You can plan user groups based on user responsibilities and grant the required permissions to the user groups. Users inherit permissions from the user groups to which they belong.
-Procedure
- In the navigation pane, choose User Groups.
- On the User Groups page, click Create User Group.
- Enter a user group name.
- (Optional) Enter a description for the user group.
To enable users to directly view their permissions, set a description for the user group. For example, if you assign the Security Administrator role to a user group, you can set any description in the Description text box. For example: Security Administrator: Permissions for creating, deleting, and modifying users as well as granting permissions to users. For details about the permissions for all cloud services, see Permissions
+Procedure
- In the navigation pane, choose User Groups.
- On the User Groups page, click Create User Group.
- Enter a user group name.
- (Optional) Enter a description for the user group.
To enable users to directly view their permissions, set a description for the user group. For example, if you assign the Security Administrator role to a user group, you can set any description in the Description text box. For example: Security Administrator: Permissions for creating, deleting, and modifying users as well as granting permissions to users. For details about the permissions for all cloud services, see Permissions.
- Click OK.
The user group is displayed in the user group list.
- - In the row containing the user group, click Manage Permissions.
- On the Permissions tab page, click Assign Permissions above the permission list.
- Specify the authorization scope. If you select Region-specific projects, select one or more projects in the drop-down list.
- Global service project: Services deployed without specifying physical regions are called global services, such as Object Storage Service (OBS), Content Delivery Network (CDN), and Tag Management Service (TMS). Permissions for these services must be assigned in the global service project.
- Region-specific projects: Services deployed in specific regions are called project-level services. Permissions for these services need to be assigned in region-specific projects and take effect only for the corresponding regions. If you want the permissions to take effect for all regions, grant them in all these regions.
- Select policies and click OK.
- In the row containing the user group, click Authorize in the Operation column.
- On the Authorize User Group page, select the permissions to be assigned to the user group. You can also click Go to Old Edition to use the old version for authorization.
If the system-defined policies do not meet your requirements, you can click Create Policy in the upper right to create custom policies for fine-grained permissions control. For details, see Creating a Custom Policy.
+Figure 1 Selecting permissions+
- Click Next.
- Specify the scope. The system automatically recommends an authorization scope for the permissions you selected. Table 1 describes all the authorization scopes provided by IAM.
+
+
+Table 1 Authorization scopes Scope
+Description
+All resources
+IAM users can use the resources in all region-specific projects and the global services in your account based on the assigned permissions.
+Region-specific projects
+IAM users can use the resources in the region-specific projects you select based on the assigned permissions.
+If some of the selected permissions belong to global services, the system automatically sets the authorization scope of these permissions to All resources. Selected permissions for project-level services will apply to the region-specific projects you select.
+Global services
+IAM users can use global services based on the assigned permissions. Global services are deployed with no physical regions specified. IAM users do not need to specify a region when accessing these services, such as Object Storage Service (OBS) and Content Delivery Network (CDN).
+If some of the selected permissions belong to project-level services, the system automatically sets the authorization scope of these permissions to All resources. Selected permissions for global services will apply to the global services.
+- Click OK.
+ + \ No newline at end of file diff --git a/docs/iam/umn/en-us_topic_0046611300.html b/docs/iam/umn/en-us_topic_0046611300.html index 672f8b0a..f1e62d45 100644 --- a/docs/iam/umn/en-us_topic_0046611300.html +++ b/docs/iam/umn/en-us_topic_0046611300.html @@ -2,16 +2,57 @@-Parent topic: User and User Group Management+Parent topic: User Groups and AuthorizationChange History
-Table 1 Change history Released On
+Table 1 Change history Released On
What's New
2022-11-21
+2023-07-20
+This release incorporates the following changes:
+- Modified content in Creating a Security Administrator.
- Modified content in Creating a User Group and Assigning Permissions.
- Modified the structure and content in section Identity Providers.
2023-07-10
+This release incorporates the following change:
+Added content in Table 1.
+2023-05-26
+This release incorporates the following changes:
+- Deleted the description of the enterprise project.
- Added Table 1.
- Modified the URL of "Permission."
- Modified content in Logging In as an IAM User.
- Modified content in Changing the Login Password of an IAM User.
- Modified content in Viewing and Modifying User Information.
- Modified content in Security Settings Overview.
- Modified content in Assigning Dependency Roles.
- Modified content in Revoking Permissions of a User Group.
2023-04-04
+This release incorporates the following changes:
+- Added section Delegating Resource Access to Another Account.
- Added section Deleting or Modifying Agencies.
- Added section Table 1.
- Modified content in sections Creating an Agency (by a Delegating Party), (Optional) Assigning Permissions to an IAM User (by a Delegated Party), Switching Roles (by a Delegated Party), and Cloud Service Delegation.
- Modified content in section Table 1.
2023-02-21
+This release incorporates the following changes:
+Adjusted the structure of sections IAM Users, User Groups and Authorization, Security Settings, and Projects.
+Added section Logging In as an IAM User.
+Added section Deleting an IAM User.
+Added section Changing the Login Password of an IAM User.
+Added section Adding Users to or Removing Users from a User Group.
+Added section Deleting a User Group.
+Added section Revoking Permissions of a User Group.
+Added section Assigning Dependency Roles.
+Added section Roles.
+Modified content in section Assigning Permissions to an IAM User.
+Modified content in section Creating a User Group and Assigning Permissions.
+Modified content in section Basic Concepts.
+2022-11-21
This release incorporates the following changes:
-- Added section OpenID Connect–based Federated Identity Authentication.
- Optimized section SAML-based Federated Identity Authentication.
- Added section Virtual User SSO via OpenID Connect.
- Optimized section Virtual User SSO via SAML.
2022-10-21
@@ -22,13 +63,13 @@2020-12-30
This release incorporates the following changes:
-- Added the login failure event in IAM Operations That Can Be Recorded by CTS.
- Added descriptions about the characters types that a password must contain in Account Settings.
- Added the login failure event in IAM Operations That Can Be Recorded by CTS.
- Added descriptions about character types included in a password in section 3.5 "Account Settings."
2020-11-09
This release incorporates the following changes:
-Updated Creating a User Group and Assigning Permissions, Managing Projects, Creating a User Group, Viewing and Modifying User Group Information, Creating an Agency (by a Delegating Party), and Assigning Permissions to a User (by a Delegated Party) based on changes to the user group and agency management pages.
+Updated Creating a User Group and Assigning Permissions, Projects, Creating a User Group and Assigning Permissions, Viewing and Modifying User Group Information, Creating an Agency (by a Delegating Party), and (Optional) Assigning Permissions to an IAM User (by a Delegated Party) based on changes to the user group and agency management pages.
2020-07-21
@@ -58,13 +99,13 @@2019-03-12
This release incorporates the following changes:
-- Modified descriptions in sections Fine-Grained Policies and Creating a Custom Policy.
- Added a screenshot and modified descriptions in section Policy Syntax.
- Modified descriptions in sections Basic Concepts and Creating a Custom Policy.
- Added a screenshot and modified descriptions in section Policy Syntax.
2019-02-26
This release incorporates the following change:
-Added section Assigning Permissions to a User (by a Delegated Party).
+Added section (Optional) Assigning Permissions to an IAM User (by a Delegated Party).
2018-11-22
@@ -88,7 +129,7 @@2018-08-30
This release incorporates the following changes:
-Added the description about Session Timeout Policy in Account Settings.
+Added descriptions about session timeout settings in section 3.5 "Account Settings."
2018-08-10
@@ -100,7 +141,7 @@2018-07-30
This release incorporates the following changes:
-Added section Fine-Grained Policy Management.
+Added section Permissions.
2018-06-29
@@ -118,13 +159,13 @@2018-03-30
This release incorporates the following changes:
-Added the description for ACL validation conditions in Account Settings.
+Added descriptions about conditions for an ACL to take effect in section 3.5 "Account Settings."
2018-01-30
This release incorporates the following changes:
-- Added the immediate project deletion function in Managing Projects.
- Added a note for the "Refined permission management" table in IAM Features.
- Added the immediate project deletion function in Projects.
- Added a note for the "Refined permission management" table in IAM Features.
2018-01-18
@@ -148,34 +189,34 @@2017-09-15
This release incorporates the following changes:
-- Added the following content in Managing Projects:
- Relationship between users and projects
- Method of enabling Cloud Trace Service (CTS)
- A notice that the resources in a project will also be deleted if the project is deleted
- Naming conventions of a project name
- Modified descriptions about entering the login password and verification code during project deletion in Managing Projects.
- Added the following content in Projects:
- Relationship between users and projects
- Method of enabling Cloud Trace Service (CTS)
- A notice that the resources in a project will also be deleted if the project is deleted
- Naming conventions of a project name
- Modified descriptions about entering the login password and verification code during project deletion in Projects.
2017-08-29
This release incorporates the following changes:
-Made the following changes in Managing Projects:
+Made the following changes in Projects:
- Changed the number of projects that can be created in a region by default from 2 to 10.
- Deleted the description for the method of creating a project.
2017-08-22
This release incorporates the following changes:
-Added the following content in Managing Projects:
+Added the following content in Projects:
- Method of applying for a higher quota
- Authorizing projects
- A note that a project cannot be deleted once it is created
2017-07-27
This release incorporates the following changes:
-- Added the description for the CTS Administrator permission.
- Added the description for automatically extracting metadata and manually configuring metadata in Step 1: Create an Identity Provider.
- Added the description for the CTS Administrator permission.
- Added the description for automatically extracting metadata and manually configuring metadata in Step 1: Create an IdP Entity.
2017-05-26
This release incorporates the following changes:
-Added section Establishing a Trust Relationship.
+Added Step 1: Create an IdP Entity.
2017-05-05
@@ -187,7 +228,7 @@2017-04-27
This release incorporates the following changes:
-- Added section Creating an Agency (by a Delegating Party).
- Added section Assigning Permissions to a User (by a Delegated Party).
- Added section Creating an Agency (by a Delegating Party).
- Added section (Optional) Assigning Permissions to an IAM User (by a Delegated Party).
2017-03-30
@@ -229,14 +270,14 @@2016-09-30
This release incorporates the following changes:
-- Added the following sections:
- Permission Description
- Creating a User
- Step 1: Create an Identity Provider
- Step 2: Configure Identity Conversion Rules
- Added the following sections:
- Permission Description
- Creating a User
- Step 1: Create an IdP Entity
- Step 3: Configure Identity Conversion Rules
- Deleted the API key description.
2016-08-25
This release incorporates the following changes:
-Added section Account Settings.
+Added section 3.5 "Account Settings."
2016-03-14
diff --git a/docs/iam/umn/en-us_topic_0046611303.html b/docs/iam/umn/en-us_topic_0046611303.html index 8f7e89eb..42dd6c20 100644 --- a/docs/iam/umn/en-us_topic_0046611303.html +++ b/docs/iam/umn/en-us_topic_0046611303.html @@ -1,7 +1,7 @@Creating a User
-If you need to share resources in your account to other users, you can create users by using the console or by calling an API, and set security credentials and required permissions for the users. The users can then access the cloud system through the management console or by calling APIs.
+If you need to share resources in your account to other users, you can create users by using the console or by calling an API, and set security credentials and required permissions for the users. The users can then access the cloud platform through the management console or by calling APIs.
Procedure
- In the navigation pane, choose Users.
- On the Users page, click Create User.
- Specify the user information on the Create User page. To create more users, click Add User. You can create a maximum of 10 users at a time.@@ -47,7 +53,7 @@
Parameter
Username
Username that will be used to log in to the cloud system. This field is required.
+Username that will be used to log in to the cloud platform. This field is required.
Email Address
@@ -29,6 +29,12 @@Additional information about the user. This field is optional.
External Identity ID
+Identity of an enterprise user in IAM user SSO.
+This parameter (no more than 128 characters) is mandatory for IAM user SSO. For details, see IAM User SSO via SAML.
+
--
If you select this option, after the user is created, you can download the access key (AK/SK) generated for the user. The user can use the access key to access the cloud system through APIs. Each user can have a maximum of two access keys.
+If you select this option, after the user is created, you can download the access key (AK/SK) generated for the user. The user can use the access key to access the cloud platform through APIs. Each user can have a maximum of two access keys.
Management console access
@@ -93,12 +99,12 @@ - For security purposes, select only one access type for each user.
- Programmatic access: Users can access cloud services using development tools (including APIs, CLI, and SDKs) that support key authentication. This access type is recommended for developers.
- Management console access: Users can log in to the management console using their own usernames and passwords.
- Users can log in to the cloud system using the username, mobile number, or email address.
- If users forget their password, they can reset it through email address or mobile number verification. If no email address or mobile number has been bound to users, users need to contact the administrator to reset their password.
- After you set the access type for IAM users, you cannot change it later. However, you can control their access by enabling or disabling their accounts.
- Users can log in to the cloud platform using the username, mobile number, or email address.
- If users forget their password, they can reset it through email address or mobile number verification. If no email address or mobile number has been bound to users, users need to contact the administrator to reset their password.
- After you set the access type for IAM users, you cannot change it later. However, you can control their access by enabling or disabling their accounts.
- (Optional) Click Next and add the user to one or more user groups.
- The user will inherit the permissions assigned to the user groups to which the user belongs.
- You can also create new groups as required.
- - If a user will be an administrator, add the user to the default group admin.
- You can enter a keyword to quickly find the target user group.
- You can add a user to multiple user groups.
- Click Create.
@@ -107,7 +113,7 @@If you have specified the access type as Programmatic access, you can download the access key on the Finish page.
+- Click Create.
If you have specified the access type as Programmatic access, download the access key on the Finish page.
diff --git a/docs/iam/umn/en-us_topic_0046611308.html b/docs/iam/umn/en-us_topic_0046611308.html index 1130bb9d..5edc888e 100644 --- a/docs/iam/umn/en-us_topic_0046611308.html +++ b/docs/iam/umn/en-us_topic_0046611308.html @@ -1,29 +1,26 @@ --Parent topic: User and User Group Management+Parent topic: IAM UsersAccount Settings
-+ + + +Users with Security Administrator permissions can configure a login authentication policy, password policy, and ACL to keep your user information and system secure.
--Procedure
- Set the login authentication policy.
- In the navigation pane, choose Security Settings > Login Authentication Policy.
- In the Account Lockout area, enter the idle duration, maximum number of invalid login attempts, and lockout duration.
If the number of login attempts reaches the specified upper limit within the specified duration, the user will be locked for a period of time. For example, if a user fails to log in for 3 consecutive times within 10 minutes, the user will be locked for 15 minutes. The user can log in again after 15 minutes.
- - In the Account Disabling area, select Disable account upon login if it is not used within the validity period, and set the user validity period. If the user does not access the cloud system through the management console or APIs within the validity period, the user will be disabled.
The account disabling setting is for security purposes. If a user is disabled, resources in the account will not be affected and the user can contact the administrator to enable the user again.
- - In the Session Timeout area, set the session timeout that will apply if you or users created using your account do not perform any operations within a specific period. The timeout ranges from 15 minutes to 24 hours, and the default value is 15 minutes. If a user does not perform any operation within the specified duration, the user needs to log in again.
- In the Recent Login Information area, select Display last login information upon successful login.
Users will be able to view the login information, such as the time of the last login, on the Login Verification page.
- - In the Custom Information area, set custom information that will be displayed upon successful login.
Users will be able to view this custom information on the Login Verification page.
- - Click Save.
- Set the password policy.
- In the navigation pane, choose Security Settings > Password Policy.
- In the Password Composition & Reuse area, do as follows:
- Ensure that the password contains at least 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.
- Set Minimum Number of Characters.-
By default, a password must contain at least 6 characters.
- - Select Restrict consecutive identical characters and set the maximum number of consecutive identical characters that can be contained in a password. The value ranges from 1 to 32.
- Select Disallow previously used passwords and set the number of recent passwords disallowed. The value ranges from 1 to 10.
- In the Password Expiration area, select Prompt password change 15 days before expiration and force password change upon expiration, and set the password validity period.
Users must change their password when the password has expired.
-- The password must meet the following requirements:-- Must contain 6 to 32 characters.
- Must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters (~`!?,.:;-_'"(){}[]/<>@#$%^&*+|\= and spaces).
- Cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.
- Cannot contain the user's mobile number or email address.
- In the Minimum Password Age area, select Allow a password to be changed only after it is used for a specified time and set the minimum password age.
Users can change their password only when the specified period has expired.
- - Click Save.
- Set the ACL.
- In the navigation pane, choose Security Settings > ACL.
- On the ACL page, enter the allowed IP address ranges or IPv4 CIDR blocks.
- IP Address Ranges: only allow users to access the system using IP addresses in specified ranges.
- IPv4 CIDR Blocks: only allow users of specified IPv4 CIDR blocks to access the system. For example: 10.10.10.10/32.
- - The ACL takes effect only for users under your account.
- You can click Restore Defaults to restore the allowed IP address ranges to the default value, 0.0.0.0-255.255.255.255, and to clear IPv4 CIDR Blocks.
- If both IP Address Ranges and IPv4 CIDR Blocks are set, users are allowed to access the system if their IP address meets the conditions specified by either of the two parameters.
- Click Save.
Security Settings
++-
+
- Security Settings Overview
+
+ - Basic Information
+
+ - Critical Operation Protection
+
+ - Login Authentication Policy
+
+ - Password Policy
+
+ - ACL
+
+
diff --git a/docs/iam/umn/en-us_topic_0046613147.html b/docs/iam/umn/en-us_topic_0046613147.html index 010c2378..d9395726 100644 --- a/docs/iam/umn/en-us_topic_0046613147.html +++ b/docs/iam/umn/en-us_topic_0046613147.html @@ -1,41 +1,31 @@Parent topic: User GuideCreating an Agency (by a Delegating Party)
-By creating an agency, you can share your resources with another account or a cloud service (such as ECS), or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password and access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.
-Procedure
- In the navigation pane, choose Agencies.
- On the Agencies page, click Create Agency.
- Specify the agency name and type.
-
+Table 1 Agency types Agency Type
-Description
-Account
-Share resources with another account or delegate an individual or team to manage your resources.
-Cloud service
-Delegate a specific service to access or maintain your data. For example, you can create an agency to delegate ECS to call data maintenance or monitoring APIs with an access key.
-By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password and access keys) with the delegated party. Instead, the delegated party can log in with its own account credentials and then switches the role to your account and manage your resources.
+-Prerequisites
Before creating an agency, complete the following operations:
+- Understand the basic concepts of permissions.
- Determine the permissions to be assigned to the agency, and check whether the permissions have dependencies. For more details, see Assigning Dependency Roles.
- If you set Agency Type to Account, enter the domain name of an account to which you want to delegate resource access in Delegated Account.
- If you set Agency Type to Cloud service, click Select and select a cloud service.
- Set the validity period and enter a description about the agency.
- In the Permissions area, click Assign Permissions above the permission list. Then attach policies to the agency and click OK.
For details about the permissions for all cloud services, see Permissions.
+-Procedure
- Log in to the .
- On the IAM console, choose Agencies from the navigation pane, and click Create Agency in the upper right corner.Figure 1 Creating an agency+
- Enter an agency name.Figure 2 Setting the agency name+
- Specify the agency type as Account, and enter the name of a delegated account.+
- Account: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.
- Cloud service: Delegate a specific service to access other services. For more information, see Cloud Service Delegation.
- Set the validity period and enter a description for the agency.
- Click Next.
- Select the policies or roles to be attached to the agency, click Next, and select the authorization scope.+
- Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see Assigning Permissions to an IAM User.
- Agencies cannot be assigned the Security Administrator role. For account security, grant permissions required to agencies based on the principle of least privilege.
- Click OK.-
After creating an agency, provide your domain name, agency name, agency ID, and agency permissions to the delegated party. The delegated party can then switch the role to your account and manage specific resources based on the assigned permissions.
- Click OK.
The agency is displayed in the agency list. The delegated account can manage resources in your account by switching the role.
Follow-up Operation
- In the agency list, click Modify in the row that contains the target agency to change the agency type, delegated account, validity period, description, and permissions.
- In the agency list, click Delete to delete the agency.
- Cloud service agencies cannot be modified.
-+ + \ No newline at end of file diff --git a/docs/iam/umn/en-us_topic_0046613148.html b/docs/iam/umn/en-us_topic_0046613148.html index 9e2c76b5..0b660a9d 100644 --- a/docs/iam/umn/en-us_topic_0046613148.html +++ b/docs/iam/umn/en-us_topic_0046613148.html @@ -1,19 +1,22 @@-Parent topic: Agency Management+Parent topic: Account DelegationSwitching Roles (by a Delegated Party)
-When an account establishes a trust relationship between itself and your account, you become a delegated party. You and all the users you have authorized can switch to the delegating account and manage resources under the account based on assigned permissions.
-Prerequisites
- A trust relationship has been established between another account and your account.
- You have obtained the name of the delegating account and the agency name.
When an account establishes a trust relationship with your account, you become a delegated party. You and all the users you have authorized can switch to the delegating account and manage resources under the account based on assigned permissions.
+-Prerequisites
- A trust relationship has been established between your account and another account.
- You have obtained the delegating account name and agency name.
Procedure
- Log in to the system as the user created in 3 of Assigning Permissions to a User (by a Delegated Party).
The user created in 3 of Assigning Permissions to a User (by a Delegated Party) can switch roles to manage resources for the delegating party.
+Procedure
- Log in to the management console using your account or log in as the IAM user created in 2.-
The IAM user created in 2 of (Optional) Assigning Permissions to an IAM User (by a Delegated Party) can switch roles to manage resources for the delegating party.
- Point to the domain name in the upper right corner of the page and choose Switch Role.
- On the Switch Role page, enter the domain name of the delegating party. +
If an agency other than the agencies created by the delegating party is displayed, it indicates that you do not have access permissions. Select the correct agency in the Agency Name drop-down list.
+- Hover the mouse pointer over the username in the upper right corner and choose Switch Role.
- On the Switch Role page, enter the domain name of the delegating party.
+- After you enter the domain name, the agencies created under this account will be automatically displayed after you click the agency name text box. Select an authorized one from the drop-down list.
- Click OK to switch to the delegating account.
+- Click OK to switch to the delegating account.
+Follow-Up Procedure
To return to your own account, hover the mouse pointer over the username in the upper right corner, choose Switch Role, and select your account.
diff --git a/docs/iam/umn/en-us_topic_0046661675.html b/docs/iam/umn/en-us_topic_0046661675.html index 08b5b604..e625ae3e 100644 --- a/docs/iam/umn/en-us_topic_0046661675.html +++ b/docs/iam/umn/en-us_topic_0046661675.html @@ -1,72 +1,33 @@-Parent topic: Agency Management+Parent topic: Account DelegationViewing and Modifying User Information
-As an administrator, you can view and modify the basic information, user groups, and logs of each user. In addition, you can change the groups to which a user belongs if the user's responsibilities have changed, or modify the login credentials of a user if the user forgets their password or access key.
-Viewing User Information
In the user list, view the detailed information about a user, including the basic information, user groups, and logs.
+You can modify the user information, including the status, access type, description, external identity ID, and belonged user group.
+If the job responsibilities of a user are changed, you can change the groups to which the user belongs to modify the user permissions. You can also change the virtual MFA device and access keys of the user by choosing More > Security Settings in the row containing the target user. If a user forgot their password or access keys, you can modify the login credentials of the user.
+-As an administrator, you can modify the basic information about an IAM user, change the security settings of the user and the groups to which the user belongs, and view or delete the assigned permissions. To view or modify user information, click Security Settings in the row containing the IAM user.
+To adjust the item columns displayed on the list, click
. The Username and Operation columns are displayed by default, and the Status column cannot be removed. You can also select Description, Last Login, Created, Access Type, Virtual MFA Device, Password Age, and Access Key (Status, Age, and AK).Modifying User Information
Click Modify in the Operation column of the row that contains the target user.- Status: A user is enabled by default after being created. You can change the status of a user to Disabled if you will no longer use it.
- Login Authentication
- Virtual MFA device: Change the login authentication mode to virtual MFA device only if the user has been bound to an MFA device. The user needs to enter an MFA verification code during login.
- SMS: Change the login authentication mode to SMS only if the user has been bound to a mobile number. The user needs to enter an SMS verification code during login.
- Email: Change the login authentication mode to email only if the user has been bound to an email address. The user needs to enter an email verification code during login.
- Email Address, Mobile Number, and Description
- Virtual MFA Device: Bind an MFA device to or unbind an MFA device from the user.
- User Groups: Add the user to or remove the user from one or more user groups. -
You can enter a keyword to quickly find the target user group.
++Basic Information
You can modify the basic information of IAM users, but cannot modify the basic information of your account. The username, user ID, and creation time can be viewed but cannot be modified.
+- Status: New IAM users are enabled by default. You can set Status to Disabled to disable an IAM user. A disabled user is no longer able to log in to the cloud platform through the management console or programmatic access.
- Access Type: You can change the access type of the IAM user.+
- Pay attention to the following when you set the access type for an IAM user:
- If you intend to enable the user to access cloud services only by using the management console, select Management console access.
- If you intend to enable the user to access cloud services only by using programmatic access, select Programmatic access.
- If the user needs to use a password as the credential for programmatic access to certain APIs, select Programmatic access.
- If the user needs to perform access key verification when using certain services in the console, select both Programmatic access and Management console access.
- If the access type of the user is Programmatic access or both Programmatic access and Management console access, deselecting Programmatic access will restrict the user's access to cloud services. Exercise caution when performing this operation.
- Pay attention to the following when you set the access type for an IAM user:
- Description: You can modify the description of the IAM user.
- External Identity ID: Identifies an enterprise user in federated login using SSO.
+User Groups
An IAM user inherits permissions from the groups to which the user belongs. You can change the permissions assigned for an IAM user by changing the groups to which the user belongs. To modify the permissions of a user group, see Viewing and Modifying User Group Information.
+Your account belongs to the default group admin, which cannot be changed.
+- Click Add to User Groups, and select one or more groups to which the user will belong. The user then inherits permissions of these groups.
- Click Remove on the right of a user group and click Yes. The user no longer has the permissions assigned to the group.
-Security Settings
As an administrator, you can modify the MFA device, login credential, login protection, and access keys of an IAM user on this page. If you are an IAM user and need to change your mobile number, email address, or virtual MFA device, see Security Settings.
+- MFA Authentication: You can change the multi-factor authentication (MFA) settings of an IAM user on the Security Settings page.
- Change the mobile number or email address of the user.+
The mobile number and email address of the IAM user cannot be the same as those of your account or other IAM users.
+ - Remove the MFA device from the user. For more information about MFA authentication and virtual MFA device, see MFA Authentication and Virtual MFA Device.
- Change the mobile number or email address of the user.
Setting User Credentials
In the user list, click Set Credentials in the Operation column of the row that contains the target user to change the password or manage access keys. ---
-Credential Type
-Generation Method
-Description
-Application Scenario
-Password
-Set by user
-The user can set a password by clicking on the one-time login URL sent over email.
-Resetting the password of a user who has been associated with an email address and needs to use the password to log in to the management console.
-Automatically generated
-The system automatically generates a 10-character password.
-NOTE:-You can download the password after clicking OK when the user is created.
-Resetting the password of a user who uses a development tool (such as APIs, CLI, and SDK) that supports password authentication to access the cloud system.
-Set now
-Set password for the user.
-Setting a password for a user.
-Access key
-Created by a user or security administrator
-Create or delete access keys in the Access Keys area.
-NOTE:-Each user can have a maximum of two access keys, which are valid for 360 days. To ensure account security, keep the access keys properly.
-Creating or deleting access keys of users who access the cloud system using access keys.
-- Password Reset: If you select Automatically generated or Set now, you can choose whether to require password reset when the user logs in. For security purposes, do not deselect this option.
- Login Credentials: You can change the login password of the IAM user. For more information, see Changing the Login Password of an IAM User.
- Login Protection: You can change the login verification method of the IAM user. Three verification methods are available: virtual MFA device, SMS, and email.
This option is disabled by default. If you enable this option, the user will need to enter a verification code in addition to the username and password when logging in to the console.
+ - Access Keys: You can manage access keys of the IAM user.
diff --git a/docs/iam/umn/en-us_topic_0059870089.html b/docs/iam/umn/en-us_topic_0059870089.html index 038713f0..fa1ab5e1 100644 --- a/docs/iam/umn/en-us_topic_0059870089.html +++ b/docs/iam/umn/en-us_topic_0059870089.html @@ -1,14 +1,18 @@ --Parent topic: User and User Group Management+Parent topic: IAM UsersFederated Identity Authentication
+Identity Providers
- Introduction
- - SAML-based Federated Identity Authentication
+ - Application Scenarios of Virtual User SSO and IAM User SSO
- - OpenID Connect–based Federated Identity Authentication
+ - Virtual User SSO via SAML
+
+ - IAM User SSO via SAML
+
+ - Virtual User SSO via OpenID Connect
- Syntax of Identity Conversion Rules
diff --git a/docs/iam/umn/en-us_topic_0066738518.html b/docs/iam/umn/en-us_topic_0066738518.html
index 7747fae0..5eccc77c 100644
--- a/docs/iam/umn/en-us_topic_0066738518.html
+++ b/docs/iam/umn/en-us_topic_0066738518.html
@@ -1,6 +1,6 @@
- - In the navigation pane, choose Projects.
- On the Projects page, click Create Project.
- On the Create Project page, select a region from the Region drop-down list.
- Set Project Name.@@ -8,7 +8,7 @@
- The project name format is Region Name_Project Name. Region Name cannot be modified.
- The project name can only contain letters, digits, hyphens (-), and underscores (_). The length of Region Name_Project Name cannot exceed 64 characters.
- Viewing project details
- View the projects of the corresponding region in the project list.
- Click View in the Operation column of the row that contains the target project.
View project details and the users bound to the project.
After you add a user to a user group that has been granted permissions for a specific project, the user inherits permissions of the group and is associated with the project. The user can switch to this project to access resources in it.
@@ -33,7 +33,7 @@diff --git a/docs/iam/umn/en-us_topic_0079496985.html b/docs/iam/umn/en-us_topic_0079496985.html index c931ba25..6000aee0 100644 --- a/docs/iam/umn/en-us_topic_0079496985.html +++ b/docs/iam/umn/en-us_topic_0079496985.html @@ -1,25 +1,21 @@ --Parent topic: User and User Group Management+Parent topic: User GuideManaging Users and Permissions
-As a security administrator, you can grant permissions to a user group and add users to it. The users inherit the permissions of the user group and can access the cloud system based on assigned permissions.
-- Create projects in a region to isolate resources.Figure 1 Project isolating model- -
- Plan user groups according to user responsibilities and grant the required permissions to the user groups.Figure 2 User group authorization model- -
- Create users and add them to the corresponding user groups.Figure 3 User authorization model- -
- Log in as the users and access the cloud system based on assigned permissions.
Assigning Permissions to an IAM User
+IAM users created without being added to any groups do not have permissions. You can assign permissions to these IAM users on the IAM console. After authorization, the users can use cloud resources in your account as specified by their permissions.
+An IAM user obtains permissions from the user groups to which the user belongs. After you attach policies or roles to a group and add a user to the group, the user inherits the permissions defined by the policies or roles.
+- If you do not add an IAM user to any group, the user will not have permissions for accessing any cloud services. For details on how to assign permissions to an IAM user, see Creating a User Group and Assigning Permissions and Adding Users to or Removing Users from a User Group.
- If you have been added to the default group admin, you have administrator permissions and you can perform all operations on all cloud services.
- For the system-defined permissions of all cloud services supported by IAM, see "Permissions".
- If you add a user to multiple user groups, the user inherits the permissions that are assigned to all the groups.
Procedure
- In the user list, click Authorize in the row that contains the target user.
- On the Authorize User page, select an authorization mode and permissions.
- Inherit permissions from user groups: Add the IAM user to certain groups to inherit their permissions.
If you select this option, select the user groups to which the user will belong.
+ - Select permissions: Directly assign specific permissions to the IAM user
If you select this option, select the permissions to be assigned and click Next in the lower right corner to select the authorization scope.
+
+ - If you add an IAM user to the default group admin, the user becomes an administrator and can perform all operations on all cloud services.
- If you add a user to multiple user groups, the user inherits the permissions that are assigned to all the groups.
- For the system-defined permissions of all cloud services supported by IAM, see Permissions.
- Inherit permissions from user groups: Add the IAM user to certain groups to inherit their permissions.
- Click OK.
You can go to the Permissions > Authorization page and view or modify the permissions of the IAM user.
+
- - \ No newline at end of file diff --git a/docs/iam/umn/en-us_topic_0079496986.html b/docs/iam/umn/en-us_topic_0079496986.html index 9c6f7f8a..301b075f 100644 --- a/docs/iam/umn/en-us_topic_0079496986.html +++ b/docs/iam/umn/en-us_topic_0079496986.html @@ -1,16 +1,14 @@ --Parent topic: User and User Group Management+Parent topic: IAM UsersAgency Management
+Agencies
diff --git a/docs/iam/umn/en-us_topic_0079497018.html b/docs/iam/umn/en-us_topic_0079497018.html index 8d187037..205917be 100644 --- a/docs/iam/umn/en-us_topic_0079497018.html +++ b/docs/iam/umn/en-us_topic_0079497018.html @@ -8,7 +8,7 @@diff --git a/docs/iam/umn/en-us_topic_0079620340.html b/docs/iam/umn/en-us_topic_0079620340.html index 832b31ba..9dfb33bc 100644 --- a/docs/iam/umn/en-us_topic_0079620340.html +++ b/docs/iam/umn/en-us_topic_0079620340.html @@ -278,7 +278,7 @@-Parent topic: User and User Group Management+Parent topic: IAM Usersdiff --git a/docs/iam/umn/en-us_topic_0079620341.html b/docs/iam/umn/en-us_topic_0079620341.html index fbabc7c8..906eed34 100644 --- a/docs/iam/umn/en-us_topic_0079620341.html +++ b/docs/iam/umn/en-us_topic_0079620341.html @@ -1,33 +1,86 @@-Parent topic: Federated Identity Authentication+Parent topic: Identity ProvidersIntroduction
-If you have an identity authentication system, you do not need to create new users in the service provider system. Instead, you can configure federated identity authentication to allow users in your identity authentication system to access cloud resources through SSO.
-The cloud system supports two types of federated identity authentication:
-- Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the system using browsers.
- API calling: Development tools (such as OpenStack Client) are used as the communication media. This authentication type enables enterprise users and common users to access the system by calling APIs.
Users in your enterprise can choose SP-initiated or IdP-initiated federated identity authentication for API calling depending on your identity provider system.
-
Without Federated Identity Authentication
- SSO not supported
Users authenticated by the identity provider of an enterprise management system cannot access the cloud system.
-Figure 1 User authentication model (1)- +
The cloud platform provides identity federation based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise management system to access through single sign-on (SSO).
+-Basic Concepts
- Identity Provider (IdP)
An IdP collects and stores user identity information, such as usernames and passwords, and authenticates users during login. For identity federation between an enterprise and the cloud platform, the identity authentication system of the enterprise is an identity provider and is also called "enterprise IdP". Popular third-party IdPs include Microsoft Active Directory Federation Services (AD FS) and Shibboleth.
+ - Service Provider (SP)
A service provider establishes a trust relationship between an IdP and itself, and uses the user information provided by the IdP to provide services. For identity federation between an enterprise and the cloud platform, the cloud platform is a service provider.
+ - Identity federation
Identity federation is a process in which a trust relationship is established between an IdP and SP to implement SSO.
+ - Single sign-on (SSO)
SSO is an access type that allows users to access a trusted SP after logging in to the enterprise IdP. For example, after a trust relationship is established between an enterprise management system and the cloud platform, users in the enterprise management system can use their existing accounts and passwords to access the cloud platform through the login link in the enterprise management system. The cloud platform supports two SSO types: virtual user and IAM user.
+ - SAML 2.0
SAML 2.0 is an XML-based protocol that uses securityTokens containing assertions to pass information about an end user between an IdP and an SP. It is an open standard ratified by the Organization for the Advancement of Structured Information Standards (OASIS) and is being used by many IdPs. For more information about this standard, see SAML 2.0 Technical Overview. The cloud platform implements identity federation in compliance with SAML 2.0. To successfully federate existing users to the cloud platform, ensure that your enterprise IdP is compatible with this protocol.
+ - OpenID Connect
OpenID Connect is a simple identity layer on top of the Open Authorization 2.0 (OAuth 2.0) protocol. IAM implements identity federation in compliance with OpenID Connect 1.0. To successfully federate existing users to the cloud platform, ensure that your enterprise IdP is compatible with this protocol.
+ - OAuth 2.0
OAuth 2.0 is an open authorization protocol. The authorization framework of this protocol allows third-party applications to obtain access permissions.
- Complex user management
The enterprise administrator has to create users in both the enterprise management system and the cloud system.
- - Complex user operations
Users have to use different accounts to log in to the enterprise management system and cloud system.
-Figure 2 User login model (1)-
With Federated Identity Authentication
- SSO supported
Users authenticated by the identity provider can access the cloud system through SSO.
-Figure 3 User authentication model (2)- +
-Advantages of Identity Federation
- Easy identity management
As an administrator, you only need to create accounts for your employees in your enterprise management system. The employees can use their own accounts to access both the enterprise management system and the cloud platform.
+ - Simplified operations
Employees can log in to the cloud platform from the enterprise management system.
+Figure 1 Advantages of identity federation
- Simplified user management
The enterprise administrator does not need to create users in the cloud system.
- - Easy user operations
Users can access the cloud system through the enterprise management system.
-Figure 4 User login model (2)+
+SSO Type
IAM supports two SSO types: virtual user and IAM user. For details about how to choose an SSO type, see Application Scenarios of Virtual User SSO and IAM User SSO.
+- Virtual user
After a federated user logs in to the cloud platform, the system automatically creates a virtual user and grants access permissions to the virtual user based on the configured identity conversion rules.
+ - IAM user
After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user.
Currently, IAM supports two federated login methods: browser-based SSO (web SSO) and SSO via API calling.
+- Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the cloud platform using browsers.
- SSO via API calling: Enterprise employees call APIs using development tools (such as OpenStack Client and ShibbolethECP Client) to access the cloud platform.
+
+Table 1 Federated logins SSO Type
+Supported Protocols
+Web SSO
+API Calling
+IdP-initiated
+SP-initiated
+Multiple IdPs
+Virtual user
+SAML 2.0 and OpenID Connect
+Supported
+Supported
+Supported
+Supported
+Supported
+IAM user
+SAML 2.0
+Supported
+Supported
+Supported
+Supported
+Not supported
+Precautions
- Ensure that your enterprise IdP server and the cloud platform use Greenwich Mean Time (GMT) time in the same time zone.
- The identity information (such as email address or mobile number) of federated users is stored in the enterprise IdP. Federated users are mapped to the cloud platform as virtual identities, so their access to the cloud platform has the following restrictions:
- Federated users do not need to perform a 2-step verification when performing critical operations even though critical operation protection (login protection or operation protection) is enabled.
- Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and securityTokens) using user or agency tokens.
If a federated user needs an access key with unlimited validity, the user can contact the account administrator or an IAM user to create one. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.
+
- Virtual user
- Easy identity management
diff --git a/docs/iam/umn/en-us_topic_0080335069.html b/docs/iam/umn/en-us_topic_0080335069.html index a399622b..b696a63b 100644 --- a/docs/iam/umn/en-us_topic_0080335069.html +++ b/docs/iam/umn/en-us_topic_0080335069.html @@ -6,7 +6,7 @@-Parent topic: Federated Identity Authentication+Parent topic: Identity Providersdiff --git a/docs/iam/umn/en-us_topic_0085605493.html b/docs/iam/umn/en-us_topic_0085605493.html index 10e401ef..47a1765f 100644 --- a/docs/iam/umn/en-us_topic_0085605493.html +++ b/docs/iam/umn/en-us_topic_0085605493.html @@ -3,7 +3,7 @@-Parent topic: User and User Group Management+Parent topic: IAM UsersViewing and Modifying User Group Information
As a security administrator, you can view and modify the basic information, permissions, and users of a user group. You can modify users' permissions by changing the groups to which the users belong.
Procedure
- In the navigation pane, choose User Groups.
- In the user group list, view or modify user group information.
- Viewing user group information
In the user group list, click
-
next to the target user group to view its details, including the basic information, permissions, and users. - Modifying user group informationClick Modify in the Operation column of the row that contains the target user group to go to the Modify User Group page.
- For the default user group, you can only manage its users and cannot modify its basic information or permissions.
- If the name of a user group has been configured in the identity conversion rules of an identity provider, modifying the user group name will cause the identity conversion rules to fail. Exercise caution when performing this operation.
- Modifying user group information
Click Modify in the Operation column of the row that contains the target user group to go to the Modify User Group page. - For the default user group, you can only manage its users and cannot modify its basic information or permissions.
- If the name of a user group has been configured in the identity conversion rules of an IdP, modifying the user group name will cause the identity conversion rules to fail. Exercise caution when performing this operation.
- Modifying user group permissions
You can assign new permissions to or cancel the existing permissions of a user group in the policy view or project view.- Changing the authorization scope in the policy view
- Choose User Groups in the navigation pane, and click Manage Permissions in the row containing the user group you want to modify. On the Permissions tab page, select Policy View.
- Click Change Project on the right of a policy.
- On the Change Project page, select or deselect desired projects.
- Click OK.
diff --git a/docs/iam/umn/iam_01_0012.html b/docs/iam/umn/iam_01_0012.html index 69ea32ba..e98b9088 100644 --- a/docs/iam/umn/iam_01_0012.html +++ b/docs/iam/umn/iam_01_0012.html @@ -1,357 +1,518 @@-Parent topic: User and User Group Management+Parent topic: User Groups and AuthorizationIAM Operations That Can Be Recorded by CTS
-Table 1 lists Identity and Access Management (IAM) operations that can be recorded by Cloud Trace Service (CTS).
+Table 1 lists Identity and Access Management (IAM) operations that can be recorded by Cloud Trace Service (CTS).
-@@ -47,7 +53,7 @@Table 1 IAM operations that can be recorded by CTS Operation
+@@ -78,7 +84,7 @@Table 1 IAM operations that can be recorded by CTS Operation
Resource Type
+Resource Type
Trace Name
+Trace Name
Obtaining a token
+Login
token
+user
createTokenByPwd
+login
Obtaining a token
+Login failure
token
+user
createTokenByHwAccessKey
+loginfailed
Obtaining a token
+Logout
token
+user
createTokenByToken
+logout
Obtaining a token
+Changing the password at first login (by an IAM user)
token
+user
createTokenByAssumeRole
+changePassword
Login
+QR code login
user
+user
login
+scanQRCodeLogin
Login failure
+QR code login failure
user
+user
loginFailed
+scanQRCodeLoginFailed
Logout
+OIDC login
user
+user
logout
+oidcLoginSuccess
Changing the password
+OIDC login failure
user
+user
changePassword
+oidcLoginFailed
Creating a user
+SSO login
user
+user
createUser
+iamUserSsoLoginSuccess
Modifying user information
+SSO login failure
user
+user
updateUser
+iamUserSsoLoginFailed
Deleting a user
+Creating a user
user
+user
deleteUser
+createUser
Changing the password
+Modifying a user
user
+user
updateUserPwd
+updateUser
Creating an access key (AK/SK)
+Deleting a user
user
+user
addCredential
+deleteUser
Deleting an access key (AK/SK)
+Creating an access key (AK/SK)
user
+user
deleteCredential
+createCredential
Changing the email address
+Deleting an access key (AK/SK)
user
+user
modifyUserEmail
+deleteCredential
Changing the mobile number
+Changing the password
user
+user
modifyUserMobile
+updateUserPwd
Changing the password
+Successful login using cached information as a federated user
user
+user
modifyUserPassword
+federationLoginNoPwdSuccess
Uploading a profile picture
+Login failed using cached information as a federated user
user
+user
modifyUserPicture
+federationLoginNoPwdFailed
Changing the password of a user (by the administrator)
+Creating a user group
user
+userGroup
setPasswordByAdmin
+createGroup
Creating a user group
+Updating a user group
userGroup
+userGroup
createUserGroup
+updateGroup
Updating a user group
+Deleting a user group
userGroup
+userGroup
updateUserGroup
+deleteGroup
Deleting a user group
+Adding a user to a user group
userGroup
+userGroup
deleteUserGroup
+addUserToGroup
Adding a user to a user group
+Removing a user from a user group
userGroup
+userGroup
addUserToGroup
+removeUserFromGroup
Removing a user from a user group
+Unbinding a virtual MFA device
userGroup
+MFA
removeUserFromGroup
+UnBindMFA
Creating a project
+Binding a virtual MFA device
project
+MFA
createProject
+BindMFA
Modifying project information
+Creating a project
project
+project
updateProject
+createProject
Changing project status
+Deleting a project
project
+project
updateProjectStatus
+deleteProject
Creating an agency
+Modifying project information
agency
+project
createAgency
+updateProject
Modifying an agency
+Granting permissions to an agency based on project information
agency
+roleAgencyProject
updateAgency
+assignRoleToAgencyOnProject
Deleting an agency
+Canceling permissions of an agency based on project information
agency
+roleAgencyProject
deleteAgency
+unassignRoleToAgencyOnProject
Switching the role
+Creating an agency
user
+agency
switchRole
+createAgency
Registering an identity provider
+Modifying an agency
identityProvider
+agency
createIdentityProvider
+updateAgency
Updating an identity provider
+Deleting an agency
identityProvider
+agency
updateIdentityProvider
+deleteAgency
Deleting an identity provider
+Switching an agency
identityProvider
+agency
deleteIdentityProvider
+switchRole
Registering a mapping
+Registering an identity provider
mapping
+identityProvider
createMapping
+createIdentityProvider
Updating a mapping
+Updating an identity provider
mapping
+identityProvider
updateMapping
+updateIdentityProvider
Deleting a mapping
+Deleting an identity provider
mapping
+identityProvider
deleteMapping
+deleteIdentityProvider
Registering a protocol
+Updating the login authentication policy
protocol
+SecurityPolicy
createProtocol
+modifySecurityPolicy
Updating a protocol
+Updating the password policy
protocol
+SecurityPolicy
updateProtocol
+modifySecurityPolicy
Deleting a protocol
+Updating the ACL
protocol
+SecurityPolicy
deleteProtocol
+modifySecurityPolicy
Granting permissions to a user group under a domain
+Granting permissions to an agency for all projects
roleGroupDomain
+agency
assignRoleToGroupOnDomain
+updateAgencyInheritedGrants
Canceling permissions of a user group under a domain
+Removing permissions of an agency in all projects
roleGroupDomain
+agency
unassignRoleToGroupOnDomain
+deleteAgencyInheritedGrants
Granting permissions to a user group for a project
+Granting permissions to an agency for global services
roleGroupProject
+agency
assignRoleToGroupOnProject
+updateAgencyGrants
Delete permissions of a user group for a project
+Removing permissions of an agency for global services
roleGroupProject
+agency
unassignRoleToGroupOnProject
+deleteAgencyGrants
Updating the login authentication policy
+Granting permissions to a user group
domain
+assignment
updateSecurityPolicies
+createAssignment
Updating the password policy
+Removing permissions from a user group
domain
+assignment
updatePasswordPolicies
+deleteAssignment
Updating the ACL
+Registering a protocol for federated login
domain
+identityProvider
updateACLPolicies
+createProtocol
Binding a virtual MFA device
+Updating a protocol for federated login
MFA
+identityProvider
BindMFA
+updateProtocol
Unbinding a virtual MFA device
+Deleting a protocol for federated login
MFA
+identityProvider
UnBindMFA
+deleteProtocol
+Modifying the login protection configuration of an IAM user
+user
+modifyLoginProtect
+Importing a metadata file
+identityProvider
+metadataConfiguration
+Creating a virtual MFA device
+MFA
+createMFA
+Deleting a virtual MFA device
+MFA
+deleteMFA
+Creating an OpenID Connect identity provider
+identityProvider
+createOIDCConfiguration
+Modifying an OpenID Connect identity provider
+identityProvider
+updateOIDCConfiguration
+Changing the email address or mobile number
+user
+updateMobileAndEmail
+Updating user group permissions
+group
+updateGroupAssignsByRole
+Updating agency permissions
+agency
+updateAgencyAssignsByRole
+Creating a custom policy
+Policy
+createRole
+Updating a custom policy
+Policy
+updateRole
+Deleting a custom policy
+Policy
+deleteRole
+Granting permissions to an agency based on domain information
+roleAgencyDomain
+assignRoleToAgencyOnDomain
+Canceling permissions of an agency based on domain information
+roleAgencyDomain
+unassignRoleToAgencyOnDomain
+Successful initial login as a federated user
+user
+tenantLoginBySamlSuccess
+Registering a mapping
+mapping
+createMapping
+Updating a mapping
+mapping
+updateMapping
+Deleting a mapping
+mapping
+deleteMapping
+Registering a protocol
+protocol
+createProtocol
+Updating a protocol
+protocol
+updateProtocol
+Changing the mobile number using an email
+user
+changeMobileByEmail
+Changing the password using an email
+user
+updateUserPwdByEmail
+Modifying agency permissions on the console
+agency
+updateagenciesRolesByConsole
Fine-Grained Policy Management
+Permissions
-
-
- Fine-Grained Policies
+ - Basic Concepts
+
+ - Roles
- Policy Syntax
diff --git a/docs/iam/umn/iam_01_0016.html b/docs/iam/umn/iam_01_0016.html
index 3ba551ef..0fba3e0e 100644
--- a/docs/iam/umn/iam_01_0016.html
+++ b/docs/iam/umn/iam_01_0016.html
@@ -50,7 +50,7 @@
diff --git a/docs/iam/umn/iam_01_0017.html b/docs/iam/umn/iam_01_0017.html index 717bf9a6..82925bf7 100644 --- a/docs/iam/umn/iam_01_0017.html +++ b/docs/iam/umn/iam_01_0017.html @@ -149,7 +149,7 @@-Parent topic: Fine-Grained Policy Management+Parent topic: Permissionsdiff --git a/docs/iam/umn/iam_01_0023.html b/docs/iam/umn/iam_01_0023.html index 8ae054c3..3654093a 100644 --- a/docs/iam/umn/iam_01_0023.html +++ b/docs/iam/umn/iam_01_0023.html @@ -1,18 +1,18 @@-Parent topic: Fine-Grained Policy Management+Parent topic: PermissionsIdentity Management
-You can manage users in your account and their security credentials. In addition, you can configure federated identity authentication so that users in other systems can access the cloud system through SSO.
-Domain
A domain, also called an "account", is created upon successful registration with the cloud system. The domain has full access permissions for its cloud services and resources.
+You can manage users in your account and their security credentials. In addition, you can configure identity federation so that users in other systems can access the cloud platform through SSO.
+Domain
A domain, also called an "account", is created upon successful registration with the cloud platform. The domain has full access permissions for its cloud services and resources.
For security purposes, create a security administrator and grant them Security Administrator permissions to manage users and their permissions in your account.
-Figure 1 Account management module+
Figure 1 Account management model-User
You or other administrators can create users for employees, systems, or applications in IAM. The users can log in to the console or access APIs using their own identity credentials (passwords and access keys).
-Figure 2 Relationship between the account and users+
Figure 2 Relationship between an account and usersFederated User
Federated users access the cloud system through federated identity authentication.
+Federated User
Federated users access the cloud platform through identity federation.
After being authenticated by an identity provider (IdP), users can access resources in a service provider (SP) without needing re-authentication.
-- Identity provider: a system that authenticates user identities. In federated identity authentication, the identity authentication system of an enterprise, for example, the enterprise management system, is the identity provider.
- Service provider: a system that provides services.
Federated identity authentication allows users in an identity provider to access the cloud system by using the users' security credentials in the identity provider. IAM does not need to generate new security credentials for the users. In this way, SSO is implemented.
+- IdP: a system that authenticates user identities. In identity federation, the identity authentication system of an enterprise, for example, the enterprise management system, is the IdP.
- Service provider: a system that provides services.
Identity federation allows users in an IdP to access the cloud platform by using the users' security credentials in the IdP. IAM does not need to generate new security credentials for the users. In this way, SSO is implemented.
diff --git a/docs/iam/umn/iam_01_0027.html b/docs/iam/umn/iam_01_0027.html index 95f06c6b..7ac43d15 100644 --- a/docs/iam/umn/iam_01_0027.html +++ b/docs/iam/umn/iam_01_0027.html @@ -12,7 +12,7 @@diff --git a/docs/iam/umn/iam_01_0029.html b/docs/iam/umn/iam_01_0029.html index 031c3f6b..11363896 100644 --- a/docs/iam/umn/iam_01_0029.html +++ b/docs/iam/umn/iam_01_0029.html @@ -11,7 +11,7 @@- Creating a User and Adding the User to a User Group
-
- Logging In as a User
+- Logging In as an IAM User
Username
Username that will be used to log in to the cloud system, for example, Franklin. This field is required.
+Username that will be used to log in to the cloud platform, for example, Franklin. This field is required.
Email Address
@@ -29,6 +29,12 @@Additional information about the user. This field is optional.
External Identity ID
+Identity of an enterprise user in IAM user SSO.
+This parameter (no more than 128 characters) is mandatory for IAM user SSO. For details, see IAM User SSO via SAML
+- Programmatic access: Users can access cloud services using development tools (including APIs, CLI, and SDKs) that support key authentication. This access type is recommended for developers.
- Click Next to add the user to the admin user group.
- Click Create.
+- Click Next. A page is displayed for you to select a user group.
- Select the admin user group.
- Click Create.
diff --git a/docs/iam/umn/iam_01_0030.html b/docs/iam/umn/iam_01_0030.html index 8ed08093..db9b2f36 100644 --- a/docs/iam/umn/iam_01_0030.html +++ b/docs/iam/umn/iam_01_0030.html @@ -2,7 +2,7 @@Creating a User Group and Assigning Permissions
As a security administrator, you can create user groups and grant them permissions.
-Procedure
- Choose .
- In the navigation pane, choose User Groups.
- On the User Groups page, click Create User Group.
- Enter a user group name.
- (Optional) Enter a description for the user group.
To enable users to directly view their permissions, set a description for the user group. For example, if you assign the Security Administrator role to a user group, you can set any description in the Description text box. For example: Security Administrator: Permissions for creating, deleting, and modifying users as well as granting permissions to users. For details about the permissions for all cloud services, see Permissions
+Procedure
- Choose .
- In the navigation pane, choose User Groups.
- On the User Groups page, click Create User Group.
- Enter a user group name.
- (Optional) Enter a description for the user group.
To enable users to directly view their permissions, set a description for the user group. For example, if you assign the Security Administrator role to a user group, you can set any description in the Description text box. For example: Security Administrator: Permissions for creating, deleting, and modifying users as well as granting permissions to users. For details about the permissions for all cloud services, see Permission Description.
- Click OK.
The user group is displayed in the user group list.
- In the row containing the user group, click Manage Permissions.
- On the Permissions tab page, click Assign Permissions above the permission list.
- Specify the authorization scope. If you select Region-specific projects, select one or more projects in the drop-down list.
- Global service project: Services deployed without specifying physical regions are called global services, such as Object Storage Service (OBS), and Tag Management Service (TMS). Permissions for these services must be assigned in the global service project.
- Region-specific projects: Services deployed in specific regions are called project-level services. Permissions for these services need to be assigned in region-specific projects and take effect only for the corresponding regions. If you want the permissions to take effect for all regions, grant them in all these regions.
Username
Username that will be used to log in to the cloud system. This field is required.
+Username that will be used to log in to the cloud platform. This field is required.
Email Address
@@ -29,6 +29,12 @@Additional information about the user. This field is optional.
External Identity ID
+Identity of an enterprise user in IAM user SSO.
+This parameter (no more than 128 characters) is mandatory for IAM user SSO. For details, see IAM User SSO via SAML
+--
If you select this option, after the user is created, you can download the access key (AK/SK) generated for the user. The user can use the access key to access the cloud system through APIs. Each user can have a maximum of two access keys.
+If you select this option, after the user is created, you can download the access key (AK/SK) generated for the user. The user can use the access key to access the cloud platform through APIs. Each user can have a maximum of two access keys.
- Viewing user group information
- Identity Provider (IdP)
- Create projects in a region to isolate resources.
Managing Projects
+Projects
Projects are used to group and isolate OpenStack resources, including compute, storage, and network resources. A project can be a department or a project team. Resources in your account must be managed under projects. As a security administrator, you can access IAM, and create projects in a region to manage resources.
Procedure
Follow-Up Procedure
Assigning permissions for a specific project
-On the user group details page, click the Permissions tab, select Project View, click Modify Permissions in the row containing the target project, and then modify the permissions for this project. For details, see Creating a User Group.
+On the user group details page, click the Permissions tab, select Project View, click Modify Permissions in the row containing the target project, and then modify the permissions for this project. For details, see Creating a User Group and Assigning Permissions.
Related Operations
- Log in to the management console using your account or log in as the IAM user created in 2.
Management console access
diff --git a/docs/iam/umn/iam_01_0032.html b/docs/iam/umn/iam_01_0032.html index 9b49e97e..8bd3531c 100644 --- a/docs/iam/umn/iam_01_0032.html +++ b/docs/iam/umn/iam_01_0032.html @@ -1,8 +1,8 @@ -Logging In as a User
-You can log in to the cloud system as a user and access cloud services based on granted permissions.
-Context
Verify the information displayed on the Login Verification page during login if any of the following settings has been configured:- Recent Login Information: enabled on the Login Authentication Policy page
- Custom Information: set on the Login Authentication Policy page
- Login Authentication: enabled on the My Credentials page
Logging In as an IAM User
+You can log in to the cloud platform as an IAM user and access cloud services based on granted permissions.
+Background
If either of the following has been configured on Security Settings > Login Authentication Policy, you will see the Login Verification page after login:- Recent Login Information has been enabled.
- Custom Information has been configured.
Procedure
- On the Multitenant Login page, enter Domain name, Username/Email address/Mobile number, and Password, and click Log In.
- Domain Name is a username set in MyWorkplace. It is in the format "ICU + User ID + Contract instance number". ICU stands for identity for customer user.
- If this is your first login, change your initial password on the First Login page. To ensure account security, change your password periodically.
- Enter a verification code on the Login Verification page if login authentication has been enabled.
diff --git a/docs/iam/umn/iam_01_0054.html b/docs/iam/umn/iam_01_0054.html index 860b2f20..02611a47 100644 --- a/docs/iam/umn/iam_01_0054.html +++ b/docs/iam/umn/iam_01_0054.html @@ -1,26 +1,24 @@ --
-
- Auditing
+ - IAM Users
- - User and User Group Management
+ - User Groups and Authorization
- - Fine-Grained Policy Management
+ - Permissions
- - Account Settings
+ - Security Settings
- - Agency Management
+ - Projects
- - Federated Identity Authentication
+ - Agencies
+
+ - Identity Providers
- MFA Authentication and Virtual MFA Device
+ - Auditing
+
Delegating Resource Access to Another Account
-+ + + +Agency is a trust relationship between a delegating account and a delegated account. By creating an agency, you can grant permissions to another account or cloud service for resource management.
-This section uses account A and account B as an example to describe how to delegate an account to manage resources under another account.
-- Account A creates an agency to delegate resource access to account B.Figure 1 Creating an agency- -
- Account B grants user Randolph permissions for managing account A's resources.
- Create a user group (for example, Agency), and grant resource management permissions to the user group.
- Add user Randolph to user group Agency.
Figure 2 Delegating resource access-
- User Randolph of account B manages the resources in account A.
- Randolph logs in to the cloud system and switches the role to account A.
- Job switches to project A.
- Job manages the resources in account A based on assigned permissions.
Figure 3 Managing resources based on agency permissions-
Account Delegation
++- - \ No newline at end of file diff --git a/docs/iam/umn/iam_01_0063.html b/docs/iam/umn/iam_01_0063.html index 2699c982..1aa88480 100644 --- a/docs/iam/umn/iam_01_0063.html +++ b/docs/iam/umn/iam_01_0063.html @@ -1,12 +1,13 @@ --
+
- Delegating Resource Access to Another Account
+
+ - Creating an Agency (by a Delegating Party)
+
+ - (Optional) Assigning Permissions to an IAM User (by a Delegated Party)
+
+ - Switching Roles (by a Delegated Party)
+
+
-Parent topic: Agency Management+Parent topic: AgenciesAssigning Permissions to a User (by a Delegated Party)
-When a trust relationship is established between another account and your account, you become a delegated party and you can authorize a user to manage resources for the delegating party. If another account has created multiple agencies for you, you can authorize one or more users through custom policies to manage resources specified in all or specific agencies. Each user can only switch to the agency for which the user has been granted permissions.
-Prerequisites
- A trust relationship has been established between another account and your account.
- You have obtained the name of the delegating account and the name and ID of the created agency.
(Optional) Assigning Permissions to an IAM User (by a Delegated Party)
+When a trust relationship is established between your account and another account, you become a delegated party. By default, only your account and the members of the admin group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.
+You can authorize an IAM user to manage resources for all delegating parties, or authorize the user to manage resources for a specific delegating party.
+-Prerequisites
- A trust relationship has been established between your account and another account.
- You have obtained the name of the delegating account and the name and ID of the created agency.
Procedure
- Create a custom policy.
This step is used to create a policy containing permissions required to manage resources for a specific agency. If you want to authorize a user to manage resources for all agencies, go to 2.
+Procedure
- Create a user group and grant permissions to it.
- On the User Groups page, click Create User Group.
- Enter a user group name.
- Click OK.
- In the row containing the user group, click Authorize.
- Create a custom policy.-
This step is used to create a policy containing permissions required to manage resources for a specific agency. If you want to authorize an IAM user to manage resources for all agencies, go to 1.f.
- In the navigation pane, choose Policies.
- On the Policies page, click Create Custom Policy.
- Enter a policy name.
- Select Global services for Scope.
- Select JSON.
- In the Policy Content area, enter the following content:
{ +- On the Select Policy/Role page, click Create Policy in the upper right corner of the permission list.
- Enter a policy name.
- Select JSON for Policy View.
- In the Policy Content area, enter the following content:
{ "Version": "1.1", "Statement": [ { @@ -22,21 +23,22 @@ } ] }- -- Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from a delegating party. Do not make any other changes.
- For more information about fine-grained policies, see Fine-Grained Policy Management.
- - Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from a delegating party. Do not make any other changes.
- For more information about permissions, see Permissions.
- Click OK.
-- Create a user group and grant permissions to it.
- In the navigation pane, choose User Groups.
- On the User Groups page, click Create User Group.
- Enter a user group name.
- Click OK.
The user group is displayed in the user group list.
- - Click Manage Permissions in the Operation column of the row that contains the created user group.
- On the Permissions tab page, click Assign Permissions above the permission list.
- Specify the authorization scope. If you select Region-specific projects, select one or more projects in the drop-down list.
- Global service project: Services deployed without specifying physical regions are called global services, such as OBS, CDN, and TMS. Permissions for these services must be assigned in the global service project.
- Region-specific projects: Services deployed in specific regions are called project-level services. Permissions for these services need to be assigned in region-specific projects and take effect only for the corresponding regions. If you want the permissions to take effect for all regions, grant them in all these regions.
- Select the policy created in 1 or the Agent Operator role, and click OK. The authorization is completed.
- Create a user and add the user to the user group.
- In the navigation pane, choose Users.
- On the Users page, click Create User.
- Specify the user information, select an access type, and click Next.
- In the Available User Groups area, select the user group created in 2.
- Click Create.
- Click Next.
+- Select the policy created in the previous step or the Agent Operator role and click Next.
- Custom policy: Allows a user to manage resources only for a specific agency.
- Agent Operator role: Allows a user to manage resources for all agencies.
- Specify the authorization scope.
- Click OK.
+- Create an IAM user and add the user to the user group.
- On the Users page, click Create User.
- On the Create User page, enter a username.
- For the access type, select Management console access and Set by user.
- Enable login protection and click Next.
- Select the user group created in 1 and click Create.+
After the authorization is complete, the IAM user can switch to the account of the delegating party and manage specific resources under the account.
+
Follow-up Operation
Point to the delegating account in the upper right corner of the page and choose Switch Role to switch back to your account.
+Related Operations
The delegated account or the authorized IAM users can switch their roles to the delegating account to view and use its resources.
diff --git a/docs/iam/umn/iam_01_019.html b/docs/iam/umn/iam_01_019.html index 0b6eeca2..47daa5ba 100644 --- a/docs/iam/umn/iam_01_019.html +++ b/docs/iam/umn/iam_01_019.html @@ -1,13 +1,21 @@ --Parent topic: Agency Management+Parent topic: Account DelegationFine-Grained Policies
-A fine-grained policy is a set of permissions that define operations allowed to be performed on specific cloud services. A policy can contain multiple permission sets. After a policy is attached to a user group, users in the user group inherit the permissions of the policy. IAM implements fine-grained access control based on the permissions defined by policies.
-IAM supports two types of policies:
-- System-defined policies: define the common permissions preset in the cloud system, which are typically read-only or administrator permission for different cloud services such as ECS. System-defined policies can only be used for authorization and cannot be modified.
- Custom policies: created and managed by users to supplement system-defined policies.
Basic Concepts
++Permissions
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
++Permission Type
You can grant permissions by using roles and policies.+- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. There are only a limited number of roles for granting permissions to users. When using roles to grant permissions, you also need to assign dependency roles. Roles are not ideal for fine-grained authorization and least privilege access.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. For example, you can grant ECS users only the permissions required for managing a certain type of ECS resources.
IAM supports both system-defined policies and custom policies.
+
+System-Defined Policy
A system-defined policy defines the common actions of a cloud service. System-defined policies can be used to assign permissions to user groups, and they cannot be modified. For details about the system-defined policies of all cloud services, see "Permissions".
+If there are no system-defined policies for a specific service, it indicates that IAM does not support this service.
+diff --git a/docs/iam/umn/iam_01_0430.html b/docs/iam/umn/iam_01_0430.html new file mode 100644 index 00000000..e0e21a4d --- /dev/null +++ b/docs/iam/umn/iam_01_0430.html @@ -0,0 +1,19 @@ + + + + + +-Parent topic: Fine-Grained Policy Management+Parent topic: PermissionsDeleting a User Group
+++Procedure
To delete a user group, do the following:
+- Log in to the . In the navigation pane, choose User Groups.
- In the user group list, click Delete in the row that contains the user group to be deleted.
- In the displayed dialog box, click Yes.
+Batch Deleting User Groups
To delete multiple user groups at a time, do the following:
+- Log in to the . In the navigation pane, choose User Groups.
- In the user group list, select the user groups to be deleted and click Delete above the list.
- In the displayed dialog box, click Yes.
++ diff --git a/docs/iam/umn/iam_01_0552.html b/docs/iam/umn/iam_01_0552.html new file mode 100644 index 00000000..0b87079f --- /dev/null +++ b/docs/iam/umn/iam_01_0552.html @@ -0,0 +1,27 @@ + + +++Parent topic: User Groups and Authorization+Logging In as an IAM User
++You can log in to the console as an IAM user or obtain the IAM user login link from the administrator and then use the link to log in.
++Method 1: Logging In by Clicking IAM User Login
- On the login page, enter the domain name, username/email address/mobile number, and password.
- Domain name: The name of the account that was used to create the IAM user. You can obtain the domain name from the administrator.
- Username/Email address/Mobile number: The username, email address, or mobile number of the IAM user. You can obtain the username and password from the administrator.
- Password: The password of the IAM user.
- Click Log In.+
- If you have not been added to any group, you do not have permissions for accessing any cloud services. In this case, contact the administrator and request for required permissions (see Creating a User Group and Assigning Permissions and Adding Users to or Removing Users from a User Group).
- If you have been added to the default group admin, you have administrator permissions and you can perform all operations on all cloud services.
+Method 2: Logging In Using the IAM User Login Link
You can obtain the IAM user login link from the administrator and then log in using this link. When you visit the link, the system displays the login page and automatically populates the domain name. You only need to enter your username/email address/mobile number and password.
+- Obtain the IAM user login link from the administrator.Figure 1 IAM user login link+
- Paste the link into the address bar of a browser, press Enter, and enter the IAM username/email address/mobile number and password, and click Log In.
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_01_06.html b/docs/iam/umn/iam_01_06.html index ecc55ceb..b5835706 100644 --- a/docs/iam/umn/iam_01_06.html +++ b/docs/iam/umn/iam_01_06.html @@ -1,25 +1,25 @@ -++Parent topic: IAM Users+User and User Group Management
+IAM Users
-
-
- Managing Users and Permissions
-
- - Managing Projects
-
- - Creating a User Group
- - Creating a User
- - Switching Projects or Regions
+ - Assigning Permissions to an IAM User
+
+ - Logging In as an IAM User
- Viewing and Modifying User Information
- - Viewing and Modifying User Group Information
+ - Deleting an IAM User
+
+ - Changing the Login Password of an IAM User
- Modifying User Permissions
+ - Switching Projects or Regions
+
diff --git a/docs/iam/umn/iam_01_0600.html b/docs/iam/umn/iam_01_0600.html index 11d8746d..2c86549e 100644 --- a/docs/iam/umn/iam_01_0600.html +++ b/docs/iam/umn/iam_01_0600.html @@ -60,7 +60,7 @@- Currently, only certain cloud services (such as OBS) support resource-based authorization. For services that do not support this function, you cannot create custom policies containing resource types.
Using Only a Custom Policy
To grant a user permissions for accessing specific services, you can create a custom policy and attach only the custom policy to the group to which the user belongs.
+Using Only a Custom Policy
To grant permissions for accessing specific services, you can create a custom policy and attach only the custom policy to the group to which the user belongs.
- The following is an example policy that allows access only to ECS, EVS, VPC, Application Operations Management (AOM), and ELB.
{ "Version": "1.1", "Statement": [ @@ -122,7 +122,7 @@
diff --git a/docs/iam/umn/iam_01_0601.html b/docs/iam/umn/iam_01_0601.html new file mode 100644 index 00000000..b424be33 --- /dev/null +++ b/docs/iam/umn/iam_01_0601.html @@ -0,0 +1,98 @@ + + + + + +-Parent topic: Fine-Grained Policy Management+Parent topic: PermissionsRoles
++Roles are a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. IAM provides a limited number of roles for permissions management.
+Services on the cloud platform interwork with each other. Roles of some services take effect only if they are assigned along with roles of other services. For more information, see Assigning Dependency Roles.
++Role Content
When using roles to assign permissions, you can select a role and click
+
to view the details of the role. This section uses the DNS Administrator role as an example to describe the role content.{ + "Version": "1.0", + "Statement": [ + { + "Action": [ + "DNS:Zone:*", + "DNS:RecordSet:*", + "DNS:PTRRecord:*" + ], + "Effect": "Allow" + } + ], + "Depends": [ + { + "catalog": "BASE", + "display_name": "Tenant Guest" + }, + { + "catalog": "VPC", + "display_name": "VPC Administrator" + } + ] +}++Parameter Description
++
+Table 1 Parameter description Parameter
+Description
+Value
+Version
+Role version.
+1.0: indicates role-based access control.
+Statement
+Action
+Operations to be performed on the service.
+Format: "Service name:Resource type:Operation".
+DNS:Zone:*: Permissions for performing all operations on Domain Name Service (DNS) zones.
+Effect
+Determines whether to allow or deny the operations defined in the action.
+- Allow
- Deny
NOTE:+If a role grants both Allow and Deny effects for the same action, the Deny takes precedence.
+Depends
+catalog
+Name of the service to which a dependency role belongs.
+Service name. Example: BASE and VPC.
+display_name
+Name of the dependency role.
+Role name.
+NOTE:+When you assign the DNS Administrator role to a user group, you also need to assign the Tenant Guest and VPC Administrator roles to the group for the same project.
+For more information about dependencies, see "Permissions".
+++ diff --git a/docs/iam/umn/iam_01_0607.html b/docs/iam/umn/iam_01_0607.html new file mode 100644 index 00000000..aac7208a --- /dev/null +++ b/docs/iam/umn/iam_01_0607.html @@ -0,0 +1,29 @@ + + + + + +++Parent topic: Permissions+Password Policy
++The Password Policy tab of the Security Settings page provides the Password Composition & Reuse, Password Expiration, and Minimum Password Age settings.
+Only the administrator can configure the password policy, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.
+You can configure the password policy to ensure that IAM users create strong passwords and rotate them periodically. In the password policy, you can define password requirements, such as minimum password length, whether to allow consecutive identical characters in a password, and whether to allow previously used passwords.
++Password Composition & Reuse
- Ensure that the password contains 2 to 4 of the following character types: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.
- Set the minimum number of characters that a password must contain. The default value is 6 and the value range is from 6 to 32.
- (Optional) Enable the Restrict consecutive identical characters option and set the maximum number of times that a character is allowed to be consecutively present in a password. For example, value 1 indicates that consecutive identical characters are not allowed in a password.
- (Optional) Enable the Disallow previously used passwords option and set the number of previously used passwords that are not allowed. For example, value 3 indicates that the user cannot set the last three passwords that the user has previously used when setting a new password.
Changes to the password policy take effect the next time you or your IAM users change passwords. IAM users created later will also adhere to the updated password policy.
++Password Expiration
Set a validity period for passwords so that users need to change their passwords periodically. The users will be prompted to change their passwords 15 days before password expiration. Expired passwords cannot be used to log in to the cloud platform.
+This option is disabled by default. The validity period ranges from 1 to 180 days.
+The changes will take effect immediately for your account and all IAM users under your account.
++ After the password expires, users need to set a new password through the URL sent by email. The new password must be different from the old password.
++Minimum Password Age
To prevent password loss due to frequent password changes, you can set a minimum period after which users are allowed to make a password change.
+This option is disabled by default. If you enable this option, you can set a period from 0 to 1440 minutes.
+The changes will take effect immediately for your account and all IAM users under your account.
+++ diff --git a/docs/iam/umn/iam_01_0653.html b/docs/iam/umn/iam_01_0653.html new file mode 100644 index 00000000..ad55d311 --- /dev/null +++ b/docs/iam/umn/iam_01_0653.html @@ -0,0 +1,18 @@ + + + + + +++Parent topic: Security Settings+Changing the Login Password of an IAM User
++As an administrator, you can reset the password of an IAM user if the user has forgotten the password and no email address or mobile number has been bound to the user.
+To reset the login password of an IAM user, click Security Settings in the row containing the user, click
+
next to Login Password in the Login Credentials area, and select a password type.+ - You can reset the password of an IAM user on the Security Settings page.
- IAM users can change their passwords on the Basic Information tab.
- Set by user: A one-time login URL will be emailed to the user. The user can then click on the link to set a password.
- Automatically generated: A password will be automatically generated and then sent to the user by email.
- Set now: You set a new password and send the new password to the user.
++ diff --git a/docs/iam/umn/iam_01_0655.html b/docs/iam/umn/iam_01_0655.html new file mode 100644 index 00000000..c416fa86 --- /dev/null +++ b/docs/iam/umn/iam_01_0655.html @@ -0,0 +1,29 @@ + + + +++Parent topic: IAM Users+User Groups and Authorization
+ +++ +++ diff --git a/docs/iam/umn/iam_01_0657.html b/docs/iam/umn/iam_01_0657.html new file mode 100644 index 00000000..75e4d3ef --- /dev/null +++ b/docs/iam/umn/iam_01_0657.html @@ -0,0 +1,17 @@ + + + + + +-
+
- Creating a User Group and Assigning Permissions
+
+ - Adding Users to or Removing Users from a User Group
+
+ - Deleting a User Group
+
+ - Viewing and Modifying User Group Information
+
+ - Revoking Permissions of a User Group
+
+ - Assigning Dependency Roles
+
+
++Parent topic: User Guide+Assigning Dependency Roles
++Cloud services interwork with each other. Roles of some services take effect only if they are assigned along with roles of other services.
++Procedure
- Log in to the as the administrator.
- In the user group list, click Authorize in the row that contains the created user group.
- On the displayed page, search for a role in the search box in the upper right corner.
- Select the target role. The system automatically selects the dependency roles.
- Click next to the role to view the dependencies.
For example, the DNS Administrator role contains the Depends parameter which specifies the dependency roles. When you assign the DNS Administrator role to a user group, you also need to assign the Tenant Guest and VPC Administrator roles to the group for the same project.
+ - Click OK.
++ diff --git a/docs/iam/umn/iam_01_0703.html b/docs/iam/umn/iam_01_0703.html new file mode 100644 index 00000000..aae4fa7b --- /dev/null +++ b/docs/iam/umn/iam_01_0703.html @@ -0,0 +1,23 @@ + + + + + +++Parent topic: User Groups and Authorization+Basic Information
++As an account administrator, both you and your IAM users can manage basic information on this page.
++ - A mobile number or an email address can be bound only to one account or IAM user.
- Only one mobile number, email address, and virtual MFA can be bound to an account or IAM user.
+Changing the Login Password, Mobile Number, Virtual MFA Device, or Email Address
The methods for changing the login password, mobile number, virtual MFA device, and email address are similar. To change the login password, do as follows:
+- Go to the Security Settings page.
- Click the Basic Information tab, and click Change in the Login Password row.
- (Optional) Select email address or mobile number verification, and enter the verification code.+
If neither email address nor mobile number is bound, no verification is required.
+ - Enter the old password and new password, and enter the new password again.+
- The password cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.
- To prevent password cracking, the administrator can configure the password policy to define password requirements, such as minimum password length. For details, see Password Policy.
- Click OK.
++ diff --git a/docs/iam/umn/iam_01_0704.html b/docs/iam/umn/iam_01_0704.html new file mode 100644 index 00000000..f6239d56 --- /dev/null +++ b/docs/iam/umn/iam_01_0704.html @@ -0,0 +1,35 @@ + + + + + +++Parent topic: Security Settings+Login Authentication Policy
++The Login Authentication Policy tab of the Security Settings page provides the Session Timeout, Account Lockout, Recent Login Information, Recent Login Information, and Custom Information settings. These settings take effect for both your account and the IAM users created using the account.
+Only the administrator can configure the login authentication policy, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.
++Session Timeout
Set the session timeout that will apply if you or users created using your account do not perform any operations within a specific period.
+Figure 1 Session Timeout+
The timeout ranges from 15 minutes to 24 hours, and the default timeout is 1 hour.
++Account Lockout
Set a duration to lock users out if a specific number of unsuccessful login attempts has been reached within a certain period. You cannot unlock your own account or an IAM user's account. Wait until the lock time expires.
+Figure 2 Account Lockout+
The administrator can set the time for resetting the account lockout counter, maximum number of unsuccessful login attempts, and account lockout duration.
+- Time for resetting the account lockout counter: The value ranges from 15 to 60 minutes, and the default value is 15 minutes.
- Maximum number of unsuccessful login attempts: The value ranges from 3 to 10, and the default value is 5.
- Lockout duration: The value ranges from 15 to 30 minutes, and the default value is 15 minutes.
+Account Disabling
Set a validity period to disable IAM users if they have not accessed the cloud platform using the console or APIs within a certain period.
+This option is disabled by default. The validity period ranges from 1 to 240 days.
+If you enable this option, the setting will take effect only for IAM users created using your account. If an IAM user is disabled, the user can request the administrator to enable their account again.
++Recent Login Information
Configure whether you want the system to display the previous login information after you log in. If incorrect login information is displayed on the Login Verification page, change your password immediately.
+This option is disabled by default and can be enabled by the administrator.
++Custom Information
Set custom information that will be displayed upon successful login. For example, enter the word Welcome.
+No information is displayed by default, and the administrator can set custom information that will be displayed.
+You and all the IAM users created using your account will see the same information upon successful login.
+++ diff --git a/docs/iam/umn/iam_01_0730.html b/docs/iam/umn/iam_01_0730.html new file mode 100644 index 00000000..6e4d3d19 --- /dev/null +++ b/docs/iam/umn/iam_01_0730.html @@ -0,0 +1,33 @@ + + + + + +++Parent topic: Security Settings+Deleting or Modifying Agencies
+++Modifying an Agency
To modify the permissions, validity period, and description of an agency, click Modify in the row containing the agency you want to modify.
+Figure 1 Modifying an agency+
+ - You can change the cloud service, validity period, description, and permissions of cloud service agencies, but you cannot change the agency name and type.
- Modifying the permissions of cloud service agencies may affect the usage of certain functions of cloud services. Exercise caution when performing this operation.
+Deleting an Agency
To delete an agency, click Delete in the row containing the agency to be deleted and click Yes.
+Figure 2 Deleting an agency+
+Batch Deleting Agencies
To delete multiple agencies, select the agencies to be deleted in the list and click Delete above the list.
+Figure 3 Batch deleting agencies+
+ After you delete an agency, all permissions granted to the delegated accounts will be revoked.
+++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_02_0004.html b/docs/iam/umn/iam_02_0004.html new file mode 100644 index 00000000..f27868a2 --- /dev/null +++ b/docs/iam/umn/iam_02_0004.html @@ -0,0 +1,17 @@ + + +++Parent topic: Agencies+Deleting an IAM User
+++
After an IAM user is deleted, they can no longer log in and their username, password, access keys, and authorizations will be cleared and cannot be recovered.+- Make sure that the users to be deleted are no longer needed. If you are not sure, disable them rather than delete them so that they can be enabled if any service failures occur. To temporarily disable an IAM user, see Basic Information.
- To remove an IAM user from a user group, see Adding Users to or Removing Users from a User Group.
+Deleting an IAM User
- Log in to the IAM console. In the navigation pane, choose Users.
- Click Delete in the row containing the IAM user you want to delete, and click Yes.
+Batch Deleting IAM Users
- Log in to the IAM console. In the navigation pane, choose Users.
- In the user list, select the users to be deleted and click Delete above the user list.
- In the displayed dialog box, click Yes.
++ diff --git a/docs/iam/umn/iam_03_0002.html b/docs/iam/umn/iam_03_0002.html new file mode 100644 index 00000000..a2840b53 --- /dev/null +++ b/docs/iam/umn/iam_03_0002.html @@ -0,0 +1,18 @@ + + + + + +++Parent topic: IAM Users+Adding Users to or Removing Users from a User Group
++A user inherits permissions from the groups to which the user belongs. To change the permissions of a user, add the user to a new group or remove the user from an existing group.
++Adding Users to a User Group
- In the user group list, click Manage User in the row containing the target user group.
- In the Manage User dialog box, select the usernames to be added.
- Click OK.
+Removing Users from a User Group
- In the user group list, click Manage User in the row containing the target user group.
- In the Selected Users area, click x in the row containing the usernames to be removed and click OK.
++ diff --git a/docs/iam/umn/iam_03_0004.html b/docs/iam/umn/iam_03_0004.html new file mode 100644 index 00000000..de73cae5 --- /dev/null +++ b/docs/iam/umn/iam_03_0004.html @@ -0,0 +1,19 @@ + + + + + +++Parent topic: User Groups and Authorization+Revoking Permissions of a User Group
+++Procedure
To revoke a policy or role attached to a user group, do the following:
+- Log in to the . In the navigation pane, choose User Groups.
- Click the name of the user group to go to the group details page.
- On the Permissions tab, click Delete in the row that contains the role or policy you want to delete.
- In the displayed dialog box, click Yes.
+Batch Revoking Permissions of a User Group
To revoke multiple policies or roles attached to a user group, do as follows:
+- Log in to the . In the navigation pane, choose User Groups.
- Click the name of the user group to go to the group details page.
- On the Permissions page, select the roles or policies you want to delete and click Delete above the list.
- In the displayed dialog box, click Yes.
++ diff --git a/docs/iam/umn/iam_06_0001.html b/docs/iam/umn/iam_06_0001.html new file mode 100644 index 00000000..775f1e9e --- /dev/null +++ b/docs/iam/umn/iam_06_0001.html @@ -0,0 +1,28 @@ + + +++Parent topic: User Groups and Authorization+Delegating Resource Access to Another Account
++The agency function enables you to delegate another account to implement O&M on your resources based on assigned permissions.
++ You can delegate resource access only to accounts. The accounts can then delegate access to IAM users under them.
+The following is the procedure for delegating access to resources in one account to another account. Account A is the delegating party and account B is the delegated party.
+- Account A creates an agency in IAM to delegate resource access to account B.Figure 1 (Account A) Creating an agency+ +
- (Optional) Account B assigns permissions to an IAM user to manage specific resources for account A.
- Create a user group, and grant it permissions required to manage account A's resources.
- Create a user and add the user to the user group.
Figure 2 (Account B) Authorizing an IAM user to manage delegated resources+
- Account B or the authorized user manages account A's resources.
- Log in to account B's account and switch the role to account A.
- Switch to region A and manage account A's resources in this region.
Figure 3 (Account B) Switching the role+
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_06_0004.html b/docs/iam/umn/iam_06_0004.html new file mode 100644 index 00000000..4847288e --- /dev/null +++ b/docs/iam/umn/iam_06_0004.html @@ -0,0 +1,29 @@ + + + + + +++Parent topic: Account Delegation+Cloud Service Delegation
++Services on the cloud platform interwork with each other, and some cloud services are dependent on other services. To delegate a cloud service to access other services and perform resource O&M, create an agency for the service.
+IAM provides two methods to create a cloud service agency:
+- Creating a cloud service agency on the IAM console
Take an OBS agency as an example. The agency allows OBS to call cloud services, for example, to read monitoring data from AOM.
+ - Automatically creating a cloud service agency to use certain resources
The following takes Scalable File Service (SFS) as an example to describe the procedure for automatically creating a cloud service agency:
+- Go to the SFS console.
- On the Create File System page, enable static data encryption.
- A dialog box is displayed requesting you to confirm the creation of an SFS agency. After you click OK, the system automatically creates an SFS agency with KMS CMKFullAccess permissions for the current project. With the agency, SFS can obtain KMS keys for encrypting or decrypting file systems.
- You can view the agency in the agency list on the IAM console.
+Creating a Cloud Service Agency on the IAM Console
- Log in to the .
- On the IAM console, choose Agencies from the navigation pane, and click Create Agency.
- Enter an agency name.Figure 1 Cloud service agency name+
- Select the Cloud service agency type, and then select a service.
- Select a validity period.
- (Optional) Enter a description for the agency to facilitate identification.
- Click Next.
- Select the permissions to be assigned to the agency, click Next, and specify the authorization scope.
- Click OK.
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_07_0001.html b/docs/iam/umn/iam_07_0001.html new file mode 100644 index 00000000..cf3fea60 --- /dev/null +++ b/docs/iam/umn/iam_07_0001.html @@ -0,0 +1,55 @@ + + + + + +++Parent topic: Agencies+Security Settings Overview
++You can configure the account settings, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the Security Settings page. For details, see Basic Information, Critical Operation Protection, Login Authentication Policy, Password Policy, and ACL. This chapter describes how to access the Security Settings page and who is the intended audience.
++Intended Audience
Table 1 lists the intended audience of different functions provided on the Security Settings page and their access permissions for the functions.
+ ++
+Table 1 Intended audience Function
+Intended Audience
++ +IAM users: Full access
++ +- Administrator: Full access
- IAM users: No access
+ +- Administrator: Full access
- IAM users: Read-only access
+ +- Administrator: Full access
- IAM users: Read-only access
+ +- Administrator: Full access
- IAM users: No access
+Accessing the Security Settings Page
- Log in to the IAM console as an administrator.
- In the left navigation pane, choose Security Settings.
- You and all IAM users created using your account can access the Security Settings page from the management console.
- Log in to the IAM console.
- In the left navigation pane, choose Security Settings.
++ diff --git a/docs/iam/umn/iam_07_0002.html b/docs/iam/umn/iam_07_0002.html new file mode 100644 index 00000000..e811d55b --- /dev/null +++ b/docs/iam/umn/iam_07_0002.html @@ -0,0 +1,171 @@ + + + + + +++Parent topic: Security Settings+Critical Operation Protection
++Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.
++ Federated users do not need to verify their identity when performing critical operations.
++Virtual MFA Device
An MFA device generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP). MFA devices can be hardware- or software-based. Currently, only software-based virtual MFA devices are supported, and they are application programs running on smart devices such as mobile phones.
+This section describes how to bind a virtual MFA device. If you have installed another MFA application, add a user by following the on-screen prompts. For details about how to bind or remove a virtual MFA device, see MFA Authentication and Virtual MFA Device.
++ Before binding a virtual MFA device, ensure that you have installed an MFA application on your mobile device.
+- Go to the Security Settings page.
- Click the Critical Operations tab, and click Bind in the Virtual MFA Device row.
- Set up the MFA application by scanning the QR code or manually entering the secret key.
You can bind a virtual MFA device to your account by scanning the QR code or entering the secret key.
+- Scanning the QR code
Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Bind Virtual MFA Device page. Your account or IAM user is then added to the application.
+ - Manually entering the secret key
Open the MFA application on your mobile phone, and enter the secret key.
++ Your account is manually added using the time-based algorithm. Ensure that automatic time setting has been enabled on your mobile phone.
+
- Scanning the QR code
- View the verification codes on the MFA application. The code is automatically updated every 30 seconds.
- On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK.
+Login Protection
After login protection is enabled, you and IAM users created using your account will need to enter a verification code in addition to the username and password during login. Enable this function for account security.
+For the account, only the account administrator can enable login protection for it. For IAM users, both the account administrator and other administrators can enable this feature for the users.
+- (Administrator) Enabling login protection for an IAM user
To enable login protection for an IAM user, go to the Users page and choose More > Security Settings in the row that contains the IAM user. In the Login Protection area on the displayed Security Settings tab, click
+ next to Verification Method, and select a verification method from SMS, email, or virtual MFA device. - Enabling login protection for your account
To enable login protection, click the Critical Operations tab on the Security Settings page, click Enable next to Login Protection, select a verification method, enter the verification codes, and click OK.
+
+Operation Protection
- Enabling operation protection
After operation protection is enabled, you and IAM users created using your account need to enter a verification code when performing a critical operation, such as deleting an ECS. This function is enabled by default. To ensure resource security, keep it enabled.
+The verification is valid for 15 minutes and you do not need to be verified again when performing critical operations within the validity period.
+
- Go to the Security Settings page.
- On the Critical Operations tab, locate the Operation Protection row and click Enable.
- Select Enable and then select Self-verification or Verification by another person.
If you select Verification by another person, an identity verification is required to ensure that this verification method is available.
++- Self-verification: You or IAM users themselves perform verification when performing a critical operation.
- Verification by another person: The specified person completes verification when you or IAM users perform a critical operation. Only SMS and email verification are supported.
- Click OK.
- Disabling operation protection
If operation protection is disabled, you and IAM users created using your account do not need to enter a verification code when performing a critical operation.
+- Go to the Security Settings page.
- On the Critical Operations tab, locate the Operation Protection row and click Change.
- Select Disable and click OK.
- Enter a verification code.
- Self-verification: The administrator who wants to disable operation protection completes the verification. SMS, email, and virtual MFA verification are supported.
- Verification by another person: The specified person completes the verification. Only SMS and email verification are supported.
- Click OK.
+ - Each cloud service defines its own critical operations.
- When IAM users created using your account perform a critical operation, they will be prompted to choose a verification method from email, SMS, and virtual MFA device.
- If a user is only associated with a mobile number, only SMS verification is available.
- If a user is only associated with an email address, only email verification is available.
- If a user is not associated with an email address, mobile number, or virtual MFA device, the user will need to associate at least one of them before the user can perform any critical operations.
- You may not be able to receive email or SMS verification codes due to communication errors. In this case, you are advised to use a virtual MFA device for verification.
- If operation protection is enabled, IAM users need to enter verification codes when performing a critical operation. The verification codes are sent to the mobile number or email address bound to the IAM users.
+Access Key Management
- Enabling access key management
After access key management is enabled, only the administrator can create, enable, disable, or delete access keys of IAM users. This function is disabled by default. To ensure resource security, enable this function.
+To enable access key management, click the Critical Operations tab on the Security Settings page, and click
+
in the Access Key Management row. - Disabling access key management
After access key management is disabled, all IAM users can create, enable, disable, or delete their own access keys.
+To enable access key management, click the Critical Operations tab on the Security Settings page, and click
+
in the Access Key Management row.
+Information Self-Management
- Enabling information self-management
By default, information self-management is enabled, indicating that all IAM users can manage their own basic information (login password, mobile number, and email address). Determine whether to allow IAM users to manage their own information and what information they can modify.
+To enable information self-management, click the Critical Operations tab on the Security Settings page, and click Enable next to Information Self-Management. Select Enable, select the information types that IAM users can modify, and click OK.
+ - Disabling information self-management
After you disable information self-management, only administrators can manage their own basic information. If IAM users need to modify their login password, mobile number, or email address, they can contact the administrator. For details, see Viewing and Modifying User Group Information.
+To disable information self-management, click the Critical Operations tab on the Security Settings page, and click Change in the Information Self-Management row. In the displayed pane, select Disable and click OK.
+
+Critical Operations
The following tables list the critical operations defined by each cloud service.
+ ++
+Table 1 Critical operations defined by cloud services Service Type
+Service
+Critical Operation
+Compute
+ +Elastic Cloud Server (ECS)
+- Stopping, restarting, or deleting an ECS
- Resetting the password for logging in to an ECS
- Detaching a disk
- Unbinding an EIP
Bare Metal Server (BMS)
+- Stopping or restarting a BMS
- Resetting the BMS password
- Detaching a disk
- Unbinding an EIP
Auto Scaling (AS)
+Deleting an AS group
+Storage
+Object Storage Service (OBS)
+- Deleting a bucket
- Creating, editing, or deleting a bucket policy
- Configuring an object policy
- Creating, editing, or deleting a bucket ACL
- Configuring access logging
- Configuring URL validation
- Creating or editing a bucket inventory
Elastic Volume Service (EVS)
+Deleting an EVS disk
+Cloud Backup and Recovery (CBR)
+- Deleting a vault
- Deleting a backup
- Restoring a backup
- Deleting a policy
- Dissociating a resource
- Accepting a backup
Network
+Domain Name Service (DNS)
+- Modifying, disabling, or deleting a record set
Virtual Private Cloud (VPC)
+- Releasing or unbinding an EIP
- Deleting a VPC peering connection
- Security group operations
- Deleting an inbound or outbound rule
- Modifying an inbound or outbound rule
- Deleting inbound or outbound rules
Elastic Load Balance (ELB)
+- Classic load balancers
- Deleting a load balancer
- Deleting a listener
- Deleting a certificate
- Disabling a load balancer
- Shared load balancers
- Deleting a load balancer
- Deleting a listener
- Deleting a certificate
- Removing a backend server
- Unbinding an EIP
- Unbind a public or private IPv4 address
- Unbinding an IPv6 address
- Removing from IPv6 shared bandwidth
Elastic IP (EIP)
+- Deleting a shared bandwidth
- Releasing or unbinding an EIP
- Releasing or unbinding EIPs
Management & Deployment
+Identity and Access Management (IAM)
+- Disabling operation protection
- Disabling login protection
- Changing the mobile number
- Changing the email address
- Changing the login password
- Changing the login authentication method
- Deleting an IAM user
- Disabling an IAM user
- Deleting an agency
- Deleting a user group
- Deleting a policy
- Deleting permissions
- Creating an access key
- Deleting an access key
- Disabling an access key
- Deleting the project
- Modifying the status of access key management
Application
+Distributed Cache Service (DCS)
+- Resetting the password of a DCS instance
- Deleting a DCS instance
- Clearing DCS instance data
Database
+RDS for MySQL
+- Resetting the administrator password
- Deleting a DB instance
- Deleting a database backup
- Switching between primary and standby DB instances
- Changing the database port
- Deleting a database account
- Deleting a database
- Unbinding an EIP
- Downloading a full backup
Databases
+Document Database Service (DDS)
+- Resetting the password
- Restarting or deleting a DB instance
- Restarting a node
- Switching the primary and secondary nodes of a replica set
- Deleting a security group rule
- Enabling IP addresses of shard and config nodes
- Restoring the current DB instance from a backup
- Restoring an existing DB instance from a backup
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_07_0003.html b/docs/iam/umn/iam_07_0003.html new file mode 100644 index 00000000..69c09c21 --- /dev/null +++ b/docs/iam/umn/iam_07_0003.html @@ -0,0 +1,35 @@ + + + + + +++Parent topic: Security Settings+ACL
++The ACL tab of the Security Settings page provides the IP Address Ranges, IPv4 CIDR Blocks, and VPC Endpoints settings for allowing user access only from specified IP address ranges, IPv4 CIDR blocks, or VPC endpoints.
+Only the administrator can configure the ACL. If an IAM user needs to configure the ACL, the user can request the administrator to perform the configuration or grant the required permissions.
+Access type:+- Console Access (recommended): The ACL takes effect only for IAM users who are created using your account and have access to the console.
- API Access: The ACL controls users' API access through API Gateway and takes effect only for IAM users two hours after you complete the configuration.
+ - You can configure a maximum of 200 access control items.
+IP Address Ranges
Figure 1 IP Address Ranges+
Specify IP address ranges from 0.0.0.0 to 255.255.255.255 to allow access to the cloud platform. The default value is 0.0.0.0–255.255.255.255. If this parameter is left blank or the default value is used, your IAM users can access the management console from anywhere.
++IPv4 CIDR Blocks
Specify IPv4 CIDR blocks to allow access to the cloud platform. For example, set IPv4 CIDR block to 10.10.10.10/32.
++VPC Endpoints
Specify VPC endpoints, such as 0ccad098-b8f4-495a-9b10-613e2a5exxxx, to allow API-based access to the cloud platform. If access control is not configured, you can access APIs from all VPC endpoints by default.
++ - User access is allowed if any of IP Address Ranges, IPv4 CIDR Blocks, and VPC Endpoints is met.
- To restore IP Address Ranges to the default settings (0.0.0.0–255.255.255.255) and clear the settings in IPv4 CIDR Blocks and VPC Endpoints, click Restore Defaults.
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0002.html b/docs/iam/umn/iam_08_0002.html index bff6ef61..51ed0a10 100644 --- a/docs/iam/umn/iam_08_0002.html +++ b/docs/iam/umn/iam_08_0002.html @@ -1,44 +1,25 @@ -++Parent topic: Security Settings+SAML-based Federated Identity Authentication
-+This section describes the process and configuration of SAML-based federated identity authentication between an enterprise identity provider and the cloud system.
-- - To implement federated identity authentication, ensure that your identity provider server and the cloud system use the same Universal Time Coordinated (UTC) time.
- Ensure that your identity provider system supports SAML 2.0.
-Configuring Federated Identity Authentication
To implement federated identity authentication between an identity provider and the cloud system, complete the following configuration:
-- Establish a trust relationship and create an identity provider: Exchange the metadata files of the identity provider and cloud system (see Figure 1). -
- Configure identity conversion rules: Map the users, user groups, and permissions of the identity provider to the cloud system (see Figure 2). -
- Configure a login link: Configure a login link (see Figure 3) in the enterprise management system to allow users to access the cloud system through SSO. -
-Process of Federated Identity Authentication
Figure 4 shows the interaction between an identity provider and the cloud system after a user initiates an SSO request.
- -- To view interactive requests and assertions with a better experience, you are advised to use the Google Chrome browser and install the SAML Message Decoder plug-in.
-As shown in Figure 4, the process of federated identity authentication is as follows:
-- A user uses a browser to open the login link obtained from IAM, and then the browser sends an SSO request to the cloud system.
- The cloud system searches for a metadata file based on the login link, and sends a SAML request to the browser.
- The browser forwards the SAML request to the enterprise identity provider.
- The user enters their username and password displayed in the identity provider system. After the identity provider authenticates the user's identity, it constructs a SAML assertion containing the user information, and sends the assertion to the browser as a SAML response.
- The browser responds and forwards the SAML response to the cloud system.
- The cloud system parses the assertion in the SAML response, and issues a token to the user after identifying the group to which the user is mapped, according to the configured identity conversion rules.
- If the login is successful, the user accesses the cloud system successfully.-
The assertion must carry a signature; otherwise, the login will fail.
-
Virtual User SSO via SAML
+- - \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0003.html b/docs/iam/umn/iam_08_0003.html index 66e5d27f..6b76b19c 100644 --- a/docs/iam/umn/iam_08_0003.html +++ b/docs/iam/umn/iam_08_0003.html @@ -1,108 +1,146 @@ --
-
- Step 1: Create an Identity Provider
+ - Overview of Virtual User SSO via SAML
- - Step 2: Configure Identity Conversion Rules
+ - Step 1: Create an IdP Entity
- - Step 3: Configure Login Link in the Enterprise Management System
+ - Step 2: Configure the Enterprise IdP
+
+ - Step 3: Configure Identity Conversion Rules
+
+ - Step 4: Verify the Federated Login
+
+ - (Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP
-Parent topic: Federated Identity Authentication+Parent topic: Identity ProvidersStep 1: Create an Identity Provider
-To establish a trust relationship between an enterprise identity provider and the cloud system, upload the metadata file of the cloud system to the identity provider, and then create an identity provider and upload the metadata file of the identity provider on the IAM console.
-Prerequisites
As an enterprise administrator, you have registered an account in the cloud system and created user groups and granted them permissions in IAM.
-+ The user groups created in IAM will be used to assign permissions to identity provider users mapped to the cloud system.
-Step 1: Create an IdP Entity
+To establish a trust relationship between an enterprise IdP and the cloud platform, upload the metadata file of the cloud platform to the enterprise IdP, and then create an IdP entity and upload the metadata file of the enterprise IdP on the IAM console.
+-Prerequisites
You have read the documentation of the enterprise IdP or have understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain the enterprise IdP's metadata file and how to upload the metadata file of the cloud platform to the enterprise IdP, see the IdP help documentation.
Establishing a Trust Relationship
To establish a trust relationship between the enterprise identity provider and the cloud system, exchange their metadata files.
-- Download the metadata file of the cloud system. If both WebSSO and API calling need to be used, download the metadata files for the two functions.
- WebSSO: Visit https://auth.otc.t-systems.com/authui/saml/metadata.xml. Right-click, choose Save As, and set a file name, for example, websso-metadata.xml.
- API calling: Visit "https://Endpoint address of a region/v3-ext/auth/OS-FEDERATION/SSO/metadata", right-click on the page, choose Save As, and set a file name, for example, api-metadata-region.xml.
The cloud system provides different API gateways for users in different regions to call APIs. To allow users to access resources in multiple regions, download metadata files of all these regions.
+-Establishing a Trust Relationship Between the Enterprise IdP and the Cloud Platform
The metadata file of the cloud platform needs to be configured in the enterprise IdP to establish a trust relationship between the two systems.
+- Download the metadata file of the cloud platform.
- Web SSO: Visit https://auth.otc.t-systems.com/authui/saml/metadata.xml. Right-click on the page, choose Save As, and set a file name, for example, websso-metadata.xml.
- SSO via API calling: Visit https://iam.eu-de.otc.t-systems.com/v3-ext/auth/OS-FEDERATION/SSO/metadata or https://iam.eu-nl.otc.t-systems.com/v3-ext/auth/OS-FEDERATION/SSO/metadata, right-click on the page, choose Save As, and set a file name, for example, api-metadata-region.xml.
The cloud platform provides different API gateways for users in different regions to call APIs. To allow users to access resources in multiple regions, download metadata files of all these regions.
- Upload the metadata file to the identity provider server. For details about how to upload the metadata file, see the documentation of your identity provider.
- Obtain the metadata file of the enterprise identity provider. For details about how to obtain the metadata file, see the documentation of your identity provider.
- Upload the metadata file to the enterprise IdP server. For details, see the help documentation of the enterprise IdP.
- Obtain the metadata file of the enterprise IdP. For details, see the help documentation of the enterprise IdP.
-Creating an Identity Provider
Create an identity provider and configure the metadata file in IAM.
-- Log in to the IAM console, and choose Identity Providers from the navigation pane. Then click Create Identity Provider.
- On the displayed page, enter an identity provider name, select SAML for Protocol and Enabled for Status. Then, click OK.-
The identity provider name must be unique under your account.
- - Click OK.
Configuring the Metadata File
Configure the metadata file of the enterprise IdP in the cloud system.
-IAM provides preconfigured metadata. You can directly use or modify the preconfigured metadata. If you have obtained the metadata file of your enterprise IdP, upload the file.
-For a metadata file larger than 500 KB, manually configure the metadata. If the metadata has changed, upload the latest metadata file or edit the existing metadata to ensure that the federated users can log in to the cloud system.
-- For details about how to obtain the metadata file, see the documentation of the enterprise identity provider.
-- Using preconfigured metadata
- Click Modify in the row containing the identity provider.
- Click Select next to Use preconfigured metadata. The preconfigured enterprise IdPs and their metadata are displayed.
- Select an enterprise IdP, select the metadata, and click OK.
- Click Configured Metadata to view or modify the metadata.
- Uploading a metadata file
- click Modify in the row containing the identity provider.
- Click Select File and select the metadata file you have obtained.
- Click Upload. The metadata extracted from the uploaded file is displayed. Click OK.
- If the uploaded metadata file contains multiple identity providers, select the identity provider you want to use from the Entity ID drop-down list.
- If a message is displayed indicating that no entity ID is specified or the signing certificate has expired, check the metadata file and upload it again, or configure the metadata manually.
- Click OK.
- Manually configuring metadata
- Click Manually configure.
- In the Configure Metadata dialog box, set the metadata parameters, such as the entity ID, signing certificate, and SingleSignOnService.
-
Parameter
++Creating an IdP Entity on the Cloud Platform
To create an IdP entity on the IAM console, do as follows:
+- Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.Figure 1 Creating an IdP entity+
- Specify the name, protocol, SSO type, status, and description of the IdP entity.Figure 2 Setting IdP parameters+ +
-Table 1 Basic parameters of an IdP Parameter
Mandatory
-Description
+Description
Entity ID
+Name
Yes
-The unique identifier of an identity provider. Enter the value of entityID displayed in the identity provider metadata file.
-If the metadata file contains multiple identity providers, choose the one you want to use.
+IdP name, which must be unique globally. You are advised to use the domain name.
Protocol
+Protocol
Yes
-The SAML protocol is used for federated identity authentication between an enterprise identity provider and service provider.
+IdP protocol. The cloud platform supports SAML and OpenID Connect protocols. For details about OpenID Connect-based identity federation, see Virtual User SSO via OpenID Connect.
NameIdFormat
+SSO Type
No
-Enter the value of NameIdFormat displayed in the metadata file.
-This parameter indicates the username and ID format used for communication between the identity provider and federated users.
+IdP type. An account can have only one type of IdP. The following describes the virtual user type.
+Virtual user SSO: After a federated user logs in to the cloud platform, the system automatically creates a virtual user for the federated user. An account can have multiple IdPs of the virtual user type.
Signing Certificate
+Status
Yes
-Enter the value of <X509Certificate> displayed in the metadata file.
-A signing certificate is a public key certificate used for signature verification. For security purposes, enter a public key containing no less than 2048 bits. The signing certificate is used during federated identity authentication to ensure that assertions are credible and complete.
-SingleSignOnService
-Yes
-Enter the value of SingleSignOnService displayed in the metadata file.
-This parameter defines how SAML requests are sent during the SSO process. SingleSignOnService must support HTTP Redirect or HTTP POST.
-SingleLogoutService
-No
-Enter the value of SingleLogoutService displayed in the metadata file.
-This parameter indicates the address to which federated users will be redirected after logging out their sessions. The SingleLogoutService parameter in the metadata file must support HTTP Redirect or HTTP POST.
+IdP status. The default value is Enabled.
- Click OK.
- Click OK.
+Configuring the Metadata File of the Enterprise IdP on the Cloud Platform
Configure the metadata file of the enterprise IdP in the cloud platform. You can upload or manually edit metadata configurations in IAM. For a metadata file larger than 500 KB, manually configure the metadata. If the metadata has been changed, upload the latest metadata file or edit the existing metadata to ensure that the federated users can log in to the cloud platform successfully.
++ For details about how to obtain the metadata file, see the help documentation of the enterprise IdP.
+- Upload a metadata file.
- Click Modify in the row containing the IdP.Figure 3 Modifying an IdP+
- Click Select File and select the metadata file of the enterprise IdP.Figure 4 Uploading a metadata file+
- Click Upload. The metadata extracted from the uploaded file is displayed. Click OK.
- If the uploaded metadata file contains multiple IdPs, select the IdP you want to use from the Entity ID drop-down list.
- If a message is displayed indicating that no entity ID is specified or the signing certificate has expired, check the metadata file and upload it again, or configure the metadata manually.
- Click OK.
- Click Modify in the row containing the IdP.
- Click OK to save the settings.
- Manually configure metadata.
- Click Manually configure.Figure 5 Manually configuring metadata+
- In the Configure Metadata dialog box, set the metadata parameters, such as Entity ID, Signing Certificate, and SingleSignOnService.
+-
Parameter
+Mandatory
+Description
+Entity ID
+Yes
+The unique identifier of an IdP. Enter the value of entityID displayed in the enterprise IdP's metadata file.
+If the metadata file contains multiple IdPs, choose the one you want to use.
+Protocol
+Yes
+Protocol used for identity federation between an enterprise IdP and SP.
+The protocol is selected by default.
+NameIdFormat
+No
+Enter the value of NameIdFormat displayed in the IdP metadata file.
+It specifies the username identifier format supported by the IdP, which is used for communication between the IdP and federated user.
+If you configure multiple values, the cloud platform uses the first value by default.
+Signing Certificate
+Yes
+Enter the value of <X509Certificate> displayed in the IdP metadata file.
+A signing certificate is a public key certificate used for signature verification. For security purposes, enter a public key containing at least 2,048 bits. The signing certificate is used during identity federation to ensure that assertions are credible and complete.
+If you configure multiple values, the cloud platform uses the first value by default.
+SingleSignOnService
+Yes
+Enter the value of SingleSignOnService displayed in the IdP metadata file.
+This parameter defines how SAML requests are sent during SSO. It must support HTTP Redirect or HTTP POST.
+If you configure multiple values, the cloud platform uses the first value by default.
+SingleLogoutService
+No
+Enter the value of SingleLogoutService displayed in the IdP metadata file.
+This parameter indicates the address to which federated users will be redirected after logging out their sessions. It must support HTTP Redirect or HTTP POST.
+If you configure multiple values, the cloud platform uses the first value by default.
+Logging In as a Federated User
- Click the login link displayed on the identity provider details page to check if the login page of the identity provider server is displayed.
- On the Identity Providers page, click View in the Operation column of the identity provider. Copy the login link displayed on the identity provider details page and visit the link using a browser.
- If the login page is not displayed, check the metadata file and configurations of the identity provider server.
- Enter the username and password of a user that was created in the enterprise management system.
- If the login is successful, add the login link to the enterprise's official website.
- If the login fails, check the username and password.
+ +Federated users only have read permissions for the cloud system by default. To assign permissions to federated users, configure identity conversion rules for the identity provider. For more information, see Step 2: Configure Identity Conversion Rules.
+The following example shows the metadata file of an enterprise IdP and the manually configured metadata.
+Figure 6 Metadata file of an enterprise IdP+
- Click OK.
+ +-Related Operations
- Viewing IdP information: In the IdP list, click View in the row containing the IdP, and view its basic information, metadata, and identity conversion rules.-
To modify the configuration of an IdP, click Modify at the bottom of the details page.
+ - Modifying an IdP: In the IdP list, click Modify in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.
- Deleting an IdP: In the IdP list, click Delete in the row containing the IdP, and click Yes in the displayed dialog box.
-Related Operations
- Viewing identity provider information: In the identity provider list, click View in the row containing the identity provider, and view its basic information, metadata, and identity conversion rules.-
To modify the configurations of an identity provider, click Modify at the bottom of the details page.
- - Modifying an identity provider: In the identity provider list, click Modify in the row containing the identity provider, and then change its status and modify the description, metadata, and identity conversion rules.
- Deleting an identity provider: In the identity provider list, click Delete in the row containing the identity provider, and click Yes.
Follow-Up Procedure
- In the Identity Conversion Rules area, create an identity conversion rule. For details, see Step 2: Configure Identity Conversion Rules.
- Configure the enterprise management system to allow users to access the cloud system through SSO. For details, see Step 3: Configure Login Link in the Enterprise Management System.
Follow-Up Procedure
- Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform
- Configuring identity conversion rules: In the Identity Conversion Rules area, configure identity conversion rules to establish a mapping between enterprise users and IAM user groups. In this way, enterprise users can obtain the corresponding permissions in the cloud platform. For details, see Step 3: Configure Identity Conversion Rules.
- Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO. For details, see Step 4: Verify the Federated Login.
+ + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0004.html b/docs/iam/umn/iam_08_0004.html index 9d9f299f..b36543c9 100644 --- a/docs/iam/umn/iam_08_0004.html +++ b/docs/iam/umn/iam_08_0004.html @@ -1,66 +1,67 @@ --Parent topic: SAML-based Federated Identity Authentication+Parent topic: Virtual User SSO via SAMLStep 2: Configure Identity Conversion Rules
-As the enterprise administrator, you can manage identities and permissions of federated users in the enterprise identity provider. By configuring identity conversion rules, you can map the identities and permissions of federated users to the cloud system and control their access to specific resources.
- - Modifications to identity conversion rules will take effect only after the federated users log in again.
- To modify the permissions of a federated user, modify the permissions of the user group to which the user belongs. Then restart the identity provider system for the modifications to take effect.
Step 3: Configure Identity Conversion Rules
+After an enterprise IdP user logs in to the cloud platform, the cloud platform authenticates the identity and assigns permissions to the user based on the identity conversion rules. You can customize identity conversion rules based on your service requirements. If you do not configure identity conversion rules, the username of the federated user in the cloud platform is FederationUser by default, and the federated user can only access the cloud platform by default.
+You can configure the following parameters for federated users:
+- Username: Usernames of federated users in the cloud platform.
- User permissions: Permissions assigned to federated users in the cloud platform. You need to map the federated users to IAM user groups. In this way, the federated users can obtain the permissions of the user groups to use cloud resources. Ensure that user groups have been created. For details about how to create a user group, see Creating a User Group and Assigning Permissions.
- - Modifications to identity conversion rules will take effect the next time federated users log in.
- To modify the permissions of a user, modify the permissions of the user group to which the user belongs. Then restart the enterprise IdP for the modifications to take effect.
Prerequisites
An identity provider has been created in the cloud system, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)
+-Prerequisites
- The enterprise administrator has created an account in the cloud platform, and has created user groups and assigned permissions to the group in IAM. For details, see Creating a User Group and Assigning Permissions.
- An IdP has been created in the cloud platform. For details, see Step 1: Create an IdP Entity.
Procedure
If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in the JSON format.
-- Creating a Rule
- Choose Identity Providers from the navigation pane.
- In the identity provider list, click Modify in the row containing the identity provider.
- In the Identity Conversion Rules area, click Create Rule. Then, configure the rule in the Create Rule dialog box.
-
Table 1 Parameter description Parameter
+-Procedure
If you configure identity conversion rules by clicking Create Rule, IAM will convert your specified parameters to the JSON format. Alternatively, you can click Edit Rule to directly configure rules in the JSON format. For details, see Syntax of Identity Conversion Rules.
+- Creating Rules
- Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
- In the IdP list, click Modify in the row containing the IdP.
- In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.++-
Table 1 Parameter description Parameter
Description
+Description
Remarks
+Remarks
Username
+Username
Username of federated users to be displayed in the cloud system
+Username of federated users in the cloud platform.
To distinguish federated users from users of the cloud system, it is recommended that you set the username to "FederationUser-IdP_XXX". IdP indicates an identity provider name, for example, AD FS and Shibboleth. XXX indicates a custom name.
-You can also set the federated username to a simple expression, for example, FederationUser-IdP_{email}. After the rule is created successfully, {email} is automatically replaced with the email address of each federated user. The rule takes effect only if a returned assertion contains an email address.
-NOTICE:Each federated username must be unique under your account. Identical usernames under one or more identity providers of the same account will be identified as the same federated user in the cloud system.
+To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS and Shibboleth. XXX indicates a custom name.
+NOTICE:- The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
- The username can only contain letters, digits, spaces, hyphens (-), underscores (_), and periods (.). It cannot start with a digit and cannot contain the following special characters: ", \", \\, \n, \r
User Group
+User Groups
User groups to which the federated users will belong in the cloud system
+User groups which the federated users belong to in the cloud platform.
Federated users will inherit permissions from the groups to which they belong.
+The federated users will inherit permissions from the groups to which they belong. You can select a user group that has already been created.
Rule Conditions
+Rule Conditions
Conditions that a federated user must meet to obtain permissions from the selected user groups
+Conditions that a federated user must meet to obtain permissions from the selected user groups.
Federated users who do not meet these conditions cannot access the cloud system. You can create a maximum of 10 conditions for an identity conversion rule.
-NOTE:- An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
- An identity provider can have multiple identity conversion rules. If a federated user does not meet any of the rules, the user will not be allowed to access the cloud system.
Federated users who do not meet these conditions cannot access the cloud platform. You can create a maximum of 10 conditions for an identity conversion rule.
+The Attribute and Value parameters are used for the enterprise IdP to transfer user information to the cloud platform through SAML assertions. The Condition parameter can be set to empty, any_one_of, or not_any_of. For details about these parameters, see Syntax of Identity Conversion Rules.
+NOTE:- An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
- An IdP can have multiple identity conversion rules. If a federated user does not meet any of the conditions, the user will be denied to access the cloud platform.
For example, set an identity conversion rule for enterprise administrators.
-- Username: FederationUser-IdP_admin_{email}
- User group: admin
- Rule condition: _NAMEID_ (attribute), any_one_of (condition), and ID1;ID2;ID3 (value). Only users with ID1, ID2, or ID3 inherit permissions from the admin user group.
- In the Create Rule area, click OK.
- On the Modify Identity Provider page, click OK.
-- Editing a Rule
- Log in to the cloud system as an administrator, and go to the IAM console. Then, choose Identity Providers from the navigation pane.
- In the identity provider list, click Modify in the row containing the identity provider.
- In the Identity Conversion Rules area, click Edit Rule. Then configure the rule in the Edit Rule dialog box.
- Edit the identity conversion rule in the JSON format. For details, see Syntax of Identity Conversion Rules.
- Click Validate to verify the syntax of the rule.
- If the rule is correct, click OK in the Edit Rule dialog box. Then click OK on the Modify Identity Provider page.
If a message indicating that the JSON file is incomplete is displayed, modify the statement or click Cancel to cancel the modifications.
+
For example, set an identity conversion rule for administrators in the enterprise management system.
+- Username: FederationUser-IdP_admin
- User group: admin
- Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).
Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.
+
- In the Create Rule dialog box, click OK.
- On the Modify Identity Provider page, click OK.
- Editing Rules
- Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
- In the IdP list, click Modify in the row containing the IdP.
- In the Identity Conversion Rules area, click Edit Rule. Then configure the rules in the Edit Rule dialog box.
- Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
- Click Validate to verify the syntax of the rules.
- If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.
If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.
Verifying Federated User Permissions
After configuring identity conversion rules, verify the permissions of federated users.
-- Log in to the cloud system as a federated user, such as user ID1.
On the Identity Providers page of the IAM console, click View in the row containing the identity provider. Copy the login link displayed on the identity provider details page, open the link using a browser, and then enter the username and password.
- - Check that the federated user has the permissions assigned to the user group to which the user belongs.
For example, an identity conversion rule has defined full permissions for all cloud services for federated user ID1 in the admin user group. On the management console, select any cloud service, and check if you can access the service.
-
Related Operations
Viewing identity conversion rules: Click View Rule on the Modify Identity Provider page. The identity conversion rules are displayed in the JSON format. For details about the JSON format, see Syntax of Identity Conversion Rules.
diff --git a/docs/iam/umn/iam_08_0005.html b/docs/iam/umn/iam_08_0005.html index 08b6c8b8..07e0d23c 100644 --- a/docs/iam/umn/iam_08_0005.html +++ b/docs/iam/umn/iam_08_0005.html @@ -1,16 +1,25 @@ --Parent topic: SAML-based Federated Identity Authentication+Parent topic: Virtual User SSO via SAMLStep 3: Configure Login Link in the Enterprise Management System
-Configure the login link of the identity provider in the enterprise management system so that enterprise users can use this link to access the cloud system.
-Prerequisites
- An identity provider has been created in the cloud system, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)
- A login link to the cloud system has already been configured in the enterprise management system.
(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP
+Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.
+-Prerequisites
- An IdP entity has been created on the cloud platform. For details about how to create an IdP entity, see Step 1: Create an IdP Entity.
- The login entry for logging in to the cloud platform has been configured in the enterprise management system.
Procedure
- Log in to the IAM console, and choose Identity Providers from the navigation pane.
- Click View in the row containing the identity provider.
- Click Copy next to the login link.
- Add the following statement to the page file of the enterprise management system:
<a href="<Login link>"> Login </a>
- - Log in to the enterprise management system, and then click the configured login link to access the cloud system.
Procedure
- Log in to the IAM console. In the navigation pane, choose Identity Providers.
- Click View in the row containing the IdP.Figure 1 Viewing IdP details+
- Copy the login link by clicking
in the Login link row.Figure 2 Copying the login link+
- Add the following statement to the page file of the enterprise management system:
<a href="<Login link>"> Cloud platform login entry </a>
+ - Log in to the enterprise management system as an enterprise user, and click the configured login link to access the cloud platform.
+ + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0007.html b/docs/iam/umn/iam_08_0007.html index a89294a7..83f3d7fb 100644 --- a/docs/iam/umn/iam_08_0007.html +++ b/docs/iam/umn/iam_08_0007.html @@ -1,16 +1,25 @@ --Parent topic: SAML-based Federated Identity Authentication+Parent topic: Virtual User SSO via SAMLStep 3: Configure Login Link in the Enterprise Management System
-Configure the login link of the identity provider in the enterprise management system so that enterprise users can use this link to access the cloud system.
-Prerequisites
- An identity provider has been created in the cloud system, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)
- A login link to the cloud system has already been configured in the enterprise management system.
(Optional) Step 3: Configure Login Link in the Enterprise Management System
+Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.
+-Prerequisites
- An IdP entity has been created on the cloud platform. For details about how to create an IdP entity, see Step 1: Create an IdP Entity.
- The login entry for logging in to the cloud platform has been configured in the enterprise management system.
Procedure
- Log in to the IAM console, and choose Identity Providers from the navigation pane.
- Click View in the row containing the identity provider.
- Click Copy next to the login link.
- Add the following statement to the page file of the enterprise management system:
<a href="<Login link>"> Login </a>
- - Log in to the enterprise management system, and then click the configured login link to access the cloud system.
Procedure
- Log in to the IAM console. In the navigation pane, choose Identity Providers.
- Click View in the row containing the IdP.Figure 1 Viewing IdP details+
- Copy the login link by clicking in the Login link row.Figure 2 Copying the login link+
- Add the following statement to the page file of the enterprise management system:
<a href="<Login link>"> Cloud platform login entry </a>
+ - Log in to the enterprise management system as an enterprise user, and click the configured login link to access the cloud platform.
+ + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0008.html b/docs/iam/umn/iam_08_0008.html index 544639a0..e13b16fb 100644 --- a/docs/iam/umn/iam_08_0008.html +++ b/docs/iam/umn/iam_08_0008.html @@ -1,61 +1,78 @@-Parent topic: OpenID Connect–based Federated Identity Authentication+Parent topic: Virtual User SSO via OpenID ConnectStep 2: Configure Identity Conversion Rules
-As the enterprise administrator, you can manage identities and permissions of federated users in the enterprise identity provider. By configuring identity conversion rules, you can map the identities and permissions of federated users to the cloud system and control their access to specific resources.
- - Modifications to identity conversion rules will take effect only after the federated users log in again.
- To modify the permissions of a federated user, modify the permissions of the user group to which the user belongs. Then restart the identity provider system for the modifications to take effect.
Federated users are named FederationUser by default in the cloud platform. These users can only log in to the cloud platform and they do not have any other permissions. You can configure identity conversion rules on the IAM console to achieve the following:
+- Display enterprise management system users with different names in the cloud platform.
- Assign permissions to enterprise users to use the cloud platform resources by mapping these users to IAM user groups. Ensure that you have created the required user groups. For details, see Creating a User Group and Assigning Permissions.
- - Modifications to identity conversion rules will take effect only after the federated users log in again.
- To modify the permissions of a user, modify the permissions of the user group to which the user belongs. Then restart the enterprise IdP for the modifications to take effect.
Prerequisites
An identity provider has been created in the cloud system, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)
+-Prerequisites
An IdP has been created, and the login link of the IdP is accessible. (For details about how to create and verify an IdP, see Step 1: Create an IdP Entity.)
Procedure
If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in the JSON format.
-- Creating a Rule
- Choose Identity Providers from the navigation pane.
- In the identity provider list, click Modify in the row containing the identity provider.
- In the Identity Conversion Rules area, click Create Rule. Then, configure the rule in the Create Rule dialog box.
-
Table 1 Parameter description Parameter
++Procedure
If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in the JSON format. For details, see Syntax of Identity Conversion Rules.
+- Creating Rules
- Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
- In the IdP list, click Modify in the row containing the IdP.
- In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.Figure 1 Setting parameters+
++-Table 1 Parameter description Parameter
Description
+Description
Remarks
+Remarks
Username
+Username
Username of federated users to be displayed in the cloud system
+Username of federated users in the cloud platform.
To distinguish federated users from users of the cloud system, it is recommended that you set the username to "FederationUser-IdP_XXX". IdP indicates an identity provider name, for example, AD FS and Shibboleth. XXX indicates a custom name.
-You can also set the federated username to a simple expression, for example, FederationUser-IdP_{email}. After the rule is created successfully, {email} is automatically replaced with the email address of each federated user.
-NOTICE:Each federated username must be unique under your account. Identical usernames under one or more identity providers of the same account will be identified as the same federated user in the cloud system.
+To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS and Shibboleth. XXX indicates a custom name.
+NOTICE:- The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
- The username can only contain letters, digits, spaces, hyphens (-), underscores (_), and periods (.). It cannot start with a digit and cannot contain the following special characters: ", \", \\, \n, \r
User Group
+User Groups
User groups to which the federated users will belong in the cloud system
+User groups which the federated users belong to in the cloud platform.
Federated users will inherit permissions from the groups to which they belong.
+The federated users will inherit permissions from their user groups. You can select a user group that has already been created.
Rule Conditions
+Rule Conditions
Conditions that a federated user must meet to obtain permissions from the selected user groups
+Conditions that a federated user must meet to obtain permissions from the selected user groups.
Federated users who do not meet these conditions cannot access the cloud system. You can create a maximum of 10 conditions for an identity conversion rule.
-NOTE:- An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
- An identity provider can have multiple identity conversion rules. If a federated user does not meet any of the rules, the user will not be allowed to access the cloud system.
Federated users who do not meet these conditions cannot access the cloud platform. You can create a maximum of 10 conditions for an identity conversion rule.
+NOTE:- An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
- An IdP can have multiple identity conversion rules. If a federated user does not meet any of the conditions, the user will be denied to access the cloud platform.
For example, set an identity conversion rule for enterprise administrators.
-- Username: FederationUser-IdP_admin_{email}
- User group: admin
- Rule condition: _NAMEID_ (attribute), any_one_of (condition), and ID1;ID2;ID3 (value). Only users with ID1, ID2, or ID3 inherit permissions from the admin user group.
- In the Create Rule area, click OK.
- On the Modify Identity Provider page, click OK.
-- Editing a Rule
- Log in to the cloud system as an administrator, and go to the IAM console. Then, choose Identity Providers from the navigation pane.
- In the identity provider list, click Modify in the row containing the identity provider.
- In the Identity Conversion Rules area, click Edit Rule. Then configure the rule in the Edit Rule dialog box.
- Edit the identity conversion rule in the JSON format. For details, see Syntax of Identity Conversion Rules.
- Click Validate to verify the syntax of the rule.
- If the rule is correct, click OK in the Edit Rule dialog box. Then click OK on the Modify Identity Provider page.
If a message indicating that the JSON file is incomplete is displayed, modify the statement or click Cancel to cancel the modifications.
+
For example, set an identity conversion rule for administrators in the enterprise management system.
+- Username: FederationUser-IdP_admin
- User group: admin
- Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).
Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.
+
- In the Create Rule dialog box, click OK.
- On the Modify Identity Provider page, click OK.
- Editing Rules
- Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
- In the IdP list, click Modify in the row containing the IdP.
- In the Identity Conversion Rules area, click Edit Rule. Then configure the rules in the Edit Rule dialog box.
- Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
- Click Validate to verify the syntax of the rules.
- If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.
If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.
+Verifying Federated User Permissions
After configuring identity conversion rules, verify the permissions of federated users.
+- Log in as a federated user.
On the Identity Providers page of the console, click View in the row containing the IdP. Click
+
to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system. - Check that the federated user has the permissions assigned to their user group.
For example, an identity conversion rule has defined full permissions for all cloud services for federated user ID1 in the admin user group. On the management console, select a cloud service, and check if you can access the service.
+
Related Operations
Viewing identity conversion rules: Click View Rule on the Modify Identity Provider page. The identity conversion rules are displayed in the JSON format. For details about the JSON format, see Syntax of Identity Conversion Rules.
++ + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0009.html b/docs/iam/umn/iam_08_0009.html index 68e28a64..a311b303 100644 --- a/docs/iam/umn/iam_08_0009.html +++ b/docs/iam/umn/iam_08_0009.html @@ -1,116 +1,122 @@ --Parent topic: OpenID Connect–based Federated Identity Authentication+Parent topic: Virtual User SSO via OpenID ConnectStep 1: Create an Identity Provider
-To establish a trust relationship between an enterprise identity provider and the cloud system, create an identity provider and configure authorization information on the IAM console, and set the user redirect URLs and create OAuth 2.0 credentials in the enterprise identity provider.
-Prerequisites
As an enterprise administrator, you have registered an account in the cloud system and created user groups and granted them permissions in IAM.
-+ The user groups created in IAM will be used to assign permissions to identity provider users mapped to the cloud system.
-Step 1: Create an IdP Entity
+To establish a trust relationship between an enterprise IdP and the cloud platform, set the user redirect URLs and create OAuth 2.0 credentials in the enterprise IdP. On the IAM console, create an IdP entity and configure authorization information.
+-Prerequisites
- The enterprise administrator has created an account in the cloud platform, and has created user groups and assigned them permissions in IAM. For details, see Creating a User Group and Assigning Permissions. The user groups created in IAM will be mapped to federated users so that the federated users can obtain the permissions of the user groups to use cloud resources.
- The enterprise administrator has read the help documentation of the enterprise IdP or has understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain the enterprise IdP's OAuth 2.0 credentials, see the IdP help documentation.
Creating OAuth 2.0 Credentials in the Enterprise Identity Provider
- The enterprise IdP redirects users to an OpenID Connect identity provider on the cloud platform through a browser. In the IdP system, set the redirect URLs to the following:
https://auth.otc.t-systems.com/authui/oidc/redirect and https://auth.otc.t-systems.com/authui/oidc/post
- - Obtain OAuth 2.0 credentials (see Table 2) of the enterprise IdP. For details, see the documentation of your enterprise IdP.
-Creating OAuth 2.0 Credentials in the Enterprise IdP
- Set redirect URLs https:///authui/oidc/redirect and https:///authui/oidc/post in the enterprise IdP so that users can be redirected to the OpenID Connect IdP in the cloud platform.
- Obtain OAuth 2.0 credentials of the enterprise IdP.
Creating an Identity Provider
Create an identity provider and configure authorization information in IAM.
-- Log in to the IAM console, and choose Identity Providers from the navigation pane. Then click Create Identity Provider.
- Enter an identity provider name, select OpenID Connect and Enabled, and click OK.
The identity provider name must be unique under your account.
+-Creating an IdP Entity on the Cloud Platform
Create an IdP entity and configure authorization information in IAM to establish a trust relationship between the enterprise IdP and IAM
+- Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.Figure 1 Creating an IdP entity+
- Enter an IdP name, select OpenID Connect and Enabled, and click OK.Figure 2 Setting IdP parameters+
The IdP name must be unique under your account.
Configuring Authorization Information
- Click Modify in the Operation column of the row containing the identity provider you want to modify.
- Select an access type.
-
Table 1 Access type Access Type
+Configuring Authorization Information in the Cloud Platform
- Click Modify in the Operation column of the row containing the IdP you want to modify.Figure 3 Modifying an IdP+
- Select an access type.Figure 4 Access type description+ +
- - Specify the configuration information.
-
Table 2 Configuration information Parameter
+- Specify the configuration information.
+--Table 2 Configuration information Parameter
Description
+Description
Identity Provider URL
+Identity Provider URL
URL of the OpenID Connect identity provider.
-Specify this parameter as the value of issuer in the Openid-configuration.
-NOTE:Openid-configuration indicates a URL defined in OpenID Connect, containing configurations of an enterprise identity provider. The URL format is https://{base URL}/.well-known/openid-configuration, where base URL is defined by the enterprise identity provider.
-For example, the Openid-configuration of Google is https://accounts.google.com/.well-known/openid-configuration. Therefore, the identity provider URL is https://accounts.google.com.
+URL of the OpenID Connect IdP.
+Specify this parameter as the value of issuer in the Openid-configuration.
+NOTE:Openid-configuration indicates a URL defined in OpenID Connect, containing configurations of an enterprise IdP. The URL format is https://{base URL}/.well-known/openid-configuration, where base URL is defined by the enterprise IdP. For example, the Openid-configuration of Google is https://accounts.google.com/.well-known/openid-configuration.
Client ID
+Client ID
ID of a client registered with the OpenID Connect identity provider. that is, an OAuth 2.0 credential created in the enterprise identity provider.
+ID of a client registered with the OpenID Connect IdP. The client ID is an OAuth 2.0 credential created in the enterprise IdP.
Authorization Endpoint
+Authorization Endpoint
Authorization endpoint of the OpenID Connect identity provider. Specify this parameter as the value of authorization_endpoint in the Openid-configuration.
-This parameter is required only if you set Access Type to Programmatic access and management console access.
+Authorization endpoint of the OpenID Connect IdP. Specify this parameter as the value of authorization_endpoint in Openid-configuration.
+This parameter is required only if you set Access Type to Programmatic access and management console access.
Scopes
+Scopes
Scopes of authorization requests. openid is selected by default.
-This parameter is required only if you set Access Type to Programmatic access and management console access.
-Enumerated values:
-- openid
- profile
Scopes of authorization requests. openid is selected by default.
+This parameter is required only if you set Access Type to Programmatic access and management console access.
+Enumerated values:
+- openid
- profile
Response Type
+Response Type
Response type of authorization requests. The default value is id_token.
-This parameter is required only if you set Access Type to Programmatic access and management console access.
+Response type of authorization requests. The default value is id_token.
+This parameter is required only if you set Access Type to Programmatic access and management console access.
Response Mode
+Response Mode
Response mode of authorization requests. The options include form_post and fragment. form_post is recommended.
-- form_post: If this mode is selected, set the redirect URL to http://auth.example.com/authul/oidc/post in the enterprise identity provider.
- fragment: If this mode is selected, set the redirect URL to https://auth.example.com/authui/oidc/redirect in the enterprise identity provider.
This parameter is required only if you set Access Type to Programmatic access and management console access.
+Response mode of authorization requests. The options include form_post and fragment. form_post is recommended.
+This parameter is required only if you set Access Type to Programmatic access and management console access.
Signing Key
+Signing Key
Public key used to sign the ID token of the OpenID Connect identity provider. For example: NqMhxWVZf2PcPQRc6aBlpd3k...
-NOTE:+For account security purposes, change the signing key periodically.
-Public key used to sign the ID token of the OpenID Connect IdP. For account security purposes, change the signing key periodically.
- Click OK.
Logging In as a Federated User
- Click the login link displayed on the identity provider details page to check if the login page of the IdP server is displayed.
- On the Identity Providers page, click View in the Operation column of the identity provider.
- Copy the login link displayed on the identity provider details page and visit the link using a browser.
- If the identity provider login page is not displayed, check the configurations of the identity provider and the identity provider server.
- Enter the username and password of a user that was created in the enterprise management system.
- If the login is successful, add the login link to the enterprise's official website.
- If the login fails, check the username and password.
+Federated users only have read permissions for the cloud system by default. To assign permissions to federated users, configure identity conversion rules for the identity provider. For more information, see Step 2: Configure Identity Conversion Rules.
+- Click OK.
+-Verifying the Federated Login
- Click the login link displayed on the IdP details page and check if the login page of the enterprise IdP server is displayed.
- On the Identity Providers page, click Modify in the Operation column of the identity provider.
- Copy the login link displayed on the Modify Identity Provider page and visit the link using a browser.Figure 5 Copying the login link+
- If the enterprise IdP login page is not displayed, check the configurations of the IdP and the enterprise IdP server.
- Enter the username and password of a user that was created in the enterprise management system.
- If the login is successful, add the login link to the enterprise management system.
- If the login fails, check the username and password.
Federated users only have read permissions for the cloud platform by default. To assign permissions to federated users, configure identity conversion rules for the IdP. For details, see Step 2: Configure Identity Conversion Rules.
Related Operations
- Viewing identity provider information: In the identity provider list, click View in the row containing the identity provider, and view its basic information, access type, configurations, and identity conversion rules.
To modify the configurations of an identity provider, click Modify at the bottom of the details page.
+-Related Operations
- Viewing IdP information: In the IdP list, click View in the row containing the IdP, and view its basic information, metadata, and identity conversion rules.-
To modify the configuration of an IdP, click Modify at the bottom of the details page.
- Modifying an identity provider: In the identity provider list, click Modify in the row containing the identity provider, and then change its status and modify the description, access type, configurations, and identity conversion rules.
- Deleting an identity provider: In the identity provider list, click Delete in the row containing the identity provider, and click Yes.
- Modifying an IdP: In the IdP list, click Modify in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.
- Deleting an IdP: In the IdP list, click Delete in the row containing the IdP, and click Yes in the displayed dialog box.
Follow-Up Procedure
- Configure identity conversion rules to map identity provider users to IAM user groups. For details, see Step 2: Configure Identity Conversion Rules.
- Configure the enterprise management system to allow users to access the cloud system through SSO. For details, see Step 3: Configure Login Link in the Enterprise Management System.
Follow-Up Procedure
- Configure identity conversion rules to map enterprise IdP users to IAM user groups and assign permissions to the users. For details, see Step 2: Configure Identity Conversion Rules.
- Configure the enterprise management system to allow users to access the cloud platform through SSO. For details, see (Optional) Step 3: Configure Login Link in the Enterprise Management System.
+ + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0010.html b/docs/iam/umn/iam_08_0010.html index df38a56a..0ba3b553 100644 --- a/docs/iam/umn/iam_08_0010.html +++ b/docs/iam/umn/iam_08_0010.html @@ -1,28 +1,22 @@ --Parent topic: OpenID Connect–based Federated Identity Authentication+Parent topic: Virtual User SSO via OpenID ConnectOpenID Connect–based Federated Identity Authentication
-This section describes the process and configuration of OpenID Connect–based federated identity authentication between an enterprise identity provider and the cloud system.
-Configuring Federated Identity Authentication
To implement federated identity authentication between an identity provider and the cloud system, complete the following configuration:
-- Establish a trust relationship and create an identity provider: Create OAuth 2.0 credentials in the enterprise identity provider, and create an identity provider in the cloud system.
- Configure identity conversion rules: Map the users, user groups, and permissions in the identity provider to the cloud system.
- Configure a login link: Configure a login link in the enterprise management system to allow users to access the cloud system through SSO.
Overview of Virtual User SSO via OpenID Connect
+This section describes how to configure identity federation and how identity federation works.
+-Configuring Identity Federation
The following describes how to configure your enterprise IdP and the cloud platform to trust each other.
+- Create an IdP entity and establish a trust relationship: Create OAuth 2.0 credentials in the enterprise IdP. In the cloud platform, create an IdP entity and establish a trust relationship between the two systems.
- Configure identity conversion rules: Configure identity conversion rules in the cloud platform to the users, user groups, and permissions in the enterprise IdP to the cloud platform.
- Configure a login link: Configure a login link to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
Process of Federated Identity Authentication
Figure 1 shows the interaction between an identity provider and the cloud system after a user initiates an SSO request.
- -As shown in the preceding figure, the process of federated identity authentication is as follows:
-- A user uses a browser to open the login link obtained from IAM, and then the browser sends an SSO request to the cloud system.
- The cloud system searches for identity provider configurations based on the login link, and sends an OpenID Connect authorization request to the browser.
- The browser forwards the authorization request to the enterprise identity provider.
- The user enters their username and password on the login page displayed in the identity provider system. After the identity provider authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.
- The browser responds and forwards the authorization response to the cloud system.
- The cloud system parses the ID token in the authorization response, and issues a token to the user after identifying the group the user is mapped to, according to the configured identity conversion rules.
- If the login is successful, the user accesses the cloud system successfully.
How Identity Federation Works
Figure 1 shows the identity federation process between an enterprise management system and the cloud platform.
+ +The process of identity federation is as follows:
+- A user opens the login link obtained from the IAM console in the browser. The browser sends an SSO request to the cloud platform.
- The cloud platform authenticates the user against the configuration of the enterprise IdP and constructs an OpenID Connect request to the browser.
- The browser forwards the OpenID Connect request to the enterprise IdP.
- The user enters their username and password on the login page displayed in the enterprise IdP. After the enterprise IdP authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.
- The browser responds and forwards the OpenID Connect response to the cloud platform.
- The cloud platform parses the ID token in the OpenID Connect response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
- The user logs in to the cloud platform through SSO.
-diff --git a/docs/iam/umn/iam_08_0021.html b/docs/iam/umn/iam_08_0021.html new file mode 100644 index 00000000..07a579a6 --- /dev/null +++ b/docs/iam/umn/iam_08_0021.html @@ -0,0 +1,39 @@ + + + + + +-
-
- Step 1: Create an Identity Provider
-
- - Step 2: Configure Identity Conversion Rules
-
- - Step 3: Configure Login Link in the Enterprise Management System
-
-
-Parent topic: Federated Identity Authentication+Parent topic: Virtual User SSO via OpenID ConnectOverview of Virtual User SSO via SAML
++The cloud platform supports identity federation with Security Assertion Markup Language (SAML), which is an open standard that many identity providers (IdPs) use. During identity federation, the cloud platform functions as a service provider (SP) and enterprises function as IdPs. This section describes how to configure identity federation and how identity federation works.
++ Ensure that your enterprise IdP supports SAML 2.0.
++Configuring Identity Federation
The following describes how to configure your enterprise IdP and the cloud platform to trust each other.
+Figure 1 Configuration of virtual user SSO via SAML+
- Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.Figure 2 Exchanging metadata files+
- Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
- Configure identity conversion rules: Configure identity conversion rules to determine the IdP user identities and permissions on the cloud platform.Figure 3 Mapping external identities to virtual users+
- Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
- (Optional) Configure a login link: Configure a login link (see Figure 4) to allow enterprise users to be redirected to the cloud platform from your enterprise management system. +
+How Identity Federation Works
Figure 5 shows the identity federation process between an enterprise management system and the cloud platform.
+ ++ To view interactive requests and assertions with a better experience, you are advised to use Google Chrome and install SAML Message Decoder.
+As shown in Figure 5, the process of identity federation is as follows:
+- A user opens the login link generated after the IdP creation in the browser. The browser sends an SSO request to the cloud platform.
- The cloud platform authenticates the user against the metadata file of the enterprise IdP and constructs a SAML request to the browser.
- The browser forwards the SAML request to the enterprise IdP.
- The user enters their username and password on the login page. After the enterprise IdP authenticates the user's identity, it constructs a SAML assertion containing the user details and sends the assertion to the browser as a SAML response.
- The browser responds and forwards the SAML response to the cloud platform.
- The cloud platform parses the assertion in the SAML response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
- The user logs in to the cloud platform through SSO.+
The assertion must carry a signature; otherwise, the login will fail.
+
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0022.html b/docs/iam/umn/iam_08_0022.html new file mode 100644 index 00000000..5ac0d79b --- /dev/null +++ b/docs/iam/umn/iam_08_0022.html @@ -0,0 +1,21 @@ + + +++Parent topic: Virtual User SSO via SAML+Virtual User SSO via OpenID Connect
+ +++ diff --git a/docs/iam/umn/iam_08_0025.html b/docs/iam/umn/iam_08_0025.html new file mode 100644 index 00000000..f232cf75 --- /dev/null +++ b/docs/iam/umn/iam_08_0025.html @@ -0,0 +1,33 @@ + + + + + +-
+
- Overview of Virtual User SSO via OpenID Connect
+
+ - Step 1: Create an IdP Entity
+
+ - Step 2: Configure Identity Conversion Rules
+
+ - (Optional) Step 3: Configure Login Link in the Enterprise Management System
+
+
++Parent topic: Identity Providers+Step 4: Verify the Federated Login
+++Verifying the Federated Login
Federated users can initiate a login from the IdP or SP.
+- Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.
- Initiating a login from the SP. You can obtain the login link from the IdP details page on the IAM console.
The IdP-initiated login method depends on the IdP. For details, see the IdP help documentation. This section describes how to initiate a login from the SP.
+- Log in as a federated user.
On the Identity Providers page of the console, click View in the row containing the IdP. Click
+ +
to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.Figure 1 Login link+
- Check that the federated user has the permissions assigned to their user group.
+Redirecting to a Specified Region or Service
You can specify the target page which the federated user will be redirected to after login.
+- Configuring the login link on the SP
Combine the login link obtained from the console with the specified URL using the format Login link&service=Specified URL.
+ - Configuring the login link on the IdP
Configure the IAM_SAML_Attributes_redirect_url assertion (the URL to be redirected to) in the SAML assertion of the enterprise IdP.
+
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0251.html b/docs/iam/umn/iam_08_0251.html new file mode 100644 index 00000000..a14a73fb --- /dev/null +++ b/docs/iam/umn/iam_08_0251.html @@ -0,0 +1,25 @@ + + + + + +++Parent topic: Virtual User SSO via SAML+Application Scenarios of Virtual User SSO and IAM User SSO
++IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type for your business.
++Virtual User SSO
After a federated user logs in to the cloud platform, the system automatically creates a virtual user and assigns permissions to the user based on identity conversion rules. Virtual user SSO is recommended if:
+- To reduce management costs, you do not want to create and manage IAM users on the cloud platform.
- You want to separate permissions on the cloud platform based on the user groups or attributes in your local enterprise IdP. Permission changes in the local enterprise IdP can be synchronized to the cloud platform by adjusting the user groups or attributes locally.
- Your enterprise has branches and each branch has multiple enterprise IdPs. These IdPs need to access the same cloud account. You need to configure multiple IdPs in the cloud platform for identity federation.
+IAM User SSO
After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user. IAM user SSO is recommended if:
+- Your cloud products do not support virtual user SSO.
- You do not need virtual user SSO and want to simplify the IdP configuration.
+Differences Between Virtual User SSO and IAM User SSO
They differences between virtual user SSO and IAM user SSO are described as follows:
+1. Identity conversion mode: Virtual user SSO uses identity conversion rules to convert the identities of IdP users and IAM users. IAM user SSO uses the external identity ID for identity conversion. The IAM_SAML_Attributes_xUserId value of the IdP user is the same as the external identity ID of the IAM user. The IdP user is mapped to the corresponding IAM user. When you use IAM user SSO, make sure that you have set IAM_SAML_Attributes_xUserId in the IdP and External Identity ID in the SP to the same value.
+2. User identity in IAM: In virtual user SSO, the IdP user does not have a corresponding IAM user in the IAM user list. After the IdP user logs in, the system automatically creates a virtual user for it. In IAM user SSO, the IdP user has a IAM user mapped by external identity ID on the IAM console.
+3. Permissions assignment in IAM: In virtual user SSO, the permissions of the IdP user are defined by the identity conversion rule. In IAM user SSO, the IdP user inherits the permissions of the user group which the mapped IAM user belongs to.
+++ diff --git a/docs/iam/umn/iam_08_0252.html b/docs/iam/umn/iam_08_0252.html new file mode 100644 index 00000000..6d632f03 --- /dev/null +++ b/docs/iam/umn/iam_08_0252.html @@ -0,0 +1,56 @@ + + + + + +++Parent topic: Identity Providers+Step 2: Configure the Enterprise IdP
++You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identity and assigns permissions based on the received information and identity conversion rules.
++Common parameters in enterprise IdP
++
+Table 1 Common parameters in enterprise IdP Parameter
+Description
+Scenario
+IAM_SAML_Attributes_redirect_url
+Target URL which the federated user will be redirected to
+During SSO login, the federated user will be redirected to a page on the cloud platform .
+IAM_SAML_Attributes_xUserId
+ID of an enterprise IdP user (federated user).
+This parameter is mandatory when the SSO type is IAM user.
+Each federated user is mapped to an IAM user. The IAM_SAML_Attributes_xUserId of the federated user is the same as the external identity ID of the corresponding IAM user.
+IAM_SAML_Attributes_domain_id
+Account ID of the cloud platform to be federated with the enterprise IdP
+This parameter is mandatory in the enterprise IdP-initiated federation.
+IAM_SAML_Attributes_idp_id
+Name of the IdP entity created on the cloud platform
+This parameter is mandatory in the enterprise IdP-initiated federation.
+++ diff --git a/docs/iam/umn/iam_08_0253.html b/docs/iam/umn/iam_08_0253.html new file mode 100644 index 00000000..af28a4f0 --- /dev/null +++ b/docs/iam/umn/iam_08_0253.html @@ -0,0 +1,28 @@ + + + + + +++Parent topic: Virtual User SSO via SAML+IAM User SSO via SAML
+ +++ diff --git a/docs/iam/umn/iam_08_0254.html b/docs/iam/umn/iam_08_0254.html new file mode 100644 index 00000000..200b36ca --- /dev/null +++ b/docs/iam/umn/iam_08_0254.html @@ -0,0 +1,40 @@ + + + + + +-
+
- Overview of IAM User SSO via SAML
+
+ - Step 1: Create an IdP Entity
+
+ - Step 2: Configure the Enterprise IdP
+
+ - Step 3: Configure an External Identity ID
+
+ - Step 4: Verify the Federated Login
+
+ - (Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP
+
+
++Parent topic: Identity Providers+Overview of IAM User SSO via SAML
++The cloud platform supports identity federation with Security Assertion Markup Language (SAML), which is an open standard that many identity providers (IdPs) use. During identity federation, the cloud platform functions as a service provider (SP) and enterprises function as IdPs. SAML-based federation enables single sign-on (SSO), so employees in your enterprise can log in to the cloud platform as IAM users.
+This section describes how to configure identity federation and how identity federation works.
++ Ensure that your enterprise IdP supports SAML 2.0.
++Configuring Identity Federation
The following describes how to configure your enterprise IdP and the cloud platform to trust each other.
+Figure 1 Configuration of IAM user SSO via SAML+
- Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.Figure 2 Exchanging metadata files+
- Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
- Configure an external identity ID on IAM: Establish a mapping between an IAM user and an enterprise user. When your enterprise IdP establishes SSO access to the cloud platform, the enterprise user can log in to the cloud platform as the IAM user with the specified external identity ID. For example, if an enterprise user IdP_Test_User is mapped to the IAM user Alice, the enterprise user IdP_Test_User will log in to the cloud platform as the IAM user Alice.Figure 3 Mapping external identities to IAM users+
- Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
- (Optional) Configure a login link: Configure a login link (see Figure 4) to allow enterprise users to be redirected to the cloud platform from your enterprise management system. +
+How Identity Federation Works
Figure 5 shows the identity federation process between an enterprise management system and the cloud platform.
+ ++ To view interactive requests and assertions with a better experience, you are advised to use Google Chrome and install SAML Message Decoder.
+As shown in Figure 5, the process of identity federation is as follows:+- A user opens the login link generated after the IdP creation in the browser. The browser sends an SSO request to the cloud platform.
- The cloud platform authenticates the user against the metadata file of the enterprise IdP and constructs a SAML request to the browser.
- The browser forwards the SAML request to the enterprise IdP.
- The user enters their username and password on the login page. After the enterprise IdP authenticates the user's identity, it constructs a SAML assertion containing the user details and sends the assertion to the browser as a SAML response.
- The browser responds and forwards the SAML response to the cloud platform.
- The cloud platform parses the assertion in the SAML response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
- The user logs in to the cloud platform through SSO.
+ The assertion must carry a signature; otherwise, the login will fail.
+++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0255.html b/docs/iam/umn/iam_08_0255.html new file mode 100644 index 00000000..d028b1ea --- /dev/null +++ b/docs/iam/umn/iam_08_0255.html @@ -0,0 +1,141 @@ + + + + + +++Parent topic: IAM User SSO via SAML+Step 1: Create an IdP Entity
++To establish a trust relationship between an enterprise IdP and the cloud platform, upload the metadata file of the cloud platform to the enterprise IdP, and then create an IdP entity and upload the metadata file of the enterprise IdP on the IAM console.
++Establishing a Trust Relationship Between the Enterprise IdP and the Cloud Platform
Configure the metadata file of the cloud platform on the enterprise IdP to establish a trust.
+- Download the metadata file of the cloud platform.
- Web SSO: Visit https://auth.otc.t-systems.com/authui/saml/metadata.xml. Right-click on the page, choose Save As, and set a file name, for example, websso-metadata.xml.
- SSO via API calling: Visit https://iam.eu-de.otc.t-systems.com/v3-ext/auth/OS-FEDERATION/SSO/metadata or https://iam.eu-nl.otc.t-systems.com/v3-ext/auth/OS-FEDERATION/SSO/metadata, right-click on the page, choose Save As, and set a file name, for example, api-metadata-region.xml.
The cloud platform provides different API gateways for users in different regions to call APIs. To allow users to access resources in multiple regions, download metadata files of all these regions.
+
- Upload the metadata file to the enterprise IdP server. For details, see the help documentation of the enterprise IdP.
- Obtain the metadata file of the enterprise IdP. For details, see the help documentation of the enterprise IdP.
+Creating an IdP Entity on the Cloud Platform
To create an IdP entity on the IAM console, do as follows:
+- Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.Figure 1 Creating an IdP entity+
- Specify the name, protocol, SSO type, status, and description of the IdP entity.Figure 2 Setting IdP parameters+ +
+
+Table 1 Basic parameters of an IdP Parameter
+Description
+Name
+IdP name, which must be unique globally. You are advised to use the domain name.
+Protocol
+IdP protocol. The cloud platform supports SAML and OpenID Connect protocols. For details about OpenID Connect-based identity federation, see Virtual User SSO via OpenID Connect.
+SSO Type
+IdP type. An account can have only one type of IdP. The following describes the IAM user type.
+IAM user SSO: After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user. An account can have only one IdP of the IAM user type. If you select the IAM user type, ensure that you have created an IAM user and set the external identity ID. For details, see Creating an IAM User.
+Status
+IdP status. The default value is Enabled.
+ - Click OK.
+Configuring the Metadata File of the Enterprise IdP on the Cloud Platform
You can upload or manually edit metadata on the IAM console. For a metadata file larger than 500 KB, manually configure the metadata. If the metadata has been changed, upload the latest metadata file or edit the existing metadata to ensure that the federated users can log in to the cloud platform successfully.
++ For details about how to obtain the metadata file of the enterprise IdP, see the help documentation of the enterprise IdP.
++- Upload a metadata file.
- Click Modify in the row containing the IdP.Figure 3 Modifying an IdP+
- Click Select File and select the metadata file of the enterprise IdP.Figure 4 Uploading a metadata file+
- Click Upload. The metadata extracted from the uploaded file is displayed. Click OK.
- If the uploaded metadata file contains multiple IdPs, select the IdP you want to use from the Entity ID drop-down list.
- If a message is displayed indicating that no entity ID is specified or the signing certificate has expired, check the metadata file and upload it again, or configure the metadata manually.
- Click OK to save the settings.
- Click Modify in the row containing the IdP.
- Manually configure metadata.
- Click Manually configure.Figure 5 Manually configuring metadata+
- In the Configure Metadata dialog box, set the metadata parameters, such as Entity ID, Signing Certificate, and SingleSignOnService.
++
+Parameter
+Mandatory
+Description
+Entity ID
+Yes
+The unique identifier of an IdP. Enter the value of entityID displayed in the enterprise IdP's metadata file.
+If the metadata file contains multiple IdPs, choose the one you want to use.
+Protocol
+Yes
+Protocol used for identity federation between an enterprise IdP and SP.
+The protocol is selected by default.
+NameIdFormat
+No
+Enter the value of NameIdFormat displayed in the IdP metadata file.
+It specifies the username identifier format supported by the IdP, which is used for communication between the IdP and federated user.
+If you configure multiple values, the cloud platform uses the first value by default.
+Signing Certificate
+Yes
+Enter the value of <X509Certificate> displayed in the IdP metadata file.
+A signing certificate is a public key certificate used for signature verification. For security purposes, enter a public key containing at least 2,048 bits. The signing certificate is used during identity federation to ensure that assertions are credible and complete.
+If you configure multiple values, the cloud platform uses the first value by default.
+SingleSignOnService
+Yes
+Enter the value of SingleSignOnService displayed in the IdP metadata file.
+This parameter defines how SAML requests are sent during SSO. It must support HTTP Redirect or HTTP POST.
+If you configure multiple values, the cloud platform uses the first value by default.
+SingleLogoutService
+No
+Enter the value of SingleLogoutService displayed in the IdP metadata file.
+This parameter indicates the address to which federated users will be redirected after logging out their sessions. It must support HTTP Redirect or HTTP POST.
+If you configure multiple values, the cloud platform uses the first value by default.
+The following example shows the metadata file of an enterprise IdP and the manually configured metadata.
+Figure 6 Metadata file of an enterprise IdP+
- Click OK to save the settings.
- Click Manually configure.
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0256.html b/docs/iam/umn/iam_08_0256.html new file mode 100644 index 00000000..761fcc26 --- /dev/null +++ b/docs/iam/umn/iam_08_0256.html @@ -0,0 +1,58 @@ + + + + + +++Parent topic: IAM User SSO via SAML+Step 2: Configure the Enterprise IdP
++You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identity and assigns permissions based on the received information.
++ If the SSO type is IAM user, the enterprise IdP must have the IAM_SAML_Attributes_xUserId assertion configured.
++Common Parameters in Enterprise IdP
++
+Table 1 Common parameters in enterprise IdP Parameter
+Description
+Scenario
+IAM_SAML_Attributes_xUserId
+ID of an enterprise IdP user (federated user).
+This parameter is mandatory when the SSO type is IAM user.
+Each federated user is mapped to an IAM user. The IAM_SAML_Attributes_xUserId of the federated user is the same as the external identity ID of the corresponding IAM user.
+IAM_SAML_Attributes_redirect_url
+Target URL which the federated user will be redirected to
+During SSO login, the federated user will be redirected to a page on the cloud platform .
+IAM_SAML_Attributes_domain_id
+Account ID of the cloud platform to be federated with the enterprise IdP
+This parameter is mandatory in the enterprise IdP-initiated federation.
+IAM_SAML_Attributes_idp_id
+Name of the IdP entity created on the cloud platform
+This parameter is mandatory in the enterprise IdP-initiated federation.
+++ diff --git a/docs/iam/umn/iam_08_0257.html b/docs/iam/umn/iam_08_0257.html new file mode 100644 index 00000000..021a7beb --- /dev/null +++ b/docs/iam/umn/iam_08_0257.html @@ -0,0 +1,28 @@ + + + + + +++Parent topic: IAM User SSO via SAML+Step 3: Configure an External Identity ID
++For the IAM user SSO type, you must configure an external identity ID for the IAM user which the federated user maps to on the cloud platform. The external identity ID must be the same as the IAM_SAML_Attributes_xUserId value of the enterprise IdP user (federated user). You can create an IAM user and configure an external identity ID for it, or change the external identity ID of an existing IAM user.
+- Creating an IAM User and Configuring an External Identity ID
- Changing the External Identity ID of an Existing IAM User
+ +Creating an IAM User and Configuring an External Identity ID
- Log in to the IAM console as an administrator.
- On the IAM console, choose Users from the navigation pane, and click Create User in the upper right corner.
- In the User Details area, configure an external identity ID. For details about other settings, see Creating a User.Figure 1 Configuring an external identity ID+
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0258.html b/docs/iam/umn/iam_08_0258.html new file mode 100644 index 00000000..3a5be85d --- /dev/null +++ b/docs/iam/umn/iam_08_0258.html @@ -0,0 +1,33 @@ + + + + + +++Parent topic: IAM User SSO via SAML+Step 4: Verify the Federated Login
+++Verifying the Federated Login
Federated users can initiate a login from the IdP or SP.
+- Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.
- Initiating a login from the SP (the cloud platform). You can obtain the login link from the IdP details page on the IAM console.
The IdP-initiated login method depends on the IdP. For details, see the IdP help documentation. This section describes how to initiate a login from the SP.
+- Log in as a federated user.
On the Identity Providers page of the console, click View in the row containing the IdP. Click
+ +
to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.Figure 1 Login link+
- Check whether the federated user is logging in as an IAM user.
+Redirecting to a Specified Region or Service
You can specify the target page which the federated user will be redirected to after login.
+- Configuring the login link on the SP
Combine the login link obtained from the console with the specified URL using the format Login link&service=Specified URL.
+ - Configuring the login link on the IdP
Configure the IAM_SAML_Attributes_redirect_url assertion (the URL to be redirected to) in the SAML assertion of the enterprise IdP.
+
++ + + \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0259.html b/docs/iam/umn/iam_08_0259.html new file mode 100644 index 00000000..44be1bd1 --- /dev/null +++ b/docs/iam/umn/iam_08_0259.html @@ -0,0 +1,28 @@ + + + + + +++Parent topic: IAM User SSO via SAML+(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP
++Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.
++Prerequisites
- An IdP entity has been created on the cloud platform, and the login link for the IdP is available. For details, see Step 1: Create an IdP Entity.
- The login entry for logging in to the cloud platform has been configured in the enterprise management system.
+Procedure
- Log in to the IAM console. In the navigation pane, choose Identity Providers.
- Click View in the row containing the IdP.Figure 1 Viewing IdP details+
- Copy the login link by clicking
in the Login link row.Figure 2 Copying the login link+
- Add the following statement to the page file of the enterprise management system:
<a href="<Login link>"> Cloud platform login entry </a>
+ - Log in to the enterprise management system as an enterprise user, and click the configured login link to access the cloud platform.
++ + + \ No newline at end of file++Parent topic: IAM User SSO via SAML+ - Viewing IdP information: In the IdP list, click View in the row containing the IdP, and view its basic information, metadata, and identity conversion rules.
- Specify the configuration information.
- Click Modify in the Operation column of the row containing the IdP you want to modify.
- Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.
- Creating Rules
- Creating Rules
- Click the login link displayed on the identity provider details page to check if the login page of the identity provider server is displayed.
- Click Manually configure.
- Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.
- Download the metadata file of the cloud platform.
- Create a user group and grant permissions to it.
