Updated on 2024-04-19 GMT+08:00

Enabling Custom Identity Broker Access with a Token

If the IdP of your enterprise is not compatible with SAML or OpenID Connect, you can create a custom identity broker to enable access to Huawei Cloud. You can write and run code to generate a login URL. Users in your enterprise can then use the URL to log in to Huawei Cloud. The users will be authenticated by your enterprise IdP.

If your enterprise IdP is compatible with SAML or OpenID Connect, configure identity federation to enable users in your enterprise to access Huawei Cloud through SSO.

Prerequisites

  • Your enterprise has an enterprise management system.
  • The enterprise administrator has created an account (for example, DomainA) in Huawei Cloud.

Procedure

  1. Use the DomainA account to create an IAM user (for example, UserB) by following the instructions in Creating an IAM User.
  2. (Optional) Add UserB to a user group (for example, GroupC) and grant permissions to the user group by following the instructions in Creating a User Group and Assigning Permissions.
  3. Configure the access key (recommended) or username and password of UserB in the configuration file of your enterprise IdP so that the user can obtain a user token. For account security, encrypt the password and access key before you store them.
  4. Log in to the enterprise management system and access the custom identity broker by selecting a common user from the user list. For details, see the documentation of the enterprise management system. For this example, select user UserB.

    The user list of the custom broker is the same as the IAM user list under your Huawei Cloud account. To align these IAM users with the user accounts in your enterprise, configure the IAM users' access keys (recommended) or usernames and passwords in the configuration file of the enterprise IdP.

  5. The custom identity broker uses the token of UserB to call the API POST /v3.0/OS-CREDENTIAL/securitytokens to obtain a temporary access key and security token. For details, see Obtaining a Temporary Access Key and Security Token Through a Token.
  6. The custom identity broker uses the temporary access key, security token, and global domain name of IAM (iam.myhuaweicloud.com) to call the API POST /v3.0/OS-AUTH/securitytoken/logintokens to obtain a loginToken. The value of X-Subject-LoginToken in the response header is the loginToken. For details, see Obtaining a Login Token.

    • To obtain a loginToken by calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens, use the global domain name (iam.myhuaweicloud.com) of IAM.
    • A loginToken is issued to a user to log in through a custom identity broker and contains identity and session information about the user. A loginToken is valid for 10 minutes by default.
    • You can set the validity period of a loginToken when calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens. The validity period ranges from 10 minutes to 12 hours. If the value you specify is greater than the remaining validity period of the temporary security token, the remaining validity period of the temporary security token is used.

  7. The custom identity broker generates a FederationProxyUrl and returns it to the browser in the Location response header.

    https://auth.huaweicloud.com/authui/federation/login?idp_login_url={enterprise_system_loginURL}&service={console_service_region_url}&logintoken={logintoken}

    Example:

    https://auth.huaweicloud.com/authui/federation/login?idp_login_url=https%3A%2F%2Fexample.com&service=https%3a%2f%2fconsole.huaweicloud.com%2fapm%2f%3fregion%3dcn-north-4%23%2fapm%2fatps%2ftopology&logintoken=******

    Table 1 Parameter description

    Parameter        Description
    idp_login_url    Login URL of the enterprise management system.
    service          Access address of a Huawei Cloud service.
    logintoken       LoginToken of the custom identity broker.

    For details about how to create a FederationProxyUrl, view the example provided in Creating a FederationProxyUrl Using a Token.

    The FederationProxyUrl contains the loginToken that has been obtained from IAM, and the value of each parameter in the FederationProxyUrl is encoded using URLEncode.

  8. If the loginToken is authenticated successfully, you will be automatically redirected to the Huawei Cloud service address specified in the service parameter.

    If the loginToken fails to be authenticated, you will be redirected to the address specified in idp_login_url.
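
Steps 6 and 7 on the broker side, as an added example that is not Huawei Cloud's own sample code: it reads the loginToken from the X-Subject-LoginToken header, URL-encodes every parameter value, and builds the redirect. The host allowlists, the 302 status, the Cache-Control header and all function names are assumptions of this sketch; the header value is constructed.

```python
from urllib.parse import quote, urlencode, urlsplit

FEDERATION_LOGIN = "https://auth.huaweicloud.com/authui/federation/login"
# Assumed allowlists (not from the page): hosts this broker may send users to.
ALLOWED_SERVICE_HOSTS = {"console.huaweicloud.com"}
ALLOWED_IDP_HOSTS = {"example.com"}


def checked_url(url, allowed_hosts, name):
    """Accept only https URLs on an allowlisted host, without userinfo."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise ValueError(f"{name}: not an https URL on an allowed host")
    if parts.username or parts.password:
        raise ValueError(f"{name}: userinfo is not allowed")
    return url


def login_token_from_headers(headers):
    """Step 6: the loginToken is the X-Subject-LoginToken response header."""
    for key, value in headers.items():
        if key.lower() == "x-subject-logintoken" and value:
            return value
    raise ValueError("no X-Subject-LoginToken header in the response")


def build_federation_proxy_url(idp_login_url, service, login_token):
    """Step 7: URL-encode every parameter value and append it to the login URL."""
    params = {
        "idp_login_url": checked_url(idp_login_url, ALLOWED_IDP_HOSTS, "idp_login_url"),
        "service": checked_url(service, ALLOWED_SERVICE_HOSTS, "service"),
        "logintoken": login_token,
    }
    # quote() with safe="" also encodes "/", ":", "#", "+" and "=".
    return FEDERATION_LOGIN + "?" + urlencode(params, quote_via=quote, safe="")


def redirect_response(url):
    """Return the URL to the browser through Location; it carries a live token."""
    return 302, {"Location": url, "Cache-Control": "no-store"}


if __name__ == "__main__":
    headers = {"x-subject-logintoken": "CONSTRUCTED+login/token=="}  # constructed
    url = build_federation_proxy_url(
        "https://example.com",
        "https://console.huaweicloud.com/apm/?region=cn-north-4#/apm/atps/topology",
        login_token_from_headers(headers),
    )
    status, out = redirect_response(url)
    print(status, out["Location"].split("logintoken=")[0] + "logintoken=<redacted>")
```

Because the FederationProxyUrl carries a usable loginToken, keep the full URL out of broker access logs and error messages, as the demo does when it prints a redacted form.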