Managing Domain


This article introduces how sub-administrators manage the domains and configure single sign-on (SSO) of the current OU in EnOS Application Portal Admin Console.

Note

The management tasks that sub-administrators can perform are subject to the authorization from OU administrators. For more information, contact your OU administrator.

Prerequisites


Before you start, make sure that:

  • You have permission to manage domains. For more information about the permission to manage domains, contact your OU administrator.

  • SSO is enabled for this OU. For more information on the SSO function, contact your system administrator.

Creating a Domain


  1. Select Domain Configuration from the left navigation pane of EnOS Application Portal Admin Console.

  2. Select Add Domain and enter the following information on the popup window.


    • Name: Enter the domain name. The domain name cannot be changed after the domain is created.

    • URL: Enter the URL address of the domain.

    • Auto-Import Users: Enable this function to automatically create a domain account, and assign roles or user groups to it, when a user logs in to Application Portal via SSO for the first time.

    • Roles: After enabling Auto-Import Users, select from the dropdown list the roles to assign automatically to the domain user.

    • User Groups: After enabling Auto-Import Users, select from the dropdown list the user groups to assign automatically to the domain user.

    • Description: Enter the description of the domain.


  3. Select Submit.


After creating a domain, you can create domain accounts for the domain. For more information on creating domain accounts, see Creating a User.

Updating Domain Information


  1. Select Domain Configuration from the left navigation pane of EnOS Application Portal Admin Console.

  2. Select the Edit icon of the target domain in the domain list.

  3. Edit the URL, auto-import function, and description of the domain on the popup window.

  4. Select Submit.

Deleting a Domain


  1. Select Domain Configuration from the left navigation pane of EnOS Application Portal Admin Console.

  2. Select the Delete icon of the target domain in the domain list.

  3. Select OK on the popup window. If the domain still has domain accounts, you need to remove those accounts before you can delete the domain.

Configure Single Sign-On


Domains within an OU support SAML and OAuth 2.0 protocols by default. By configuring Single Sign-On (SSO), you can enable users in this OU to authenticate through a third-party Identity Provider (IdP) for seamless login.

Enable Single Sign-On


  1. In the left navigation bar of EnOS Application Portal Admin Console, select Domain Configuration.

  2. In the domain list, find the domain that needs SSO configuration, and click the Configure Single Sign-On icon in the operations column to enter the configuration page.

  3. Toggle the switch next to Single Sign-On (SSO) is disabled for this domain to enable SSO.

  4. Based on the protocol type supported by your IdP, select the SSO Protocol as SAML or OAuth 2.0, and then follow the configuration steps for the corresponding protocol.

SAML Single Sign-On Configuration


  1. On the SSO configuration page, select SSO Protocol as SAML.

  2. In the IdP Metadata field, choose one of the following ways to provide the IdP metadata information:

    • URL: Enter the online metadata file URL provided by the IdP.

    • Upload File: Upload the metadata XML file obtained from the IdP.

  3. In the Client ID field, enter the application Client ID generated after registering EnOS Application Portal in the IdP. EnOS will use this ID for authentication when accessing authorization endpoints as a client.

  4. In the Logout Redirect URI field, enter the URL address to which users should be redirected after logging out of the Application Portal.

  5. Configure Attribute Mappings. The system will automatically identify available attribute fields based on the metadata. Select and map the required user attributes in the table below:


    • Username (Required): Specifies a field from the user attributes provided by the IdP to be used as the ‘Username’ field in EnOS.

    • Email (Required): Specifies a field from the user attributes provided by the IdP to be used as the ‘Email’ field in EnOS.

    • Phone (Optional): Select the field from the IdP attributes used to store the user’s phone number.

    • First Name (Optional): Specifies a field from the user attributes provided by the IdP to be used as the first name part of the ‘Nickname’ field in EnOS.

    • Last Name (Optional): Specifies a field from the user attributes provided by the IdP to be used as the last name part of the ‘Nickname’ field in EnOS. The first name and last name are concatenated to form the ‘Nickname’.

    • Company (Optional): Select the field from the IdP attributes used to store the user’s company name.

    • Department (Optional): Select the field from the IdP attributes used to store the user’s department name.

    • Position (Optional): Select the field from the IdP attributes used to store the user’s job title.

    • Role (Optional): Specifies a field from the user attributes provided by the IdP to be used as the ‘Role’ field in EnOS. For the permissions to take effect, you must afterwards create roles in EnOS whose names exactly match those passed from the IdP.

    • User Group (Optional): Specifies a field from the user attributes provided by the IdP to be used as the ‘User Group’ field in EnOS. For the permissions to take effect, you must afterwards create user groups in EnOS whose names exactly match those passed from the IdP.


  6. Select Save to complete the configuration.

OAuth 2.0 Single Sign-On Configuration


  1. On the SSO configuration page, select SSO Protocol as OAuth 2.0.

  2. In the Login Redirect URI field, obtain the redirect address provided by EnOS. When you register an application for EnOS Application Portal in the IdP, this URL must be provided so that the IdP can send the authorization code to EnOS after the user completes authentication.

  3. In the Logout Redirect URI field, enter the URL address to which users should be redirected after logging out of the Application Portal.

  4. Configure client information. Obtain the following information from the IdP and fill it into the corresponding fields:


    • Client ID (Required): The identifier the client uses when authenticating. After you register an application for EnOS Application Portal in the IdP, the IdP generates a client ID.

    • Client Secret (Required): The secret paired with the Client ID. EnOS uses the Client ID and secret to authenticate when accessing the authorization endpoints.

    • Client Authentication Method (Required): The method by which EnOS proves its identity to the IdP, ensuring that only registered, legitimate clients can obtain tokens or access protected resources. Supports Basic or POST.

    • Authorization Scope (Required): Specifies the resource permissions or user information scope requested by EnOS (e.g., openid, email, profile), with multiple values separated by spaces.

    • Issuer: Whether to provide the Issuer URL. If ‘Yes’ is selected, enter the Issuer URL. If ‘No’ is selected, you must manually enter the endpoint information below.

    • Authorization Endpoint (Required when Issuer is No): The HTTP URL where users authenticate (e.g., the login page address). Upon successful user authentication, an authorization code is sent to EnOS.

    • Token Endpoint (Required when Issuer is No): The endpoint where EnOS exchanges authorization codes or other credentials. The token endpoint validates the request and returns tokens and other information.

    • UserInfo Endpoint (Required when Issuer is No): The endpoint, provided by the IdP, from which EnOS retrieves user identity information using the token.

    • UserInfo Authentication (Required when Issuer is No): How the token is presented to the UserInfo endpoint when EnOS requests user data: Header, Form, or Query.

    • Signature Algorithm: The algorithm used to verify the signature on tokens or other signed information exchanged with the IdP.


  5. Configure Attribute Mappings. Select and map the required user attributes in the table below:


    • Username (Required): Specifies a field from the user attributes provided by the IdP to be used as the ‘Username’ field in EnOS.

    • Email (Required): Specifies a field from the user attributes provided by the IdP to be used as the ‘Email’ field in EnOS.

    • Phone (Optional): Select the field from the IdP attributes used to store the user’s phone number.

    • First Name (Optional): Specifies a field from the user attributes provided by the IdP to be used as the first name part of the ‘Nickname’ field in EnOS.

    • Last Name (Optional): Specifies a field from the user attributes provided by the IdP to be used as the last name part of the ‘Nickname’ field in EnOS. The first name and last name are concatenated to form the ‘Nickname’.

    • Company (Optional): Select the field from the IdP attributes used to store the user’s company name.

    • Department (Optional): Select the field from the IdP attributes used to store the user’s department name.

    • Position (Optional): Select the field from the IdP attributes used to store the user’s job title.

    • Role (Optional): Specifies a field from the user attributes provided by the IdP to be used as the ‘Role’ field in EnOS. For the permissions to take effect, you must afterwards create roles in EnOS whose names exactly match those passed from the IdP.

    • User Group (Optional): Specifies a field from the user attributes provided by the IdP to be used as the ‘User Group’ field in EnOS. For the permissions to take effect, you must afterwards create user groups in EnOS whose names exactly match those passed from the IdP.


  6. Select Save to complete the configuration.
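The following added example (not EnOS product code) shows what the OAuth 2.0 client settings above mean on the wire: how the endpoints are resolved from an Issuer URL (Issuer = Yes) or taken from manually entered values (Issuer = No), how the Basic and POST client authentication methods differ in the token request, and how the Header, Form and Query options of UserInfo Authentication present the token to the UserInfo endpoint. The issuer, discovery document, client credentials, redirect URIs and function names are all constructed for illustration, and nothing is sent over the network.

```python
# Added example, not EnOS code. All URLs, credentials and the discovery document
# below are constructed for illustration.
import base64
import json
from typing import Dict, Optional
from urllib.parse import quote, urlencode

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def discovery_url(issuer: str) -> str:
    """Issuer = Yes: the IdP publishes its endpoints at this well-known location."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def resolve_endpoints(issuer: Optional[str] = None,
                      discovery_doc: Optional[str] = None,
                      manual: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return the three endpoints. With an issuer they come from the discovery
    document (passed in here as JSON text; in practice fetched over HTTPS from
    discovery_url(issuer)). Without one, all three must be entered by hand."""
    if issuer:
        doc = json.loads(discovery_doc or "{}")
        # The document must name the issuer we configured; otherwise we could be
        # handed endpoints that belong to a different identity provider.
        if doc.get("issuer") != issuer:
            raise ValueError("discovery document issuer does not match the configured Issuer URL")
        missing = [k for k in ENDPOINT_KEYS if k not in doc]
    else:
        doc = manual or {}
        missing = [k for k in ENDPOINT_KEYS if not doc.get(k)]
    if missing:
        raise ValueError("endpoints missing from configuration: " + ", ".join(missing))
    return {k: doc[k] for k in ENDPOINT_KEYS}


def authorization_url(authorization_endpoint: str, client_id: str, redirect_uri: str,
                      scope: str, state: str) -> str:
    """Where the user's browser is sent. The space-separated Authorization Scope
    travels as a single 'scope' parameter; 'state' ties the response to this request."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scope.split()), "state": state}
    return authorization_endpoint + "?" + urlencode(params)


def basic_credential(client_id: str, client_secret: str) -> str:
    """Basic method: form-encode id and secret, join with ':', base64 (RFC 6749 s2.3.1)."""
    raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return base64.b64encode(raw.encode("ascii")).decode("ascii")


def token_request(token_endpoint: str, code: str, redirect_uri: str, client_id: str,
                  client_secret: str, method: str) -> Dict[str, object]:
    """Exchange the authorization code at the Token Endpoint. 'Basic' carries the
    client credentials in the Authorization header, 'POST' in the form body."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "Basic":
        headers["Authorization"] = "Basic " + basic_credential(client_id, client_secret)
    elif method == "POST":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError("Client Authentication Method must be Basic or POST")
    return {"method": "POST", "url": token_endpoint, "headers": headers, "body": urlencode(body)}


def userinfo_request(userinfo_endpoint: str, access_token: str, delivery: str) -> Dict[str, object]:
    """Present the access token to the UserInfo Endpoint as configured under
    UserInfo Authentication (the three bearer-token methods of RFC 6750)."""
    if delivery == "Header":
        return {"method": "GET", "url": userinfo_endpoint,
                "headers": {"Authorization": "Bearer " + access_token}, "body": None}
    if delivery == "Form":
        return {"method": "POST", "url": userinfo_endpoint,
                "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": urlencode({"access_token": access_token})}
    if delivery == "Query":
        # The token becomes part of the URL and so of proxy and server logs.
        return {"method": "GET", "url": userinfo_endpoint + "?" + urlencode({"access_token": access_token}),
                "headers": {}, "body": None}
    raise ValueError("UserInfo Authentication must be Header, Form or Query")


# Constructed sample discovery document for a hypothetical IdP.
SAMPLE_ISSUER = "https://idp.example.com"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/oauth2/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/oauth2/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/oauth2/userinfo",
})

if __name__ == "__main__":
    endpoints = resolve_endpoints(issuer=SAMPLE_ISSUER, discovery_doc=SAMPLE_DISCOVERY)
    print(token_request(endpoints["token_endpoint"], "code123", "https://portal.example.com/cb",
                        "app-id", "s3cret", "Basic"))
    print(userinfo_request(endpoints["userinfo_endpoint"], "tok", "Header"))
```

Of the three UserInfo Authentication options, Header keeps the token out of URLs and request logs, which is why RFC 6750 recommends it over Query; choose Query only when the IdP supports nothing else. The issuer check in resolve_endpoints mirrors what an OpenID Connect client is required to do with a discovery document: the issuer value inside it must equal the Issuer URL you configured.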


Note

The assignment of roles and user groups is based on the user attributes passed from the IdP. Please ensure that the names of the roles and user groups created in the Application Portal are exactly the same as those configured in the IdP so that the permission policies can take effect in EnOS.
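The following added example (not EnOS product code) works through the attribute mapping described in step 5 of both the SAML and the OAuth 2.0 procedures and the note above: it maps the attributes an IdP releases onto the Application Portal fields, rejects a login that lacks the required Username or Email, concatenates First Name and Last Name into the Nickname, and reports any Role or User Group value that does not exactly match a name existing in the portal. The mapping, the set of existing roles and groups, the sample attributes and the function names are all constructed for illustration; the attribute names your IdP actually releases will differ.

```python
# Added example, not EnOS code. Mapping, existing roles/groups and sample
# attributes are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed mapping: Application Portal field -> attribute name released by the IdP.
MAPPING = {
    "username": "uid",
    "email": "mail",
    "phone": "telephoneNumber",
    "first_name": "givenName",
    "last_name": "sn",
    "company": "o",
    "department": "ou",
    "position": "title",
    "role": "enosRole",
    "user_group": "enosGroup",
}

# Constructed: roles and user groups that already exist in the Application Portal.
EXISTING_ROLES = {"asset_viewer", "site_operator"}
EXISTING_GROUPS = {"plant-a", "plant-b"}


@dataclass
class PortalProfile:
    username: str
    email: str
    nickname: str
    phone: Optional[str] = None
    company: Optional[str] = None
    department: Optional[str] = None
    position: Optional[str] = None
    roles: List[str] = field(default_factory=list)
    user_groups: List[str] = field(default_factory=list)
    # Values the IdP sent that match nothing in the portal; they grant no permissions.
    unmatched: Dict[str, List[str]] = field(default_factory=dict)


def _values(attrs: Dict[str, object], name: Optional[str]) -> List[str]:
    """IdP attributes may be single- or multi-valued; normalise to a list of strings."""
    if not name or name not in attrs:
        return []
    value = attrs[name]
    return [value] if isinstance(value, str) else [str(v) for v in value]


def _first(attrs: Dict[str, object], name: Optional[str]) -> Optional[str]:
    values = _values(attrs, name)
    return values[0] if values else None


def build_profile(attrs: Dict[str, object], mapping: Dict[str, str] = MAPPING,
                  roles=EXISTING_ROLES, groups=EXISTING_GROUPS) -> PortalProfile:
    """Map IdP attributes onto portal fields. Username and Email are required, so a
    response lacking either is rejected instead of producing a partial account."""
    username = _first(attrs, mapping.get("username"))
    email = _first(attrs, mapping.get("email"))
    if not username or not email:
        raise ValueError("IdP response lacks the required Username or Email attribute")

    # Nickname is the first name and the last name concatenated.
    name_parts = [p for p in (_first(attrs, mapping.get("first_name")),
                              _first(attrs, mapping.get("last_name"))) if p]
    nickname = " ".join(name_parts)

    # Role and User Group names must match existing portal objects exactly
    # (case-sensitive); anything else is reported rather than silently dropped.
    sent_roles = _values(attrs, mapping.get("role"))
    sent_groups = _values(attrs, mapping.get("user_group"))
    unmatched: Dict[str, List[str]] = {}
    bad_roles = [r for r in sent_roles if r not in roles]
    bad_groups = [g for g in sent_groups if g not in groups]
    if bad_roles:
        unmatched["role"] = bad_roles
    if bad_groups:
        unmatched["user_group"] = bad_groups

    return PortalProfile(
        username=username,
        email=email,
        nickname=nickname,
        phone=_first(attrs, mapping.get("phone")),
        company=_first(attrs, mapping.get("company")),
        department=_first(attrs, mapping.get("department")),
        position=_first(attrs, mapping.get("position")),
        roles=[r for r in sent_roles if r in roles],
        user_groups=[g for g in sent_groups if g in groups],
        unmatched=unmatched,
    )


# Constructed sample: attributes as an IdP might release them for one user.
SAMPLE_ATTRIBUTES = {
    "uid": "jdoe",
    "mail": "jdoe@example.com",
    "givenName": "Jane",
    "sn": "Doe",
    "o": "Example Energy",
    "enosRole": ["asset_viewer", "Asset_Viewer", "plant_admin"],
    "enosGroup": "plant-a",
}

if __name__ == "__main__":
    print(build_profile(SAMPLE_ATTRIBUTES))
```

In the sample, only asset_viewer is granted: Asset_Viewer differs in case and plant_admin does not exist in the portal, so both are listed under unmatched. Surfacing that list at first login is the quickest way to notice a role or group that was created under a slightly different name than the IdP sends.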