Tencent Cloud supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0). SAML 2.0 is an open standard used by many identity providers (IdPs). You can use SAML 2.0-based federation to integrate identity providers with Tencent Cloud. Federated single sign-on can be implemented by using an identity provider, and admins can authorize users whose federated identity has been authenticated to log in to the Tencent Cloud console or to call Tencent Cloud APIs, without creating a CAM sub-user for each employee of the enterprise or organization.
This step creates one or multiple roles for identity providers to log into the Tencent Cloud console. After being granted permissions, the users can, within the scope of permissions, manage the resources of the root account via Tencent Cloud console.
From the user’s perspective, the entire process is streamlined: The user starts the operation on the internal portal of your enterprise or organization, and finishes the operation on the Tencent Cloud console. There is no need to provide any Tencent Cloud credentials. See the following sections for links to single sign-on configuration guides.
You can configure the identity store (such as Azure Active Directory) of your enterprise or organization to use SAML 2.0-based identity providers, such as Azure Active Directory, OneLogin, and Okta. Using the identity provider, you can generate a metadata document. This document describes your enterprise or organization as an identity provider, carries its identity verification key, and configures the portal of your enterprise or organization to take user requests for the Tencent Cloud console and route them to the Tencent Cloud endpoint, so that identity verification is performed with SAML 2.0 assertions. The content of the metadata.xml file generated by your identity provider depends on the provider. For more information, see the documentation of your IdP, or read the following documents.
You can create a SAML 2.0 identity provider in the CAM console. IdP is an entity in CAM, which can be deemed as a collection of external trusted accounts. A SAML 2.0-based identity provider describes the identity provider services supporting Security Assertion Markup Language 2.0. During creation, you can upload the identity provider metadata file from Configuring a SAML 2.0-Based Identity Provider in an Enterprise or Organization. For more information, see Creating an IdP.
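Before uploading the metadata file to CAM, it pays to confirm that it actually describes an IdP, carries a usable signing certificate (the "identity verification key" above) and points at HTTPS single sign-on endpoints, since those are the values CAM will trust. The script below is an added example and not Tencent Cloud or CAM code; the sample metadata document, the certificate bytes inside it and the "bad" variant are constructed, and the checks are generic SAML 2.0 metadata checks rather than anything specific to CAM's parser.

```python
"""Pre-upload sanity checks for a SAML 2.0 IdP metadata.xml.

Added example, not Tencent Cloud code. The sample document and the
certificate bytes below are constructed; the checks are generic
SAML 2.0 metadata checks (stdlib only).
"""
import base64
import binascii
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for files you do not control

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACCEPTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed stand-in for a DER certificate: an ASN.1 SEQUENCE header plus padding.
FAKE_CERT_B64 = base64.b64encode(bytes([0x30, 0x82, 0x00, 0x20]) + b"\x00" * 32).decode()

# Constructed IdP metadata (hypothetical idp.example.com).
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed bad variant: key relabelled as encryption-only, plaintext redirect endpoint.
SAMPLE_BAD_METADATA = (
    SAMPLE_IDP_METADATA
    .replace('use="signing"', 'use="encryption"')
    .replace("https://idp.example.com/sso/redirect", "http://idp.example.com/sso/redirect")
)


def check_idp_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and return the values CAM will rely on plus any problems found."""
    root = ET.fromstring(xml_text)
    problems = []

    entity_id = root.get("entityID")
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not entity_id:
        problems.append("root element is not an EntityDescriptor with an entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this file describes an SP, not an IdP")
        return {"entity_id": entity_id, "signing_certs": 0, "sso": {}, "problems": problems}

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except binascii.Error:
                problems.append("signing certificate is not valid base64")
                continue
            if not der or der[0] != 0x30:  # a DER Certificate is an ASN.1 SEQUENCE
                problems.append("signing certificate does not look like DER")
                continue
            signing_certs += 1
    if signing_certs == 0:
        problems.append("no usable signing certificate: assertions could not be verified")

    # Only the bindings a web SSO flow actually uses; the endpoint must be HTTPS.
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding"), svc.get("Location", "")
        if binding in ACCEPTED_BINDINGS:
            sso[binding] = location
            if not location.startswith("https://"):
                problems.append(f"SSO endpoint is not HTTPS: {location}")
    if not sso:
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")

    return {"entity_id": entity_id, "signing_certs": signing_certs, "sso": sso, "problems": problems}


if __name__ == "__main__":
    for name, doc in (("good", SAMPLE_IDP_METADATA), ("bad", SAMPLE_BAD_METADATA)):
        result = check_idp_metadata(doc)
        print(name, result["entity_id"], result["signing_certs"], result["problems"])
```

Run it against the real metadata.xml exported from your IdP by reading the file into `check_idp_metadata`; an empty `problems` list means the file has the pieces CAM needs, while a missing signing certificate or a plain-HTTP endpoint should be fixed on the IdP side before the file is uploaded.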
You can create a role to be used to build the trust between the identity provider in your enterprise or organization and Tencent Cloud. In the context of the SAML 2.0 assertion, roles can be assigned to federated users that have been verified by identity providers. This role permits identity providers to request temporary security credentials to access Tencent Cloud resources. In this process, you can associate policies and configure use conditions for the role to determine the access scope and use conditions for federated users in Tencent Cloud. For more information, see Creating a Role.
Download and save the Tencent Cloud federation metadata XML file: http://cloud.tencent.com/saml.xml. Map the attributes of the identity provider in your enterprise or organization to the Tencent Cloud attributes to build the trust between the identity provider in your enterprise or organization and Tencent Cloud. How you install this file depends on your identity provider. Some providers provide an option for you to simply enter the URL, upon which the identity provider will obtain and install the file for you. Other providers require that you download the file and then upload it locally. For more information, see the instructions from your identity provider or refer to the following documentation: