Okta Single Sign-On

Last updated: 2019-12-25 10:33:53


Introduction

Okta is an identity and access management provider. Tencent Cloud supports identity federation based on SAML 2.0 (Security Assertion Markup Language 2.0), an open standard implemented by many identity providers (IdPs). Using SAML 2.0 identity federation you can integrate Okta with Tencent Cloud so that employees log in to the Tencent Cloud console with their Okta accounts and manage Tencent Cloud resources, without creating a CAM sub-user for each employee of the enterprise or organization.

Directions

Creating Okta Applications

This step creates an Okta application. If you already have one, skip this step and go straight to Configuring SAML for Okta Applications.

  1. Log in to the Okta website, and click User Name > Your Org at the top right corner, as shown in the following figure:
  2. On the Okta home page, click Admin in the top right corner to go to the Admin interface.
  3. On the Admin page, select Applications to go to the application management page, as shown in the following figure:
  4. In the application management page, click Add Application.
  5. In the Add Application page, click Create New APP, as shown in the following figure:
  6. A Create a New Application Integration dialog will pop up. Select the platform, set the sign-on method to SAML 2.0, and click Create, as shown in the following figure:
  7. In the General Settings page, add the App name, App logo (optional), and App visibility (optional) information and click Next. This application can be used to integrate with Tencent Cloud to implement Okta account single sign-on to the Tencent Cloud console to manage Tencent Cloud resources.

Configuring SAML for Okta Applications

  • This step maps Okta application attributes to Tencent Cloud attributes to create trust between Okta and Tencent Cloud.
  • If you followed the steps in Creating Okta Applications to create your application, you can go straight to Step 3.
  1. Go to the application management page, and click the name of the application you created.
  2. In the General page, click Edit under the SAML Settings box. Confirm the current App name, App logo (optional), and App visibility (optional) information. Click Next to go to Configure SAML page.
  3. In the Configure SAML page, enter the following information under Single sign-on URL and Audience URL (SP Entity ID) in the GENERAL section. This is shown in the following figure:
     • If your Tencent Cloud account is on the Tencent Cloud China site, configure:
       Single sign-on URL: https://cloud.tencent.com/login/saml
       Audience URL (SP Entity ID): cloud.tencent.com
     • If your Tencent Cloud account is on the Tencent Cloud International site, configure:
       Single sign-on URL: https://intl.cloud.tencent.com/login/saml
       Audience URL (SP Entity ID): intl.cloud.tencent.com
  4. In the Configure SAML page, add the following two attributes under ATTRIBUTE STATEMENTS in the GENERAL section. This is shown in the following figure:
     Name: https://cloud.tencent.com/SAML/Attributes/Role
     Name format: Unspecified
     Value: qcs::cam::uin/{AccountID}:roleName/{RoleName},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName}

     Name: https://cloud.tencent.com/SAML/Attributes/RoleSessionName
     Name format: Unspecified
     Value: okta

Replace {AccountID}, {RoleName}, and {ProviderName} under Value with the following content:

  • {AccountID}: Replace this with your Tencent Cloud account ID. You can view this at Account Information - Console.
  • {RoleName}: Replace this with the name of the role you created in Tencent Cloud for the identity provider. For more information, see Creating a Role. Role names can be viewed in Role - Console. If you need to grant access to more than one role, add further entries in the format qcs::cam::uin/{AccountID}:roleName/{RoleName}, separated by semicolons (;).
  • {ProviderName}: Replace this with the SAML identity provider name that you created on Tencent Cloud. You can view this at Identity Providers - Console.
  5. Click Next to go to the Feedback page. Select the options that apply to you and click Finish to complete the SAML configuration of the Okta application. This is shown in the following figure:
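The Audience URL and the two attribute statements above determine what Okta places in the SAML assertion and what Tencent Cloud checks when it receives one. The following Python script is an added example, not Tencent Cloud or Okta code: it builds the Role attribute Value for one or more roles (it assumes the multi-role form is one role/provider pair per role, joined with semicolons), then parses a constructed, unsigned sample assertion, rejects it if its Audience does not match the SP Entity ID configured above, and checks that each role ARN and provider ARN belong to the same account. The account ID 100000000001, the role names OktaAdmin and OktaReadOnly, the provider name okta and the Issuer URL are placeholders.

```python
"""Build and check the Tencent Cloud SAML attribute statements.

Added example for this page; not Tencent Cloud or Okta code. Account ID,
role names, provider name and issuer below are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://cloud.tencent.com/SAML/Attributes/Role"
SESSION_ATTR = "https://cloud.tencent.com/SAML/Attributes/RoleSessionName"

# Assumption: the allowed characters in role and provider names are kept
# narrow on purpose so a stray ',' or ';' can never split or join a pair.
_ROLE_ARN = re.compile(r"^qcs::cam::uin/(\d+):roleName/([A-Za-z0-9_-]+)$")
_PROVIDER_ARN = re.compile(r"^qcs::cam::uin/(\d+):saml-provider/([A-Za-z0-9_.-]+)$")


def build_role_attribute(account_id, role_names, provider_name):
    """Return the Value for the Role attribute: one '<role ARN>,<provider ARN>'
    pair per role, pairs joined with ';' (multi-role form assumed)."""
    provider_arn = f"qcs::cam::uin/{account_id}:saml-provider/{provider_name}"
    return ";".join(
        f"qcs::cam::uin/{account_id}:roleName/{name},{provider_arn}"
        for name in role_names
    )


def parse_role_attribute(value):
    """Validate a Role attribute Value; return (account_id, role_name,
    provider_name) tuples or raise ValueError on a malformed value."""
    roles = []
    for pair in value.split(";"):
        parts = pair.split(",")
        if len(parts) != 2:
            raise ValueError(f"expected '<role ARN>,<provider ARN>', got {pair!r}")
        role_m = _ROLE_ARN.match(parts[0])
        prov_m = _PROVIDER_ARN.match(parts[1])
        if not role_m or not prov_m:
            raise ValueError(f"malformed ARN in pair {pair!r}")
        if role_m.group(1) != prov_m.group(1):
            # A role in one account paired with a provider in another would
            # let a foreign IdP mint sessions for this role: reject it.
            raise ValueError("role and saml-provider belong to different accounts")
        roles.append((role_m.group(1), role_m.group(2), prov_m.group(2)))
    return roles


def extract_sso_attributes(assertion_xml, expected_audience):
    """Read the two Tencent Cloud attributes from a SAML 2.0 assertion after
    checking its Audience against the SP Entity ID configured in Okta.
    The XML signature is NOT verified here; a real SP must verify it against
    the certificate in the IdP metadata before trusting these values."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience {audiences} does not include {expected_audience!r}")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if ROLE_ATTR not in attrs or SESSION_ATTR not in attrs:
        raise ValueError("assertion lacks a required Tencent Cloud attribute")
    return {
        "roles": parse_role_attribute(attrs[ROLE_ATTR][0]),
        "session_name": attrs[SESSION_ATTR][0],
    }


# Constructed, unsigned sample assertion with two roles, for illustration only.
ACCOUNT_ID = "100000000001"
SAMPLE_ROLE_VALUE = build_role_attribute(ACCOUNT_ID, ["OktaAdmin", "OktaReadOnly"], "okta")
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2019-12-25T10:33:53Z">
  <saml:Issuer>http://www.okta.com/exampleIssuer</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>cloud.tencent.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>{SAMPLE_ROLE_VALUE}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SESSION_ATTR}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>okta</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(extract_sso_attributes(SAMPLE_ASSERTION, "cloud.tencent.com"))
```

Running the script prints the parsed roles and session name. The Audience check is what stops an assertion issued for another service provider from being replayed against Tencent Cloud, which is why the China and International sites carry different Audience URLs; signature verification, which the script deliberately leaves out, is the other half of that trust and is done by Tencent Cloud against the certificate in the Okta metadata you upload in the next section.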

Configuring SAML Integration for Okta Applications

This step configures the trust relationship between Okta and Tencent Cloud.

  1. Log in to Admin Interface, and select Applications to go to the application management page.
  2. In the application management page, click the name of the application you created to go to the application details page. Click Sign On. This is shown in the following figure:
  3. On the Sign On page, click Identity Provider Metadata to view the metadata of the identity provider (IdP). This is shown in the following figure:
  4. After the identity provider metadata is displayed, right-click the page and save it locally as an XML file.
  5. Create the SAML identity provider and the role in Tencent Cloud, uploading the saved metadata file. For more information, see Creating an IdP.

Configuring Okta Users

This step assigns Tencent Cloud SSO access permissions to Okta users.

  1. Log in to Admin Interface, click People under Directory to go to the user management page, as shown in the following figure:
  2. In the user management page, click Everyone on the upper left corner. Locate the user for whom you need to configure permissions. This is shown in the following figure:
  3. Click the user name to go to the user details page. Click Assigned Applications on the upper left corner. This is shown in the following figure:
  4. In the configurations window that pops up, click Done to complete the configuration of the Okta user. This is shown in the following figure:
  5. Go to the application management page, and click the name of the application you created to enter the application details page.
  6. In the application details page, select General. Copy the Embed Link under the App Embed Link box; opening this link in a browser logs the assigned user in to the Tencent Cloud console through Okta.