Tencent Cloud supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0). SAML 2.0 is an open standard used by many identity providers (IdPs). You can use SAML 2.0-based federation to integrate IdPs with Tencent Cloud. Federated single sign-on (SSO) can be implemented by using an IdP, and admins can authorize users that have their federated identity authenticated to log in to the Tencent Cloud Console to manage Tencent Cloud resources, eliminating the need to create a CAM sub-user for each employee of the organization.
This process creates one or multiple roles for IdPs to log in to the Tencent Cloud Console. After being granted permissions, the users can manage the resources of the root account in the console within the scope of permissions.
From the user's perspective, the entire process is streamlined: the user starts the operation on the internal portal of your organization and finishes the operation in the Tencent Cloud Console. There is no need to provide any Tencent Cloud credentials. For links to SSO configuration guides, please see the section below.
You can configure the identity store (such as Azure Active Directory) of your organization to use SAML 2.0-based IdPs like Azure Active Directory, OneLogin, and Okta. By using IdPs, you can generate a metadata document, which will describe your organization as an IdP with an identity verification key and will configure the portal of your organization to route user requests to access the Tencent Cloud Console to the Tencent Cloud endpoint node, facilitating the use of SAML 2.0 assertions to perform identity verification. The configuration of the
metadata.xml file generated by your IdP is subject to your IdP. For more information, please see the documentation of your IdP or read the following documents.
You can create an SAML (Security Assertion Markup Language) 2.0 IdP in the CAM Console. An IdP is an entity in CAM, which can be seen as a collection of external trusted accounts. An SAML 2.0-based federation IdP describes the IdP services supporting SAML 2.0. During creation, you can upload the IdP metadata file as described in Configuring SAML 2.0-based IdP in Organization. For more information, please see Creating IdP.
You can create a role for building the trust between the IdP in your organization and Tencent Cloud. In the context of SAML 2.0 assertions, the role can be assigned to federated users that have been verified by the IdP. This role permits the IdP to request temporary security credentials to access Tencent Cloud resources. In this process, you can associate policies and configure use conditions for the role to determine the access scope and use conditions for federated users in Tencent Cloud. For more information, please see Creating Role.
Download and save the Tencent Cloud federation metadata XML file at http://cloud.tencent.com/saml.xml. Map the attributes of the IdP in your organization to the Tencent Cloud attributes to build the trust between the IdP in your organization and Tencent Cloud. How you install this file is subject to your IdP. Some providers offer an option for you to simply enter the URL, upon which they will get and install the file for you, while other providers require that you download the file and then upload it locally. For more information, please see the instructions from your IdP or the following documents: