Help Center/ Identity and Access Management/ User Guide/ Custom Identity Broker/ Creating a FederationProxyUrl Using an Agency
Updated on 2024-12-25 GMT+08:00

Creating a FederationProxyUrl Using an Agency

This section provides example code used to programmatically create a FederationProxyUrl using an agency for logging in to Huawei Cloud services.

Example Code Using Java

The following Java code shows how to create a FederationProxyUrl that gives federated users direct access to the Huawei Cloud console.

import java.net.*;
import java.util.Collections;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.exception.ClientRequestException;
import com.huaweicloud.sdk.core.exception.ServerResponseException;
import com.huaweicloud.sdk.core.http.HttpConfig;
import com.huaweicloud.sdk.iam.v3.IamClient;
import com.huaweicloud.sdk.iam.v3.model.*;


// Use the global domain name to obtain a login token.
String endpoint = "https://iam.myhuaweicloud.com";

// Configure client attributes.
HttpConfig config = HttpConfig.getDefaultHttpConfig()
		.withIgnoreSSLVerification(true)
		.withProxyHost("proxy.huawei.com")
		.withProxyPort(8080);

// Use the domain ID (account ID), AK, and SK of userB to initialize the specified IAM client "{Service}Client". For details about how to create userB, see section "Creating an IAM User".
IamClient iamClient = IamClient.newBuilder().withCredential(new GlobalCredentials()
		.withDomainId("domainId")
		.withAk("ak")
		.withSk("sk"))
		.withEndpoint(endpoint)
		.withHttpConfig(config)
		.build();		
		
/*CreateTemporaryAccessKeyByAgency
Call the API used to obtain a temporary access key and security token with an agency.
The default validity period of an access key and security token is 900 seconds, that is, 15 minutes. The value ranges from 15 minutes to 24 hours. In this example, the validity period is set to 3600 seconds, that is, 1 hour.
When you obtain a login token with a specified validity period, ensure that the validity period of the login token is not greater than the remaining validity period of the security token.
*/
IdentityAssumerole identityAssumerole = new IdentityAssumerole().
		withAgencyName("testagency").withDomainId("0525e2c87exxxxxxx").withSessionUser(new AssumeroleSessionuser().withName("ExternalUser")).withDurationSeconds(3600);
AgencyAuth agencyAuth = new AgencyAuth().withIdentity(new AgencyAuthIdentity().withAssumeRole(identityAssumerole).
		withMethods(Collections.singletonList(AgencyAuthIdentity.MethodsEnum.fromValue("assume_role"))));
CreateTemporaryAccessKeyByAgencyRequestBody createTemporaryAccessKeyByAgencyRequestBody = new CreateTemporaryAccessKeyByAgencyRequestBody().withAuth(agencyAuth);
CreateTemporaryAccessKeyByAgencyResponse createTemporaryAccessKeyByAgencyResponse = iamClient.createTemporaryAccessKeyByAgency(new CreateTemporaryAccessKeyByAgencyRequest().withBody(createTemporaryAccessKeyByAgencyRequestBody));
Credential credential = createTemporaryAccessKeyByAgencyResponse.getCredential();

/*CreateLoginToken
Obtain a login token.
Login tokens are issued to users to log in through custom identity brokers. Each login token contains identity and session information of a user.
To log in to a cloud service console using a custom identity broker URL, call this API to obtain a login token for authentication.
The default validity period of a login token is 600 seconds, that is, 10 minutes. The value ranges from 10 minutes to 12 hours. In this example, the validity period is set to 1800 seconds, that is, half an hour.
Ensure that the validity period of the login token is not greater than the remaining validity period of the security token.
When obtaining a security token with an agency, set the session_user.name parameter in the request body.
*/
CreateLoginTokenRequestBody createLoginTokenRequestBody = new CreateLoginTokenRequestBody().
		withAuth(new LoginTokenAuth().withSecuritytoken(new LoginTokenSecurityToken().
				withAccess(credential.getAccess()).
				withId(credential.getSecuritytoken()).
				withSecret(credential.getSecret()).withDurationSeconds(1800)));
CreateLoginTokenResponse createLoginTokenResponse = iamClient.createLoginToken(new CreateLoginTokenRequest().withBody(createLoginTokenRequestBody));
String loginToken = createLoginTokenResponse.getXSubjectLoginToken();

// Login URL of the custom identity broker
String authURL = "https://auth.huaweicloud.com/authui/federation/login";
// Login URL of an enterprise management system.
String enterpriseSystemLoginURL = "https://example.com/";
// Huawei Cloud service address to access.
String targetConsoleURL = "https://console.huaweicloud.com/iam/?region=cn-north-4";

// Create a FederationProxyUrl and return it to the browser through Location.
String FederationProxyUrl = authURL + "?idp_login_url=" +
		URLEncoder.encode(enterpriseSystemLoginURL, "UTF-8") +
		"&service=" + URLEncoder.encode(targetConsoleURL, "UTF-8") +
		"&logintoken=" +URLEncoder.encode(loginToken, "UTF-8");

Example Code Using Python

The following Python code shows how to create a FederationProxyUrl that gives federated users direct access to the Huawei Cloud console.

from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkcore.http.http_config import HttpConfig
from huaweicloudsdkiam.v3 import *

import urllib


# Use the global domain name to obtain a login token.
endpoint = "https://iam.myhuaweicloud.com"

# Configure client attributes.
config = HttpConfig.get_default_config()
config.ignore_ssl_verification = True
config.proxy_protocol = "https"
config.proxy_host = "proxy.huawei.com"
config.proxy_port = 8080
credentials = GlobalCredentials(ak, sk, domain_id)

# Use the domain ID (account ID), AK, and SK of userB to initialize the specified IAM client "{Service}Client". For details about how to create userB, see section "Creating an IAM User".
client = IamClient().new_builder(IamClient) \
	.with_http_config(config) \
	.with_credentials(credentials) \
	.with_endpoint(endpoint) \
	.build()

# CreateTemporaryAccessKeyByAgency
# Call the API used to obtain a temporary access key and security token with an agency.
# The default validity period of an access key and security token is 900 seconds, that is, 15 minutes. The value ranges from 15 minutes to 24 hours. In this example, the validity period is set to 3600 seconds, that is, 1 hour.
# When you obtain a login token with a specified validity period, ensure that the validity period of the login token is not greater than the remaining validity period of the security token.
# When obtaining a security token with an agency, set the session_user.name parameter in the request body.
assume_role_session_user = AssumeroleSessionuser(name="ExternalUser")
identity_assume_role = IdentityAssumerole(agency_name="testagency",
                                          domain_id="0525e2c87exxxxxxx",
					  session_user=assume_role_session_user,
					  duration_seconds=3600)
identity_methods = ["assume_role"]
body = CreateTemporaryAccessKeyByAgencyRequestBody(
	AgencyAuth(AgencyAuthIdentity(methods=identity_methods, assume_role=identity_assume_role)))
request = CreateTemporaryAccessKeyByAgencyRequest(body)
create_temporary_access_key_by_agency_response = client.create_temporary_access_key_by_agency(request)
credential = create_temporary_access_key_by_agency_response.credential

# CreateLoginToken
# Obtain a login token.
# The default validity period of a login token is 600 seconds, that is, 10 minutes. The value ranges from 10 minutes to 12 hours. In this example, the validity period is set to 1800 seconds, that is, half an hour.
# Ensure that the validity period of the login token is not greater than the remaining validity period of the security token.
login_token_security_token = LoginTokenSecurityToken(access=credential.access, secret=credential.secret,
							id=credential.securitytoken, duration_seconds=1800)
body = CreateLoginTokenRequestBody(LoginTokenAuth(login_token_security_token))
request = CreateLoginTokenRequest(body)
create_login_token_response = client.create_login_token(request)
login_token = create_login_token_response.x_subject_login_token

# Obtain a custom identity broker URL.
auth_URL = "https://auth.huaweicloud.com/authui/federation/login"
# Login URL of an enterprise management system.
enterprise_system_login_URL = "https://example.com/"
# Huawei Cloud service address to access.
target_console_URL = "https://console.huaweicloud.com/iam/?region=cn-north-4"

# Create a FederationProxyUrl and return it to the browser through Location.
FederationProxyUrl = auth_URL + "?idp_login_url=" + urllib.parse.quote(
	enterprise_system_login_URL) + "&service=" + urllib.parse.quote(
	target_console_URL) + "&logintoken=" + urllib.parse.quote(login_token)
print(FederationProxyUrl)