Application Scenarios of Virtual User SSO and IAM User SSO

IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type for your business.

Virtual User SSO

After a federated user logs in to the cloud platform, the system automatically creates a virtual user and assigns permissions to the user based on identity conversion rules. Virtual user SSO is recommended if:

IAM User SSO

After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user. IAM user SSO is recommended if:

Differences Between Virtual User SSO and IAM User SSO

The differences between virtual user SSO and IAM user SSO are as follows:

1. Identity conversion mode: Virtual user SSO uses identity conversion rules to convert the identities of IdP users and IAM users. IAM user SSO uses the external identity ID for identity conversion: an IdP user is mapped to the IAM user whose external identity ID is the same as the IdP user's IAM_SAML_Attributes_xUserId value. When you use IAM user SSO, make sure that you have set IAM_SAML_Attributes_xUserId in the IdP and External Identity ID in the SP to the same value.

2. User identity in IAM: In virtual user SSO, the IdP user does not have a corresponding IAM user in the IAM user list. After the IdP user logs in, the system automatically creates a virtual user for it. In IAM user SSO, the IdP user has an IAM user on the IAM console that is mapped to it by external identity ID.

3. Permissions assignment in IAM: In virtual user SSO, the permissions of the IdP user are defined by the identity conversion rule. In IAM user SSO, the IdP user inherits the permissions of the user group to which the mapped IAM user belongs.
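
The check below illustrates the IAM user SSO mapping from item 1: it reads IAM_SAML_Attributes_xUserId from a test assertion and resolves it against a list of External Identity IDs. It is an added example, not the platform's own code. The assertion, the user inventory, the function names and the exact-string comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XUSERID_ATTR = "IAM_SAML_Attributes_xUserId"  # attribute name from this page

# Constructed sample: the attribute statement of a test assertion from the IdP.
# No signature is verified here; this is a configuration check only.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="IAM_SAML_Attributes_xUserId">
      <saml:AttributeValue>emp-1001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: IAM user name -> External Identity ID set on the SP side.
IAM_USERS = {"alice": "emp-1001", "bob": "emp-1002", "carol": "emp-1002"}


def extract_xuserid(assertion_xml):
    """Return the single xUserId value; raise ValueError if absent or ambiguous."""
    root = ET.fromstring(assertion_xml)
    values = [
        (v.text or "").strip()
        for a in root.iterfind(".//saml:Attribute", SAML_NS)
        if a.get("Name") == XUSERID_ATTR
        for v in a.iterfind("saml:AttributeValue", SAML_NS)
    ]
    if len(values) != 1 or not values[0]:
        raise ValueError(f"expected one non-empty {XUSERID_ATTR}, got {values!r}")
    return values[0]


def resolve_iam_user(assertion_xml, iam_users):
    """Map the assertion to one IAM user by exact External Identity ID match."""
    xuserid = extract_xuserid(assertion_xml)
    matches = sorted(u for u, ext_id in iam_users.items() if ext_id == xuserid)
    if not matches:
        raise LookupError(f"no IAM user has External Identity ID {xuserid!r}")
    if len(matches) > 1:
        raise LookupError(f"{xuserid!r} is set on {matches}; mapping is ambiguous")
    return matches[0]


if __name__ == "__main__":
    print(resolve_iam_user(SAMPLE_ASSERTION, IAM_USERS))
```

Running it against a test assertion before enabling IAM user SSO surfaces the three misconfigurations that stop the mapping from being unique: the attribute missing from the IdP, no IAM user with that ID, or the same ID on several IAM users.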