doc-exports/docs/iam/umn/iam_08_0254.html
Wei, Hongmin d48c6004e4 IAM UMN 20240116 Version
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: Wei, Hongmin <weihongmin1@huawei.com>
Co-committed-by: Wei, Hongmin <weihongmin1@huawei.com>
2024-09-09 12:18:24 +00:00

Overview of IAM User SSO via SAML

The cloud platform supports identity federation with Security Assertion Markup Language (SAML), which is an open standard that many identity providers (IdPs) use. During identity federation, the cloud platform functions as a service provider (SP) and enterprises function as IdPs. SAML-based federation enables single sign-on (SSO), so employees in your enterprise can log in to the cloud platform as IAM users.

This section describes how to configure identity federation and how identity federation works.

Ensure that your enterprise IdP supports SAML 2.0.

Configuring Identity Federation

The following describes how to configure your enterprise IdP and the cloud platform to trust each other.

Figure 1 Configuration of IAM user SSO via SAML
  1. Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.
    Figure 2 Exchanging metadata files
  2. Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
  3. Configure an external identity ID: Establish a mapping between an IAM user and an enterprise user. When your enterprise IdP establishes SSO access to the cloud platform, the enterprise user can log in to the cloud platform as the IAM user with the specified external identity ID. For example, if an enterprise user IdP_Test_User is mapped to the IAM user Alice, the enterprise user IdP_Test_User will log in to the cloud platform as the IAM user Alice.
    Figure 3 Mapping external identities to IAM users
  4. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
  5. (Optional) Configure a federated login entry: Configure the login link (see Figure 4) in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
    Figure 4 SSO login model

How Identity Federation Works

Figure 5 shows the identity federation process between an enterprise management system and the cloud platform.

Figure 5 How identity federation works

To inspect the requests and assertions exchanged during this process more easily, you are advised to use Google Chrome and install SAML Message Decoder.

As shown in Figure 5, the process of identity federation is as follows:
  1. A user opens, in the browser, the login link generated after the IdP is created. The browser sends an SSO request to the cloud platform.
  2. The cloud platform authenticates the user against the metadata file of the enterprise IdP, constructs a SAML request, and sends it to the browser.
  3. The browser forwards the SAML request to the enterprise IdP.
  4. The user enters their username and password on the login page. After the enterprise IdP authenticates the user's identity, it constructs a SAML assertion containing the user details and sends the assertion to the browser as a SAML response.
  5. The browser responds and forwards the SAML response to the cloud platform.
  6. The cloud platform parses the assertion in the SAML response, identifies the IAM user group mapped to the user based on the identity conversion rules, and issues a token to the user.
  7. The SSO login is successful.

The assertion must carry a signature; otherwise, the login will fail.
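
When a federated login fails, the signature requirement above can be checked on a response captured in step 5. The following Python is an added example, not part of the platform documentation: it assumes the HTTP-POST binding (a base64 `SAMLResponse` form value), the function names and sample values are constructed for illustration, and it checks structure only, without verifying the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_saml_response(b64_response: str) -> dict:
    """Structural pre-check of a captured SAMLResponse value (no crypto verification)."""
    xml_bytes = base64.b64decode(b64_response)
    # SAML messages never need a DTD; refuse one rather than hand it to the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found in SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    # The signature must be a direct child of the Assertion, not only of the Response.
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    ref_uri = ref.get("URI") if ref is not None else None
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "assertion_signed": sig is not None,
        # The signed reference should point at this Assertion's own ID.
        "signature_covers_assertion": ref_uri == "#" + assertion.get("ID", ""),
    }

def sample_response(signed: bool) -> str:
    # Constructed sample: IDs and issuer are illustrative, digest and signature values omitted.
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
           '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>') if signed else ""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
           '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.com</saml:Issuer>'
           f'{sig}<saml:Subject><saml:NameID>IdP_Test_User</saml:NameID></saml:Subject>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for signed in (True, False):
        print(signed, inspect_saml_response(sample_response(signed)))
```

A result with `assertion_signed` set to `False` points to the enterprise IdP signing only the response, or nothing at all, which is fixed in the IdP's signing settings.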