Switching to the HUAWEI CLOUD Page and Binding the HUAWEI CLOUD Account
The following describes how to bind a customer account on the partner sales platform with the HUAWEI CLOUD account on the web UI. You can create a HUAWEI CLOUD account and bind it with the customer account, or directly bind an existing HUAWEI CLOUD account with the customer account. The following scenarios are involved:
- A customer has created an account on the partner sales platform and does not have a HUAWEI CLOUD account. The customer needs to create such an account and bind it with the account on the partner sales platform.
- Before creating an account on the partner sales platform, a customer has created a HUAWEI CLOUD account. The customer needs to create an account on the partner sales platform and bind it with the HUAWEI CLOUD account.
Subsequent operations, such as product purchasing and subscription query, depend on the customer's HUAWEI CLOUD account in this scenario.
Figure 1 shows the procedure for binding a HUAWEI CLOUD account with a customer account on the partner sales platform and notifying the binding result.
- A partner's customer uses a browser to call the HUAWEI CLOUD login link. IAM sends the SAML request.
- The customer uses a browser to call the HUAWEI CLOUD login link.
https://auth-intl.huaweicloud.com/authui/saml/login?xAccountType=ZXT&isFirstLogin=true&service=https%3a%2f%2fconsole-intl.huaweicloud.com%2fiam%2f
Parameter
Mandatory
Description
Example
xAccountType
Yes
Indicates the identifier of the partner sales platform, which is globally unique. The value is provided by Huawei. After the partner configures the access parameters on the Partner Center page, the partner ID is generated. For details about how to obtain the platform ID, see How Do I Obtain the xaccountType Value?
ZXT
isFirstLogin
No
If no HUAWEI CLOUD account is bound, this parameter is mandatory and must be set to true. Otherwise, the value can be left empty or set to false.
true
service
No
Indicates the redirection address after login.
The encodeURIComponent function is used for coding.
https%3a%2f%2fconsole-intl.huaweicloud.com%2fiam%2f
- IAM receives the login request of the partner's customer, locates the SingleSignOnService configuration item in the IDP Metadata.xml file based on the xAccountType value, and sends the samlRequest request to the required path.
Parameter
Description
SAMLRequest
Indicates the response message body.
The response message is in XML format. IAM then compresses the message, encodes the message using Base64, and URL encodes the message.
- If the partner uses the SAML toolkits, this parameter can be directly used. The partner does not need to parse the XML file.
- If the partner needs to parse the XML file, the partner needs to URL decode the message, decode the message using Base64, and decompress the message (zip.inflate). For details, see Sample Code for Parsing the SAMLRequest.
RelayState
Indicates the response parameters for SAML.
SigAlg
Indicates the signature algorithm. Huawei uses SHA256 for signatures by default.
HTTP://WWW.W3.ORG/2001/04/XMLDSIG-MORE#RSA-SHA256
Signature
Indicates the signature. The signature is used to verify the initiator of a request.
When initiating a request, HUAWEI CLOUD uses the private key to sign SAMLRequest={ SAMLRequest }&RelayState={ RelayState } &SigAlg={ SigAlg } in request https://www.test.com/saml/login?SAMLRequest={SAMLRequest }&RelayState={ RelayState} &SigAlg={ SigAlg}&Signature={ Signature } and then performs Base64 coding to obtain the signature value.
The signature algorithm is specified by the SigAlg field.
When receiving the request, the receiver verifies the signature value using the public key provided by HUAWEI CLOUD (the value in the <ds:X509Certificate></ds:X509Certificate> tag in the SP Metadata.xml file).
If the signature verification succeeds, the request is sent by HUAWEI CLOUD, and the follow-up operations can be performed. Otherwise, the request is invalid.
- The customer uses a browser to call the HUAWEI CLOUD login link.
- The partner sales platform generates the SAML response message and sends it to HUAWEI CLOUD IAM.
- The partner sales platform obtains the HUAWEI CLOUD public key and the response message path of samlResponse from the SP Metadata.xml file. For details, see Example, Public Key, and Response Path in Obtaining the SP Metadata File.
- The partner sales platform constructs the response message body response.xml for the SAML response.
The response message body is in XML format. For the correct response message body and its parameter description, see the following displayed content.
The following content is for reference only. The description in the comments must be modified. The time and ID defined by SAML vary depending on the message. Therefore, it is recommended that you should not directly modify the response message content. Instead, you shall use the SAML toolkits to generate the response message.
<?xml version="1.0" encoding="UTF-8"?> <!-- Parameter InResponseTo needs to be the same as the ID configuration item of AuthnRequest in the SAML request message. --> <!-- Parameter Destination needs to be the same as the Location value in the AssertionConsumerService tag in the SP Metadata.xml file. --> <saml2p:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" ID="_d794dc393ae6724e236003bf0b917cf0" Destination="https://auth.huaweicloud.com/authui/saml/SAMLAssertionConsumer" InResponseTo="_dck4mm08qmdhc8k4nuir07hghetdqqg8umg5" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> <!-- Must be the same as the entityID value in the IDP Metadata.xml file. --> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.test.com</saml2:Issuer> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> <saml2p:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</saml2p:StatusMessage> </saml2p:Status> <saml2:Assertion ID="_2320c40ac7b5e857b2d0d4ea0c8758c3" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <!-- Must be the same as the entityID value in the IDP Metadata.xml file. --> <saml2:Issuer>https://www.test.com</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <!-- The value after "URI #" must be the same as the ID in the Assertion tag. --> <ds:Reference URI="#_2320c40ac7b5e857b2d0d4ea0c8758c3"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <!-- The value of DigestValue is the digest of the Assertion tag object. The digest algorithm is the same as that of DigestMethod. --> <ds:DigestValue>rFxrycznfGNYOnprZIFJJou4ro0Mz65+43MIR5F0+H4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <!-- Partner signature value. For details about how to obtain the value, see the following description. --> <ds:SignatureValue> YqTWQngAPfGqQmWa610PM7LeefqWdKuveUVINrqL67NoHJIDa2WxLwdVzoJIlJh64QiNPr6+ndmL DCMgIC5F/9ijuzhIICZcc6lHNIjy6EsPkKRjfo9oeoVAqLgG/kmVQYeHLBID0y11RNXXpAVY4nhJ 26KiIVGt7ywyKAmhichE+eW/UYAGiOI5vkfgD2gZUGV+yPkv64k7xK4yAH3mL2NaCPuw/90e4enm iUx0YuazDwM5FiRUSMpcJs0rcNmS6clWAUcCzbOx+y2vJGtTjHb7k3UsmpnTop5eYNp94+sDPEat 8FaV4SgafMEL5z54gpe8+//9yOWEvlBs1b0RYg== </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <!-- Partner public key certificate. The certificate must be the one specified in the IDP Metadata.xml file. --> <ds:X509Certificate> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhK3L160NjP9EhBGQOC2s4r+Wc62bkRkc nUxfhiZwCwJdQCykzuLOAoATnfoEamV5W25xtSS5kFs+4OC0mYVpKcI3SWoydX+UE5Qik5UfJ8Dt G1AvSEKhSluyO9axrV5Uv089jMxBnlm/R+xND73WcZM11yIbKJEZSTCEDfh+KnFbMw108umFMden RZCrNWUJoSp/90XeG0V2Nmj7Fkq72skSifwIASLRq9KqLbmh1QwUX+AoWpHK/jRUBustMBmG1n1i AqpD4EBjjBOB27k1wXZ30+IoJt8IZmfSZRFoNn5VFWXNeEmZ1aQvGSvd3Tyyw2/Wr+w/8Mags69C mpeX6QIDAQAB </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2:Subject> <!-- The value of NameQualifier must be the same as the entityID value in the SP Metadata.xml file. --> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://auth.huaweicloud.com/">Some NameID value</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <!-- Parameter InResponseTo needs to be the same as the ID configuration item of AuthnRequest in the samlRequest message. --> <saml2:SubjectConfirmationData InResponseTo="_dck4mm08qmdhc8k4nuir07hghetdqqg8umg5" NotBefore="2018-10-28T08:21:41.740Z" NotOnOrAfter="2018-11-01T08:21:41.740Z" Recipient="https://auth.huaweicloud.com/authui/saml/SAMLAssertionConsumer" /> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2018-10-28T08:21:41.740Z" NotOnOrAfter="2018-11-01T08:21:41.740Z"> <saml2:AudienceRestriction> <!-- Must be the same as the entityID value in the SP Metadata.xml file. --> <saml2:Audience>https://auth.huaweicloud.com/</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AttributeStatement> <!-- For values between<saml2:AttributeValue> and </saml2:AttributeValue>, see the following table. --> <saml2:Attribute FriendlyName="xUserId" Name="xUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">*******</saml2:AttributeValue> </saml2:Attribute> <!-- The values of xAccountId and xUserId must be the same. --> <saml2:Attribute FriendlyName="xAccountId" Name="xAccountId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">********</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="bpId" Name="bpId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">******</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string" /> </saml2:Attribute> <saml2:Attribute FriendlyName="name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">******</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="mobile" Name="mobile" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">*****</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> <saml2:AuthnStatement AuthnInstant="2018-10-30T08:21:41.741Z"> <!-- Must be the same as the entityID value in the SP Metadata.xml file. --> <saml2:SubjectLocality Address="https://auth.huaweicloud.com/" /> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> </saml2:Assertion> </saml2p:Response>
The partner signature value is in standard XML format, and the signature type is enveloped-signature. You are advised to use the SAML library provided by a third party for signature.
The signature procedure is as follows.
- Obtain the signature object (Assertion).
<saml2:Assertion ID="_2320c40ac7b5e857b2d0d4ea0c8758c3" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> ...... </saml2:Assertion>
- Obtain the tag object (Signature).
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256" /> <ds:Reference URI="#_2320c40ac7b5e857b2d0d4ea0c8758c3"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" /> <ds:DigestValue>......</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <!-- Third-party signature value --> <ds:SignatureValue> ...... </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <!-- Third-party public key certificate --> <ds:X509Certificate> ...... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature>
- Generate the DigestValue value for the signature object Assertion.
- Convert Assertion according to the algorithm defined in Transform of Signature.
- Generate a digest for the object obtained in 1) according to the algorithm specified in DigestMethod.
- Place the generated digest value in the DigestValue tag.
- Use the private key in Step 6 in Generating a Certificate to generate the SignatureValue value for the SignedInfo object signature.
- Convert SignedInfo according to the algorithm defined in CanonicalizationMethod
- Generate the signature value for the object obtained in 1) according to the signature algorithm defined in SignatureMethod. Place the obtained signature value in SignatureValue.
- Combine the values of DigestValue and SignatureValue to form the final Signature object. Place the value in Assertion as its sub-element.
The signature is displayed as follows.
<saml2:Assertion ID="_2320c40ac7b5e857b2d0d4ea0c8758c3" IssueInstant="2018-10-30T08:21:41.740Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> ...... <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> ...... <!-- Third-party signature value --> <ds:SignatureValue> ...... </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <!-- Third-party public key certificate --> <ds:X509Certificate> ...... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </saml2:Assertion>
Table 1 Description of parameters between <saml2:AttributeValue> and </saml2:AttributeValue> Parameter
Description
xUserId
Indicates the user ID of the partner's customer on the partner sales platform.
xAccountId
Indicates the account ID of the partner's customer on the partner sales platform.
bpId
Indicates the partner ID.
For details, see How Do I Check the Partner ID?
email
Indicates the email address.
This parameter is optional.
The parameter must meet the following requirements:
- Must be unique for each customer.
- A maximum of 64 characters
- Passes the verification using the following regular expression: ^[azA-Z0-9.!#$%&'*+\\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[azA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$
name
Indicates the HUAWEI CLOUD account name of the partner.
This parameter is optional.
The parameter must meet the following requirements:
- Must be 5 to 32 characters long.
- Can contain only letters, digits, hyphens (-), and underscores (_), and cannot start with a digit. Can contain spaces in the middle.
- Passes the verification using the following regular expression: ^([a-zA-Z\\_\\- ][0-9a-zA-Z\\_\\- ]*)+$
Table 1 involves the account ID and user ID because HUAWEI CLOUD IAM has account and user concepts. For details about the two concepts, see "Account" and "IAM User" in Basic Concepts.
- Obtain the signature object (Assertion).
- If the customer has logged in to the partner sales platform, the SAML response message is returned directly. Otherwise, the SAML response message is displayed after the login.
Send a POST request to the HUAWEI CLOUD response path AssertionConsumerService in 2.a. The parameters must be in the Form Data format.
Parameter
Description
SAMLResponse
Identifies the string obtained by encoding the SAML response message body in 2.b using Base64.
RelayState
The value of this parameter is the same as that in the SAML request message.
- Create a HUAWEI CLOUD account and bind it with the customer account on the partner sales platform.
After the SAML response message is returned, IAM checks whether there is a HUAWEI CLOUD account already bound with the customer account on the partner sales platform based on the response message. If the required HUAWEI CLOUD account exists, the partner can directly log in to HUAWEI CLOUD. If the required HUAWEI CLOUD account does not exist, the page for creating and binding a HUAWEI CLOUD account is displayed.
- Figure 2 shows the page for creating a HUAWEI CLOUD account. The partner configures the required parameters on the page for creating a HUAWEI CLOUD account and clicks Create And Bind to create a HUAWEI CLOUD account and bind the account with the customer account on the partner sales platform.
- If the partner's customer already has a HUAWEI CLOUD account, click Bind Account on the page shown in Figure 3. On the displayed page, configure the required parameters as prompt and click Bind Account to bind the HUAWEI CLOUD account with the customer account on the partner sales platform.
The customer cannot bind its customer account on the partner sales platform to its existing HUAWEI CLOUD account if this account is in one of the following conditions:
- In arrears
- Associated to another partner
- Used to sign a special contract with HUAWEI CLOUD, such as offline directly-signed contract, authorized telemarketing contract with discounts, or directly-signed special offer contract) with HUAWEI CLOUD
- A consulting partner account in use or pending approval
- An enterprise subaccount or an enterprise primary account associated with an enterprise subaccount
- Containing consumption records or resource provisioned
- Containing valid reserved instances
- HUAWEI CLOUD notifies the account binding result using the binding notification API provided by the partner through browser redirection.
- Obtain the request parameters bindRequest, SigAlg, and Signature.
- Decode the signature using Base64 and use the signature algorithm SigAlg to perform signature verification for the bindRequest parameters.
HUAWEI CLOUD uses the private key used for SAML interconnection to verify the signature. The partner uses the public key (value of the <ds:X509Certificate></ds:X509Certificate> tag in the SP Metadata.xml file) used by HUAWEI CLOUD for SAML interconnection to verify the signature.
- If the signature verification succeeds, decode the binding request using Base64 to obtain JSON strings and perform required operations based on the JSON data processing procedure. If the signature verification fails, the request is invalid and the processing is terminated.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot