Skip to content

OIDC

This is the standard OIDC configuration by default. If your configuration is non-standard, you can switch pages to configure.

Go to Manage > Member Management > SSO Management > User SSO, select the SAML access type, and start adding an identity provider.

Configure

  1. Identity provider name: The name of the platform providing identity management services (❗️This name will serve as the IdP alias and appear on the single sign-on IdP selection interface. To ensure you can quickly locate the desired IdP for login, please provide an appropriate name).
  2. Remarks: User-defined descriptive information for recording relevant descriptions of the identity provider.
  3. Identity provider URL: The complete URL of the identity provider, also the service discovery address. For example: https://guance.example.com.
  4. Client ID: A unique identifier provided by the authentication service, used to identify the client application.
  5. Client secret: Used in conjunction with the Client ID to authenticate the client application.
  6. Authorization request Scope: The scope of the authorization request. By default, it includes openid, profile, and email. Additional claims like address and phone can be added as needed.

Mapping Configuration

To implement SSO login, field mapping between the identity provider (IdP) account information and the Guance account information is required. The main fields are as follows:

  1. Username: Required; the "username" field from the identity provider, e.g., referred_username.
  2. Email: Required; the "email" field from the identity provider, e.g., email.
  3. Phone number: Optional; the "phone number" field from the identity provider, e.g., phone.

Login Control

  1. Access restriction: Verifies whether the domain suffix of the login email matches the configured domain. Only emails that match have permission to access the SSO login link. User accounts for Guance members can be dynamically created upon first login; they do not need to be pre-created in the workspace.
  2. Role assignment: Assigns a role to the SSO account upon first login. Accounts logging in subsequently are not affected.
    • If SAML mapping is enabled in the workspace, role assignment will prioritize the mapping rules.
  3. Session persistence: Sets the inactivity timeout and maximum duration for the SSO login session.
Important considerations for user-side OIDC configuration
  • Authorization mode: Only the authorization_code authorization mode is supported; its response type must be code.
  • id_token signature algorithm: Currently, only HS256 is supported.

  • Authentication method for exchanging code for token:

    • Supported by default: client_secret_basic
    • Custom methods supported: client_secret_post, client_secret_basic, none

  • scope range:

    • Default scope: openid, profile, email, phone

    • Custom requirements: Must include openid. Others can be customized, but the response must include email, and may optionally include phone_number.

Non-Standard OIDC Configuration

How to understand non-standard OIDC configuration?

Non-standard configurations typically occur when the client side uses OAuth2 for authentication. However, the OAuth2 protocol does not specify an interface for obtaining account information, leading to significant variations in how user information is retrieved, which is crucial for successful mapping. Additionally, differing interface design rules on the client side can result in inconsistent parameter casing conventions compared to the protocol, which also constitutes a non-standard scenario.

  1. Go to Manage > Member Management > SSO Management > OIDC > Create Identity Provider.
  2. Click the button in the top right corner to switch to the standard OIDC configuration page.
  3. Identity provider name: The name of the platform providing identity management services.
  4. Configuration file upload: Click to download the template, fill in the relevant information, and then upload it.
  5. Remarks: User-defined descriptive information for recording relevant descriptions of the identity provider.
  6. Login Configuration.

Obtaining URLs

After successfully adding the identity provider, you can obtain the Callback URL and Initiate Login URL.

Field Description
Callback URL The callback address agreed upon in the OIDC protocol for receiving authentication responses from the identity provider after successful authentication.
Initiate Login URL The entry address provided by the identity provider for initiating the OIDC login flow from the Guance side.

After obtaining these two URLs, they need to be provided to the identity provider.

Login Verification

  1. Access the Guance SSO page via email login: https://auth.guance.com/login/sso.
  2. Enter the email address configured during SSO creation and select the IDP associated with the workspace you wish to log into.
  3. After successful authentication, you will be redirected to the workspace selection interface.
  4. Log in to that address.
  5. Enter your username, password, and other required information.
  6. Login is successful.

Note
  • If role mapping is enabled in the workspace but the current user does not match any role or if role mapping is disabled, an "No access permission" message will be displayed.
  • After an identity provider is deleted from a workspace, users will not see unauthorized workspaces when selecting SSO login.

Feedback

Is this page helpful? ×