OneLogin Single Sign-On

Last updated: 2019-12-31 17:54:55


Introduction

OneLogin is a cloud identity and access management (IAM) provider. After authenticating once with OneLogin, a user can open all of an enterprise's internal systems with a single click. Tencent Cloud supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard used by many identity providers (IdPs), including OneLogin. With federated single sign-on, administrators can authorize users authenticated by the IdP to log in to the Tencent Cloud console or call Tencent Cloud APIs without creating a CAM sub-user for every employee of the enterprise or organization.
This tutorial describes how to configure OneLogin single sign-on for Tencent Cloud.

Directions

Creating OneLogin Enterprise Applications

  • This step creates a OneLogin enterprise application. If you already have one, skip this step and go straight to CAM configuration.
  • This document uses the application name test as an example.
  1. Log in to OneLogin and open the Application Management page. Click Add App.
  2. In the search box, enter SAML and press Enter. In the results list, click Pilot Catastrophe SAML (IdP). This is shown in the following figure:
  3. In the Display Name field, enter the application name and click Save to create the application. This is shown in the following figure:

Configuring CAM

  • This step configures the trust relationship between OneLogin and Tencent Cloud.
  • In this example, the SAML identity provider and the role are both named test.
  1. On the OneLogin Application Management page, select the application test that you created.
  2. Click More Actions, select SAML Metadata, and download the IdP metadata document (an XML file that carries the OneLogin issuer and signing certificate). This is shown in the following figure.
  3. Create the Tencent Cloud CAM identity provider and role, using the metadata document downloaded in step 2. For more information, see Creating an IdP.

Configuring OneLogin Single Sign-On

This step maps OneLogin application attributes to the attributes Tencent Cloud expects in the SAML assertion, so that logins issued by the OneLogin application are accepted by Tencent Cloud.

  1. On the OneLogin Application Management page, click the test application that you created to open the application editor.
  2. Select the Configuration tab, enter the following values, and click Save. This is shown in the following figure:
  • If your Tencent Cloud account is located on Tencent Cloud China website, perform configuration as follows:
    SAML Consumer URL: https://cloud.tencent.com/login/saml
    SAML Audience: https://cloud.tencent.com
    SAML Recipient: https://cloud.tencent.com/login/saml
  • If your Tencent Cloud account is located on Tencent Cloud International website, perform configuration as follows:
    SAML Consumer URL: https://intl.cloud.tencent.com/login/saml
    SAML Audience: https://intl.cloud.tencent.com
    SAML Recipient: https://intl.cloud.tencent.com/login/saml
  3. Click Parameters, select Add Parameter, and add the following two items:

     Field name: https://cloud.tencent.com/SAML/Attributes/Role
     Flags: Include in SAML assertion
     Value: Macro
     Source attribute (macro): qcs::cam::uin/{AccountID}:roleName/{RoleName1};qcs::cam::uin/{AccountID}:roleName/{RoleName2},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName}

     Field name: https://cloud.tencent.com/SAML/Attributes/RoleSessionName
     Flags: Include in SAML assertion
     Value: Macro
     Source attribute (macro): Test

     The example uses the fixed string Test as the RoleSessionName. Because this value identifies the federated session, mapping it to a per-user OneLogin field (for example the user's email address) instead makes individual users distinguishable in the console and in audit logs.

Replace {AccountID}, {RoleName1}/{RoleName2}, and {ProviderName} in the Role source attribute as follows. Each roleName entry names one role that federated users may assume; multiple roleName entries are separated by a semicolon, and the final entry after the comma names the SAML identity provider. All entries must use the same account ID.

  • {AccountID}: Replace this with your Tencent Cloud account ID. You can view this at Account Information - Console.
  • {RoleName1}, {RoleName2}: Replace these with the names of the roles you created on Tencent Cloud. You can view them at Role - Console.
  • {ProviderName}: Replace this with the name of the SAML identity provider that you created on Tencent Cloud. You can view this at Identity Providers - Console.
  4. Click Save in the upper right corner to save the configuration.
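
As an added example that is not part of the OneLogin or Tencent Cloud documentation, the following Python script builds the Role attribute value in the format shown above and checks a SAML assertion for the Audience, Recipient, Role and RoleSessionName values that Tencent Cloud expects. The assertion it checks is a constructed sample embedded in the script; the account ID 100000000001, the user alice@example.com, the issuer URL, and the character set allowed in role and provider names are assumptions made for illustration. The script checks structure only; the XML signature is verified by the service provider against the certificate in the uploaded IdP metadata and is not checked here.

```python
"""Validate SAML assertion attributes for Tencent Cloud role SSO.

Added example, not part of the OneLogin or Tencent Cloud documentation.
The assertion below is constructed; account ID, user, issuer and the
allowed characters in role/provider names are assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://cloud.tencent.com/SAML/Attributes/Role"
SESSION_ATTR = "https://cloud.tencent.com/SAML/Attributes/RoleSessionName"

# Values from the tutorial for an account on the international site.
EXPECTED_AUDIENCE = "https://intl.cloud.tencent.com"
EXPECTED_RECIPIENT = "https://intl.cloud.tencent.com/login/saml"

# Assumed character set for role and provider names; adjust to your naming rules.
ROLE_RE = re.compile(r"^qcs::cam::uin/(\d+):roleName/([A-Za-z0-9_-]+)$")
PROVIDER_RE = re.compile(r"^qcs::cam::uin/(\d+):saml-provider/([A-Za-z0-9_-]+)$")


def build_role_value(account_id, role_names, provider_name):
    """Role attribute value as in the tutorial: roles joined by ';',
    then ',' and the SAML provider, all under one account ID."""
    roles = ";".join(f"qcs::cam::uin/{account_id}:roleName/{r}" for r in role_names)
    return f"{roles},qcs::cam::uin/{account_id}:saml-provider/{provider_name}"


def parse_role_value(value):
    """Return (account_id, [role names], provider name) or raise ValueError."""
    roles_part, sep, provider_part = value.rpartition(",")
    if not sep:
        raise ValueError("missing ',' before the saml-provider entry")
    m = PROVIDER_RE.match(provider_part)
    if m is None:
        raise ValueError(f"malformed provider entry: {provider_part}")
    account_id, provider = m.groups()
    names = []
    for role in roles_part.split(";"):
        rm = ROLE_RE.match(role)
        if rm is None:
            raise ValueError(f"malformed role entry: {role}")
        if rm.group(1) != account_id:
            raise ValueError("role and provider entries name different accounts")
        names.append(rm.group(2))
    return account_id, names, provider


def check_assertion(xml_text, expected_audience, expected_recipient):
    """Structural checks only: Audience, Recipient, Role format, RoleSessionName.
    Signature verification is the service provider's job and is not done here."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        problems.append(f"Audience {audience!r}, expected {expected_audience!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_recipient:
        problems.append(f"Recipient {recipient!r}, expected {expected_recipient!r}")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    roles = None
    if ROLE_ATTR not in attrs:
        problems.append("Role attribute missing")
    else:
        try:
            roles = parse_role_value(attrs[ROLE_ATTR][0])
        except ValueError as err:
            problems.append(f"Role attribute invalid: {err}")
    session = attrs.get(SESSION_ATTR, [""])[0]
    if not session:
        problems.append("RoleSessionName attribute missing or empty")
    return {"ok": not problems, "problems": problems, "roles": roles, "session": session}


# Constructed sample assertion (unsigned) exercising the checks above.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0" IssueInstant="2019-12-31T00:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{EXPECTED_RECIPIENT}" NotOnOrAfter="2019-12-31T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-12-31T00:00:00Z" NotOnOrAfter="2019-12-31T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>{build_role_value('100000000001', ['test'], 'test')}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SESSION_ATTR}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, EXPECTED_AUDIENCE, EXPECTED_RECIPIENT))
```

To check a real login, capture the base64-decoded SAML response from the browser's POST to the consumer URL and pass its Assertion element to check_assertion with the Audience and Recipient values for your site (China or International). A mismatch in either value, or a Role entry whose account ID differs from the provider entry, is the usual cause of a login that OneLogin reports as successful but Tencent Cloud rejects.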

Configuring OneLogin Users

  1. Log in to OneLogin User Management console.
  2. Click New User to go to the user creation page.
  3. Enter First Name, Last Name, Email, and Username, then click Save User. This is shown in the following figure:

Check your email for the password of this account, or click More Actions and select Change Password to change the password.

  4. Click Applications on the user editing page. Select on the right side. This is shown in the following figure:
  5. In the dialog box that opens, select the SAML test application that you created and click Continue. This is shown in the following figure:
  6. On the editing page, click Save. This is shown in the following figure:
  7. Use the account created in step 3 to log in to OneLogin and open the SAML test application created in the preceding sections. You will be redirected to the Tencent Cloud console.