Updated on 2023-09-14 GMT+08:00

Federated Authentication for Enterprise Accounts

Scenario

Enterprises with multiple accounts in the public cloud can access the resources under these accounts through their own identity provider (IdP) system. To do so, they call APIs to configure federated identity authentication.

This section describes how to implement automatic federated authentication by calling APIs.

Prerequisites

Only administrators can perform the registration and import operations described in this section. Ensure that you have been assigned the Security Administrator role.

General Procedure

Perform the following steps to configure federated identity authentication for multiple accounts on the cloud:

  1. Register an identity provider.
  2. Register a mapping.
  3. Register a protocol.
  4. Import a metadata file.
  5. Log in as a federated user.

The following APIs will be used in this example:

Step 1: Register an Identity Provider

URI: PUT /v3/OS-FEDERATION/identity_providers/{id}

For details about the API, see Creating an Identity Provider.

  • Example Request
    PUT https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/{id}
    {
        "identity_provider":{
            "description":"Stores ACME identities.",
            "enabled":true
        }
    }
  • Example Response
    {
        "identity_provider": {
            "remote_ids": [],
            "enabled": true,
            "id": "ACME",
            "links": {
                "self": "https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/ACME",
                "protocols": "https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/ACME/protocols"
            },
            "description": "Stores ACME identities."
        }
    }

Step 2: Register a Mapping

URI: PUT /v3/OS-FEDERATION/mappings/{id}

For details about the API, see Registering a Mapping.

  • Example Request
    PUT https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/mappings/{id}
    {
        "mapping":{
            "rules":[
                {
                    "local":[
                        {
                            "user":{
                                "name":"LocalUser"
                            }
                        },
                        {
                            "group":{
                                "name":"LocalGroup"
                            }
                        }
                    ],
                    "remote":[
                        {
                            "type":"UserName"
                        },
                        {
                            "not_any_of":[
                                "Contractor",
                                "Guest"
                            ],
                            "type":"orgPersonType"
                        }
                    ]
                }
            ]
        }
    }
  • Example Response
    {
        "mapping":{
            "id":"ACME",
            "links":{
                "self":"https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/mappings/ACME"
            },
            "rules":[
                {
                    "local":[
                        {
                            "user":{
                                "name":"LocalUser"
                            }
                        },
                        {
                            "group":{
                                "name":"LocalGroup"
                            }
                        }
                    ],
                    "remote":[
                        {
                            "type":"UserName"
                        },
                        {
                            "not_any_of":[
                                "Contractor",
                                "Guest"
                            ],
                            "type":"orgPersonType"
                        }
                    ]
                }
            ]
        }
    }
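
The rule in this step grants LocalGroup to every remote user whose orgPersonType is anything other than Contractor or Guest, so it is worth checking which identities match before registering it. The following is an added example, not Huawei Cloud code: a small evaluator run over constructed assertions. Its semantics (exact, case-sensitive matching; a missing attribute fails the rule; the any_one_of branch, taken from the OpenStack Keystone mapping format) are assumptions, and MAPPING, SAMPLES, rule_matches and granted_groups are names chosen for the illustration.

```python
import json

# Mapping rule from the Step 2 example request.
MAPPING = json.loads("""
{"mapping": {"rules": [{
  "local": [{"user": {"name": "LocalUser"}}, {"group": {"name": "LocalGroup"}}],
  "remote": [{"type": "UserName"},
             {"type": "orgPersonType", "not_any_of": ["Contractor", "Guest"]}]
}]}}
""")

# Constructed sample assertions (attribute -> value), not real IdP output.
SAMPLES = {
    "employee": {"UserName": "alice", "orgPersonType": "Employee"},
    "contractor": {"UserName": "bob", "orgPersonType": "Contractor"},
    "new_type": {"UserName": "carol", "orgPersonType": "Vendor"},
    "no_type": {"UserName": "dave"},
}


def rule_matches(rule, assertion):
    """True if every 'remote' condition of the rule holds for the assertion."""
    # Assumed semantics: exact, case-sensitive comparison; a condition on an
    # attribute that is absent from the assertion fails the whole rule.
    for cond in rule["remote"]:
        vals = assertion.get(cond["type"]) or []
        vals = set(vals if isinstance(vals, list) else [vals])  # multi-valued
        if not vals:
            return False
        if "any_one_of" in cond and not vals & set(cond["any_one_of"]):
            return False
        if "not_any_of" in cond and vals & set(cond["not_any_of"]):
            return False
    return True


def granted_groups(mapping, assertion):
    """Local groups granted by every rule the assertion matches."""
    groups = []
    for rule in mapping["mapping"]["rules"]:
        if rule_matches(rule, assertion):
            groups += [loc["group"]["name"] for loc in rule["local"] if "group" in loc]
    return groups


if __name__ == "__main__":
    for label, assertion in SAMPLES.items():
        print(f"{label:10} -> {granted_groups(MAPPING, assertion)}")
```

The constructed value Vendor, which the deny-list does not name, is granted LocalGroup; where the IdP's set of values is known, listing the permitted ones avoids that.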

Step 3: Register a Protocol

URI: PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

For details about the API, see Registering a Protocol.

  • Example Request
    PUT https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
    {
        "protocol":{
            "mapping_id":"ACME"
        }
    }
  • Example Response
    {
        "protocol":{
            "id":"saml",
            "links":{
                "identity_provider":"https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/ACME",
                "self":"https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/ACME/protocols/saml"
            },
            "mapping_id":"ACME"
        }
    }

Step 4: Import a Metadata File

URI: POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata

For details about the API, see Importing a Metadata File.

  • Example Request
    POST https://iam.myhuaweicloud.eu/v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata
    {
        "domain_id":"d78cbac186b744899480f25bd022....",
        "metadata":"$metadataContent",
        "xaccount_type":""
    }
  • Example Response
    {
        "message":"Import metadata successful"
    }
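
The imported metadata is what tells IAM which IdP endpoints and signing key to trust, so it is worth checking the file before sending it as $metadataContent. The following is an added example, not Huawei Cloud code: it assumes the file is a SAML 2.0 IdP metadata document, and the checks themselves (no DTD, an entityID, a signing certificate, https endpoints) are this example's own choices rather than documented IAM requirements. SAMPLE_METADATA, check_metadata and build_import_body are names chosen for the illustration.

```python
import json
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample metadata; the certificate value is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-CERT</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_metadata(xml_text):
    """Return a list of problems found in the IdP metadata (empty means OK)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present"]  # refuse before parsing
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        problems.append("root is not an EntityDescriptor with an entityID")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor element"]
    keys = [k for k in idp.findall(MD + "KeyDescriptor") if k.get("use") in (None, "signing")]
    if not any((c.text or "").strip() for k in keys for c in k.iter(DS + "X509Certificate")):
        problems.append("no signing certificate")
    for sso in idp.findall(MD + "SingleSignOnService"):
        if not sso.get("Location", "").startswith("https://"):
            problems.append("SingleSignOnService Location is not https")
    return problems


def build_import_body(domain_id, xml_text):
    """JSON body for the Step 4 request; json.dumps escapes the XML string."""
    if check_metadata(xml_text):
        raise ValueError("metadata failed the pre-import checks")
    return json.dumps({"domain_id": domain_id, "metadata": xml_text, "xaccount_type": ""})
```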

Step 5: Log In as a Federated User

Configure federated authentication. For details, see Identity Providers.