Overview of SAML Role-Based SSO

Last updated: 2024-01-23 17:46:25
During role-based SSO with Tencent Cloud, Tencent Cloud acts as the SP, while the enterprise's own identity management system serves as the IdP. With role-based SSO, enterprises can manage employee information in their local IdP, eliminating the need for user synchronization between Tencent Cloud and the enterprise IdP. Enterprise employees log in to Tencent Cloud using the specified CAM roles.

Fundamental Procedure

Enterprise employees can access Tencent Cloud via the console or via a program.

Accessing Tencent Cloud via the Console

Once the administrator has completed the necessary role-based SSO configurations, enterprise employees can log in to Tencent Cloud using the following method. The fundamental procedure is as follows:
1. Access the IdP's login page through a browser and select Tencent Cloud as the target service.
2. The IdP generates a SAML response and returns it to the browser.
3. The browser is redirected to the SSO service page and forwards the SAML response to the SSO service.
4. The SSO service uses the SAML response to request temporary security credentials from Tencent Cloud's STS service, and generates a URL that can be used to log in to the Tencent Cloud console with these temporary security credentials.
5. The SSO service returns the URL to the browser.
6. The browser redirects to this URL, and the user is logged in to the Tencent Cloud console with the specified CAM role.

Accessing Tencent Cloud Through a Program

Enterprise employees can access Tencent Cloud by writing a program. The fundamental procedure is as follows:
1. Initiate a login request to the enterprise IdP through a program.
2. The IdP generates a SAML response containing a SAML assertion about the logged-in user and returns this response to the program.
3. The program invokes the AssumeRoleWithSAML API provided by the Tencent Cloud STS service and passes the following information: the ARN of the IdP in Tencent Cloud, the ARN of the role to be assumed, and the SAML assertion from the enterprise IdP.
4. The STS service verifies the SAML assertion and returns temporary security credentials to the program.
5. The program uses the temporary security credentials to call Tencent Cloud APIs.
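The program-side half of steps 2 and 3, as an added example that is not part of the original page or of Tencent Cloud's own SDK: the program takes the base64 SAML response returned by the IdP, extracts the Assertion, rejects one that is addressed to another SP or outside its validity window, and assembles the AssumeRoleWithSAML parameters (PrincipalArn, RoleArn, SAMLAssertion, RoleSessionName). The expected Audience value, the ARN formats and the sample SAML response are constructed placeholders; STS remains the authority that verifies the assertion's signature.

```python
"""Prepare an STS AssumeRoleWithSAML call from an IdP's SAML response."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed value: the SP entity ID the IdP is configured to put in <Audience>.
EXPECTED_AUDIENCE = "https://cloud.tencent.com"


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_assume_role_with_saml_request(saml_response_b64, principal_arn, role_arn,
                                        role_session_name, now=None):
    """Return the AssumeRoleWithSAML parameter dict, or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAML response carries no Assertion")
    # Local sanity checks: wrong audience or an expired/not-yet-valid assertion
    # would be rejected by STS anyway; failing early avoids a wasted round trip.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        raise ValueError(f"unexpected Audience {audience!r}")
    cond = assertion.find("saml:Conditions", NS)
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    return {
        "PrincipalArn": principal_arn,  # ARN of the SAML IdP registered in CAM
        "RoleArn": role_arn,            # ARN of the CAM role to assume
        # The API expects the bare Assertion element, base64-encoded.
        "SAMLAssertion": base64.b64encode(ET.tostring(assertion)).decode(),
        "RoleSessionName": role_session_name,
    }


# Constructed, unsigned sample response for illustration (an IdP signs the real one).
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-23T09:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-23T09:00:00Z" NotOnOrAfter="2024-01-23T09:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>""".encode()).decode()


def demo(now_iso="2024-01-23T09:01:00Z"):
    """Build the request for the sample response; placeholder ARNs, not real accounts."""
    return build_assume_role_with_saml_request(
        SAMPLE_RESPONSE, "qcs::cam::uin/100000000001:saml-provider/example-idp",
        "qcs::cam::uin/100000000001:roleName/SSORole", "alice@example.com",
        now=_parse_time(now_iso))
```

The returned dict is what the program passes to the STS client; the SAMLAssertion value decodes back to the Assertion element alone, not the whole Response.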

Configuration Steps

To establish a trust relationship between Tencent Cloud and the enterprise IdP, it is necessary to configure SAML for Tencent Cloud as the SP and for the enterprise IdP. Role-based SSO can only be performed after these configurations are completed.
1. To establish a trust relationship between Tencent Cloud and the enterprise IdP, it is necessary to configure the enterprise IdP in Tencent Cloud. For more information, please refer to Creating a SAML IdP.
2. Enterprises need to create a CAM role for SSO in the Cloud Access Management Console or through programs and grant the necessary permissions. For more information, see Creating Role.
3. To establish a trust relationship between the enterprise IdP and Tencent Cloud, it is necessary to configure Tencent Cloud as a trusted SAML SP in the enterprise IdP and set the SAML assertion attributes.

Parameter Configuration Sample Code
