Accessing Tencent Cloud Console as SAML 2.0 Federated Users

Last updated: 2021-04-16 10:19:08

    Overview

    Tencent Cloud supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0). SAML 2.0 is an open standard used by many identity providers (IdPs). You can use SAML 2.0-based federation to integrate IdPs with Tencent Cloud. Federated single sign-on (SSO) can be implemented by using an IdP, and admins can authorize users that have their federated identity authenticated to log in to the Tencent Cloud console to manage Tencent Cloud resources, eliminating the need to create a CAM sub-user for each employee of the organization.

    Directions

    In this process, you create one or more roles that users authenticated by the IdP assume to log in to the Tencent Cloud console. After being granted permissions, the users can manage the resources of the root account in the console within the scope of those permissions.

    1. In a browser, the user opens the IdP's portal and chooses the link that redirects to the Tencent Cloud console.
    2. The portal verifies the identity of the current user.
    3. After verification, the portal generates a SAML 2.0 identity verification response, which contains the assertions that identify the user along with the related user attributes. The portal sends the response to the client browser.
    4. The client browser is redirected to the Tencent Cloud SSO endpoint and posts the SAML assertion to it.
    5. The endpoint requests temporary security credentials on behalf of the user and creates a console login URL that uses these credentials.
    6. Tencent Cloud returns the login URL to the user's client as a redirect.
    7. The client browser is redirected to the Tencent Cloud console. If the SAML 2.0 identity verification response includes attributes mapping to multiple CAM roles, the system first prompts the user to select the role to use for accessing the console.

    From the user's perspective, the entire process is streamlined: the user starts the operation on the internal portal of your organization and finishes the operation in the Tencent Cloud console. There is no need to provide any Tencent Cloud credentials. For links to SSO configuration guides, please see the section below.

    Configuring SAML 2.0-based IdP in organization

    You can configure your organization's identity store (such as Azure Active Directory) as a SAML 2.0-based IdP; Azure Active Directory, OneLogin, and Okta all support this. The IdP generates a metadata document that describes your organization as an IdP, including its identity verification key, and you configure your organization's portal to route requests to access the Tencent Cloud console to the Tencent Cloud endpoint, where the SAML 2.0 assertion is used for identity verification. The contents of the metadata.xml file generated by your IdP depend on the IdP. For more information, please see the documentation of your IdP or read the following documents.

    Creating SAML IdP in CAM

    You can create a SAML (Security Assertion Markup Language) 2.0 IdP in the CAM console. An IdP is an entity in CAM that can be seen as a collection of external trusted accounts. A SAML 2.0-based federation IdP describes an IdP service that supports SAML 2.0. During creation, you upload the IdP metadata document described in Configuring SAML 2.0-based IdP in organization. For more information, please see Creating IdP.

    Configuring permissions in Tencent Cloud for SAML provider user

    You can create a role for building the trust between the IdP in your organization and Tencent Cloud. In the context of SAML 2.0 assertions, the role can be assigned to federated users that have been verified by the IdP. This role permits the IdP to request temporary security credentials to access Tencent Cloud resources. In this process, you can associate policies and configure use conditions for the role to determine the access scope and use conditions for federated users in Tencent Cloud. For more information, please see Creating Role.

    Configuring SSO for IdP

    Download and save the Tencent Cloud federation metadata XML file at http://cloud.tencent.com/saml.xml. Map the attributes of the IdP in your organization to the Tencent Cloud attributes to build the trust between the IdP in your organization and Tencent Cloud. How you install this file depends on your IdP. Some providers let you simply enter the URL and then fetch and install the file for you, while others require that you download the file and then upload it. For more information, please see the instructions from your IdP or the following documents:

    Sample SAML response

    Below is a sample SAML response:

    <samlp:Response>
        <saml:Issuer>...</saml:Issuer>
        <ds:Signature>
                ...
        </ds:Signature>
        <samlp:Status>
            ...
        </samlp:Status>
        <saml:Assertion>
            <saml:Issuer>...</saml:Issuer>
            <saml:Subject>
                <saml:NameID>${NameID}</saml:NameID>
                <saml:SubjectConfirmation>
                    ...
                </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions>
                <saml:AudienceRestriction>
                    <saml:Audience>${Audience}</saml:Audience>
                </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement>
                ...
            </saml:AuthnStatement>
            <saml:AttributeStatement>
                <saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName">
                    ...
                </saml:Attribute>
                <saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role">
                    ...
                </saml:Attribute>
            </saml:AttributeStatement>
        </saml:Assertion>
    </samlp:Response>


    The AttributeStatement element of an SAML assertion must contain the following Attribute elements required by Tencent Cloud:

    1. The Attribute element whose Name attribute value is https://cloud.tencent.com/SAML/Attributes/Role. This element is required, and there can be multiple instances of it. Each AttributeValue it contains represents a role that the current user is allowed to assume. The value is the role description and the IdP description, separated by a comma (,).

    Note:

    If there are multiple roles, when you log in to the console, all roles will be listed on the page for you to choose.

    Below is a sample Attribute element of Role:

    <Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role">
      <AttributeValue>qcs::cam::uin/{AccountID}:roleName/{RoleName1},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName1}</AttributeValue>
      <AttributeValue>qcs::cam::uin/{AccountID}:roleName/{RoleName2},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName2}</AttributeValue>
    </Attribute>


    If the same IdP is used for all roles, you can combine them into a single value and separate the ARNs of the different roles with a semicolon (;).

    <Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role">
      <AttributeValue>qcs::cam::uin/{AccountID}:roleName/{RoleName1};qcs::cam::uin/{AccountID}:roleName/{RoleName2},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName}</AttributeValue>
    </Attribute>


    Note:

    Replace {AccountID}, {RoleName}, and {ProviderName} in the Role attribute samples above with the following:

    • Replace {AccountID} with your Tencent Cloud root account ID, which can be viewed on the Account Information page.
    • Replace {RoleName} with the role name you created for the IdP in Tencent Cloud (see Creating Role for how to create a role for an IdP), which can be viewed on the Roles page.
    • Replace {ProviderName} with the name of the SAML IdP you created in Tencent Cloud, which can be viewed on the Identity Providers page.

    2. The Attribute element whose Name attribute value is https://cloud.tencent.com/SAML/Attributes/RoleSessionName. This element is required, and there can be only one instance of it. It is user-defined and can contain up to 32 characters. Below is a sample Attribute element of RoleSessionName, where userName can be replaced with your custom information.

    <Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName">
      <AttributeValue>userName</AttributeValue>
    </Attribute>
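The Role and RoleSessionName rules above are what a service provider must enforce before mapping a federated user to a CAM role. The following is an added example, not Tencent Cloud's code: it parses a SAML response with the standard SAML 2.0 namespaces, collects every Role AttributeValue (both the comma form and the semicolon-combined form), and rejects assertions that miss a required attribute, carry more than one RoleSessionName, or exceed the 32-character limit. The sample response, the account ID 100000000001, the role names and the provider name are all constructed for illustration; the check that role and provider ARNs name the same account is an added consistency check based on the samples above, not a rule the documentation states.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

# Standard SAML 2.0 namespace URIs for the samlp:/saml: prefixes used in the samples.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://cloud.tencent.com/SAML/Attributes/Role"
SESSION_ATTR = "https://cloud.tencent.com/SAML/Attributes/RoleSessionName"
MAX_SESSION_NAME = 32  # RoleSessionName limit stated in the documentation

# ARN shapes shown in the documentation:
#   qcs::cam::uin/{AccountID}:roleName/{RoleName}
#   qcs::cam::uin/{AccountID}:saml-provider/{ProviderName}
ARN_RE = re.compile(r"^qcs::cam::uin/(?P<uin>[^:/]+):(?P<kind>roleName|saml-provider)/(?P<name>[^,;]+)$")


class InvalidAssertion(ValueError):
    """The assertion does not carry the attributes Tencent Cloud requires."""


@dataclass(frozen=True)
class RoleMapping:
    role_arn: str
    provider_arn: str


def _account_of(arn: str, expected_kind: str) -> str:
    """Validate an ARN of the expected kind and return its {AccountID} part."""
    m = ARN_RE.match(arn.strip())
    if not m or m.group("kind") != expected_kind:
        raise InvalidAssertion(f"not a {expected_kind} ARN: {arn!r}")
    return m.group("uin")


def parse_role_value(value: str) -> List[RoleMapping]:
    """Split one Role AttributeValue, 'roleARN[;roleARN...],providerARN',
    into one RoleMapping per role ARN."""
    parts = value.split(",")
    if len(parts) != 2:
        raise InvalidAssertion(f"Role value must be 'role ARN(s),provider ARN': {value!r}")
    roles_part, provider_arn = parts[0], parts[1].strip()
    provider_uin = _account_of(provider_arn, "saml-provider")
    mappings = []
    for role_arn in roles_part.split(";"):
        role_arn = role_arn.strip()
        # Added check (assumption): the samples use one {AccountID} for role and provider.
        if _account_of(role_arn, "roleName") != provider_uin:
            raise InvalidAssertion(f"{role_arn!r} and {provider_arn!r} name different accounts")
        mappings.append(RoleMapping(role_arn, provider_arn))
    return mappings


def extract_role_mappings(response_xml: str) -> Tuple[List[RoleMapping], str]:
    """Return (role mappings, RoleSessionName), enforcing: Role is required and may
    repeat; RoleSessionName appears exactly once and is 1..32 characters."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise InvalidAssertion(f"expected exactly one Assertion, found {len(assertions)}")
    role_values: List[str] = []
    session_elements, session_values = 0, []
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == ROLE_ATTR:
            role_values.extend(values)
        elif attr.get("Name") == SESSION_ATTR:
            session_elements += 1
            session_values.extend(values)
    if not role_values:
        raise InvalidAssertion("Role attribute is required")
    if session_elements != 1 or len(session_values) != 1:
        raise InvalidAssertion("exactly one RoleSessionName with one value is required")
    session_name = session_values[0]
    if not 1 <= len(session_name) <= MAX_SESSION_NAME:
        raise InvalidAssertion(f"RoleSessionName must be 1..{MAX_SESSION_NAME} characters")
    mappings: List[RoleMapping] = []
    for value in role_values:
        mappings.extend(parse_role_value(value))
    return mappings, session_name


# Constructed sample response (signature and other elements elided for brevity).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role">
        <saml:AttributeValue>qcs::cam::uin/100000000001:roleName/ReadOnly;qcs::cam::uin/100000000001:roleName/Ops,qcs::cam::uin/100000000001:saml-provider/CorpIdP</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    roles, session = extract_role_mappings(SAMPLE_RESPONSE)
    print(session, [r.role_arn for r in roles])
```

Run as a script it prints the session name and the two role ARNs the user may choose between, which is the list the console role-selection prompt described above would show. Signature and audience verification are deliberately out of scope here and must be done by a SAML library before these attributes are trusted.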