Updated on 2022-08-18 GMT+08:00

Step 1: Create an Identity Provider

To establish a trust relationship between an enterprise IdP and the cloud platform, upload the metadata file of the cloud platform to the enterprise IdP, and then create an identity provider and upload the metadata file of the identity provider on the IAM console.

Prerequisites

  • You have registered an account on the cloud platform as an enterprise administrator, and have created user groups and granted them permissions in IAM. For details, see Creating a User Group and Assigning Permissions. The user groups created in IAM will be used to assign permissions to enterprise IdP users mapped to the cloud platform.
  • You have read the documentation of the enterprise IdP or have understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain the enterprise IdP's metadata file and how to upload the cloud platform's metadata to the enterprise IdP, see the IdP documentation.

Establishing a Trust Relationship Between the Enterprise IdP and the Cloud Platform

The metadata file of the cloud platform needs to be configured on the enterprise IdP to establish a trust relationship between the two systems.

  1. Download the metadata file of the cloud platform.

    • WebSSO: Visit https://Domain name of the authui service on the cloud platform/authui/saml/metadata.xml, right-click on the page, choose Save As, and set a file name, for example, websso-metadata.xml.
    • API calling: Visit https://Endpoint address of a region/v3-ext/auth/OS-FEDERATION/SSO/metadata, right-click on the page, choose Save As, and set a file name, for example, api-metadata-region.xml.

      The cloud platform provides different API gateways for users in different regions to call APIs. To allow users to access resources in multiple regions, download metadata files of all these regions.

  2. Upload the metadata file to the enterprise IdP server. For details about how to upload the metadata file, see the documentation of your enterprise IdP.
  3. Obtain the metadata file of the enterprise IdP. For details about how to obtain the metadata file, see the documentation of your enterprise IdP.

Creating an Identity Provider on the Cloud Platform

Create an identity provider and configure the metadata file in IAM.

  1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.
  2. Specify the name, protocol, SSO type, status, and description of the identity provider.

    The identity provider name must be unique under your account.

  3. Click OK.

Configuring the Metadata File of the Identity Provider

Configure the metadata file of the enterprise IdP obtained in 3 of section "Creating an Identity Provider on the Cloud Platform" on the cloud platform. You can upload or manually edit metadata configurations in IAM. For a metadata file larger than 500 KB, manually configure the metadata. If the metadata has changed, upload the latest metadata file or edit the existing metadata to ensure that the federated users can log in to the cloud platform successfully.
  • Upload a metadata file.
    1. Click Modify in the row containing the identity provider.
    2. Click Select File and select the metadata file you have obtained.
      Figure 1 Uploading a metadata file
    3. Click Upload. The metadata extracted from the uploaded file is displayed. Click OK.
      • If the uploaded metadata file contains multiple identity providers, select the identity provider you want to use from the Entity ID drop-down list.
      • If a message is displayed indicating that no entity ID is specified or the signing certificate has expired, check the metadata file and upload it again, or configure the metadata manually.
    4. Click OK.
  • Manually configure metadata.
    1. Click Manually configure.
    2. In the Configure Metadata dialog box, set the metadata parameters, such as the entity ID, signing certificate, and SingleSignOnService.

      Parameter

      Mandatory

      Description

      Entity ID

      Yes

      The unique identifier of an identity provider. Enter the value of entityID displayed in the enterprise IdP's metadata file.

      If the metadata file contains multiple identity providers, choose the one you want to use.

      Protocol

      Yes

      The SAML protocol is used for federated identity authentication between an enterprise IdP and SP.

      NameIdFormat

      No

      Enter the value of NameIdFormat displayed in the metadata file.

      This parameter indicates the username and ID format used for communication between the identity provider and federated users.

      Signing Certificate

      Yes

      Enter the value of <X509Certificate> displayed in the metadata file.

      A signing certificate is a public key certificate used for signature verification. For security purposes, enter a public key containing no less than 2048 bits. The signing certificate is used during federated identity authentication to ensure that assertions are credible and complete.

      SingleSignOnService

      Yes

      Enter the value of SingleSignOnService displayed in the metadata file.

      This parameter defines how SAML requests are sent during the SSO process. The SingleSignOnService parameter in the metadata file must support HTTP Redirect or HTTP POST.

      SingleLogoutService

      No

      Enter the value of SingleLogoutService displayed in the metadata file.

      This parameter indicates the address to which federated users will be redirected after logging out their sessions. The SingleLogoutService parameter in the metadata file must support HTTP Redirect or HTTP POST.

      The following example shows the metadata file of an enterprise IdP and the metadata information that needs to be completed during manual configuration.

      Figure 2 Metadata file of an enterprise IdP
    3. Click OK.
  • Click OK to save the settings.

Logging In as a Federated User

  1. Click the login link displayed on the identity provider details page and check if the login page of the enterprise IdP server is displayed.

    1. On the Identity Providers page, click View in the Operation column of the identity provider. Copy the login link displayed on the identity provider details page and visit the link using a browser.
    2. If the login page is not displayed, check the metadata file and configurations of the enterprise IdP server.

  2. Enter the username and password of a user that was created in the enterprise management system.

    • If the login is successful, add the login link to the enterprise's website.
    • If the login fails, check the username and password.

    Federated users only have read permissions for the cloud platform by default. To assign permissions to federated users, configure identity conversion rules for the identity provider. For more information, see Step 2: Configure Identity Conversion Rules.

Related Operations

  • Viewing identity provider information: In the identity provider list, click View in the row containing the identity provider, and view its basic information, metadata, and identity conversion rules.

    To modify the configurations of an identity provider, click Modify at the bottom of the details page.

  • Modifying an identity provider: In the identity provider list, click Modify in the row containing the identity provider, and then change its status and modify the description, metadata, and identity conversion rules.
  • Deleting an identity provider: In the identity provider list, click Delete in the row containing the identity provider, and click Yes.

Follow-Up Procedure