Updated on 2024-12-30 GMT+08:00

Logging In to Huawei Cloud via OneAccess Without Password (OIDC)

This section uses OIDC as an example to describe how to use OneAccess to log in to CodeArts on the Huawei Cloud console without entering a password.

Creating a Huawei Cloud OIDC Application

Create a Huawei Cloud OIDC application on the OneAccess administrator portal and obtain the OIDC settings to establish a trust relationship between OneAccess and Huawei Cloud.

  1. Add the Huawei Cloud application in OneAccess.

    1. Log in to the OneAccess administrator portal, and choose Resources > Applications.
    2. Click Add Custom Application.
    3. Enter an application name and click Save.
    4. Click the created application and copy the value of ClientId.

  2. Obtain OIDC configurations.

    1. Log in to the OneAccess administrator portal, and choose Settings > Service Settings.
    2. On the displayed page, click OIDC.
    3. Click OIDC Settings.

    4. Obtain the issuer, authorization_endpoint, and jwks_uri addresses.

    5. Copy the jwks_uri address to the address box of a browser to obtain the signing key.
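
The JSON returned by jwks_uri is a JWK Set and is later pasted into the Signing Key field on Huawei Cloud. The following check for that JSON is an added example, not part of the OneAccess or Huawei Cloud documentation; the function name and the sample keys are constructed for illustration. It flags private-key members, which must never appear in a published key set, and keys not marked for signature use.

```python
import json

# JWK members that carry private or secret key material (RFC 7518, RFC 8037).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# Public members each asymmetric key type must carry.
REQUIRED_PUBLIC = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "OKP": {"crv", "x"}}


def check_signing_keys(jwks_text):
    """Return a list of problems in a JWK Set; an empty list means none were found."""
    try:
        doc = json.loads(jwks_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return ['missing or empty "keys" array']
    problems = []
    for index, key in enumerate(keys):
        if not isinstance(key, dict):
            problems.append(f"key #{index}: not a JSON object")
            continue
        label = key.get("kid", f"#{index}")
        leaked = sorted(PRIVATE_MEMBERS & set(key))
        if leaked:
            problems.append(f"key {label}: private members present: {leaked}")
        kty = key.get("kty")
        if not isinstance(kty, str) or kty not in REQUIRED_PUBLIC:
            problems.append(f"key {label}: kty {kty!r} is not an asymmetric public key type")
        else:
            missing = sorted(REQUIRED_PUBLIC[kty] - set(key))
            if missing:
                problems.append(f"key {label}: missing public members: {missing}")
        if key.get("use", "sig") != "sig":
            problems.append(f"key {label}: use is {key['use']!r}, expected 'sig'")
    return problems


# Constructed sample input: placeholder values, not real key material.
GOOD_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sample-1", "use": "sig", "alg": "RS256",
     "n": "constructed-modulus", "e": "AQAB"}]})
BAD_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sample-2", "use": "enc",
     "n": "constructed-modulus", "e": "AQAB", "d": "constructed-private-exponent"}]})

if __name__ == "__main__":
    for name, text in (("good", GOOD_JWKS), ("bad", BAD_JWKS)):
        print(name, check_signing_keys(text) or "no problems found")
```

The check is structural only: it does not verify that the key material is well formed or that it belongs to the expected issuer.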

Creating an IdP on Huawei Cloud

Create an IdP and configure the OneAccess application and OIDC on the Huawei Cloud console.

  1. Create an IdP. For details, see Creating an IdP Entity on Huawei Cloud.

    • The IdP name must be unique. You are advised to use the domain name.
    • Specify the configuration information.
      1. Identity Provider URL: issuer address obtained in 2.d.
      2. Authorization Endpoint: authorization_endpoint address obtained in 2.d.
      3. Client ID: OIDC application ClientId obtained in 1.d.
      4. Signing Key: Public key (in JSON format) obtained in 2.e.

  2. Copy the login address and redirect URI during the configuration.

  3. Configure identity conversion rules on Huawei Cloud so that OneAccess users can access CodeArts. For details, see Configure Identity Conversion Rules.

Establishing a Trust Between OneAccess and Huawei Cloud

Configure the login address and redirect URI of Huawei Cloud in OneAccess.
  1. Log in to the OneAccess administrator portal, and choose Resources > Applications.
  2. Click the added custom Huawei Cloud application.
  3. Enable Authentication, select OIDC, and click Save.

  4. Click Configure on the right of Authentication. On the OIDC configuration page displayed, set Callback URL to the redirect URI obtained in step 2 of Creating an IdP on Huawei Cloud, and enable Implicit Authorization.

  5. Configure the Huawei Cloud login entry in OneAccess.

    On the Huawei Cloud application details page, choose Login Settings > Web Applications, click Modify, replace the URL with the login URL of the IdP created on Huawei Cloud, and click OK to save it.

    To redirect to a specific service page on the Huawei Cloud console, combine the login link of the identity provider created on Huawei Cloud with the service address and enter the combined URL. The following takes CodeArts as an example:

    Login link of the identity provider created on Huawei Cloud: https://auth.huawei.com/authui/federation/websso?domain_id=e35f***************79ba14839c&idp=one001&protocol=oidc

    CodeArts service address: https://console-intl.huaweicloud.com/devcloud/?region=cn-east-3&locale=en-us#

    If the service address contains the agencyId=***& field, delete the field. Then use &service= to combine the two addresses, and enter the combined address in the URL field.

    https://auth.huawei.com/authui/federation/websso?domain_id=e35f***************79ba14839c&idp=one001&protocol=oidc&service=https://console.huaweicloud.com/devcloud/?region=cn-south-1&locale=zh-cn#

  6. Grant Huawei Cloud access permissions to users in OneAccess.

    On the Huawei Cloud application details page, choose Authorization > Application Accounts, click the button for adding accounts, select required accounts, and click Save. The selected accounts can access Huawei Cloud via OneAccess without a password.

    The email address field of an IAM user is mandatory. Users authorized in OneAccess must have this field.

Logging In as a User

Users with Huawei Cloud access permissions can easily access CodeArts with a single click after logging in to the OneAccess user portal.