Help Center> Identity and Access Management> User Guide> Custom Identity Broker> Enabling Custom Identity Broker Access with an Agency
Updated on 2022-09-21 GMT+08:00
View PDF

Enabling Custom Identity Broker Access with an Agency

If the IdP of your enterprise is not compatible with SAML or OpenID Connect, you can create a custom identity broker to enable access to HUAWEI CLOUD. You can write and run code to generate a login URL. Users in your enterprise can then use the URL to log in to HUAWEI CLOUD. The users will be authenticated by your enterprise IdP.

If your enterprise IdP is compatible with SAML or OpenID Connect, configure federated identity authentication to enable users in your enterprise to access HUAWEI CLOUD through SSO.

Prerequisites

  • Your enterprise has an enterprise management system.
  • You have registered an account (for example, DomainA) in HUAWEI CLOUD as an enterprise administrator and has created a user group (for example, GroupC) and assigned it the Agent Operator role. (For details, see Creating a User Group and Assigning Permissions.)

Procedure

  1. Use the DomainA account to create an IAM user (for example, UserB) and add the user to GroupC by following the instructions in Adding Users to a User Group.

    Ensure that the IAM user can programmatically access HUAWEI CLOUD services. For details about how to change the access type, see Viewing or Modifying IAM User Information.

  2. Configure the access key (recommended) or username and password of UserB in the configuration file of your enterprise IdP so that the user can obtain a token for calling APIs. For account security, encrypt the password and access key before you store them.
  3. In the navigation pane of the IAM console, choose Agencies. Then, click Create Agency in the upper right corner.
  4. Set agency parameters.

    For example, set the agency name to testagency, agency type to Account, and delegated account to DomainA. Set the validity period and click Next.

    Figure 1 Creating an agency

  5. Set the authorization scope, and select the permissions you want to grant to the agency.
  6. In the enterprise IdP, create a user group named testagency (same as the name of the agency created in 4), add enterprise users to the group, and grant the users permissions to log in to HUAWEI CLOUD through a custom identity broker. For details, see the documentation of the enterprise IdP.
  7. After an enterprise user logs in to the enterprise management system, the user can access the custom identity broker of the enterprise IdP by selecting an agency from the agency list. The user can obtain the agency from the security administrator or root user. For details, see the documentation of the enterprise management system.

    The agencies of the identity broker must exist in HUAWEI CLOUD and have the same names as some user groups created in the enterprise IdP.

  8. The custom identity broker uses the token of userB to call the API POST /v3.0/OS-CREDENTIAL/securitytokens used to obtain a temporary securityToken. For details, see Obtaining a Temporary Access Key and SecurityToken Through an Agency.

    When obtaining a securityToken with an agency, set the session_user.name parameter in the request body.

  9. The custom identity broker uses the temporary access key, securityToken, and global domain name of IAM (iam.myhuaweicloud.eu) to call the API POST /v3.0/OS-AUTH/securitytoken/logintokens for obtaining a loginToken. The value of X-Subject-LoginToken in the response header is a loginToken. For details, see Obtaining a LoginToken.

    • To obtain a loginToken by calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens, use the global domain name (iam.myhuaweicloud.eu) of IAM.
    • A loginToken is issued to a user to log in through a custom identity broker and contains identity and session information about the user. A loginToken is valid for 10 minutes by default. LoginTokens are required for authentication when users log in to a service console using the FederationProxyUrl.
    • You can set the validity period of a loginToken by calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens. The validity period ranges from 10 minutes to 12 hours. If the value you have specified is greater than the remaining validity period of the temporary securityToken, the remaining validity period of the temporary securityToken is used.

  10. The custom identity broker generates a FederationProxyUrl and returns it to the browser through Location. The FederationProxyUrl will be in the following format:

    https://auth.eu.huaweicloud.com/authui/federation/login?idp_login_url={enterprise_system_loginURL}&service={console_service_region_url}&logintoken={logintoken}

    Example:

    https://auth.eu.huaweicloud.com/authui/federation/login?idp_login_url=https%3A%2F%2Fexample.com&service=https%3a%2f%2fconsole.eu.huaweicloud.com%2fapm%2f%3fregion%3dcn-north-4%23%2fapm%2fatps%2ftopology&logintoken=******

    Table 1 Parameter description

    Parameter

    Description

    idp_login_url

    Login URL of the enterprise management system.

    service

    Access address of a HUAWEI CLOUD service.

    logintoken

    LoginToken of the custom identity broker.

    For details about how to create a FederationProxyUrl, view the example provided in Creating a FederationProxyUrl Using an Agency.

    The FederationProxyUrl contains the loginToken that has been obtained from IAM, and is percent-encoded.

  11. If the loginToken is authenticated successfully, federated users will be automatically redirected to the HUAWEI CLOUD service address specified in the service parameter.

    If the loginToken fails to be authenticated, the users will be redirected to the address specified in idp_login_url.

Parent topic: Custom Identity Broker