Configuration of OpenID Connect–based Federated Identity Authentication
This section describes the process and configuration of OpenID Connect–based federated identity authentication between an enterprise IdP and the cloud platform.
Configuring Federated Identity Authentication
To implement federated identity authentication between an enterprise management system and the cloud platform, complete the following configuration:
- Establish a trust relationship and create an identity provider: Create OAuth 2.0 credentials in the enterprise IdP, and create an identity provider on the cloud platform.
- Configure identity conversion rules: Map the users, user groups, and their permissions in the enterprise IdP to the cloud platform.
- Configure a login link: Configure a login link in the enterprise management system to allow users to access the cloud platform through SSO.
Process of Federated Identity Authentication
Figure 1 shows the interaction between an enterprise management system and the cloud platform after a user initiates an SSO request.
The process of federated identity authentication is as follows:
- A user uses a browser to open the login link obtained from IAM, and then the browser sends an SSO request to the cloud platform.
- The cloud platform searches for identity provider configurations based on the login link, and sends an OpenID Connect authorization request to the browser.
- The browser forwards the authorization request to the enterprise IdP.
- The user enters their username and password on the login page displayed in the enterprise IdP. After the enterprise IdP authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.
- The browser responds and forwards the authorization response to the cloud platform.
- The cloud platform parses the ID token in the authorization response, and issues a token to the user after identifying the group to which the user is mapped, according to the configured identity conversion rules.
- If the login is successful, the user accesses the cloud platform successfully.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot