Configuration of OpenID Connect–based Federated Identity Authentication
This section describes the process and configuration of OpenID Connect–based federated identity authentication between an enterprise IdP and HUAWEI CLOUD.
Configuring Federated Identity Authentication
To implement federated identity authentication between an enterprise management system and HUAWEI CLOUD, complete the following configuration:
- Establish a trust relationship and create an identity provider: Create OAuth 2.0 credentials in the enterprise IdP, and create an identity provider in HUAWEI CLOUD.
- Configure identity conversion rules: Map the users, user groups, and their permissions in the enterprise IdP to HUAWEI CLOUD.
- Configure a login link: Configure a login link in the enterprise management system to allow users to access HUAWEI CLOUD through SSO.
Process of Federated Identity Authentication
Figure 1 shows the interaction between an enterprise management system and HUAWEI CLOUD after a user initiates an SSO request.
The process of federated identity authentication is as follows:
- A user uses a browser to open the login link obtained from IAM, and then the browser sends an SSO request to HUAWEI CLOUD.
- HUAWEI CLOUD searches for identity provider configurations based on the login link, and sends an OpenID Connect authorization request to the browser.
- The browser forwards the authorization request to the enterprise IdP.
- The user enters their username and password on the login page displayed by the enterprise IdP. After the enterprise IdP authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.
- The browser forwards the authorization response to HUAWEI CLOUD.
- HUAWEI CLOUD parses the ID token in the authorization response, and issues a token to the user after identifying the group to which the user is mapped, according to the configured identity conversion rules.
- If the login is successful, the user can access HUAWEI CLOUD.
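The ID token steps above (the IdP constructs the token, the service provider parses it and maps the user to a group) can be sketched as follows. This is an added example, not HUAWEI CLOUD or IdP code: it assumes an HS256 shared key so that it runs on the Python standard library alone, and the rule format, key, and function names are hypothetical rather than the identity conversion rule syntax of HUAWEI CLOUD.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(claims: dict, key: bytes) -> str:
    """IdP side: sign the authenticated user's claims as a compact JWT."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_id_token(token, key, issuer, client_id, nonce, now=None):
    """Service-provider side: return the claims or raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims = (dict(json.loads(b64url_decode(p))) for p in (head, body))
        got = b64url_decode(sig)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":   # pin the algorithm; do not let the token choose it
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, got):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if claims.get("nonce") != nonce:   # ties the response to the request this browser started
        raise ValueError("nonce mismatch")
    return claims

def map_group(claims: dict, rules: list, default=None):
    """Hypothetical conversion rules: the first rule whose claim value matches wins."""
    for rule in rules:
        values = claims.get(rule["claim"], [])
        if rule["equals"] in (values if isinstance(values, list) else [values]):
            return rule["group"]
    return default   # no rule matched: grant nothing unless a default is configured

# Constructed sample values for the demonstration
KEY = b"constructed-demo-secret"
RULES = [{"claim": "groups", "equals": "cloud-admins", "group": "admin"},
         {"claim": "groups", "equals": "staff", "group": "readonly"}]
```

Only claims returned by `verify_id_token` should ever reach `map_group`; mapping claims from a token that failed any check would let a forged token choose its own group.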