Identity and Access Management
Identity and Access Management
- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- Logging In to Huawei Cloud
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- Custom Identity Broker
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
- Change History
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- Getting Started
-
API
- Token Management
- Access Key Management
- Region Management
- Project Management
- Account Management
-
IAM User Management
- Listing IAM Users
- Querying IAM User Details (Recommended)
- Querying IAM User Details
- Querying the User Groups to Which an IAM User Belongs
- Querying the IAM Users in a Group
- Creating an IAM User (Recommended)
- Creating an IAM User
- Changing the Login Password
- Modifying IAM User Information (Recommended)
- Modifying IAM User Information (Recommended)
- Modifying User Information
- Deleting an IAM User
- User Group Management
-
Permissions Management
- Listing Permissions
- Querying Permission Details
- Querying Permissions Assignment Records
- Querying Permissions of a User Group for a Global Service Project
- Querying Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for a Global Service Project
- Granting Permissions to a User Group for a Region-specific Project
- Checking Whether a User Group Has Specified Permissions for a Global Service Project
- Checking Whether a User Group Has Specified Permissions for a Region-specific Project
- Querying All Permissions of a User Group
- Checking Whether a User Group Has Specified Permissions for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Removing Permissions of a User Group for a Global Service Project
- Removing the Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for All Projects
- Custom Policy Management
-
Agency Management
- Listing Agencies
- Querying Agency Details
- Creating an Agency
- Modifying an Agency
- Deleting an Agency
- Querying Permissions of an Agency for a Global Service Project
- Querying Permissions of an Agency for a Region-specific Project
- Granting Permissions to an Agency for a Global Service Project
- Granting Permissions to an Agency for a Region-specific Project
- Checking Whether an Agency Has Specified Permissions for a Global Service Project
- Checking Whether an Agency Has Specified Permissions for a Region-specific Project
- Removing Permissions of an Agency for a Global Service Project
- Removing Permissions of an Agency for a Region-specific Project
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Enterprise Project Management
- Querying User Groups Associated with an Enterprise Project
- Querying the Permissions of a User Group Associated with an Enterprise Project
- Granting Permissions to a User Group Associated with an Enterprise Project
- Removing Permissions of a User Group Associated with an Enterprise Project
- Querying the Enterprise Projects Associated with a User Group
- Querying the Enterprise Projects Directly Associated with an IAM User
- Querying Users Directly Associated with an Enterprise Project
- Querying Permissions of a User Directly Associated with an Enterprise Project
- Granting a User Permissions for an Enterprise Project
- Removing Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to Agencies Associated with Specified Enterprise Projects
- Removing Permissions of Agencies Associated with Specified Enterprise Projects
-
Security Settings
- Modifying the Operation Protection Policy
- Querying the Operation Protection Policy
- Modifying the Password Policy
- Querying the Password Policy of an Account
- Modifying the Login Authentication Policy
- Querying the Login Authentication Policy
- Modifying the ACL for Console Access
- Querying the ACL for Console Access
- Modifying the ACL for API Access
- Querying the ACL for API Access
- Querying MFA Device Information of IAM Users
- Querying the MFA Device Information of an IAM User
- Querying Login Protection Configurations of IAM Users
- Querying the Login Protection Configuration of an IAM User
- Modifying the Login Protection Configuration of an IAM User
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
-
Federated Identity Authentication Management
- Obtaining a Token Through Federated Identity Authentication
-
Identity Providers
- Listing Identity Providers
- Querying Identity Provider Details
- Creating an Identity Provider
- Modifying a SAML Identity Provider
- Deleting a SAML Identity Provider
- Creating an OpenID Connect Identity Provider Configuration
- Modifying an OpenID Connect Identity Provider
- Querying an OpenID Connect Identity Provider
- Mappings
- Protocols
- Metadata
- Token
- Listing Accounts Accessible to Federated Users
- Custom Identity Brokers
- Version Information Management
- Services and Endpoints
- Out-of-Date APIs
- Permissions and Actions
- Appendix
- Change History
- SDK Reference
- Best Practices
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Doesn't My API Access Control Policy Take Effect?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- How Do I Obtain an Access Key (AK/SK)?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the Cloud Alliance Regions?
- Project Management
- Agency Management
- Account Management
- Others
- Videos
On this page
Help Center/
Identity and Access Management/
User Guide/
Identity Providers/
Application Scenarios of Virtual User SSO and IAM User SSO
Application Scenarios of Virtual User SSO and IAM User SSO
Updated on 2024-10-31 GMT+08:00
IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type for your business.
Virtual User SSO
After a federated user logs in to Huawei Cloud, the system automatically creates a virtual user and assigns permissions to the user based on identity conversion rules. Virtual user SSO is recommended if:
- To reduce management costs, you do not want to create and manage IAM users on the cloud platform.
- You want to assign permissions for cloud resources based on the user groups or attributes in your local enterprise IdP. Permission changes in the local enterprise IdP can be synchronized to the cloud platform by adjusting the user groups or attributes locally.
- Your enterprise has branches and may require multiple enterprise IdPs. These IdPs need to access the same Huawei Cloud account. You need to configure multiple IdPs in Huawei Cloud for identity federation.
IAM User SSO
After a federated user logs in to Huawei Cloud, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user. IAM user SSO is recommended if:
- The cloud products you use do not support virtual user SSO.
- You do not need virtual user SSO and want to simplify the IdP configuration.
Differences Between Virtual User SSO and IAM User SSO
The differences between virtual user SSO and IAM user SSO are described as follows:
1. Identity conversion: Virtual user SSO uses identity conversion rules while IAM user SSO uses external identity IDs for identity conversion. If the IAM_SAML_Attributes_xUserId value of one or more IdP users is the same as the external identity ID of an IAM user, these IdP users will be mapped to the IAM user. When you use IAM user SSO, make sure that you have set IAM_SAML_Attributes_xUserId in the IdP and External Identity ID in the SP to the same value.
2. User identity in IAM: In virtual user SSO, the IdP user does not have a corresponding IAM user in the IAM user list. After the IdP user logs in, the system automatically creates a virtual user for it. In IAM user SSO, the IdP user has a IAM user mapped by external identity ID on the IAM console.
3. Permissions assignment in IAM: In virtual user SSO, the permissions of the IdP user are defined by the identity conversion rule. In IAM user SSO, the IdP user inherits the permissions of the user group which the mapped IAM user belongs to.
Parent topic: Identity Providers
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
The system is busy. Please try again later.
