Partner CenterPartner Center

Compute
Elastic Cloud Server
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
Domain Name Service
VPC Endpoint
Cloud Connect
Enterprise Switch
Security & Compliance
Anti-DDoS
Web Application Firewall
Host Security Service
Data Encryption Workshop
Database Security Service
Advanced Anti-DDoS
Data Security Center
Container Guard Service
Situation Awareness
Managed Threat Detection
Compass
Cloud Certificate Manager
Anti-DDoS Service
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GaussDB NoSQL
GaussDB(for MySQL)
Distributed Database Middleware
GaussDB(for openGauss)
Developer Services
ServiceStage
Distributed Cache Service
Simple Message Notification
Application Performance Management
Application Operations Management
Blockchain Service
API Gateway
Cloud Performance Test Service
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
DevCloud
ProjectMan
CodeHub
CloudRelease
CloudPipeline
CloudBuild
CloudDeploy
Cloud Communications
Message & SMS
Cloud Ecosystem
Marketplace
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP License Service
Support Plans
Customer Operation Capabilities
Partner Support Plans
Professional Services
enterprise-collaboration
Meeting
IoT
IoT
Intelligent EdgeFabric
DeveloperTools
SDK Developer Guide
API Request Signing Guide
Terraform
HCloud CLI
Help Center> Partner Center> API Reference> Appendix> Switching to the HUAWEI CLOUD Page and Binding the HUAWEI CLOUD Account
Updated at: Apr 13, 2022 GMT+08:00

Switching to the HUAWEI CLOUD Page and Binding the HUAWEI CLOUD Account

The following describes how to bind a customer account on the partner sales platform with the HUAWEI CLOUD account on the web UI. You can create a HUAWEI CLOUD account and bind it with the customer account, or directly bind an existing HUAWEI CLOUD account with the customer account. The following scenarios are involved:

  • A customer has created an account on the partner sales platform and does not have a HUAWEI CLOUD account. The customer needs to create such an account and bind it with the account on the partner sales platform.
  • Before creating an account on the partner sales platform, a customer has created a HUAWEI CLOUD account. The customer needs to create an account on the partner sales platform and bind it with the HUAWEI CLOUD account.

Subsequent operations, such as product purchasing and subscription query, depend on the customer's HUAWEI CLOUD account in this scenario.

Figure 1 shows the procedure for binding a HUAWEI CLOUD account with a customer account on the partner sales platform and notifying the binding result.

Figure 1 Binding a HUAWEI CLOUD account
  1. A partner's customer uses a browser to call the HUAWEI CLOUD login link. IAM sends the SAML request.
    1. The customer uses a browser to call the HUAWEI CLOUD login link.

      https://auth-intl.huaweicloud.com/authui/saml/login?xAccountType=ZXT&isFirstLogin=true&service=https%3a%2f%2fconsole-intl.huaweicloud.com%2fiam%2f

      Parameter

      Mandatory

      Description

      Example

      xAccountType

      Yes

      Indicates the identifier of the partner sales platform, which is globally unique. The value is provided by Huawei. After the partner configures the access parameters on the Partner Center page, the partner ID is generated. For details about how to obtain the platform ID, see How Do I Obtain the xaccountType Value?

      ZXT

      isFirstLogin

      No

      If no HUAWEI CLOUD account is bound, this parameter is mandatory and must be set to true. Otherwise, the value can be left empty or set to false.

      true

      service

      No

      Indicates the redirection address after login.

      The encodeURIComponent function is used for coding.

      https%3a%2f%2fconsole-intl.huaweicloud.com%2fiam%2f

    2. IAM receives the login request of the partner's customer, locates the SingleSignOnService configuration item in the IDP Metadata.xml file based on the xAccountType value, and sends the samlRequest request to the required path.

      Parameter

      Description

      SAMLRequest

      Indicates the response message body.

      The response message is in XML format. IAM then compresses the message, encodes the message using Base64, and URL encodes the message.

      • If the partner uses the SAML toolkits, this parameter can be directly used. The partner does not need to parse the XML file.
      • If the partner needs to parse the XML file, the partner needs to URL decode the message, decode the message using Base64, and decompress the message (zip.inflate). For details, see Sample Code for Parsing the SAMLRequest.

      RelayState

      Indicates the response parameters for SAML.

      SigAlg

      Indicates the signature algorithm. Huawei uses SHA256 for signatures by default.

      HTTP://WWW.W3.ORG/2001/04/XMLDSIG-MORE#RSA-SHA256

      Signature

      Indicates the signature. The signature is used to verify the initiator of a request.

      When initiating a request, HUAWEI CLOUD uses the private key to sign SAMLRequest={ SAMLRequest }&RelayState={ RelayState } &SigAlg={ SigAlg } in request https://www.test.com/saml/login?SAMLRequest={SAMLRequest }&RelayState={ RelayState} &SigAlg={ SigAlg}&Signature={ Signature } and then performs Base64 coding to obtain the signature value.

      The signature algorithm is specified by the SigAlg field.

      When receiving the request, the receiver verifies the signature value using the public key provided by HUAWEI CLOUD (the value in the <ds:X509Certificate></ds:X509Certificate> tag in the SP Metadata.xml file).

      If the signature verification succeeds, the request is sent by HUAWEI CLOUD, and the follow-up operations can be performed. Otherwise, the request is invalid.

  2. The partner sales platform generates the SAML response message and sends it to HUAWEI CLOUD IAM.
    1. The partner sales platform obtains the HUAWEI CLOUD public key and the response message path of samlResponse from the SP Metadata.xml file. For details, see Example, Public Key, and Response Path in Obtaining the SP Metadata File
    2. The partner sales platform constructs the response message body response.xml for the SAML response.
      The response message body is in XML format. For the correct response message body and its parameter description, see the following displayed content.

      The following content is for reference only. The description in the comments must be modified. The time and ID defined by SAML vary depending on the message. Therefore, it is recommended that you should not directly modify the response message content. Instead, you shall use the SAML toolkits to generate the response message.

      <?xml version="1.0" encoding="UTF-8"?>
      <!-- Parameter InResponseTo needs to be the same as the ID configuration item of AuthnRequest in the SAML request message. -->
      <!-- Parameter Destination needs to be the same as the Location value in the AssertionConsumerService tag in the SP Metadata.xml file. -->
      <saml2p:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" ID="_d794dc393ae6724e236003bf0b917cf0" Destination=" https://auth.huaweicloud.com/authui/saml/SAMLAssertionConsumer"InResponseTo="_dck4mm08qmdhc8k4nuir07hghetdqqg8umg5" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0"
          xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <!-- Must be the same as the entityID value in the IDP Metadata.xml file. -->
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.test.com</saml2:Issuer>
        <saml2p:Status>
          <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
          <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
        </saml2p:Status>
        <saml2:Assertion ID="_2320c40ac7b5e857b2d0d4ea0c8758c3" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0" 
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
          xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <!-- Must be the same as the entityID value in the IDP Metadata.xml file. -->
          <saml2:Issuer>https://www.test.com</saml2:Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <!-- The value after "URI #" must be the same as the ID in the Assertion tag. -->
              <ds:Reference URI="#_2320c40ac7b5e857b2d0d4ea0c8758c3">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces PrefixList="xsd" 
                      xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <!-- The value of DigestValue is the digest of the Assertion tag object. The digest algorithm is the same as that of DigestMethod. -->
                <ds:DigestValue>rFxrycznfGNYOnprZIFJJou4ro0Mz65+43MIR5F0+H4=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <!-- Partner signature value. For details about how to obtain the value, see the following description. -->
            <ds:SignatureValue>
              YqTWQngAPfGqQmWa610PM7LeefqWdKuveUVINrqL67NoHJIDa2WxLwdVzoJIlJh64QiNPr6+ndmL DCMgIC5F/9ijuzhIICZcc6lHNIjy6EsPkKRjfo9oeoVAqLgG/kmVQYeHLBID0y11RNXXpAVY4nhJ 26KiIVGt7ywyKAmhichE+eW/UYAGiOI5vkfgD2gZUGV+yPkv64k7xK4yAH3mL2NaCPuw/90e4enm iUx0YuazDwM5FiRUSMpcJs0rcNmS6clWAUcCzbOx+y2vJGtTjHb7k3UsmpnTop5eYNp94+sDPEat 8FaV4SgafMEL5z54gpe8+//9yOWEvlBs1b0RYg==
            </ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
              <!-- Partner public key certificate. The certificate must be the one specified in the IDP Metadata.xml file. -->
                <ds:X509Certificate>
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhK3L160NjP9EhBGQOC2s4r+Wc62bkRkc nUxfhiZwCwJdQCykzuLOAoATnfoEamV5W25xtSS5kFs+4OC0mYVpKcI3SWoydX+UE5Qik5UfJ8Dt G1AvSEKhSluyO9axrV5Uv089jMxBnlm/R+xND73WcZM11yIbKJEZSTCEDfh+KnFbMw108umFMden RZCrNWUJoSp/90XeG0V2Nmj7Fkq72skSifwIASLRq9KqLbmh1QwUX+AoWpHK/jRUBustMBmG1n1i
                  AqpD4EBjjBOB27k1wXZ30+IoJt8IZmfSZRFoNn5VFWXNeEmZ1aQvGSvd3Tyyw2/Wr+w/8Mags69C mpeX6QIDAQAB
                </ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
          <saml2:Subject>
          <!-- The value of NameQualifier must be the same as the entityID value in the SP Metadata.xml file. -->
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://auth.huaweicloud.com/">Some NameID value</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <!-- Parameter InResponseTo needs to be the same as the ID configuration item of AuthnRequest in the samlRequest message. -->
              <saml2:SubjectConfirmationData InResponseTo="_dck4mm08qmdhc8k4nuir07hghetdqqg8umg5" NotBefore="2018-10-28T08:21:41.740Z" NotOnOrAfter="2018-11-01T08:21:41.740Z" Recipient="https://auth.huaweicloud.com/authui/saml/SAMLAssertionConsumer" />
            </saml2:SubjectConfirmation>
          </saml2:Subject>
          <saml2:Conditions NotBefore="2018-10-28T08:21:41.740Z" NotOnOrAfter="2018-11-01T08:21:41.740Z">
            <saml2:AudienceRestriction>
            <!-- Must be the same as the entityID value in the SP Metadata.xml file. -->
              <saml2:Audience>https://auth.huaweicloud.com/</saml2:Audience>
            </saml2:AudienceRestriction>
          </saml2:Conditions>
          <saml2:AttributeStatement>
            <!-- For values between<saml2:AttributeValue> and </saml2:AttributeValue>, see the following table. -->
            <saml2:Attribute FriendlyName="xUserId" Name="xUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">*******</saml2:AttributeValue>
            </saml2:Attribute>
      <!-- The values of xAccountId and xUserId must be the same. -->
            <saml2:Attribute FriendlyName="xAccountId" Name="xAccountId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">********</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="bpId" Name="bpId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">******</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string" />
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">******</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="mobile" Name="mobile" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">*****</saml2:AttributeValue>
             </saml2:Attribute>
          </saml2:AttributeStatement>
          <saml2:AuthnStatement AuthnInstant="2018-10-30T08:21:41.741Z">
            <!-- Must be the same as the entityID value in the SP Metadata.xml file. -->
            <saml2:SubjectLocality Address="https://auth.huaweicloud.com/" />
            <saml2:AuthnContext>
              <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
          </saml2:AuthnStatement>
        </saml2:Assertion>
      </saml2p:Response>

      The partner signature value is in standard XML format, and the signature type is enveloped-signature. You are advised to use the SAML library provided by a third party for signature.

      The signature procedure is as follows.

      1. Obtain the signature object (Assertion).
        <saml2:Assertion ID="_2320c40ac7b5e857b2d0d4ea0c8758c3" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
        ...... 
        
        </saml2:Assertion>
      2. Obtain the tag object (Signature).
        <ds:Signature
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />
                <ds:Reference URI="#_2320c40ac7b5e857b2d0d4ea0c8758c3">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                              PrefixList="xs" />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
                        <ds:DigestValue>......</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
              <!-- Third-party signature value -->
                <ds:SignatureValue> 
                ...... 
              </ds:SignatureValue>
                <ds:KeyInfo>
                    <ds:X509Data>
                        <!-- Third-party public key certificate -->
                        <ds:X509Certificate> 
                    ...... 
                  </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </ds:Signature>
      3. Generate the DigestValue value for the signature object Assertion.
        1. Convert Assertion according to the algorithm defined in Transform of Signature.
        2. Generate a digest for the object obtained in 1) according to the algorithm specified in DigestMethod.
        3. Place the generated digest value in the DigestValue tag.
      4. Use the private key in Step 6 in Generating a Certificate to generate the SignatureValue value for the SignedInfo object signature.
        1. Convert SignedInfo according to the algorithm defined in CanonicalizationMethod
        2. Generate the signature value for the object obtained in 1) according to the signature algorithm defined in SignatureMethod. Place the obtained signature value in SignatureValue.
      5. Combine the values of DigestValue and SignatureValue to form the final Signature object. Place the value in Assertion as its sub-element.

      The signature is displayed as follows.

      <saml2:Assertion ID="_2320c40ac7b5e857b2d0d4ea0c8758c3" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0"
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
          ...... 
          <ds:Signature
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
              ...... 
            <!-- Third-party signature value -->
              <ds:SignatureValue> 
              ...... 
            </ds:SignatureValue>
              <ds:KeyInfo>
                  <ds:X509Data>
              <!-- Third-party public key certificate -->
                      <ds:X509Certificate> 
                  ...... 
                </ds:X509Certificate>
                  </ds:X509Data>
              </ds:KeyInfo>
          </ds:Signature>
      </saml2:Assertion>
      Table 1 Description of parameters between <saml2:AttributeValue> and </saml2:AttributeValue>

      Parameter

      Description

      xUserId

      Indicates the user ID of the partner's customer on the partner sales platform.

      xAccountId

      Indicates the account ID of the partner's customer on the partner sales platform.

      bpId

      Indicates the partner ID.

      For details about how to obtain the partner ID, see How Do I Check the Partner ID?.

      email

      Indicates the email address.

      This parameter is optional.

      The parameter must meet the following requirements:

      • Must be unique for each customer.
      • A maximum of 64 characters
      • Passes the verification using the following regular expression: ^[azA-Z0-9.!#$%&'*+\\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[azA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$

      name

      Indicates the HUAWEI CLOUD account name of the partner.

      This parameter is optional.

      The parameter must meet the following requirements:

      • Must be 5 to 32 characters long.
      • Can contain only letters, digits, hyphens (-), and underscores (_), and cannot start with a digit. Can contain spaces in the middle.
      • Passes the verification using the following regular expression: ^([a-zA-Z\\_\\- ][0-9a-zA-Z\\_\\- ]*)+$

      Table 1 involves the account ID and user ID because HUAWEI CLOUD IAM has account and user concepts. For details about the two concepts, see "Account" and "IAM User" in Basic Concepts.

    3. If the customer has logged in to the partner sales platform, the SAML response message is returned directly. Otherwise, the SAML response message is displayed after the login.

      Send a POST request to the HUAWEI CLOUD response path AssertionConsumerService in 2.a. The parameters must be in the Form Data format.

      Parameter

      Description

      SAMLResponse

      Identifies the string obtained by encoding the SAML response message body in 2.b using Base64.

      RelayState

      The value of this parameter is the same as that in the SAML request message.

  3. Create a HUAWEI CLOUD account and bind it with the customer account on the partner sales platform.

    After the SAML response message is returned, IAM checks whether there is a HUAWEI CLOUD account already bound with the customer account on the partner sales platform based on the response message. If the required HUAWEI CLOUD account exists, the partner can directly log in to HUAWEI CLOUD. If the required HUAWEI CLOUD account does not exist, the page for creating and binding a HUAWEI CLOUD account is displayed.

    • Figure 2 shows the page for creating a HUAWEI CLOUD account. The partner configures the required parameters on the page for creating a HUAWEI CLOUD account and clicks Create And Bind to create a HUAWEI CLOUD account and bind the account with the customer account on the partner sales platform.
      Figure 2 Page for creating a HUAWEI CLOUD account
    • If the partner's customer already has a HUAWEI CLOUD account, click Bind Account on the page shown in Figure 3. On the displayed page, configure the required parameters as prompt and click Bind Account to bind the HUAWEI CLOUD account with the customer account on the partner sales platform.
      The customer cannot bind its customer account on the partner sales platform to its existing HUAWEI CLOUD account if this account is in one of the following conditions:
      • In arrears
      • Associated to another partner
      • Used to sign a special contract with HUAWEI CLOUD, such as offline directly-signed contract, authorized telemarketing contract with discounts, or directly-signed special offer contract) with HUAWEI CLOUD
      • A consulting partner account in use or pending approval
      • An enterprise subaccount or an enterprise primary account associated with an enterprise subaccount
      • Containing consumption records or resource provisioned
      • Containing valid reserved instances
      Figure 3 Page for binding a HUAWEI CLOUD account
  4. HUAWEI CLOUD notifies the account binding result using the binding notification API provided by the partner through browser redirection.
    1. Obtain the request parameters bindRequest, SigAlg, and Signature.
    2. Decode the signature using Base64 and use the signature algorithm SigAlg to perform signature verification for the bindRequest parameters.

      HUAWEI CLOUD uses the private key used for SAML interconnection to verify the signature. The partner uses the public key (value of the <ds:X509Certificate></ds:X509Certificate> tag in the SP Metadata.xml file) used by HUAWEI CLOUD for SAML interconnection to verify the signature.

    3. If the signature verification succeeds, decode the binding request using Base64 to obtain JSON strings and perform required operations based on the JSON data processing procedure. If the signature verification fails, the request is invalid and the processing is terminated.

Did you find this page helpful?

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel