Updated on 2024-04-15 GMT+08:00

Configuration of OpenID Connect–based Federated Identity Authentication

This section describes the process and configuration of OpenID Connect–based federated identity authentication between an enterprise IdP and the cloud platform.

Configuring Federated Identity Authentication

To implement federated identity authentication between an enterprise management system and the cloud platform, complete the following configuration:

  1. Establish a trust relationship and create an identity provider: Create OAuth 2.0 credentials in the enterprise IdP, and create an identity provider on the cloud platform.
  2. Configure identity conversion rules: Map the users, user groups, and their permissions in the enterprise IdP to the cloud platform.
  3. Configure a login link: Configure a login link in the enterprise management system to allow users to access the cloud platform through SSO.

Process of Federated Identity Authentication

Figure 1 shows the interaction between an enterprise management system and the cloud platform after a user initiates an SSO request.

Figure 1 Process of federated identity authentication

The process of federated identity authentication is as follows:

  1. A user uses a browser to open the login link obtained from IAM, and the browser sends an SSO request to the cloud platform.
  2. The cloud platform looks up the identity provider configuration that matches the login link, and returns an OpenID Connect authorization request to the browser.
  3. The browser forwards the authorization request to the enterprise IdP.
  4. The user enters their username and password on the login page displayed by the enterprise IdP. After the enterprise IdP authenticates the user, it constructs an ID token containing the user information and returns the ID token to the browser as an OpenID Connect authorization response.
  5. The browser forwards the authorization response to the cloud platform.
  6. The cloud platform parses the ID token in the authorization response, identifies the user group that the user is mapped to according to the configured identity conversion rules, and issues a token to the user.
  7. Once the login succeeds, the user can access the cloud platform.
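The following is an added example that is not part of this page and not the cloud platform's own code. It models steps 4 to 6 of the process above together with the identity conversion rules from the configuration section: the enterprise IdP side builds and signs an ID token, and the relying party (the cloud platform's role) refuses the token unless its signature, issuer, audience, expiry and nonce all check out before the group mapping is applied. Everything here is assumed for illustration: the issuer URL, client ID and client secret are constructed values, the token is signed with HS256 using the client secret (permitted by OpenID Connect Core 1.0, although production IdPs normally use RS256 with keys published at the jwks_uri), the `groups` claim name and the rule table are hypothetical, and the rule format is not the platform's real rule syntax.

```python
"""Minimal OpenID Connect relying-party check, modelled on the flow above.

Added example, not the cloud platform's code. Assumed for illustration:
  * the IdP signs the ID token with HS256 using the OAuth 2.0 client secret;
  * the IdP carries group membership in a "groups" claim;
  * the identity conversion rule table below is hypothetical.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed trust configuration, as established in step 1 of the configuration.
CLIENT_ID = "cloud-platform-rp"           # assumed client ID issued by the IdP
CLIENT_SECRET = b"example-shared-secret"  # assumed client secret (do not hard-code for real)
ISSUER = "https://idp.example.com"        # assumed issuer URL of the enterprise IdP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(subject: str, groups: list, nonce: str, now=None) -> str:
    """What the enterprise IdP does in step 4: build and sign an ID token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": CLIENT_ID,
        "iat": now,
        "exp": now + 300,
        "nonce": nonce,      # echoed back from the authorization request
        "groups": groups,    # assumed claim name for IdP group membership
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class IdTokenError(Exception):
    pass


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """What the relying party must do in step 6 before trusting any claim."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise IdTokenError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token header must never choose it ("alg": "none" attacks).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise IdTokenError("token not intended for this relying party")
    if claims.get("exp", 0) <= now:
        raise IdTokenError("token expired")
    # The nonce binds this response to the authorization request sent in step 2.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims


# Hypothetical identity conversion rules (step 2 of the configuration): IdP group -> platform group.
CONVERSION_RULES = {
    "cloud-admins": "admin",
    "cloud-readers": "readonly",
}


def map_to_platform_groups(claims: dict) -> list:
    """Step 6: platform group(s) for the federated user. Unmapped IdP groups grant nothing."""
    return sorted({CONVERSION_RULES[g] for g in claims.get("groups", []) if g in CONVERSION_RULES})


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)  # generated when the authorization request is built
    token = issue_id_token("alice@example.com", ["cloud-readers", "hr"], nonce)
    claims = validate_id_token(token, nonce)
    print(claims["sub"], "->", map_to_platform_groups(claims))  # alice@example.com -> ['readonly']
```

The order of checks matters: signature first, so that nothing in an unverified token influences control flow, then issuer and audience (a token minted for a different client must not log anyone in here), then expiry and nonce. Only after all of that are the group claims consulted, and a group with no conversion rule yields no platform permission at all.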