Overview of OIDC Role-Based Single Sign-On

最終更新日:2024-01-23 17:48:51

OIDC is an authentication protocol built on OAuth 2.0. Tencent Cloud CAM supports OIDC role-based SSO.
Basic Concepts
Concept
Note
OIDC
OIDC is an authentication protocol built on OAuth 2.0. While OAuth is an authorization protocol, OIDC constructs an identity layer on top of it. In addition to the authorization capabilities provided by OAuth, OIDC also allows clients to verify the identity of end users and obtain their basic information through the API of the OIDC protocol (in the form of HTTP RESTful).
OIDC Token
OIDC can issue identity tokens on behalf of logged-in users to applications, known as OIDC tokens.
OIDC tokens are used to retrieve the basic information of the logged-in user.
Temporary ID Credential
Security Token Service (STS) is a temporary access permission management service provided by Tencent Cloud. It allows for the acquisition of temporary identity credentials (STS Token) with customized validity and access permissions.
Issuer URL
The Issuer URL, provided by the external IdP, corresponds to the 'iss' field value of the OIDC Token.
The Issuer URL must start with https, conform to the standard URL format. But it should not contain query parameters (indicated by ?), fragment sections (indicated by #), or login information (indicated by @).
Client ID
When your application is registered with an external IdP, a Client ID is generated.
When you apply for an OIDC token issued from an external IdP, you must use this client ID. The issued OIDC token will also carry this client ID in the 'aud' field.
During the creation of an OIDC idP, this client ID is configured. Then, when using the OIDC token to exchange for an STS Token, Tencent Cloud verifies whether the client ID carried in the 'aud' field of the OIDC token matches that configured in the OIDC IdP. Role assumption is only permitted when they are consistent.
Scenarios
When enterprise applications need to frequently access Tencent Cloud, using a fixed access key (AccessKey) can pose a security risk if there is no adequate security measures in place and the AccessKey is leaked. To address this issue, some enterprises register their applications with their own or third-party IdP that support OIDC (such as Google G Suite or Okta), to generate OIDC tokens for the applications using the capabilities of the OIDC IdP. In this scenario, with the role-based SSO capability provided by Tencent Cloud CAM, enterprise applications can exchange their OIDC tokens for Tencent Cloud temporary identity credentials (STS Token), thereby securely accessing Tencent Cloud resources.
Moreover, some individual developers or small and medium-sized enterprises allow their employees to log in to Tencent Cloud using their identities registered on certain websites (such as social networking sites). If these websites support the generation of OIDC tokens, Tencent Cloud CAM can be used to accomplish SSO based on OIDC.
Fundamental Procedure
1. Register an application in an external IdP to obtain the application's Client ID.
2. In Tencent Cloud CAM, create an OIDC IdP to establish a trust relationship between Tencent Cloud and the external IdP. For specific operations, please refer to Creating an OIDC Identity Provider.
3. In Tencent Cloud CAM, create the OIDC IdP's CAM role and authorize it. For specific operations, please refer to Creating Role.
4. Issue an OIDC token in the external IdP.
5. Use the OIDC Token to exchange for an STS Token. For specific operations, please refer to AssumeRoleWithWebIdentity.
6. Access Tencent Cloud resources using the STS Token.
Parameter Configuration Sample Code
Azure Active Directory Single Sign-On
﻿

tencent cloud

Recent Pages

Overview of OIDC Role-Based Single Sign-On

Basic Concepts

Scenarios

Fundamental Procedure

Parameter Configuration Sample Code

この記事はお役に立ちましたか？

この記事はお役に立ちましたか？

Concept	Note
OIDC	OIDC is an authentication protocol built on OAuth 2.0. While OAuth is an authorization protocol, OIDC constructs an identity layer on top of it. In addition to the authorization capabilities provided by OAuth, OIDC also allows clients to verify the identity of end users and obtain their basic information through the API of the OIDC protocol (in the form of HTTP RESTful).
OIDC Token	OIDC can issue identity tokens on behalf of logged-in users to applications, known as OIDC tokens. OIDC tokens are used to retrieve the basic information of the logged-in user.
Temporary ID Credential	Security Token Service (STS) is a temporary access permission management service provided by Tencent Cloud. It allows for the acquisition of temporary identity credentials (STS Token) with customized validity and access permissions.
Issuer URL	The Issuer URL, provided by the external IdP, corresponds to the 'iss' field value of the OIDC Token. The Issuer URL must start with https, conform to the standard URL format. But it should not contain query parameters (indicated by ?), fragment sections (indicated by #), or login information (indicated by @).
Client ID	When your application is registered with an external IdP, a Client ID is generated. When you apply for an OIDC token issued from an external IdP, you must use this client ID. The issued OIDC token will also carry this client ID in the 'aud' field. During the creation of an OIDC idP, this client ID is configured. Then, when using the OIDC token to exchange for an STS Token, Tencent Cloud verifies whether the client ID carried in the 'aud' field of the OIDC token matches that configured in the OIDC IdP. Role assumption is only permitted when they are consistent.

tencent cloud

サインアップ

ログイン

Recent Pages

Overview of OIDC Role-Based Single Sign-On

Basic Concepts

Scenarios

Fundamental Procedure

Parameter Configuration Sample Code

この記事はお役に立ちましたか？

この記事はお役に立ちましたか？