All Products
Search
Document Center

Identity as a Service:Endpoints

Last Updated:Nov 28, 2024

This topic describes endpoints and how to configure and use endpoints in Identity as a Service (IDaaS).

Overview

Endpoints are used by IDaaS Employee Identity and Access Management (EIAM) instances to access networks. Endpoints in IDaaS are divided into dedicated endpoints and shared endpoints. You can use a shared endpoint free of charge. If you want to use a dedicated endpoint, you must purchase one. For more information, see Billing of dedicated endpoints.

Dedicated endpoint

A dedicated endpoint is an exclusive endpoint for an EIAM instance. The dedicated endpoint of an EIAM instance is an elastic network interface (ENI) of a virtual private cloud (VPC). You can configure security group rules or network settings for the ENI. This way, the EIAM instance can access a private network or access the Internet by using the dedicated endpoint.

Dedicated access to a private network

After an EIAM instance connects to your Alibaba Cloud VPC over a private network, you can synchronize the data of Active Directory (AD) domains, Lightweight Directory Access Protocol (LDAP) servers, and applications, and enable the AD authentication and LDAP authentication features, without the need to enable Internet-facing ports.

The following sections describe network access in different scenarios. In the following examples, an AD domain server is used.

The AD domain server and ENI belong to the same Alibaba Cloud VPC

If your AD domain server and the ENI of your EIAM instance belong to the same Alibaba Cloud VPC, you must implement access control by using the following method:

Configure the security group to which the AD domain server belongs to allow access from the IP address of the ENI.

image..png

The AD domain server and ENI belong to different Alibaba Cloud VPCs

If your AD domain server and the ENI of your EIAM instance belong to different Alibaba Cloud VPCs, you must implement access control by using the following methods:

  • Connect the two Alibaba Cloud VPCs by using a Cloud Enterprise Network (CEN) instance.

  • Configure the security group to which the AD domain server belongs to allow access from the IP address of the ENI.

image..png

The AD domain server belongs to a data center or a third-party cloud service provider

If the AD domain server belongs to a data center or a third-party cloud service platform, you must implement access control by using the following methods:

  • Connect the Alibaba Cloud VPC to the data center or cloud service platform to which the AD domain server belongs by using a leased line, such as a VPN gateway.

  • Configure the firewall of the AD domain server to allow access from the IP address of the ENI.

image..png

Dedicated access to the Internet

After an EIAM instance connects to your Alibaba Cloud VPC over a private network, you can associate an Elastic IP Address (EIP) with the ENI of the EIAM instance or associate an Internet NAT gateway with your Alibaba Cloud VPC. This way, the EIAM instance can use a public IP address to access the Internet. You can specify the public IP address as the trusted IP address in WeCom to meet your requirements for WeCom access.

Shared endpoint

A shared endpoint is the default endpoint that an EIAM instance uses to access the Internet. All EIAM instances can use the shared endpoint. You can use a shared endpoint to access only the Internet.

Comparison of the two endpoint types

The following table describes the two endpoint types.

Item

Dedicated endpoint

Shared endpoint

Access to a private network over a dedicated IP address

Supported

Not supported

Access to the Internet over a dedicated IP address

Supported

Not supported

Access to the Internet over a shared IP address

Not supported

Supported

Owner of the endpoint resources, such as ENIs and security groups

Your Alibaba Cloud account

The IDaaS team

Available by default

No

Yes

Free of charge

No

Yes

Supported modules of endpoints

The following table describes the supported modules of endpoints. By default, each module uses a shared endpoint. You can switch to a dedicated endpoint based on your business requirements.

Module

Dedicated endpoint for access to a private network

Dedicated endpoint for access to the Internet

Shared endpoint for access to the Internet

DingTalk inbound identity provider (IdP)

Not supported

Not supported

Supported

DingTalk outbound IdP

Not supported

Not supported

Supported

AD inbound IdP

Supported

Supported

Supported

LDAP inbound IdP

Supported

Supported

Supported

WeCom inbound IdP

Not supported

Supported

Not supported

Marketplace application

Not supported

Not supported

Supported

Security Assertion Markup Language (SAML) application

Not supported

Not supported

Supported

OpenID Connect (OIDC) application

Not supported

Not supported

Supported

Self-developed application

Not supported

Not supported

Supported

Create a dedicated endpoint

In the left-side navigation pane of the EIAM page for an IDaaS EIAM instance, click Branding. On the Branding page, click the Network Access Endpoint tab.

Step 1: Create a service-linked role

Before you go to the Network Access Endpoint tab or create a dedicated endpoint, make sure that a service-linked role for IDaaS is created. For more information, see Service-linked role for IDaaS EIAM instances. Only Resource Access Management (RAM) users to which the AliyunIDaaSEiamFullAccess policy is attached or Alibaba Cloud accounts can create the service-linked role.

Step 2: Upgrade or scale up the EIAM instance

You can create a dedicated endpoint only if the remaining dedicated endpoint quota of the instance is sufficient. If the remaining dedicated endpoint quota is insufficient, you must purchase a quota to create a dedicated endpoint.

  • If your EIAM instance is a Free Edition or Trial Edition instance, upgrade the instance and increase the number of dedicated endpoints on the buy page.

  • If your EIAM instance is an Enterprise Edition instance, scale up the instance and increase the number of dedicated endpoints on the buy page. For more information, see Change the specification of an instance.

Note

Each EIAM instance supports only one dedicated endpoint.

Step 3: Select resources

On the Network Access Endpoint tab, click Add Dedicated Endpoint.

In the Add Dedicated Endpoint dialog box, configure the following parameters.

Important

After you create a dedicated endpoint, you cannot modify the settings of the dedicated endpoint, such as the region, VPC, and vSwitch. Proceed with caution.

image..png

  • Display Name: the display name of the dedicated endpoint. The name is displayed only in the IDaaS console.

  • Select Region: the region of the VPC to which you want to connect.

  • Select VPC: the VPC in the selected region. If you want to access a service, such as an AD domain, an LDAP server, or an application, over a private network, select a VPC in which the service resides or a VPC over which you can access the service.

  • Select vSwitch: the vSwitches that you want to use in the VPC. The number of available IP addresses for each selected vSwitch must be greater than two. You cannot use the 33 CIDR block. You can select up to two vSwitches.

Important

We recommend that you select two vSwitches in different zones to improve the disaster recovery capability.

After you configure the parameters, click OK and wait until the dedicated endpoint is created.

image..png

You must configure one of the following features based on your business requirements before you can use the dedicated endpoint:

Grant the private network access permissions

On the Branding page, click the Network Access Endpoint tab. On the Network Access Endpoint tab, find the dedicated endpoint to which you want to grant the private network access permissions. Then, click Authorize Private Network Access.

image..png

Step 1: Obtain the access rules

In the Authorize Private Network Access dialog box, copy the value of the Authorization Object parameter. The value aggregates all dedicated private outbound IP addresses of the dedicated endpoint.

image..png

Step 2: Configure security group rules

Click Add to go to the Security Groups page of the Elastic Compute Service (ECS) console. On the Security Groups page, find and click the security group to which your server belongs to go to the details page of the security group.

Note

In this example, an AD domain server is used. You must select the security group to which the AD domain server belongs instead of the security group that is created by EIAM. For more information about the supported configuration methods, see the Access a dedicated private network section of this topic.

On the details page of the security group, click the Inbound tab on the Security Group Details tab and click Add Rule.

image..png

Configure the following parameters and save the configurations.

  • Action: Allow.

  • Priority: 1.

  • Protocol Type: Custom TCP.

  • Port Range: the range of the ports that you want to use. If you want to connect to an AD domain or LDAP server, we recommend that you enter 389 or 636.

  • Authorization Object: the private IP addresses that you copied in the previous step.

image..png

Step 3: Switch to the created dedicated endpoint

In this example, an AD domain server is used. Go to the IdPs page. Find your AD domain server and click Modify to modify the basic configurations.

image..png

In the Basic Configurations dialog box, select Dedicated Network Access Endpoint for the Network Access Endpoint parameter in the Network Configurations section. Then, select the dedicated endpoint for which you configured security group rules from the drop-down list.

Click OK. The system verifies the IDaaS EIAM instance. The system connects to the AD domain server by using the dedicated private outbound IP addresses of the dedicated endpoint, which correspond to the primary private IP address of the ENI. A maximum of two ENIs are allowed. If both ENIs can access the AD domain server, the verification is successful, and the configured dedicated endpoint is used. If one of the ENIs fails to access the AD domain server, the verification fails, and an error message appears.

Important

After the instance passes the verification, you can use the dedicated endpoint to access other servers. We recommend that you verify the instance in a test environment. After a paid instance is released upon expiration or unsubscription, the dedicated endpoint immediately becomes unavailable and is deleted the next day. If you want to use the shared endpoint or another dedicated endpoint, you must switch to the required endpoint. Before the dedicated endpoint is deleted, we recommend that you modify the network access whitelist of your service.

image..png

Configure a dedicated public outbound IP address

You can configure an Internet NAT gateway for an EIAM instance. This way, the EIAM instance can access the Internet by using a specific IP address.You can specify the IP address as the trusted IP address in WeCom to complete the verification for WeCom.

Step 1: View the VPC region of the dedicated endpoint

On the Branding page, click the Network Access Endpoint tab. On the Network Access Endpoint tab, find the dedicated endpoint that you want to use to access the Internet and view the VPC region.

image..png

Step 2: Associate the NAT gateway with an EIP

Log on to the VPC console. On the Internet NAT Gateway page, select an Internet NAT gateway that resides in the same region as the dedicated endpoint. Click Associate Now to associate the Internet NAT gateway with an EIP. If no Internet NAT gateway is available, create one.

image..png

You can select an existing EIP or purchase an EIP and then associate the NAT gateway with the EIP.

image..png

After the association is successful, configure SNAT entries for the NAT gateway. Then, the dedicated endpoint can access the Internet. For more information, see Create and manage SNAT entries.

On the Network Access Endpoint tab of the Branding page, click View next to Dedicated Outbound Public IP Address to view the dedicated public IP address.

image..png

Switch to the created dedicated endpoint

In this example, an AD domain server is used. Go to the IdPs page. Find your AD domain server and click Modify to modify the basic configurations.

image..png

In the Basic Configurations dialog box, select Dedicated Network Endpoint for the Network Access Endpoint parameter in the Network Configurations section. Then, select the dedicated endpoint for which you configured a dedicated public outbound IP address from the drop-down list.

Click OK. The system verifies the IDaaS EIAM instance. The system connects to the AD domain server by using the dedicated public outbound IP addresses of the dedicated endpoint, which correspond to the public IP addresses of the ENI and Internet NAT gateway. A maximum of two ENIs are allowed. If both ENIs can access the AD domain server, the verification is successful, and the configured dedicated endpoint is used. If one of the ENIs fails to access the AD domain server, the verification fails, and an error message appears.

You can click View next to Dedicated Public Outbound IP Address to view the gateway IP address of the dedicated endpoint.

Important

After the instance passes the verification, you can use the dedicated endpoint to access other servers. We recommend that you verify the instance in a test environment. After a paid instance is released upon expiration or unsubscription, the dedicated endpoint immediately becomes unavailable and is deleted the next day. If you want to use the shared endpoint or another dedicated endpoint, you must switch to the required endpoint. Before the dedicated endpoint is deleted, we recommend that you modify the network access whitelist of your service.

image..png

Modify a dedicated endpoint

You can modify only the display name of a dedicated endpoint. If you want to modify other settings, you must delete the dedicated endpoint and create a dedicated endpoint based on your business requirements.

image..png

Delete a dedicated endpoint

A dedicated endpoint can be deleted in one of the following ways:

  • If no modules such as IdPs and applications in an instance use the dedicated endpoint, an administrator can manually delete the dedicated endpoint.

  • If a paid instance is released upon expiration or unsubscription, IDaaS automatically deletes the dedicated endpoint.

After a dedicated endpoint is deleted, IDaaS releases the following resources created by IDaaS within your account:

  • ENIs

  • Managed security groups

After a dedicated endpoint is deleted, the resources and data of the dedicated endpoint cannot be restored. The dedicated endpoint becomes unavailable after it is deleted. If you want to delete the AliyunServiceRoleForEiam service-linked role, you must delete all IDaaS EIAM instances.

Important

If you want to use a shared endpoint or another dedicated endpoint after you delete a dedicated endpoint, you must switch to the required endpoint on the IdPs or Applications page. Before the dedicated endpoint is deleted, we recommend that you modify the network access whitelist of your service.