This topic describes how to configure and use custom domain names in Identity as a Service (IDaaS).
Overview
You can use a custom domain name to replace the domain name in the URLs of IDaaS Employee Identity and Access Management (EIAM) web pages, such as the logon page and the application portal. This keeps your enterprise branding consistent.
You can configure a proxy for your domain name to manage access permissions of users. For example, you can allow only users that use specific IP addresses to log on to your application portal.
Terms
| Term | Description |
| --- | --- |
| initial domain name | The domain name that the system generates for an IDaaS EIAM instance when you create the instance, in the format of xxxx.aliyunidaas.com. |
| custom domain name | Your own domain name that you add to access an IDaaS EIAM instance, such as login.example.com. |
| default domain name | The default domain name that is used to access an IDaaS EIAM instance. You must specify the initial domain name or a custom domain name as the default domain name. If you enable the automatic redirect feature, users are automatically redirected to the default domain name when they access the initial domain name. |
Affected features
The following table describes the features that are affected by custom domain names. You can modify the related configurations before or after you configure a custom domain name based on your business requirements.
| Affected object | Feature | Description |
| --- | --- | --- |
| User portal | Logon page | The URL of the logon page contains a domain name. |
| User portal | Application portal | The URL of the application portal contains a domain name. |
| DingTalk as an Identity Provider (IdP) - outbound | QR code-based logon or single sign-on (SSO) to DingTalk workbench | The callback URL for DingTalk contains a domain name. Make sure that the initial domain name is used in the callback URL. |
| DingTalk as an IdP - outbound | SSO to IDaaS application portal or an application | The URL of the application homepage contains a domain name. |
| WeCom as an IdP - inbound | QR code-based logon | In the URLs that are used to access the user portal, self-developed applications, OpenID Connect (OIDC) applications, and Security Assertion Markup Language (SAML) applications, and in the callback URL for WeCom authorization, you must use the initial domain name. In addition, you must disable the automatic redirect feature. Otherwise, users cannot log on to IDaaS or applications by using WeCom to scan a QR code. |
| OIDC applications and self-developed applications | Authorization endpoint; end session endpoint | If your instance uses only one custom domain name, we recommend that you use the initial domain name in these endpoints. You can specify the custom domain name as the default domain name and enable the automatic redirect feature. If the automatic redirect feature is disabled, SSO may fail and users need to log on again. If your instance uses multiple custom domain names, make sure that the custom domain name in these endpoints is the same as the domain name of the logon page. Otherwise, SSO may fail and users need to log on again. |
| SAML applications | IdP metadata URL; SSO URL | If your instance uses only one custom domain name, we recommend that you use the initial domain name in these URLs. You can specify the custom domain name as the default domain name and enable the automatic redirect feature. If the automatic redirect feature is disabled, SSO may fail and users need to log on again. If your instance uses multiple custom domain names, make sure that the custom domain name in these URLs is the same as the domain name of the logon page. Otherwise, SSO may fail and users need to log on again. |
| WebAuthn | Authenticator registration | A WebAuthn authenticator is valid only for the domain name for which the authenticator is registered. For example, if you register WebAuthn Authenticator A1 for Domain Name A, Authenticator A1 cannot be used for authentication when users access Domain Name B. Another WebAuthn authenticator must be registered for Domain Name B. You can have multiple authenticators for different domain names. |
Preparations
We recommend that you prepare the following items before you configure a custom domain name. This helps smooth the configuration process.
| Item | Description |
| --- | --- |
| Domain name | You need to prepare a dedicated domain name for your IDaaS EIAM instance. We recommend that you use a top-level domain name or a second-level domain name. |
| Operation permissions on the Domain Name System (DNS) of the domain name | To verify your ownership of the domain name, you must add one or two DNS records to the DNS of your domain name. |
| Internet Content Provider (ICP) number | If your domain name points to a website that is deployed on an instance located in the Chinese mainland, you must specify the ICP number of the domain name. |
| Operation permissions on the proxy of the domain name | You must configure information such as the HTTPS certificate and the origin host in the proxy. |
| Instance of Trial Edition or Enterprise Edition | Only an instance of Trial Edition or Enterprise Edition can be accessed by using a custom domain name. You can enable the free trial for an instance or upgrade an instance. |
Configure a custom domain name
Log on to the IDaaS console. On the EIAM page, click the instance for which you want to add a custom domain name. In the left-side navigation pane, click Branding. On the Custom Domain Name tab, click Add Custom Domain Name to configure a custom domain name.

Important
Custom domain names may affect features such as logon, SSO, and data synchronization. Before you configure a custom domain name, take note of the affected features to prevent service interruption.
Step 1: Enter a domain name
Enter a custom domain name such as login.example.com. Each domain name is globally unique across all IDaaS EIAM instances. You need to only enter the domain name. You do not need to enter other fields such as paths or parameters. The domain name can be up to 128 characters in length and can contain lowercase letters, digits, hyphens (-), and periods (.).

Important
The IDaaS team makes efforts to ensure the security of your instance. However, if an attacker successfully implements cross-site scripting (XSS) attacks on your IDaaS EIAM instance, cross-site request forgery (CSRF) attacks may be launched against different subdomains under the same domain name. We recommend that you block cross-origin resource sharing (CORS) requests initiated from a custom domain name or use an independent top-level domain name as the custom domain name.
Step 2: Add DNS records
To verify your ownership of the domain name, you must add one or two DNS records to the DNS of your domain name, such as Alibaba Cloud DNS. The record type, record name, and record value are fixed for the same IDaaS EIAM instance and the same custom domain name. If you do not have the permission to add DNS records, you can configure the custom domain name after DNS records are added by others.

For more information about how to add DNS records at different DNS service providers, see the following topics:
Step 3: Enter an ICP number
According to the Measures for the Administration of Internet Information Services, if your website is deployed on an instance located in the Chinese mainland, you must specify either the ICP number issued to the entity or the ICP number issued to the website. If you configure a custom domain name for an IDaaS EIAM instance deployed in an Alibaba Cloud region in the Chinese mainland, you must specify the ICP number for the domain name to meet compliance requirements. The ICP number is displayed on the logon page of the instance.
Step 4: Add a custom domain name
After you confirm the configurations, click Added to add a custom domain name. You must configure a proxy for the custom domain name before you can use the custom domain name.
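The following script is an added example, not IDaaS code, that runs the two checks a practitioner would want before clicking through Steps 1 to 4: it applies the Step 1 character and length rules to the domain name you intend to enter, and it confirms that the Step 2 ownership records are actually published in DNS before you submit. The record types, names and values are placeholders standing in for what the console displays; the resolver is injected, so the sample below runs against a constructed zone rather than live DNS.

```python
import re
from typing import Callable, Iterable

# Step 1 rules: at most 128 characters; only lowercase letters, digits, hyphens and periods.
_ALLOWED = re.compile(r"^[a-z0-9.-]+$")

def validate_custom_domain(name: str) -> list[str]:
    """Return the Step 1 rules that `name` breaks; an empty list means it can be entered."""
    problems = []
    if len(name) > 128:
        problems.append("longer than 128 characters")
    if not _ALLOWED.match(name):
        problems.append("contains characters other than a-z, 0-9, '-' and '.'")
    if "" in name.split("."):
        problems.append("empty label (leading, trailing or doubled period)")
    return problems

def _norm(rtype: str, value: str) -> str:
    """Normalise a record value so a console value compares equal to a resolver answer."""
    v = value.strip()
    if rtype.upper() == "CNAME":
        v = v.rstrip(".").lower()      # trailing dot and letter case are not significant
    elif rtype.upper() == "TXT":
        v = v.strip('"')               # many resolvers return TXT data wrapped in quotes
    return v

def verify_dns_records(expected: Iterable[tuple[str, str, str]],
                       resolve: Callable[[str, str], list[str]]) -> dict[str, bool]:
    """expected: (type, name, value) triples copied from the console in Step 2.
    resolve(name, type) returns the values currently published; any resolver can be injected."""
    return {f"{t} {n}": _norm(t, v) in {_norm(t, p) for p in resolve(n, t)}
            for t, n, v in expected}

# Constructed sample: placeholder record names and values, not the real console output.
EXPECTED = [
    ("TXT", "_idaas-verify.login.example.com", "idaas-verify=PLACEHOLDER_TOKEN"),
    ("CNAME", "login.example.com", "PLACEHOLDER.cname.example.net"),
]
ZONE = {  # what a constructed DNS zone currently answers for (name, type)
    ("_idaas-verify.login.example.com", "TXT"): ['"idaas-verify=PLACEHOLDER_TOKEN"'],
    ("login.example.com", "CNAME"): ["placeholder.cname.example.net."],
}

if __name__ == "__main__":
    print(validate_custom_domain("login.example.com"))
    print(verify_dns_records(EXPECTED, lambda n, t: ZONE.get((n, t), [])))
```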
Configure a proxy
The request from a user or an application to access an IDaaS EIAM instance by using a custom domain name is forwarded by the proxy of the domain name. You must ensure the availability of the proxy. The following section describes how to configure Alibaba Cloud DCDN for a domain name.
Alibaba Cloud DCDN
Step 1: Add a domain name
Log on to the Alibaba Cloud DCDN console. In the left-side navigation pane, click Domain Names. On the Domain Names page, click Add Domain Name. Enter a domain name in the Domain Name to Accelerate field.

After the domain name is added to DCDN, you must copy the CNAME of the domain name and add a CNAME record at your DNS provider. For more information, see Add a CNAME record for a domain name.
Step 2: Configure HTTPS
On the Domain Names page in the Alibaba Cloud DCDN console, click the domain name that you want to manage. In the left-side navigation pane of the domain name details page, click HTTPS Settings to configure the HTTPS certificate. For more information, see Configure an SSL certificate.

Step 3: Configure an origin host
In the left-side navigation pane of the domain name details page, click Origin Fetch. On the Origin Fetch tab, turn on Origin Host.

Select Origin Domain Name as Domain Type. The initial domain name of your IDaaS EIAM instance is automatically selected.

Step 4: Add an origin HTTP header
On the Custom Origin HTTP Header tab, click Add. Configure the parameters, such as the IP address, host, and token. The configuration of these parameters can prevent IP address spoofing and improve access security.
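The IP address, host and token configured in Step 4 only protect the instance if the receiving side enforces them: any access policy applied on the proxy (for example, an enterprise IP allowlist) can be bypassed by a client that reaches the origin directly or forges forwarded headers. The following added example, which is not IDaaS or DCDN code, shows the origin-side decision in Python: trust a request only if it arrives from the proxy's egress range, carries the shared token (compared in constant time) and names the expected host, and only then believe the forwarded client address. The header name, token, host and egress range are constructed placeholders.

```python
import hmac
import ipaddress

# Constructed placeholders standing in for the values set on the Custom Origin HTTP Header tab.
PROXY_TOKEN_HEADER = "x-idaas-proxy-token"           # assumed header name
PROXY_TOKEN = "PLACEHOLDER_SHARED_SECRET"            # generate a long random value in practice
EXPECTED_HOST = "login.example.com"                  # the custom domain the proxy serves
PROXY_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range as a stand-in

def is_trusted_proxy_request(headers: dict[str, str], peer_ip: str) -> tuple[bool, str]:
    """Decide whether a request reached the origin through the configured proxy.
    headers: lower-cased header names; peer_ip: the TCP peer address, never a header value."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in PROXY_EGRESS):
        return False, "peer is not a proxy egress address"
    presented = headers.get(PROXY_TOKEN_HEADER, "")
    # Constant-time comparison so the token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(presented.encode(), PROXY_TOKEN.encode()):
        return False, "missing or wrong proxy token"
    if headers.get("host", "").lower() != EXPECTED_HOST:
        return False, "host header does not match the custom domain"
    return True, "ok"

def effective_client_ip(headers: dict[str, str], peer_ip: str) -> str:
    """Return the address to use for logging and access decisions."""
    trusted, _ = is_trusted_proxy_request(headers, peer_ip)
    if not trusted:
        return peer_ip           # never believe forwarded headers from an untrusted peer
    forwarded = headers.get("x-forwarded-for", "")
    # With one trusted proxy, the rightmost entry is the address the proxy itself observed;
    # earlier entries may have been supplied by the client.
    return forwarded.split(",")[-1].strip() or peer_ip

# Constructed sample requests.
DIRECT = ({"host": "login.example.com"}, "198.51.100.7")
VIA_PROXY = ({"host": "login.example.com", PROXY_TOKEN_HEADER: PROXY_TOKEN,
              "x-forwarded-for": "10.0.0.5, 192.0.2.44"}, "203.0.113.10")
BAD_TOKEN = ({"host": "login.example.com", PROXY_TOKEN_HEADER: "guess"}, "203.0.113.10")

if __name__ == "__main__":
    for name, (hdrs, peer) in {"direct": DIRECT, "proxy": VIA_PROXY, "bad": BAD_TOKEN}.items():
        print(name, is_trusted_proxy_request(hdrs, peer), effective_client_ip(hdrs, peer))
```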

After the proxy is configured, go back to the IDaaS console. You can click Test Connectivity to simulate an access to your IDaaS EIAM instance by using the custom domain name. Domain names may be protected by access policies. For example, a domain name may be accessible only from IP addresses of an enterprise network. Therefore, the result of this test is for reference only. We recommend that you perform a test in the real environment of users.
If the domain name works as expected, you must modify the related configurations based on the affected features. Then, you can distribute the custom domain name to your users. We recommend that you enable the automatic redirect feature if your users still use the initial domain name.
Domain name status
Domain names may be protected by access policies. For example, a domain name may be accessible only from IP addresses of an enterprise network. Therefore, the Available state of a custom domain name indicates that the custom domain name feature is available for the instance but does not indicate that the instance can be accessed by using the custom domain name. You must check whether the custom domain name works as expected.

Modify the default domain name
The default domain name is the domain name that is used to access an instance by default. The default domain name has the following two functions:
If the automatic redirect feature is enabled, your users or applications are automatically redirected to the default domain name when they access the initial domain name.
The default domain name is displayed in multiple fields in the IDaaS console, such as the user portal URL and the logon URL.

Important
If you specify a custom domain name as the default domain name for an instance and the automatic redirect feature is enabled, you must manually modify the default domain name when the custom domain name is unavailable. For example, if the custom domain name that is specified as the default domain name expires, you must modify the default domain name. Otherwise, your users or applications fail to access the instance.
Enable automatic redirect
If the automatic redirect feature is enabled, your users or applications are automatically redirected to the default domain name when they access the initial domain name. They are not redirected to the default domain name if they access a custom domain name.
If only one custom domain name is configured for your instance, we recommend that you specify the custom domain name as the default domain name and enable the automatic redirect feature. This way, your users can access applications by using the SSO feature no matter whether they access the initial domain name or custom domain name, and you do not need to modify SSO-related configurations for your applications.
If multiple custom domain names are configured for your instance or the automatic redirect feature is disabled, you must modify related configurations such as SSO for your applications based on affected features. Otherwise, SSO may fail and users need to log on again, or users cannot log on to IDaaS by using WeCom to scan a QR code.
Remove a custom domain name
Before you remove a custom domain name, check whether the custom domain name is in use. For example, the custom domain name may be used by an IdP or used in SSO configurations of an application. In the dialog box for confirming the removal, the point in time when the custom domain name was last used is displayed. You can check this time to determine whether the custom domain name is in use. This time also indicates when the proxy token was last used. You can view this value on the proxy configuration page.

After a custom domain name is removed, the IDaaS EIAM instance is immediately inaccessible by using the custom domain name. We recommend that you delete the configurations described in this topic from the DNS service provider and the proxy to prevent errors in domain forwarding.