Federated Authentication for Enterprise Accounts
Scenario
An enterprise that has multiple accounts in the public cloud can access the resources under those accounts through its own identity provider (IdP). To do so, it calls the IAM APIs to configure federated identity authentication.
This section describes how to automate federated authentication setup by calling these APIs.
Prerequisites
Only administrators can perform the registration and import operations described in this section. Ensure that you have been assigned the Security Administrator role.
General Procedure
Perform the following steps to configure federated identity authentication for multiple accounts on the cloud:
- Register an identity provider.
- Register a mapping.
- Register a protocol.
- Import a metadata file.
- Log in as a federated user.
The following APIs will be used in this example:
- Registering an Identity Provider
- Registering a Mapping
- Registering a Protocol
- Importing a Metadata File
Step 1: Register an Identity Provider
URI: PUT /v3/OS-FEDERATION/identity_providers/{id}
For details about the API, see Creating an Identity Provider.
- Example Request
PUT https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/{id}
{
    "identity_provider": {
        "description": "Stores ACME identities.",
        "enabled": true
    }
}
- Example Response
{
    "identity_provider": {
        "remote_ids": [],
        "enabled": true,
        "id": "ACME",
        "links": {
            "self": "https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/ACME",
            "protocols": "https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/ACME/protocols"
        },
        "description": "Stores ACME identities."
    }
}
Step 2: Register a Mapping
URI: PUT /v3/OS-FEDERATION/mappings/{id}
For details about the API, see Registering a Mapping.
- Example Request
PUT https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/mappings/{id}
{
    "mapping": {
        "rules": [
            {
                "local": [
                    { "user": { "name": "LocalUser" } },
                    { "group": { "name": "LocalGroup" } }
                ],
                "remote": [
                    { "type": "UserName" },
                    {
                        "not_any_of": [ "Contractor", "Guest" ],
                        "type": "orgPersonType"
                    }
                ]
            }
        ]
    }
}
- Example Response
{
    "mapping": {
        "id": "ACME",
        "links": {
            "self": "https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/mappings/ACME"
        },
        "rules": [
            {
                "local": [
                    { "user": { "name": "LocalUser" } },
                    { "group": { "name": "LocalGroup" } }
                ],
                "remote": [
                    { "type": "UserName" },
                    {
                        "not_any_of": [ "Contractor", "Guest" ],
                        "type": "orgPersonType"
                    }
                ]
            }
        ]
    }
}
Step 3: Register a Protocol
URI: PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
For details about the API, see Registering a Protocol.
- Example Request
PUT https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
{
    "protocol": {
        "mapping_id": "ACME"
    }
}
- Example Response
{
    "protocol": {
        "id": "saml",
        "links": {
            "identity_provider": "https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/ACME",
            "self": "https://iam.myhuaweicloud.eu/v3/OS-FEDERATION/identity_providers/ACME/protocols/saml"
        },
        "mapping_id": "ACME"
    }
}
Step 4: Import a Metadata File
URI: POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata
For details about the API, see Importing a Metadata File.
- Example Request
POST https://iam.myhuaweicloud.eu/v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata
{
    "domain_id": "d78cbac186b744899480f25bd022....",
    "metadata": "$metadataContent",
    "xaccount_type": ""
}
- Example Response
{
    "message": "Import metadata successful"
}
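The following script is an added example, not code from the original page or from the cloud provider: it builds the four requests from Steps 1 to 4 with the URIs and bodies shown above, sends them with an administrator token, and previews the mapping rule offline so you can confirm that Contractor and Guest identities are rejected before importing the metadata. It assumes the token is passed in the X-Auth-Token header, that the metadata is read from a local file named idp-metadata.xml, and that mapping conditions follow Keystone semantics (every remote condition must hold; not_any_of rejects listed values).

```python
"""Register an IdP, a mapping, a protocol and the IdP metadata with IAM (Steps 1-4)."""
import json
import os
import urllib.request

IAM = "https://iam.myhuaweicloud.eu"  # endpoint used on the page


def build_requests(idp_id, mapping_id, protocol_id, domain_id, metadata_xml):
    """Return (method, url, body) triples for Steps 1-4, in the order they must run."""
    return [
        ("PUT", f"{IAM}/v3/OS-FEDERATION/identity_providers/{idp_id}",
         {"identity_provider": {"description": f"Stores {idp_id} identities.", "enabled": True}}),
        ("PUT", f"{IAM}/v3/OS-FEDERATION/mappings/{mapping_id}",
         {"mapping": {"rules": [{
             "local": [{"user": {"name": "LocalUser"}}, {"group": {"name": "LocalGroup"}}],
             "remote": [{"type": "UserName"},
                        {"type": "orgPersonType", "not_any_of": ["Contractor", "Guest"]}]}]}}),
        ("PUT", f"{IAM}/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}",
         {"protocol": {"mapping_id": mapping_id}}),
        ("POST", f"{IAM}/v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata",
         {"domain_id": domain_id, "metadata": metadata_xml, "xaccount_type": ""}),
    ]


def mapping_allows(rule, attrs):
    """Offline preview of one mapping rule (Keystone semantics assumed).
    attrs maps assertion attribute names to lists of values; a missing attribute
    fails the rule, and a value listed under not_any_of rejects the user."""
    for cond in rule["remote"]:
        values = attrs.get(cond["type"], [])
        if not values:
            return False
        if "not_any_of" in cond and any(v in cond["not_any_of"] for v in values):
            return False
    return True


def register(token, reqs):
    """Send the requests in order; the admin token goes in X-Auth-Token (assumed)."""
    for method, url, body in reqs:
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                     headers={"Content-Type": "application/json",
                                              "X-Auth-Token": token})
        with urllib.request.urlopen(req) as resp:
            print(method, url, resp.status)


if __name__ == "__main__":
    with open("idp-metadata.xml") as f:  # metadata exported from the enterprise IdP
        metadata = f.read()
    reqs = build_requests("ACME", "ACME", "saml", os.environ["DOMAIN_ID"], metadata)
    register(os.environ["IAM_TOKEN"], reqs)
```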
Step 5: Log In as a Federated User
Configure federated authentication. For details, see Identity Providers.