Accessing Tencent Cloud Console as SAML 2.0 Federated Users

Last updated: 2020-07-17 16:40:11

    Operation Scenarios

    Tencent Cloud supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0). SAML 2.0 is an open standard used by many identity providers (IdPs). You can use SAML 2.0-based federation to integrate IdPs with Tencent Cloud. With an IdP, you can implement federated single sign-on (SSO): admins can authorize users whose federated identity has been authenticated to log in to the Tencent Cloud Console and manage Tencent Cloud resources, which eliminates the need to create a CAM sub-user for each employee of the organization.


    This process creates one or more roles for IdPs to log in to the Tencent Cloud Console. After being granted permissions, the users can manage the resources of the root account in the console within the scope of those permissions.

    1. Access the IdP's portal in a browser and choose to be redirected to the Tencent Cloud Console.
    2. The portal will verify the identity of the current user.
    3. After verification, the portal will generate a SAML 2.0 identity verification response, which contains the assertions that identify the user along with the related user attributes. The portal will send the response to the client browser.
    4. The client browser will be redirected to the Tencent Cloud SSO endpoint node and post the SAML assertion.
    5. The endpoint node will request temporary security credentials on behalf of the user and create a console login URL that uses these credentials.
    6. Tencent Cloud will return the login URL to the user's client as a redirect.
    7. The client browser will be redirected to the Tencent Cloud Console. If the SAML 2.0 identity verification response includes attributes mapping to multiple CAM roles, the system will first prompt the user to select the role they want to use to access the console.
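
    The response described in steps 3 and 7, as an added example that is not part of the original page or Tencent Cloud's own code: a Python check an administrator can run over a decoded response from their own IdP to see which role values it carries, whether the console would prompt for a role, and whether it is signed and inside its validity window. The attribute name, audience URL and role values are constructed placeholders; substitute the ones your IdP configuration uses.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLE_ATTR = "https://sp.example/attributes/Role"  # assumption: placeholder attribute name

# Constructed sample: an unsigned response whose role attribute carries two values.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion">
 <a:Assertion>
  <a:Conditions NotBefore="2020-07-17T08:00:00Z" NotOnOrAfter="2020-07-17T08:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example</a:Audience></a:AudienceRestriction>
  </a:Conditions>
  <a:AttributeStatement><a:Attribute Name="https://sp.example/attributes/Role">
   <a:AttributeValue>role-admin</a:AttributeValue>
   <a:AttributeValue>role-readonly</a:AttributeValue>
  </a:Attribute></a:AttributeStatement>
 </a:Assertion>
</p:Response>"""

def _ts(value):  # parse a SAML UTC timestamp without fractional seconds
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_response(xml_text, now, expected_audience, role_attr=ROLE_ATTR):
    """Summarise a decoded response for review; signatures are looked for, not verified."""
    root = ET.fromstring(xml_text)  # review tool for your own IdP's output, not untrusted XML
    found = root.findall("a:Assertion", NS)
    if len(found) != 1:
        raise ValueError("expected exactly 1 assertion, found %d" % len(found))
    asr, problems = found[0], []
    if root.find("ds:Signature", NS) is None and asr.find("ds:Signature", NS) is None:
        problems.append("no XML signature on response or assertion")
    cond = asr.find("a:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None
    if nb and now < _ts(nb):
        problems.append("assertion not yet valid")
    if not noa or now >= _ts(noa):
        problems.append("assertion expired or has no NotOnOrAfter")
    audiences = [(e.text or "").strip() for e in asr.iter("{%s}Audience" % NS["a"])]
    if expected_audience not in audiences:
        problems.append("audience does not name the expected service provider")
    roles = [(v.text or "").strip()
             for attr in asr.iter("{%s}Attribute" % NS["a"]) if attr.get("Name") == role_attr
             for v in attr.findall("a:AttributeValue", NS)]
    if not roles:
        problems.append("no role attribute value: nothing for the user to assume")
    return {"roles": roles, "role_prompt": len(roles) > 1, "problems": problems}
```

    A non-empty `problems` list points at the IdP-side setting to correct before users are sent to the SSO endpoint; `role_prompt` is true when the response would lead to the role selection in step 7.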

    From the user's perspective, the entire process is streamlined: the user starts the operation on the internal portal of your organization and finishes the operation in the Tencent Cloud Console. There is no need to provide any Tencent Cloud credentials. For links to SSO configuration guides, please see the section below.

    Configuring SAML 2.0-based IdP in organization

    You can configure the identity store (such as Azure Active Directory) of your organization to use SAML 2.0-based IdPs like Azure Active Directory, OneLogin, and Okta. With the IdP, you generate a metadata document that describes your organization as an IdP and includes an identity verification key, and you configure the portal of your organization to route user requests for the Tencent Cloud Console to the Tencent Cloud endpoint node, so that SAML 2.0 assertions are used to perform identity verification. How the metadata.xml file generated by your IdP is configured depends on your IdP. For more information, please see the documentation of your IdP or read the following documents.

    Creating SAML IdP in CAM

    You can create a SAML (Security Assertion Markup Language) 2.0 IdP in the CAM Console. An IdP is an entity in CAM, which can be seen as a collection of external trusted accounts. A SAML 2.0-based federation IdP describes the IdP services supporting SAML 2.0. During creation, you can upload the IdP metadata file as described in Configuring SAML 2.0-based IdP in Organization. For more information, please see Creating IdP.

    Configuring permissions in Tencent Cloud for SAML provider user

    You can create a role to build the trust between the IdP in your organization and Tencent Cloud. In the context of SAML 2.0 assertions, the role can be assigned to federated users that have been verified by the IdP. This role permits the IdP to request temporary security credentials to access Tencent Cloud resources. In this process, you can associate policies with the role and configure its use conditions, which together determine the access scope and use conditions for federated users in Tencent Cloud. For more information, please see Creating Role.

    Configuring SSO for IdP

    Download and save the Tencent Cloud federation metadata XML file at Map the attributes of the IdP in your organization to the Tencent Cloud attributes to build the trust between the IdP in your organization and Tencent Cloud. How you install this file depends on your IdP. Some providers let you simply enter the URL and then fetch and install the file for you, while other providers require that you download the file and then upload it locally. For more information, please see the instructions from your IdP or the following documents:
