion Address | Guance SSO login assertion target address generated from the metadata document uploaded by the user. Used by the identity provider (IdP) to call and complete single sign-on. |
Session Persistence¶
When configuring SSO single sign-on, you can set a uniform login persistence time for enterprise members logging in via SSO, including "idle session persistence time" and "maximum session persistence time."
- Idle session persistence time: Supported range is 180~1440 minutes, default value is 180 minutes.
- Maximum session persistence time: Supported range is 0~7 days, where 0 indicates never expiring, default value is 7 days.
Example Explanation
After updating the SSO login persistence time:
- Already logged-in members: Their login session expiration time remains unchanged.
- Newly logged-in members: The latest login persistence time settings take effect.
For example: - Initially, when configuring SSO, the idle session expiration time was set to 30 minutes. Member A logs in at this point, and their idle session expiration time is 30 minutes. - The administrator subsequently updates the idle session expiration time to 60 minutes. Member A's idle session expiration time remains 30 minutes, while Member B, who logs in afterward, will have an idle session expiration time of 60 minutes, and so on.
OIDC¶
Navigate to Management > Member Management > SSO Management > OIDC > Create Identity Provider, which defaults to standard OIDC configuration. If you are not using a standard OIDC configuration, you can switch pages to configure.
Connection Configuration¶
Input Field | Description |
---|---|
Identity Provider Name | Name of the platform providing identity management services. |
Notes | Custom-added descriptive information used to record relevant explanations about the identity provider. |
Identity Provider URL | Full URL of the identity provider, also the service discovery address. For example: https://guance.example.com Note: If the link cannot be accessed, check the legality of the URL or try again later. |
Client ID | Unique identifier provided by the authentication service to identify the client application. |
Client Secret | Used together with the client ID to authenticate the client application. |
Authorization Request Scope | Scope of the authorization request. Defaults include openid , profile , and email . You can add additional claims like address and phone as needed. |
Mapping Configuration¶
To achieve SSO login, it is necessary to map the account information from the identity provider (IdP) to the Guance account information. The main fields are as follows:
- Username: Required; the "username" field from the identity provider, for example
referred_username
; - Email: Required; the "email" field from the identity provider, for example
email
; - Phone Number: Optional; the "phone number" field from the identity provider, for example
phone
.
Login Configuration¶
Field | Description |
---|---|
Access Restrictions | Verifies whether the login email domain suffix matches the configured domain. Only matching emails have permission to access the SSO login link. User accounts can be dynamically created upon first login without needing to be pre-created in the workspace. |
Role Authorization | Assign roles to SSO accounts logging in for the first time; accounts logging in subsequently are unaffected. For details on role permissions, refer to Role Management. |
Session Persistence | Set the idle persistence time and maximum persistence time for SSO login sessions. Sessions will expire after the timeout period. |
User-side OIDC Configuration Considerations
- Authorization Mode: Only supports
authorization_code
authorization mode; its return type must becode
; id_token
Signature Algorithm: Currently only supportsHS256
;-
code
Exchangetoken
Authentication Method:- Default support:
client_secret_basic
- Custom method support:
client_secret_post
,client_secret_basic
,none
- Default support:
-
scope
Scope:-
Default scope: openid profile email phone
-
Custom requirement: Must include
openid
, others can be customized, but the returned result must containemail
, optionally returningphone_number
.
-
Non-Standard OIDC Configuration¶
Understanding Non-Standard OIDC Configuration?
Non-standard configuration usually occurs because the customer uses Oauth2 for identity authentication. However, the Oauth2 protocol does not specify an interface for obtaining account information, leading to significant differences in this step since successful mapping depends on this information. Additionally, due to inconsistent interface design rules among customers, there may be discrepancies in the case style of parameters, making it non-standard.
- Navigate to Management > Member Management > SSO Management > OIDC > Create Identity Provider;
- Click the upper-right corner to switch into the standard OIDC configuration page:
Connection Configuration¶
Input Field | Description |
---|---|
Identity Provider Name | Name of the platform providing identity management services. |
Configuration File Upload | Download the template, fill in the relevant information, and upload it. |
Notes | Custom-added descriptive information used to record relevant explanations about the identity provider. |
Login Configuration¶
Input Field | Description |
---|---|
Access Restrictions | Verifies whether the login email domain suffix matches the configured domain. Only matching emails have permission to access the SSO login link. User accounts can be dynamically created upon first login without needing to be pre-created in the workspace. |
Role Authorization | Assign roles to SSO accounts logging in for the first time; accounts logging in subsequently are unaffected. |
Session Persistence | Set the idle persistence time and maximum persistence time for SSO login sessions. Sessions will expire after the timeout period. |
Obtain URLs¶
After successfully adding the identity provider, you can obtain the Callback URL and Initiate Login URL.
Field | Description |
---|---|
Callback URL | The callback address agreed upon in the OIDC protocol after authentication is successful, used to receive the authentication response from the identity provider. |
Initiate Login URL | The entry address from Guance to start the OIDC login process, provided by the identity provider. |
After obtaining these two URLs, provide them to the identity provider.
SSO List¶
Enable Role Mapping¶
You can enable or disable role mapping for a single identity provider (IDP):
- Enable role mapping:
- SSO user accounts will be dynamically assigned roles based on the
attribute fields
andattribute values
provided by the identity provider that match the role mapping rules. - If no role mapping rule is matched, the user account will be deprived of all roles and will not be able to log in to access the workspace.
- SSO user accounts will be dynamically assigned roles based on the
- Disable role mapping: SSO login users will continue to retain previously assigned roles, unaffected by changes in assertions on the identity provider side.
Enable/Update/Delete/Import/Export SSO¶
After adding an identity provider, you can enable or disable the current SSO configuration as needed. Once enabled, the following operations are supported:
- Update SSO configuration: Updates will affect the login experience of existing SSO members, so proceed with caution.
- Delete SSO configuration: Deletion will remove the current SSO configuration, and all related members will no longer be able to log in via this SSO configuration, so proceed with caution.
- Import/Export Identity Providers: Support importing and exporting identity provider configurations for quick replication across multiple workspaces.
Note:
- When exporting files, the file name cannot be the same as any existing identity provider in the current workspace.
- Exported files must conform to JSON format standards.
View SSO Members¶
- Member Count: Displays the total number of members who have logged in via SSO.
- Member List: Clicking on the member count allows you to view the specific list of authorized SSO members.
Login Verification¶
- Email login to Guance SSO page: https://auth.guance.com/login/sso;
- Enter the email address configured during SSO creation to access all authorized workspaces under that identity provider;
- Login address;
- Enter username, password, etc.;
- Login success.
Note
- If the workspace has enabled role mapping but the current user does not match a role or the role mapping is disabled, a message indicating "no access permission" will appear;
- If the workspace deletes the identity provider, users selecting SSO login will not see unauthorized workspaces.
Email Notifications¶
When enabling, configuring, or deleting SSO, the Owner and Administrator of the workspace will receive relevant email notifications.
Audit Events¶
Enabling, configuring, or deleting SSO operations will generate audit events.