Updated on 2023-11-23 GMT+08:00

Overview of Virtual User SSO via OpenID Connect

This section describes how to configure identity federation and how identity federation works.

Configuring Identity Federation

The following describes how to configure your enterprise IdP and Huawei Cloud to trust each other.

  1. Create an IdP entity and establish a trust relationship: Create OAuth 2.0 credentials in the enterprise IdP. On Huawei Cloud, create an IdP entity and establish a trust relationship between the two systems.
  2. Configure identity conversion rules: Configure identity conversion rules on Huawei Cloud to map the users, user groups, and permissions in the enterprise IdP to Huawei Cloud.
  3. Configure a federated login entry: Configure the login link in the enterprise IdP to allow enterprise users to be redirected to Huawei Cloud from your enterprise management system.

How Identity Federation Works

Figure 1 shows the identity federation process between an enterprise management system and Huawei Cloud.

Figure 1 How identity federation works

The process of identity federation is as follows:

  1. A user opens the login link obtained from the IAM console in the browser. The browser sends an SSO request to Huawei Cloud.
  2. Huawei Cloud authenticates the user against the configuration of the enterprise IdP and constructs an OpenID Connect request to the browser.
  3. The browser forwards the OpenID Connect request to the enterprise IdP.
  4. The user enters their username and password on the login page displayed in the enterprise IdP. After the enterprise IdP authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.
  5. The browser forwards the OpenID Connect response to Huawei Cloud.
  6. Huawei Cloud parses the ID token in the OpenID Connect response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
  7. The SSO login is successful.