Accessing Tencent Cloud Console as SAML 2.0 Federated Users
Last updated: 2019-11-28 18:24:13
Tencent Cloud supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0). SAML 2.0 is an open standard supported by many identity providers (IdPs), and you can use SAML 2.0-based federation to integrate an identity provider with Tencent Cloud. Federated single sign-on is implemented through the identity provider: administrators can authorize users whose federated identity has been authenticated to log in to the Tencent Cloud console or call Tencent Cloud APIs, without creating a CAM sub-user for each employee of the enterprise or organization.
This step creates one or more roles that the identity provider's users assume to log in to the Tencent Cloud console. Once a role has been granted permissions, the users who assume it can manage the root account's resources in the Tencent Cloud console within the scope of those permissions.
- The user opens the identity provider's portal in a browser and chooses the option that redirects to the Tencent Cloud console.
- The portal verifies the identity of the current user.
- After verification, the portal generates a SAML 2.0 identity verification response. This response contains the assertion that identifies the user, together with the related user attributes. The portal sends the response to the client browser.
- The client browser redirects to the Tencent Cloud single sign-on endpoint and posts the SAML assertion to it.
- The endpoint requests temporary security credentials on behalf of the user and creates a console login URL that uses these credentials.
- Tencent Cloud returns the login URL to the user's client as a redirect.
- The client browser is redirected to the Tencent Cloud console. If the SAML 2.0 identity verification response includes attributes that map to multiple CAM roles, the system first prompts the user to select the role they want to use to access the console.
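The checks the single sign-on endpoint has to perform on the posted assertion before it issues temporary credentials (validity window, audience, subject, and the role attributes that drive the role prompt above) can be illustrated with a small validator. The following is an added example, not Tencent Cloud's code: it uses only the Python standard library, runs over a constructed SAML Response embedded inline, and the attribute name `urn:example:role` plus the entity IDs are placeholders. It deliberately stops short of XML Signature verification, which needs an XML-DSig library and must pass before any of the other checks are trusted.

```python
"""Check a SAML 2.0 assertion's conditions and extract its role attributes.

Educational illustration of the checks a service-provider SSO endpoint performs
on a SAML Response before issuing temporary credentials. Not Tencent Cloud's
implementation. XML Signature verification (which requires an XML-DSig library
such as xmlsec) is a prerequisite and is NOT performed here.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder attribute name for the role mapping; the real name comes from
# the IdP configuration and the cloud provider's attribute mapping.
ROLE_ATTRIBUTE = "urn:example:role"


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2019-11-28T10:24:13Z (no fractional seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(response_xml, expected_audience, now):
    """Return (subject, roles) if the assertion is acceptable, otherwise raise ValueError."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive; an
    # assertion without an expiry is rejected rather than accepted forever.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after is None or now >= parse_saml_time(not_on_or_after):
        raise ValueError("assertion expired or has no expiry")

    # Audience restriction: the assertion must be addressed to this service provider.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no subject")

    # Collect every value of the role attribute; more than one means the user
    # will be asked to pick a role.
    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTRIBUTE:
            roles.extend(v.text for v in attr.findall("saml:AttributeValue", NS) if v.text)
    if not roles:
        raise ValueError("assertion carries no role attribute")
    return name_id.text, roles


def is_acceptable(response_xml, expected_audience, now):
    """Boolean wrapper around check_assertion for callers that only need a verdict."""
    try:
        check_assertion(response_xml, expected_audience, now)
        return True
    except ValueError:
        return False


# Constructed sample response (unsigned, placeholder entity IDs and role names).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2019-11-28T10:24:13Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-11-28T10:24:13Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-11-28T10:24:13Z" NotOnOrAfter="2019-11-28T10:29:13Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.org/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:role">
        <saml:AttributeValue>ReadOnlyRole</saml:AttributeValue>
        <saml:AttributeValue>OpsRole</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    now = parse_saml_time("2019-11-28T10:26:00Z")
    subject, roles = check_assertion(SAMPLE_RESPONSE, "https://sp.example.org/saml", now)
    print("subject:", subject)
    print("roles:", roles, "(more than one: user is prompted to choose)")
```

The audience check is what stops an assertion minted for another service provider from being replayed against this endpoint, and the exclusive `NotOnOrAfter` check is why the sample is rejected at exactly 10:29:13Z.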
From the user’s perspective, the entire process is streamlined: The user starts the operation on the internal portal of your enterprise or organization, and finishes the operation on the Tencent Cloud console. There is no need to provide any Tencent Cloud credentials. See the following sections for links to single sign-on configuration guides.
Configuring a SAML 2.0-Based Identity Provider in an Enterprise or Organization
You can configure your enterprise or organization's identity store to work with a SAML 2.0-based identity provider such as Azure Active Directory, OneLogin, or Okta. The identity provider generates a metadata document that describes your enterprise or organization as an identity provider, including the identity verification key, and you configure your portal to take user requests to access the Tencent Cloud console and route them to the Tencent Cloud endpoint, where the SAML 2.0 assertion is used to verify the user's identity. The content of the metadata.xml file generated by your identity provider depends on the provider. For more information, see the documentation of your IdP or the following documents.
Creating SAML Identity Providers in CAM
You can create a SAML 2.0 identity provider in the CAM console. An IdP is a CAM entity that can be thought of as a collection of trusted external accounts. A SAML 2.0-based identity provider describes an identity provider service that supports Security Assertion Markup Language 2.0. During creation, you upload the identity provider metadata file obtained in Configuring a SAML 2.0-Based Identity Provider in an Enterprise or Organization. For more information, see Creating an IdP.
Configuring Permissions in Tencent Cloud for a SAML Provider User
You can create a role that establishes the trust between the identity provider in your enterprise or organization and Tencent Cloud. In the context of the SAML 2.0 assertion, roles are assigned to federated users whose identity has been verified by the identity provider. The role permits the identity provider to request temporary security credentials for accessing Tencent Cloud resources. In this process, you associate policies with the role and configure its use conditions, which together determine the access scope and the conditions under which federated users can use it in Tencent Cloud. For more information, see Creating a Role.
Configuring Single Sign-On for Identity Providers
Download and save the Tencent Cloud federation metadata XML file: http://cloud.tencent.com/saml.xml. Map the attributes of the identity provider in your enterprise or organization to the Tencent Cloud attributes to establish the trust between the identity provider in your enterprise or organization and Tencent Cloud. How you install this file depends on your identity provider. Some providers let you simply enter the URL, after which the identity provider obtains and installs the file for you. Others require you to download the file and upload it from your local machine. For more information, see the instructions from your identity provider or refer to the following documentation:
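Both the identity provider's metadata.xml (Configuring a SAML 2.0-Based Identity Provider in an Enterprise or Organization) and the Tencent Cloud federation metadata file above are SAML 2.0 EntityDescriptor documents. Before uploading either side's file, it is worth reading out the entityID, the signing certificate fingerprint and the endpoints so they can be cross-checked against what the other side expects. The following parser is an added example, not Tencent Cloud's tooling, and it knows nothing about the real contents of saml.xml: it runs on constructed IdP and SP metadata embedded inline, with placeholder entity IDs and a placeholder certificate body that is not a real X.509 certificate.

```python
"""Read a SAML 2.0 metadata document and report what a federation setup needs.

Added illustration (not Tencent Cloud's tooling): extracts the entityID, the
validity date, the signing certificate fingerprints and the endpoints from an
IdP or SP EntityDescriptor, using only the Python standard library.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Endpoint elements worth reporting, per descriptor type.
ENDPOINTS = {
    "IDPSSODescriptor": ["SingleSignOnService", "SingleLogoutService"],
    "SPSSODescriptor": ["AssertionConsumerService", "SingleLogoutService"],
}


def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint of the base64 DER body found in ds:X509Certificate."""
    der = base64.b64decode(cert_b64)  # line breaks in wrapped certificate bodies are ignored
    return hashlib.sha256(der).hexdigest()


def parse_metadata(xml_text):
    """Return a dict describing the EntityDescriptor; raise ValueError if it is not one."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    info = {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),  # None when the document never expires
        "role": None,
        "signing_fingerprints": [],
        "endpoints": [],
    }
    for desc_name, services in ENDPOINTS.items():
        desc = root.find("md:" + desc_name, NS)
        if desc is None:
            continue
        info["role"] = "IdP" if desc_name == "IDPSSODescriptor" else "SP"
        for kd in desc.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                info["signing_fingerprints"].append(cert_fingerprint(cert.text))
        for svc in services:
            for ep in desc.findall("md:" + svc, NS):
                info["endpoints"].append(
                    {"service": svc, "binding": ep.get("Binding"), "location": ep.get("Location")}
                )
    if info["role"] is None:
        raise ValueError("metadata has neither an IdP nor an SP descriptor")
    return info


# Constructed placeholder, NOT a real certificate: only its fingerprint is exercised.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/metadata" validUntil="2020-11-28T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for doc in (SAMPLE_IDP_METADATA, SAMPLE_SP_METADATA):
        m = parse_metadata(doc)
        print(m["role"], m["entity_id"], "validUntil:", m["valid_until"])
        for fp in m["signing_fingerprints"]:
            print("  signing cert sha256:", fp)
        for ep in m["endpoints"]:
            print("  %s via %s -> %s" % (ep["service"], ep["binding"].rsplit(":", 1)[-1], ep["location"]))
```

The SP entityID reported for the provider's metadata is the value that must appear as the Audience in the assertions your identity provider issues, and the signing fingerprint from the IdP metadata is what the service provider will use to verify those assertions, so comparing these two values against what each side's console shows catches a mismatched or stale file before users hit a login failure.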