Enabling Custom Identity Broker Access with a Token

Prerequisites

• Your enterprise has an enterprise management system.
• The enterprise administrator has created an account (for example, DomainA) in Huawei Cloud.

Procedure

1. Use the DomainA account to create an IAM user (for example, UserB) by following the instructions in Creating an IAM User.
2. (Optional) Add UserB to a user group (for example, GroupC) and grant permissions to the user group by following the instructions in Creating a User Group and Assigning Permissions.
3. Configure the access key (recommended) or username and password of UserB in the configuration file of your enterprise IdP so that the user can obtain a user token. For account security, encrypt the password and access keys before you store them.
4. Log in to the enterprise management system, access the custom identity broker by selecting a common user from the user list. For details, see the documentation of the enterprise management system. For this example, select user UserB.
   

   The user list of the custom broker is the same as the IAM user list under your Huawei Cloud account. To align these IAM users with the user accounts in your enterprise, configure the IAM users' access keys (recommended) or usernames and passwords in the configuration file of the enterprise IdP.

5. The custom identity broker uses the token of userB to call the API POST /v3.0/OS-CREDENTIAL/securitytokens used to obtain a temporary access key and security token. For details, see Obtaining a Temporary Access Key and Security Token Through a Token.
6. The custom identity broker uses the temporary access key, security token, and global domain name of IAM (iam.myhuaweicloud.com) to call the API POST /v3.0/OS-AUTH/securitytoken/logintokens for obtaining a login token. The value of X-Subject-LoginToken in the response header is a login token. For details, see Obtaining a Login Token.
   

   • To obtain a login token by calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens, use the global domain name (iam.myhuaweicloud.com) of IAM.
   • A login token is issued to a user to log in through a custom identity broker and contains identity and session information about the user. A login token is valid for 10 minutes by default.
   • You can set the validity period of a login token by calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens. The validity period ranges from 10 minutes to 12 hours. If the value you have specified is greater than the remaining validity period of the temporary security token, the remaining validity period of the temporary security token is used.

7. The custom identity broker generates a FederationProxyUrl and returns it to the browser through Location.

   https://auth.huaweicloud.com/authui/federation/login?idp_login_url={enterprise_system_loginURL}&service={console_service_region_url}&logintoken={logintoken}

   Example:

   https://auth.huaweicloud.com/authui/federation/login?idp_login_url=https%3A%2F%2Fexample.com&service=https%3a%2f%2fconsole.huaweicloud.com%2fapm%2f%3fregion%3dcn-north-4%23%2fapm%2fatps%2ftopology&logintoken=******

   Table 1 Parameter description

   Parameter	Description
   idp_login_url	Login URL of the enterprise management system.
   service	Access address of a Huawei Cloud service.
   logintoken	Login token of the custom identity broker.

   For details about how to create a FederationProxyUrl, view the example provided in Creating a FederationProxyUrl Using a Token.

   

   The FederationProxyUrl contains the login token that has been obtained from IAM, and the value of each parameter in the FederationProxyUrl is encoded using URLEncode.

8. If the login token is authenticated successfully, federated users will be automatically redirected to the Huawei Cloud service address specified in the service parameter.

   If the login token fails to be authenticated, federated users will be redirected to the address specified in idp_login_url.