Identity and Access Management
Identity and Access Management
- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- Logging In to Huawei Cloud
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- Custom Identity Broker
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
- Change History
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- Getting Started
-
API
- Token Management
- Access Key Management
- Region Management
- Project Management
- Account Management
-
IAM User Management
- Listing IAM Users
- Querying IAM User Details (Recommended)
- Querying IAM User Details
- Querying the User Groups to Which an IAM User Belongs
- Querying the IAM Users in a Group
- Creating an IAM User (Recommended)
- Creating an IAM User
- Changing the Login Password
- Modifying IAM User Information (Recommended)
- Modifying IAM User Information (Recommended)
- Modifying User Information
- Deleting an IAM User
- User Group Management
-
Permissions Management
- Listing Permissions
- Querying Permission Details
- Querying Permissions Assignment Records
- Querying Permissions of a User Group for a Global Service Project
- Querying Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for a Global Service Project
- Granting Permissions to a User Group for a Region-specific Project
- Checking Whether a User Group Has Specified Permissions for a Global Service Project
- Checking Whether a User Group Has Specified Permissions for a Region-specific Project
- Querying All Permissions of a User Group
- Checking Whether a User Group Has Specified Permissions for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Removing Permissions of a User Group for a Global Service Project
- Removing the Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for All Projects
- Custom Policy Management
-
Agency Management
- Listing Agencies
- Querying Agency Details
- Creating an Agency
- Modifying an Agency
- Deleting an Agency
- Querying Permissions of an Agency for a Global Service Project
- Querying Permissions of an Agency for a Region-specific Project
- Granting Permissions to an Agency for a Global Service Project
- Granting Permissions to an Agency for a Region-specific Project
- Checking Whether an Agency Has Specified Permissions for a Global Service Project
- Checking Whether an Agency Has Specified Permissions for a Region-specific Project
- Removing Permissions of an Agency for a Global Service Project
- Removing Permissions of an Agency for a Region-specific Project
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Enterprise Project Management
- Querying User Groups Associated with an Enterprise Project
- Querying the Permissions of a User Group Associated with an Enterprise Project
- Granting Permissions to a User Group Associated with an Enterprise Project
- Removing Permissions of a User Group Associated with an Enterprise Project
- Querying the Enterprise Projects Associated with a User Group
- Querying the Enterprise Projects Directly Associated with an IAM User
- Querying Users Directly Associated with an Enterprise Project
- Querying Permissions of a User Directly Associated with an Enterprise Project
- Granting a User Permissions for an Enterprise Project
- Removing Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to Agencies Associated with Specified Enterprise Projects
- Removing Permissions of Agencies Associated with Specified Enterprise Projects
-
Security Settings
- Modifying the Operation Protection Policy
- Querying the Operation Protection Policy
- Modifying the Password Policy
- Querying the Password Policy of an Account
- Modifying the Login Authentication Policy
- Querying the Login Authentication Policy
- Modifying the ACL for Console Access
- Querying the ACL for Console Access
- Modifying the ACL for API Access
- Querying the ACL for API Access
- Querying MFA Device Information of IAM Users
- Querying the MFA Device Information of an IAM User
- Querying Login Protection Configurations of IAM Users
- Querying the Login Protection Configuration of an IAM User
- Modifying the Login Protection Configuration of an IAM User
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
-
Federated Identity Authentication Management
- Obtaining a Token Through Federated Identity Authentication
-
Identity Providers
- Listing Identity Providers
- Querying Identity Provider Details
- Creating an Identity Provider
- Modifying a SAML Identity Provider
- Deleting a SAML Identity Provider
- Creating an OpenID Connect Identity Provider Configuration
- Modifying an OpenID Connect Identity Provider
- Querying an OpenID Connect Identity Provider
- Mappings
- Protocols
- Metadata
- Token
- Listing Accounts Accessible to Federated Users
- Custom Identity Brokers
- Version Information Management
- Services and Endpoints
- Out-of-Date APIs
- Permissions and Actions
- Appendix
- Change History
- SDK Reference
- Best Practices
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Doesn't My API Access Control Policy Take Effect?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- How Do I Obtain an Access Key (AK/SK)?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the Cloud Alliance Regions?
- Project Management
- Agency Management
- Account Management
- Others
- Videos
On this page
Show all
Help Center/
Identity and Access Management/
User Guide/
Custom Identity Broker/
Enabling Custom Identity Broker Access with a Token
Enabling Custom Identity Broker Access with a Token
Updated on 2024-10-31 GMT+08:00
If the IdP of your enterprise is not compatible with SAML or OpenID Connect, you can create a custom identity broker to enable access to Huawei Cloud. You can write and run code to generate a login URL. Users in your enterprise can then use the URL to log in to Huawei Cloud. The users will be authenticated by your enterprise IdP.
NOTE:
If your enterprise IdP is compatible with SAML or OpenID Connect, configure identity federation to enable users in your enterprise to access Huawei Cloud through SSO.
Prerequisites
- Your enterprise has an enterprise management system.
- The enterprise administrator has created an account (for example, DomainA) in Huawei Cloud.
Procedure
- Use the DomainA account to create an IAM user (for example, UserB) by following the instructions in Creating an IAM User.
- (Optional) Add UserB to a user group (for example, GroupC) and grant permissions to the user group by following the instructions in Creating a User Group and Assigning Permissions.
- Configure the access key (recommended) or username and password of UserB in the configuration file of your enterprise IdP so that the user can obtain a user token. For account security, encrypt the password and access key before you store them.
- Log in to the enterprise management system, access the custom identity broker by selecting a common user from the user list. For details, see the documentation of the enterprise management system. For this example, select user UserB.
NOTE:
The user list of the custom broker is the same as the IAM user list under your Huawei Cloud account. To align these IAM users with the user accounts in your enterprise, configure the IAM users' access keys (recommended) or usernames and passwords in the configuration file of the enterprise IdP.
- The custom identity broker uses the token of userB to call the API POST /v3.0/OS-CREDENTIAL/securitytokens used to obtain a temporary access key and security token. For details, see Obtaining a Temporary Access Key and Security Token Through a Token.
- The custom identity broker uses the temporary access key, security token, and global domain name of IAM (iam.myhuaweicloud.eu) to call the API POST /v3.0/OS-AUTH/securitytoken/logintokens for obtaining a loginToken. The value of X-Subject-LoginToken in the response header is a loginToken. For details, see Obtaining a Login Token.
NOTE:
- To obtain a loginToken by calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens, use the global domain name (iam.myhuaweicloud.eu) of IAM.
- A loginToken is issued to a user to log in through a custom identity broker and contains identity and session information about the user. A loginToken is valid for 10 minutes by default.
- You can set the validity period of a loginToken by calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens. The validity period ranges from 10 minutes to 12 hours. If the value you have specified is greater than the remaining validity period of the temporary security token, the remaining validity period of the temporary securityToken is used.
- The custom identity broker generates a FederationProxyUrl and returns it to the browser through Location.
https://auth.eu.huaweicloud.com/authui/federation/login?idp_login_url={enterprise_system_loginURL}&service={console_service_region_url}&logintoken={logintoken}Example:
https://auth.eu.huaweicloud.com/authui/federation/login?idp_login_url=https%3A%2F%2Fexample.com&service=https%3a%2f%2fconsole.eu.huaweicloud.com%2fapm%2f%3fregion%3dcn-north-4%23%2fapm%2fatps%2ftopology&logintoken=******
Table 1 Parameter description Parameter
Description
idp_login_url
Login URL of the enterprise management system.
service
Access address of a Huawei Cloud service.
logintoken
LoginToken of the custom identity broker.
For details about how to create a FederationProxyUrl, view the example provided in Creating a FederationProxyUrl Using a Token.
NOTE:
The FederationProxyUrl contains the loginToken that has been obtained from IAM, and the value of each parameter in the FederationProxyUrl is encoded using URLEncode.
- If the loginToken is authenticated successfully, you will be automatically redirected to the Huawei Cloud service address specified in the service parameter.
If the loginToken fails to be authenticated, you will be redirected to the address specified in idp_login_url.
Parent topic: Custom Identity Broker
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
The system is busy. Please try again later.
