Updated on 2022-08-18 GMT+08:00

Configuration of SAML-based Federated Identity Authentication

This section describes the process and configuration of SAML-based federated identity authentication between an enterprise IdP and the cloud platform.

Ensure that your enterprise IdP supports SAML 2.0.

Configuring Federated Identity Authentication

To implement federated identity authentication between an enterprise management system and the cloud platform, complete the following configuration:

  1. Establish a trust relationship and create an identity provider: Exchange the metadata files of the enterprise IdP and the cloud platform.
    Figure 1 Metadata file exchange model
  2. Configure identity conversion rules: Map the users, user groups, and permissions in the enterprise IdP to the cloud platform (see Figure 2).
    Figure 2 User identity conversion model
  3. Configure a login link: Configure a login link in the enterprise management system to allow users to access the cloud platform through SSO.
    Figure 3 SSO login model

Process of Federated Identity Authentication

Figure 4 shows the interaction between an enterprise management system and the cloud platform after a user initiates an SSO request.

Figure 4 Process of federated identity authentication

To inspect the requests and assertions exchanged during this process, use Google Chrome with the SAML Message Decoder plug-in installed.

The process of federated identity authentication is as follows:

  1. A user uses a browser to visit the login link of the identity provider, and the browser sends an SSO request to the cloud platform.
  2. The cloud platform searches for a metadata file based on the login link, and sends a SAML request to the browser.
  3. The browser forwards the SAML request to the enterprise IdP.
  4. The user enters their username and password on the login page displayed in the enterprise IdP. After the enterprise IdP authenticates the user's identity, it constructs a SAML assertion containing the user information, and sends the assertion to the browser as a SAML response.
  5. The browser forwards the SAML response to the cloud platform.
  6. The cloud platform parses the assertion in the SAML response, and issues a token to the user after identifying the group to which the user is mapped, according to the configured identity conversion rules.
  7. If the login succeeds, the user can access the cloud platform.

    The assertion must carry a signature; otherwise, the login will fail.
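The service-provider side of steps 5 and 6, as an added example that is not the cloud platform's own code: it rejects an assertion that carries no signature, checks the assertion's validity window and audience, and then applies an identity conversion rule to map the user's IdP group to a cloud platform user group. The response XML, the `groups` attribute name and the rule table are constructed for the example; the cryptographic verification of the signature is assumed to be done by an XML-signature library and is not performed here.

```python
# Added example of SP-side handling of a SAML response; not the cloud platform's code.
# Only the presence of a ds:Signature and the assertion conditions are checked here; the
# cryptographic signature check must be done with an XML-signature library (assumption)
# before any value from the assertion is trusted. The response below is constructed.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Identity conversion rule (assumed): IdP group attribute value -> cloud platform user group.
CONVERSION_RULES = {"idp-admins": "admin", "idp-developers": "developer"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2022-08-18T00:00:00Z" NotOnOrAfter="2022-08-18T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>idp-developers</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def map_user(response_xml, audience, now):
    """Return (name_id, cloud_group), or raise ValueError if the response is rejected."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion missing or unsigned")  # unsigned assertion: login fails
    cond = assertion.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != audience:
        raise ValueError("assertion not issued for this service provider")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)]
    mapped = [CONVERSION_RULES[g] for g in groups if g in CONVERSION_RULES]
    if not mapped:
        raise ValueError("no identity conversion rule matches the user's groups")
    return name_id, mapped[0]
```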