# idaas-auth

Part of **IDAAS**

# IDaaS Authentication Console Guide

## Operations Overview

| Operation | Console Entry Path | Prerequisites | Description |
|----------|-------------------|--------------|-------------|
| Configure Account Lockout and IP Access Control | Security Settings > Logon/Sign-up > Logon, Security Settings > IP Access Control, Applications > Application List > Details > IP Whitelist Configuration | Access to the IDaaS console, Administrative privileges, Knowledge of client IP addresses | Set account lockout after failed attempts and manage IP blacklists/whitelists for enhanced security. |
| Enable Risk Control | Console > IDaaS > Risk Management > Risk Control | Administrator account access to the CIAM platform | Configure IP-, account-, and password-based risk controls including CAPTCHA, rate limiting, and password policies. |
| Two-Factor Authentication | Console > Application List > Configure Secondary Authentication | Text message gateway configured, Alibaba Cloud SMS activated, Gateway setup completed (~5 min) | Force-enable SMS-based secondary authentication for a specific application. |
| SMS Authentication Gateway Setup | Settings > Security Settings > SMS Configuration > SMS Gateway | Administrator access, SMS provider API credentials, SMTP account (optional) | Configure an SMS gateway with provider details and test delivery. |
| Social Media Logon | Console > CIAM > Authentication Sources > Add Identity Provider | Admin access, Social platform developer account (e.g., WeChat), AppID/AppSecret | Register a social identity provider (e.g., WeChat) and assign it to an application. |
| SSO for Redash v9 | EIAM > Application Management > Applications > Add Application > Marketplace > Redash-v9 New Version | IDaaS console access, Redash admin account, Redash service address, Organization ID | Configure SAML 2.0 SSO between IDaaS and Redash v9. |
| Node Events | Console > Identity & Access Management > Node Events | Admin privileges, CIAM instance created, Third-party system ready | Create node events to automate interactions during registration, logon, or authentication flows. |
| Flow Interaction (Webhook) | Console > IDaaS > CIAM > Flows > Select Flow > Configure Node Event | IDaaS CIAM instance, Third-party webhook endpoint, ClientID/ClientSecret | Integrate third-party systems via webhook at specific flow checkpoints. |

## Operation Steps

### Configure Account Lockout and IP Access Control

**Navigation**: Security Settings > Logon/Sign-up > Logon, Security Settings > IP Access Control, Applications > Application List > Details > IP Whitelist Configuration

**Prerequisites**:
- Access to the IDaaS console
- Administrative privileges to configure security settings
- Knowledge of client IP addresses for whitelist/blacklist configuration

1. Navigate to **Security Settings** in the left navigation panel  
   - Element: **Security Settings** (menu) — left navigation panel

2. Click **Logon** under Logon/Sign-up  
   - Element: **Logon** (menu) — left navigation panel  
   - Notes: Set the account to lock for 30 minutes after 6 incorrect password attempts.

3. Go to **Security Settings > IP Access Control**  
   - Element: **Security Settings** (menu) — left navigation panel

4. Add IP addresses to the blacklist  
   - Element: **IP Access Control** (menu) — left navigation panel  
   - Notes: Access from blacklisted IPs will be blocked automatically.

5. Navigate to **Applications > Application List**  
   - Element: **Applications** (menu) — left navigation panel

6. Select an application and open its **Details**  
   - Element: **Application List** (link) — main content area

7. Go to the **IP Whitelist Configuration** tab  
   - Element: **IP Whitelist Configuration** (tab) — main content area  
   - Notes: Only allow API requests from whitelisted IP addresses.
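The following is an added reference model, not IDaaS code, of what the three controls above mean at request time: the account lock (6 wrong passwords, 30-minute lock, as in the Logon note), the global IP blacklist and the per-application IP whitelist. Function names, the CIDR handling in `parse_ip_list`, the rule that attempts during a lock are refused before the password is checked, and all sample addresses and accounts are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Values from the Logon settings note above: 6 failed attempts, 30-minute lock.
MAX_FAILED_ATTEMPTS = 6
LOCK_SECONDS = 30 * 60


def parse_ip_list(text):
    """Parse the comma-separated address list the console fields accept.
    Single addresses and CIDR ranges are both accepted here (CIDR support is
    this example's assumption, not a documented console feature)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in text.split(",") if item.strip()]


def ip_allowed(client_ip, blacklist, whitelist=None):
    """The blacklist (IP Access Control) blocks every request from a listed
    source; the per-application whitelist, when non-empty, additionally
    restricts API requests to the listed sources only."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in blacklist):
        return False
    if whitelist:
        return any(addr in net for net in whitelist)
    return True


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class LockoutPolicy:
    """Counts wrong passwords per account and locks the account once the
    threshold is reached; a correct password resets the counter."""

    def __init__(self, max_failures=MAX_FAILED_ATTEMPTS, lock_seconds=LOCK_SECONDS):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.accounts = {}

    def is_locked(self, username, now):
        return self.accounts.get(username, AccountState()).locked_until > now

    def attempt(self, username, password_ok, now):
        """Return True only when the logon may proceed. While the account is
        locked every attempt is refused before the password is checked, so the
        right password does not unlock it early and further wrong guesses do
        not extend the lock (this example's chosen semantics)."""
        state = self.accounts.setdefault(username, AccountState())
        if state.locked_until > now:
            return False
        if password_ok:
            state.failures = 0
            return True
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = now + self.lock_seconds
            state.failures = 0
        return False


if __name__ == "__main__":
    # Constructed sample data: documentation addresses, fictional account.
    blacklist = parse_ip_list("203.0.113.7, 198.51.100.0/24")
    policy = LockoutPolicy()
    for n in range(7):
        print("attempt", n + 1, "proceeds:", policy.attempt("alice", False, now=1000.0))
    print("alice locked:", policy.is_locked("alice", 1000.0))
    print("203.0.113.7 blocked:", not ip_allowed("203.0.113.7", blacklist))
```

Because the whitelist is evaluated after the blacklist, an address that appears on both is still blocked, which is the safer reading when the two lists are maintained by different administrators.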

### Enable Risk Control

**Navigation**: Console > IDaaS > Risk Management > Risk Control

**Prerequisites**:
- Administrator account access to the CIAM platform

1. Log on to the CIAM platform  
   - Element: **Log on** (button) — top-right corner

2. Navigate to **Risk Management**  
   - Element: **Risk Management** (menu) — left navigation panel

3. Select a risk control feature card (e.g., **IP failure count**)  
   - Element: **IP failure count** (panel) — main content area  
   - Notes: The card name varies depending on the feature being configured.

4. Click **Configure** on the selected card  
   - Element: **Configure** (button) — card footer

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Time range | dropdown | Yes | 5 minutes, 10 minutes, 15 minutes, 30 minutes | The time frame for counting authentication failures or attempts. |
| Authentication failure count | number_input | Yes | — | The maximum number of allowed authentication failures before triggering a CAPTCHA or lockout. |
| Frequency count | number_input | Yes | — | The maximum number of authentication attempts allowed within the specified time range. |
| Lock time range | dropdown | Yes | 5 minutes, 10 minutes, 15 minutes, 30 minutes, 60 minutes | The duration for which the account is locked after exceeding the limit. |
| Verification count | number_input | Yes | — | The number of allowed verification attempts for an SMS or email code within a single logon flow. |
| Password history | number_input | Yes | — | The number of unique recent passwords that a user cannot reuse. |
| Password validity period | dropdown | Yes | 10 days, 30 days, 60 days, 180 days, 360 days | The length of time a password is valid before requiring a change. |
| Minimum length | number_input | Yes | — | The minimum number of characters required for a password. |
| Password complexity | checkbox | No | Must contain uppercase letters, Must contain lowercase letters, Must contain digits (0-9), Must contain special characters (!@#$%&*~), Cannot contain the username, Cannot contain the pinyin of the user's name, Cannot contain the phone number, Cannot contain the email prefix | Enforced requirements for password strength during registration and changes. |
| Enable | toggle | No | On, Off | Enables or disables the selected risk control feature. |
| Blacklist IP list | text_input | Yes | — | A comma-separated list of IP addresses to be blocked from all application requests. |
| IP whitelist | text_input | Yes | — | A comma-separated list of IP addresses allowed to access the application. |
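As an added example (not IDaaS code), the validator below implements the password rules from the table above, one flag per complexity checkbox plus the minimum length and password-history inputs, so an administrator can try candidate passwords against a proposed policy offline. The class and field names, the rule codes, the PBKDF2-based history store and the sample user are this example's own; the "pinyin of the user's name" rule takes the romanised name as an input, since computing pinyin is outside this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SPECIAL_CHARS = set("!@#$%&*~")   # the character set named in the console option


@dataclass
class PasswordPolicy:
    """One flag per console checkbox, plus the two numeric inputs."""
    minimum_length: int = 8
    password_history: int = 5          # 0 disables the reuse check
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_username: bool = True
    forbid_name_pinyin: bool = True
    forbid_phone: bool = True
    forbid_email_prefix: bool = True


@dataclass
class UserProfile:
    username: str
    name_pinyin: str = ""   # romanised name, e.g. "zhangsan"; supplied, not computed here
    phone: str = ""
    email: str = ""
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest first


def _digest(password, salt):
    # Salted PBKDF2 so the history store never holds reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _reused(password, history, depth):
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in history[:depth])


def violations(password, user, policy):
    """Return the list of rule codes the candidate breaks (empty means accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < policy.minimum_length:
        problems.append("too_short")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no_upper")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no_lower")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in password):
        problems.append("no_special")
    if policy.forbid_username and user.username and user.username.lower() in lowered:
        problems.append("contains_username")
    if policy.forbid_name_pinyin and user.name_pinyin and user.name_pinyin.lower() in lowered:
        problems.append("contains_name_pinyin")
    if policy.forbid_phone and user.phone and user.phone in password:
        problems.append("contains_phone")
    if policy.forbid_email_prefix and user.email:
        prefix = user.email.split("@", 1)[0].lower()
        if prefix and prefix in lowered:
            problems.append("contains_email_prefix")
    if policy.password_history and _reused(password, user.history, policy.password_history):
        problems.append("reused_recent_password")
    return problems


def remember(password, user):
    """Record a salted digest so later changes can be checked against history."""
    salt = os.urandom(16)
    user.history.insert(0, (salt, _digest(password, salt)))


if __name__ == "__main__":
    # Constructed sample user; the phone number and email are placeholders.
    user = UserProfile("zhangsan", name_pinyin="zhangsan",
                       phone="13800000000", email="zhang.san@example.com")
    policy = PasswordPolicy()
    for candidate in ("Password1", "Zhangsan@2024", "Tr0ub4dor&3"):
        print(candidate, "->", violations(candidate, user, policy) or "accepted")
```

The substring rules are evaluated case-insensitively, so "Zhangsan@2024" is rejected even though the stored username is lowercase; a policy that only matched exact case would be trivially bypassed by changing one letter.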

### Two-Factor Authentication

**Navigation**: Console > Application List > Configure Secondary Authentication

**Prerequisites**:
- Text message gateway configured in IDaaS
- Alibaba Cloud Short Message Service (SMS) activated
- Gateway configuration completed (approx. 5 minutes)

1. Go to **Application List**  
   - Element: **Application List** (link) — left navigation panel

2. Select the target application from the list  
   - Element: **Select the application** (dropdown) — main content area

3. Click **Configure Secondary Authentication**  
   - Element: **Configure Secondary Authentication** (button) — top-right corner  
   - Notes: This action forcibly enables secondary authentication for the selected application.

### SMS Authentication Gateway Setup

**Navigation**: Settings > Security Settings > SMS Configuration > SMS Gateway

**Prerequisites**:
- Administrator access to the CIAM console
- An SMS service provider account with API credentials
- An SMTP account with credentials (optional)

1. Go to **Settings > Security Settings > SMS Configuration > SMS Gateway**  
   - Element: **Settings** (menu) — left navigation panel

2. Select your SMS service provider  
   - Element: **SMS service provider** (dropdown) — main content area

3. Enter a display name for the gateway  
   - Element: **Gateway name** (text_input) — main content area

4. Enter the API endpoint URL  
   - Element: **SMS URL** (text_input) — main content area

5. Enter the API account credential  
   - Element: **API account** (text_input) — main content area

6. Enter the API password credential  
   - Element: **API password** (text_input) — main content area

7. Enter the sender name/title  
   - Element: **SMS title** (text_input) — main content area

8. Optionally enter an extension field  
   - Element: **API extension field** (text_input) — main content area

9. Enable custom SMS templates (if needed)  
   - Element: **Enable SMS gateway custom template** (checkbox) — main content area

10. Send a test SMS to verify  
    - Element: **Send test SMS** (button) — top-right corner  
    - Notes: Enter a phone number and confirm delivery.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| SMS service provider | dropdown | Yes | — | Select your SMS service provider from the list. |
| Gateway name | text_input | Yes | — | A display name for this SMS gateway. |
| Gateway description | text_input | No | — | An optional description for this SMS gateway. |
| SMS URL | text_input | Yes | — | The API endpoint URL provided by your SMS service provider. |
| API account | text_input | Yes | — | The API account credential for your SMS service provider. |
| API password | text_input | Yes | — | The API password credential for your SMS service provider. |
| SMS title | text_input | Yes | — | The sender name or title displayed on the SMS message. |
| API extension field | text_input | No | — | An optional extension field required by some SMS providers. |
| Enable SMS gateway custom template | checkbox | No | — | Turn on to customize the content of SMS templates for this gateway. |

### Social Media Logon

**Navigation**: Console > CIAM > Authentication Sources > Add Identity Provider

**Prerequisites**:
- Administrator access to the CIAM console
- A developer account on the social platform (e.g., WeChat Open Platform)
- AppID and AppSecret from the social platform's developer portal

1. Go to **Authentication Sources**  
   - Element: **Authentication Sources** (link) — left navigation panel

2. Select **WeChat** as the identity provider type  
   - Element: **WeChat** (radio) — identity provider selection dropdown

3. Enter AppID, AppSecret, and Authorization domain  
   - Element: **AppID** (text_input) — form fields in registration section  
   - Notes: Copy values from the WeChat Open Platform developer portal

4. Click **Submit**  
   - Element: **Submit** (button) — bottom of the form

5. Verify the identity provider status is **enabling**  
   - Element: **enabling** (status_label) — identity provider list

6. Navigate to **Application Management**  
   - Element: **Application Management** (link) — left navigation panel

7. Import the WeChat identity provider into the application  
   - Element: **import** (button) — login method configuration section

8. Save the configuration  
   - Element: **Save** (button) — bottom of the form

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| AppID | text_input | Yes | — | The App ID from your WeChat Open Platform app |
| AppSecret | text_input | Yes | — | The App Secret from your WeChat Open Platform app |
| Authorization domain | text_input | Yes | — | The authorized domain configured in your WeChat Open Platform app |

### SSO for Redash v9

**Navigation**: EIAM > Application Management > Applications > Add Application > Marketplace > Redash-v9 New Version

**Prerequisites**:
- Access to the IDaaS console
- Administrator account for Redash
- Redash instance service address
- Organization ID (default: 'default' if not set)

1. Log on to the IDaaS console  
   - Element: **IDaaS console** (link) — top navigation

2. Navigate to **EIAM** and select the target IDaaS instance  
   - Element: **EIAM** (menu) — left navigation panel

3. Click **Manage** in the Actions column  
   - Element: **Manage** (button) — Actions column

4. Go to **Application Management > Applications > Add Application > Marketplace**  
   - Element: **Add Application** (button) — main content area

5. Search for **Redash-v9 New Version** and click **Create**  
   - Element: **Redash-v9 New Version** (link) — search results

6. Confirm application name and click **Add Now**  
   - Element: **Add Now** (button) — bottom of form

7. Go to **Logon > Single Sign-On** tab  
   - Element: **Single Sign-On** (tab) — top navigation

8. Enable SSO and enter Redash parameters  
   - Element: **Enable SSO** (checkbox) — SSO configuration section  
   - Notes: Redash Service Address must not end with a forward slash (/)

9. Copy the **SamlMetaEndpoint.idp** value  
   - Element: **SamlMetaEndpoint.idp** (text_input) — application configuration section  
   - Notes: This value will be used in Redash as SAML Metadata URL

10. Log in to Redash with an administrator account  
    - Element: **Settings** (menu) — left navigation pane

11. Click the **General** tab  
    - Element: **General** (tab) — top of page

12. Select **SAML Enabled**  
    - Element: **SAML Enabled** (checkbox) — Authentication section

13. Enter SAML parameters and click **Save**  
    - Element: **Save** (button) — bottom of form  
    - Notes: SAML NameID Format must be `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Redash Service Address | text_input | Yes | — | The service address of your Redash instance. Cannot end with a forward slash (/). |
| Organization | text_input | No | — | The organization ID. Default is 'default' if not set during installation. |
| Application Account | text_input | No | — | Specifies the account used for logon. If not available, IDaaS email address is used. |
| Authorization Type | dropdown | Yes | Manual Authorization, All Users | Selects who can access the application after SSO. |
| SAML Metadata URL | text_input | Yes | — | Get this value from the application configuration on the IDaaS SSO page. Redash uses this URL to parse the SSO address, send a SAML Request, and initiate SSO. |
| SAML Entity ID | text_input | Yes | — | The service address of Redash. |
| SAML NameID Format | text_input | Yes | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | Enter `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. |
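The table says Redash fetches the SAML Metadata URL, parses the SSO address from it and then initiates SSO. The added example below, which is neither IDaaS nor Redash code, shows what that parsing involves and checks the Redash-side values (service address without a trailing slash, the required NameID format) against what the IdP metadata advertises. The sample metadata document, its entity ID, URLs and certificate value are constructed placeholders; the standard SAML 2.0 namespaces and binding URIs are real.

```python
try:
    from defusedxml import ElementTree as ET   # preferred when metadata is fetched from the network
except ImportError:                            # stdlib parser is fine for the inline sample below
    import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of an IdP metadata document; every value is a placeholder.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_bytes):
    """Extract what a service provider needs from IdP metadata: entity ID,
    the HTTP-Redirect SSO endpoint, supported NameID formats and signing certs."""
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": sso.get(HTTP_REDIRECT),
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "signing_certs": [c.strip() for c in certs if c],
    }


def redash_sp_check(service_address, nameid_format, idp):
    """Validate the values entered on the Redash side against the parsed IdP metadata."""
    errors = []
    if service_address.endswith("/"):
        errors.append("service address must not end with '/'")
    if nameid_format != EMAIL_NAMEID:
        errors.append("NameID format must be " + EMAIL_NAMEID)
    if EMAIL_NAMEID not in idp["name_id_formats"]:
        errors.append("IdP metadata does not advertise the emailAddress NameID format")
    if not idp["sso_redirect_url"]:
        errors.append("IdP metadata has no HTTP-Redirect SingleSignOnService")
    if not idp["signing_certs"]:
        errors.append("IdP metadata has no signing certificate, so assertions cannot be verified")
    return errors


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    print("SSO redirect endpoint:", parsed["sso_redirect_url"])
    print(redash_sp_check("https://redash.example.com", EMAIL_NAMEID, parsed) or "Redash settings consistent")
```

The signing-certificate check matters most: without the IdP's certificate a service provider cannot verify assertion signatures, and any metadata URL that is fetched at run time should be retrieved over HTTPS from the IDaaS host only, since whoever controls that document controls who the SP trusts.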

### Node Events

**Navigation**: Console > Identity & Access Management > Node Events

**Prerequisites**:
- Administrator privileges
- A CIAM instance already created
- Third-party system configured and accessible

1. Navigate to **Node Events**  
   - Element: **Node Events** (link) — left navigation panel

2. Click **Create Node Event**  
   - Element: **Create Node Event** (button) — top-right corner

3. Select the **Flow Type**  
   - Element: **Flow Type** (dropdown) — main content area  
   - Notes: Available options: User registration, Logon, Authentication

4. Choose **Built-in** or **Custom** event source  
   - Element: **Built-in Events** (radio) — main content area

5. Configure input and output parameters  
   - Element: **Input Parameters** (text_input) — main content area  
   - Notes: Use the provided form fields to define data mapping between CIAM and the third-party system

6. Click **Save**  
   - Element: **Save** (button) — bottom of the form  
   - Notes: After saving, the node event will be applied to the selected flow

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Flow Type | dropdown | Yes | User registration, Logon, Authentication | Specifies which identity flow the node event will be applied to |
| Event Source | dropdown | Yes | Built-in, Custom | Determines whether to use a pre-defined event or create a custom one |
| Input Parameters | text_input | No | — | Defines the data sent to the third-party system during the interaction |
| Output Parameters | text_input | No | — | Defines the data received from the third-party system and how it is processed |

### Flow Interaction (Webhook)

**Navigation**: Console > IDaaS > CIAM > Flows > Select Flow > Configure Node Event

**Prerequisites**:
- An Alibaba Cloud IDaaS instance with CIAM enabled
- A third-party system that exposes an endpoint to receive webhook requests
- The webhook address, authorized address, ClientID, and ClientSecret for your third-party system

1. Navigate to **Flows**  
   - Element: **Flows** (menu) — left navigation panel  
   - Notes: Refer to the 'Supported flows' section for available options.

2. Select the node event to configure  
   - Element: **Select node event** (dropdown) — main content area

3. Enter configuration details  
   - Element: **Basic information** (text_input) — main content area  
   - Notes: Includes name, description, webhook address, authorized address, ClientID, and ClientSecret.

4. Click **Save**  
   - Element: **Save** (button) — bottom-right corner

5. Toggle the node event to **Enabled**  
   - Element: **Enabled** (toggle) — top-right corner of the node event card  
   - Notes: When enabled, CIAM sends a request to the configured webhook address at that point in the flow.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Name | text_input | Yes | — | A human-readable name for the event |
| Description | text_input | No | — | Optional description for the event |
| Webhook address | text_input | Yes | — | The endpoint on your third-party system that receives the CIAM request |
| Authorized address | text_input | Yes | — | The authorized address for your third-party system |
| ClientID | text_input | Yes | — | The client identifier for authentication with your third-party system |
| ClientSecret | text_input | Yes | — | The client secret for authentication with your third-party system |

## FAQ

Q: Where do I configure account lockout rules?
A: Go to Security Settings > Logon/Sign-up > Logon in the IDaaS console. You can set the number of failed attempts and lock duration there.

Q: Can I modify SMS gateway settings after creation?
A: Yes, you can edit the SMS gateway configuration at any time via Settings > Security Settings > SMS Configuration > SMS Gateway.

Q: What happens if I leave the Organization field blank when setting up Redash SSO?
A: The system defaults to "default". Ensure this matches your Redash installation’s organization setting.

Q: Do social login configurations require approval from the social platform?
A: Yes, you must first register your app on the social platform (e.g., WeChat Open Platform) and obtain AppID and AppSecret before configuring in IDaaS.

Q: Are node events applied immediately after saving?
A: No, you must explicitly toggle the node event to **Enabled** for it to take effect in the authentication flow.

## Pricing & Billing

### Billing Model
Per-request pricing for SMS verification codes; all other authentication features (risk control, 2FA, SSO, social login, node events, flow interaction) are included in the standard IDaaS service at no additional cost.

### Price Reference
| Tier | Price |
|------|-------|
| SMS verification code | 0.05 / |

### Free Tier
Monthly free quota of 1000 SMS messages.

### Billing Notes
- SMS is billed per message sent; each verification attempt counts as one message.
- Other authentication features (including TOTP, WebAuthn, SAML SSO, risk policies) incur no extra charges.
- Quota limits apply: SMS messages limited to 1000 characters per message; node events capped at 100 per CIAM instance; webhook calls limited to 100 per minute per flow.