OceanBase Cloud Platform (OCP) has a built-in account system. You can configure an external integration service in OCP and then log on to OCP by using single sign-on (SSO).
Prerequisites
- You have logged in to the OceanBase Cloud Platform (OCP) console and been assigned the ADMIN role.
- You have deployed the authorization service.
Considerations
- Only the authorization-code mode is supported in Open Authorization (OAuth) and OpenID Connect (OIDC).
- When you log off from OCP in an application configured with SSO based on OAuth or OIDC, only the logon state in OCP is cleared, and the logon state in the SSO system is not cleared.
Procedure
Configure SSO based on OAuth 2.0
Example: Use OAuth 2.0 to integrate a third-party application with OCP and use a third-party account to access OCP.
1. Log on to the OCP console.
2. In the left-side navigation pane, choose System Management > External Integration, and go to the SSO Integration List page.
3. Click Create SSO Integration in the upper-right corner. Configure the gateway authentication parameters in the dialog box that appears. The following parameters apply to SSO based on OAuth 2.0.
   - Configuration Name: The configuration name, which is used as a custom username for logon.
   - Type: Select OAuth2.
   - Enable Local Logon Mode: Specifies whether you can also log on with a local username and password.
   - Client ID: The ID of the third-party application, which must be consistent with that registered with the authorization server.
   - Client Secret: The secret of the third-party application.
   - Auth URL: The URL provided by the authorization server for obtaining the grant code.
   - User Info URL: The URL provided by the authorization server for obtaining user information.
   - Token URL: The URL provided by the authorization server for obtaining the access token.
   - Redirect URL: The callback URL that the authorization server uses to call back the OCP service. Notice: If the SSO system has a callback allowlist, you must add the redirect URL to the allowlist.
   - Scope: The authorization scope. Separate multiple scopes with spaces. We recommend that you set the value to profile. Notice: When you configure Alibaba Cloud Object Storage Service (OSS) in a third-party application, Scope must be specified.
   - jwkSet URL: The URL provided by the authorization server for obtaining the public key used for authentication. Optional advanced parameter.
   - userNameAttribute: The attribute of the returned user information that holds the username. Optional advanced parameter.
   - Client Authentication Method: The method that the authorization server uses to authenticate the client. Optional advanced parameter.
   - Authorization Grant Type: The OAuth 2.0 grant type. Optional advanced parameter.
   - User Info Authentication Method: The method used to authenticate the access token when the resource request is sent to the resource server. Optional advanced parameter.
4. Click Test Connection to go to the third-party logon authorization page. Enter the third-party account and password and click Third-party Sign-on to log on to OCP.
5. After the connection test succeeds, the user information API returns its response structure. Configure the user field mapping parameters based on the returned structure.
   Note: The structure returned by the user information API varies with the third-party application. To map the user information of a third-party application to the user fields in OCP, you must configure the user field mappings. The user field mappings determine which OCP account an OAuth 2.0 logon resolves to.
6. Click Save. On the SSO Integration List page, enable the created SSO integration task by referring to Enable/Disable an SSO integration task.
Configure SSO based on OIDC
Example: Use OIDC to integrate a third-party application with OCP and use a third-party account to access OCP.
1. Log on to the OCP console.
2. In the left-side navigation pane, choose System Management > External Integration, and go to the SSO Integration List page.
3. Click Create SSO Integration in the upper-right corner. Configure the gateway authentication parameters in the dialog box that appears. The following parameters apply to SSO based on OIDC.
   - Configuration Name: The configuration name, which is used as a custom username for logon.
   - Type: Select OIDC.
   - Client ID: The ID of the third-party application, which must be consistent with that registered with the authorization server.
   - Client Secret: The secret of the third-party application, which must be consistent with that registered with the authorization server.
   - Scope: The authorization scope. Separate multiple scopes with spaces. We recommend that you set the value to profile. Notice: When you configure Alibaba Cloud Object Storage Service (OSS) in a third-party application, Scope must be specified.
   - Issue URL: The issue URL of the authentication service.
   - Redirect URL: The callback URL that the authorization server uses to call back the OCP service. Notice: If the SSO system has a callback allowlist, you must add the redirect URL to the allowlist.
   - Data Structure Type of User Information: The FLAT and NESTED structure types are supported.
4. An independent callback allowlist is required for connection testing. Manually add the allowlist entry as prompted and then click Test Connection. Enter the third-party account and password and click Third-party Sign-on to log on to OCP.
5. After the connection test succeeds, the user information API returns its response structure. Configure the user field mapping parameters based on the returned structure.
   Note: The structure returned by the user information API varies with the third-party application. To map the user information of a third-party application to the user fields in OCP, you must configure the user field mappings. The user field mappings determine which OCP account an OIDC logon resolves to.
6. Click Save. On the SSO Integration List page, enable the created SSO integration task by referring to Enable/Disable an SSO integration task.
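As an added illustration (not OCP code and not a real OCP configuration), the following Python models the authorization-code exchange that both the OAuth 2.0 and the OIDC procedures above rely on, plus the user field mapping step they share: it builds the request to the Auth URL with the Redirect URL checked against the callback allowlist, verifies the state value on the callback, and resolves userNameAttribute-style paths against FLAT and NESTED user-info structures. All URLs, client IDs, and user-info payloads are constructed sample values.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed configuration mirroring the OCP dialog fields (hypothetical values, not a real IdP).
SSO_CONFIG = {
    "client_id": "ocp-client",
    "auth_url": "https://idp.example.com/oauth2/authorize",
    "redirect_url": "https://ocp.example.com/sso/callback",
    "scope": "profile",
}
# Callback allowlist as registered on the SSO side; exact string match only.
CALLBACK_ALLOWLIST = {"https://ocp.example.com/sso/callback"}


def build_authorization_url(cfg, state):
    """Build the authorization-code request; refuse a redirect URL that is not allowlisted.
    state must be an unguessable per-session value (e.g. secrets.token_urlsafe)."""
    if cfg["redirect_url"] not in CALLBACK_ALLOWLIST:
        raise ValueError("redirect URL is not in the callback allowlist")
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": cfg["redirect_url"], "scope": cfg["scope"], "state": state}
    return cfg["auth_url"] + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Return the grant code from the callback only if state matches what this session issued."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated by this session")
    return query["code"][0]


def lookup(user_info, attribute):
    """Resolve a FLAT key ('login') or a NESTED dotted path ('profile.login')."""
    node = user_info
    for part in attribute.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def map_user_fields(user_info_json, mapping):
    """mapping: OCP user field -> attribute path in the user-info response."""
    info = json.loads(user_info_json)
    mapped = {}
    for ocp_field, attribute in mapping.items():
        value = lookup(info, attribute)
        if value in (None, ""):
            raise ValueError(f"user-info response has no value at '{attribute}'")
        mapped[ocp_field] = str(value)
    return mapped
```

A mapping whose path does not exist in the returned structure fails closed rather than creating an OCP session with an empty username.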