Partner CenterPartner Center

Compute
Elastic Cloud Server
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
Domain Name Service
VPC Endpoint
Cloud Connect
Enterprise Switch
Security & Compliance
Anti-DDoS
Web Application Firewall
Host Security Service
Data Encryption Workshop
Database Security Service
Advanced Anti-DDoS
Data Security Center
Container Guard Service
Situation Awareness
Managed Threat Detection
Compass
Cloud Certificate Manager
Anti-DDoS Service
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GaussDB NoSQL
GaussDB(for MySQL)
Distributed Database Middleware
GaussDB(for openGauss)
Developer Services
ServiceStage
Distributed Cache Service
Simple Message Notification
Application Performance Management
Application Operations Management
Blockchain Service
API Gateway
Cloud Performance Test Service
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
DevCloud
ProjectMan
CodeHub
CloudRelease
CloudPipeline
CloudBuild
CloudDeploy
Cloud Communications
Message & SMS
Cloud Ecosystem
Marketplace
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP License Service
Support Plans
Customer Operation Capabilities
Partner Support Plans
Professional Services
enterprise-collaboration
Meeting
IoT
IoT
Intelligent EdgeFabric
DeveloperTools
SDK Developer Guide
API Request Signing Guide
Terraform
HCloud CLI
Updated at: Apr 13, 2022 GMT+08:00

Web UI Mode

After logging in to the partner sales platform, a customer can directly switch to HUAWEI CLOUD to purchase cloud services and manage cloud service resources. The partner sales platform must complete SAML authentication to establish a trust relationship with HUAWEI CLOUD.

Prerequisites

The partner has performed steps in Access Configuration.

SAML Authentication

Figure 1 shows the SAML authentication process.

Figure 1 SAML authentication process

  1. A partner's customer uses a browser to call the HUAWEI CLOUD login link. IAM sends the SAML request.
    1. The customer uses a browser to call the HUAWEI CLOUD login link.

      https://auth-intl.huaweicloud.com/authui/saml/login?xAccountType=ZXT&isFirstLogin=false&service=https%3a%2f%2fconsole-intl.huaweicloud.com%2fiam%2f

      Parameter

      Mandatory

      Description

      Example

      xAccountType

      Yes

      Indicates the identifier of the partner sales platform, which is globally unique. The value is provided by Huawei. After the partner configures the access parameters on the Partner Center page, the partner ID is generated. For details about how to obtain the platform ID, see How Do I Obtain the xaccountType Value?

      ZXT

      isFirstLogin

      No

      If no HUAWEI CLOUD account is bound, this parameter is mandatory and must be set to true. Otherwise, the value can be left empty or set to false.

      After the account creation API is successfully called to create a customer account, HUAWEI CLOUD CBC has bound the customer account on the partner sales platform with the customer HUAWEI CLOUD account.

      false

      service

      Yes

      Indicates the redirection address after login.

      The encodeURIComponent function is used for coding.

      https%3a%2f%2fconsole-intl.huaweicloud.com%2fiam%2f

    2. IAM receives the login request of the partner's customer, locates the SingleSignOnService configuration item in the IDP Metadata.xml file based on the xAccountType value, and sends the samlRequest request to the required path.

      Parameter

      Description

      SAMLRequest

      Indicates the response message body.

      The response message is in XML format. IAM then compresses the message, encodes the message using Base64, and URL encodes the message.

      • If the partner uses the SAML toolkits, this parameter can be directly used. The partner does not need to parse the XML file.
      • If the partner needs to parse the XML file, the partner needs to URL decode the message, decode the message using Base64, and decompress the message (zip.inflate). For details, see Sample Code for Parsing the SAMLRequest.

      RelayState

      Indicates the response parameters for SAML.

      SigAlg

      Indicates the signature algorithm. Huawei uses SHA256 for signatures by default.

      HTTP://WWW.W3.ORG/2001/04/XMLDSIG-MORE#RSA-SHA256

      Signature

      Indicates the signature. The signature is used to verify the initiator of a request.

      When initiating a request, HUAWEI CLOUD uses the private key to sign SAMLRequest={ SAMLRequest }&RelayState={ RelayState } &SigAlg={ SigAlg } in request https://www.test.com/saml/login?SAMLRequest={SAMLRequest }&RelayState={ RelayState} &SigAlg={ SigAlg}&Signature={ Signature } and then performs Base64 coding to obtain the signature value.

      The signature algorithm is specified by the SigAlg field.

      When receiving the request, the receiver verifies the signature value using the public key provided by HUAWEI CLOUD (the value in the <ds:X509Certificate></ds:X509Certificate> tag in the SP Metadata.xml file).

      If the signature verification succeeds, the request is sent by HUAWEI CLOUD, and the follow-up operations can be performed. Otherwise, the request is invalid.

  2. The partner sales platform generates the SAML response message and sends it to HUAWEI CLOUD IAM.
    1. The partner sales platform obtains the HUAWEI CLOUD public key and the response message path of samlResponse from the SP Metadata.xml file. For details, see Example, Public Key, and Response Path in Obtaining the SP Metadata File
    2. The partner sales platform generates the SAML response message.
      The response message body is in XML format. For the correct response message body and its parameter description, see the following displayed content.

      The following content is for reference only. The description in the comments must be modified. The time and ID defined by SAML vary depending on the message. Therefore, it is recommended that you should not directly modify the response message content. Instead, you shall use the SAML toolkits to generate the response message.

      <?xml version="1.0" encoding="UTF-8"?>
      <!-- Parameter InResponseTo needs to be the same as the ID configuration item of AuthnRequest in the SAML request message. -->
      <!-- Parameter Destination needs to be the same as the Location value in the AssertionConsumerService tag in the SP Metadata.xml file. -->
      <saml2p:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" ID="_d794dc393ae6724e236003bf0b917cf0" Destination=" https://auth.huaweicloud.com/authui/saml/SAMLAssertionConsumer"InResponseTo="_dck4mm08qmdhc8k4nuir07hghetdqqg8umg5" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0"
          xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <!-- Must be the same as the entityID value in the IDP Metadata.xml file. -->
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" 
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.test.com</saml2:Issuer>
        <saml2p:Status>
          <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
          <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage>
        </saml2p:Status>
        <saml2:Assertion ID="_2320c40ac7b5e857b2d0d4ea0c8758c3" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0" 
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
          xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <!-- Must be the same as the entityID value in the IDP Metadata.xml file. -->
          <saml2:Issuer>https://www.test.com</saml2:Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <!-- The value after "URI #" must be the same as the ID in the Assertion tag. -->
              <ds:Reference URI="#_2320c40ac7b5e857b2d0d4ea0c8758c3">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <ec:InclusiveNamespaces PrefixList="xsd" 
                      xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <!-- The value of DigestValue is the digest of the Assertion tag object. The digest algorithm is the same as that of DigestMethod. -->
                <ds:DigestValue>rFxrycznfGNYOnprZIFJJou4ro0Mz65+43MIR5F0+H4=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <!-- Partner signature value. For details about how to obtain the value, see the following description. -->
            <ds:SignatureValue>
              YqTWQngAPfGqQmWa610PM7LeefqWdKuveUVINrqL67NoHJIDa2WxLwdVzoJIlJh64QiNPr6+ndmL DCMgIC5F/9ijuzhIICZcc6lHNIjy6EsPkKRjfo9oeoVAqLgG/kmVQYeHLBID0y11RNXXpAVY4nhJ 26KiIVGt7ywyKAmhichE+eW/UYAGiOI5vkfgD2gZUGV+yPkv64k7xK4yAH3mL2NaCPuw/90e4enm iUx0YuazDwM5FiRUSMpcJs0rcNmS6clWAUcCzbOx+y2vJGtTjHb7k3UsmpnTop5eYNp94+sDPEat 8FaV4SgafMEL5z54gpe8+//9yOWEvlBs1b0RYg==
            </ds:SignatureValue>
            <ds:KeyInfo>
              <ds:X509Data>
              <!-- Partner public key certificate. The certificate must be the one specified in the IDP Metadata.xml file. -->
                <ds:X509Certificate>
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhK3L160NjP9EhBGQOC2s4r+Wc62bkRkc nUxfhiZwCwJdQCykzuLOAoATnfoEamV5W25xtSS5kFs+4OC0mYVpKcI3SWoydX+UE5Qik5UfJ8Dt G1AvSEKhSluyO9axrV5Uv089jMxBnlm/R+xND73WcZM11yIbKJEZSTCEDfh+KnFbMw108umFMden RZCrNWUJoSp/90XeG0V2Nmj7Fkq72skSifwIASLRq9KqLbmh1QwUX+AoWpHK/jRUBustMBmG1n1i
                  AqpD4EBjjBOB27k1wXZ30+IoJt8IZmfSZRFoNn5VFWXNeEmZ1aQvGSvd3Tyyw2/Wr+w/8Mags69C mpeX6QIDAQAB
                </ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </ds:Signature>
          <saml2:Subject>
          <!-- The value of NameQualifier must be the same as the entityID value in the SP Metadata.xml file. -->
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://auth.huaweicloud.com/">Some NameID value</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <!-- Parameter InResponseTo needs to be the same as the ID configuration item of AuthnRequest in the samlRequest message. -->
              <saml2:SubjectConfirmationData InResponseTo="_dck4mm08qmdhc8k4nuir07hghetdqqg8umg5" NotBefore="2018-10-28T08:21:41.740Z" NotOnOrAfter="2018-11-01T08:21:41.740Z" Recipient="https://auth.huaweicloud.com/authui/saml/SAMLAssertionConsumer" />
            </saml2:SubjectConfirmation>
          </saml2:Subject>
          <saml2:Conditions NotBefore="2018-10-28T08:21:41.740Z" NotOnOrAfter="2018-11-01T08:21:41.740Z">
            <saml2:AudienceRestriction>
            <!-- Must be the same as the entityID value in the SP Metadata.xml file. -->
              <saml2:Audience>https://auth.huaweicloud.com/</saml2:Audience>
            </saml2:AudienceRestriction>
          </saml2:Conditions>
          <saml2:AttributeStatement>
            <!-- For values between<saml2:AttributeValue> and </saml2:AttributeValue>, see the following table. -->
            <saml2:Attribute FriendlyName="xUserId" Name="xUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">*******</saml2:AttributeValue>
            </saml2:Attribute>
      <!-- The values of xAccountId and xUserId must be the same. -->
            <saml2:Attribute FriendlyName="xAccountId" Name="xAccountId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">********</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="bpId" Name="bpId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">******</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string" />
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">******</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="mobile" Name="mobile" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">*****</saml2:AttributeValue>
             </saml2:Attribute>
          </saml2:AttributeStatement>
          <saml2:AuthnStatement AuthnInstant="2018-10-30T08:21:41.741Z">
            <!-- Must be the same as the entityID value in the SP Metadata.xml file. -->
            <saml2:SubjectLocality Address="https://auth.huaweicloud.com/" />
            <saml2:AuthnContext>
              <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
          </saml2:AuthnStatement>
        </saml2:Assertion>
      </saml2p:Response>

      The partner signature value is in standard XML format, and the signature type is enveloped-signature. You are advised to use the SAML library provided by a third party for signature.

      The signature procedure is as follows.

      1. Obtain the signature object (Assertion).
        <saml2:Assertion ID="_2320c40ac7b5e857b2d0d4ea0c8758c3" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
        ...... 
        
        </saml2:Assertion>
      2. Obtain the tag object (Signature).
        <ds:Signature
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" />
                <ds:Reference URI="#_2320c40ac7b5e857b2d0d4ea0c8758c3">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces
                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                              PrefixList="xs" />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
                        <ds:DigestValue>......</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
              <!-- Third-party signature value -->
                <ds:SignatureValue> 
                ...... 
              </ds:SignatureValue>
                <ds:KeyInfo>
                    <ds:X509Data>
                        <!-- Third-party public key certificate -->
                        <ds:X509Certificate> 
                    ...... 
                  </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </ds:Signature>
      3. Generate the DigestValue value for the signature object Assertion.
        1. Convert Assertion according to the algorithm defined in Transform of Signature.
        2. Generate a digest for the object obtained in 1) according to the algorithm specified in DigestMethod.
        3. Place the generated digest value in the DigestValue tag.
      4. Use the private key in Step 6 in Generating a Certificate to generate the SignatureValue value for the SignedInfo object signature.
        1. Convert SignedInfo according to the algorithm defined in CanonicalizationMethod
        2. Generate the signature value for the object obtained in 1) according to the signature algorithm defined in SignatureMethod. Place the obtained signature value in SignatureValue.
      5. Combine the values of DigestValue and SignatureValue to form the final Signature object. Place the value in Assertion as its sub-element.

      The signature is displayed as follows.

      <saml2:Assertion ID="_2320c40ac7b5e857b2d0d4ea0c8758c3" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0"
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
          ...... 
          <ds:Signature
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
              ...... 
            <!-- Third-party signature value -->
              <ds:SignatureValue> 
              ...... 
            </ds:SignatureValue>
              <ds:KeyInfo>
                  <ds:X509Data>
              <!-- Third-party public key certificate -->
                      <ds:X509Certificate> 
                  ...... 
                </ds:X509Certificate>
                  </ds:X509Data>
              </ds:KeyInfo>
          </ds:Signature>
      </saml2:Assertion>
      Table 1 Description of parameters between <saml2:AttributeValue> and </saml2:AttributeValue>

      Parameter

      Description

      xUserId

      Indicates the user ID of the partner's customer on the partner sales platform. This parameter value equals the value of xAccountId.

      xAccountId

      Indicates the account ID of the partner's customer on the partner sales platform.

      bpId

      Indicates the partner ID.

      For details about how to obtain the partner ID, see How Do I Check the Partner ID?.

      email

      Indicates the email address.

      This parameter is optional.

      The parameter must meet the following requirements:

      • Must be unique for each customer.
      • A maximum of 64 characters
      • Passes the verification using the following regular expression: ^[azA-Z0-9.!#$%&'*+\\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[azA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$

      name

      Indicates the account name transferred on the partner sales platform.

      This parameter is optional.

      The account name must be the same as the value of domain_name in the request for API in Creating a Customer.

      Table 1 involves the account ID and user ID because HUAWEI CLOUD IAM has the account and user concepts. For details about the two concepts, see "Account" and "IAM User" in Basic Concepts.

    3. If the customer has logged in to the partner sales platform, the SAML response message is returned directly. Otherwise, the SAML response message is displayed after the login.

      Send a POST request to the HUAWEI CLOUD response path AssertionConsumerService in 2.a. The parameters must be in the Form Data format.

      Parameter

      Description

      SAMLResponse

      Identifies the string obtained by encoding the SAML response message body in 2.b using Base64.

      RelayState

      The value of this parameter is the same as that in the SAML request message.

  3. IAM parses the SAMLResponse. When the customer account creation API is called to create an account, HUAWEI CLOUD CBC binds the customer account on the partner sales platform with the HUAWEI CLOUD account. Therefore, the customer can be redirected to the service page and purchase and manage the cloud services.

Did you find this page helpful?

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel