This topic describes how to enable organization authentication. Once enabled, organization members must sign in through the organization-specific URL. Supported authentication methods include password/verification code, SAML, Google, and Microsoft.
Prerequisites
When configuring organization authentication, if you choose the SAML authentication method, you need to refer to Configure IdP to complete the federated identity authentication configuration.
Considerations
- When configuring SAML authentication for the first time, configure at least one additional authentication method to prevent sign-in failures caused by an incorrect SAML configuration.
- You can sign in to an organization through its organization-specific URL. Alternatively, you can sign in to the OB Cloud website with a personal account and complete organization authentication when switching organizations.
- When a user signs in through an organization-specific URL:
- Ensure that the user has an OB Cloud account.
- If the user signs in using password/verification code, Google, or Microsoft, or uses SAML without a domain allowlist configured, ensure that the user has joined the organization.
- Organization-level multi-factor authentication (MFA) is triggered only when users sign in using a password or verification code. To use MFA with SAML authentication, configure MFA in the identity provider.
Procedure
Log in to the OceanBase Cloud console.
From the organization drop-down list in the upper-left corner, select an organization to go to its project information page.
In the left-side navigation pane, click Organization Settings.
Turn on Organization Authentication, and complete the following configuration:
Custom URL: Specify an organization-specific sign-in URL. Enter a suffix for the organization sign-in page URL. Once organization authentication is enabled, members can use this URL to sign in to the organization. The suffix must be 3 to 64 characters in length and can contain only letters, digits, and underscores (_).
Notice
After the URL takes effect, it cannot be modified. To change the URL, disable organization authentication and reconfigure it.
Select one or more authentication methods. All organization members must authenticate using at least one of the following methods: Password/Verification Code, Google, Microsoft, or SAML.
- Password/Verification Code: Members can sign in using an account password or verification code.
- Google: Members can sign in using a Google account.
- Microsoft: Members can sign in using a Microsoft account.
- SAML: After federated authentication is configured, members can authenticate through a third-party identity provider.
If you select SAML, configure federated authentication as follows:
Configure the identity provider.
Sign in to the identity provider console, create a SAML application, and enter the ACS URL and SP Entity ID provided by OB Cloud in the application configuration.
For information about creating a SAML application, see Configure an IdP.
Obtain the identity provider information.
After you create and configure the SAML application in the identity provider console, the application automatically generates an IdP SSO URL and an IdP X.509 Certificate. Download or save this information, and then enter or upload it on this page. OB Cloud supports automatic configuration by uploading a metadata XML file, as well as manual configuration.
For information about obtaining the IdP SSO URL and IdP X.509 Certificate, see Configure an IdP.
Optional: Configure a domain allowlist.
After a domain allowlist is configured, the system checks members against the allowlist. A matched member is automatically added to the current organization and assigned the default role upon their first single sign-on. Unmatched members must be manually invited through OB Cloud. The default role takes effect only when the domain list is not empty.
- In Email Domain, add the domains that are allowed to sign in. Separate multiple domains with semicolons (;) or line breaks.
- In Organization Role, select a role for allowlisted members. For more information about roles, see Role Permission List.
Click OK. Organization members can then sign in using the configured organization-specific URL.
Related operations
- Edit organization authentication: After organization authentication is enabled, click Edit to modify configuration settings other than the URL. To change the URL, disable organization authentication and reconfigure it.
- Disable organization authentication: You can disable organization authentication when it is no longer required. After it is disabled, the configured authentication methods and organization-specific URL are deleted, and members can no longer use organization authentication. This operation cannot be undone. Proceed with caution.
