Help Center/ Identity and Access Management/ User Guide/ Custom Identity Broker/ Enabling Custom Identity Broker Access with a Token
Updated on 2024-12-25 GMT+08:00

Enabling Custom Identity Broker Access with a Token

If the IdP of your enterprise is not compatible with SAML or OpenID Connect, you can create a custom identity broker to enable access to Huawei Cloud. You can write and run code to generate a login URL. Users in your enterprise can then use the URL to log in to Huawei Cloud. The users will be authenticated by your enterprise IdP.

If your enterprise IdP is compatible with SAML or OpenID Connect, configure identity federation to enable users in your enterprise to access Huawei Cloud through SSO.

Prerequisites

  • Your enterprise has an enterprise management system.
  • The enterprise administrator has created an account (for example, DomainA) in Huawei Cloud.

Procedure

  1. Use the DomainA account to create an IAM user (for example, UserB) by following the instructions in Creating an IAM User.
  2. (Optional) Add UserB to a user group (for example, GroupC) and grant permissions to the user group by following the instructions in Creating a User Group and Assigning Permissions.
  3. Configure the access key (recommended) or username and password of UserB in the configuration file of your enterprise IdP so that the user can obtain a user token. For account security, encrypt the password and access keys before you store them.
  4. Log in to the enterprise management system, access the custom identity broker by selecting a common user from the user list. For details, see the documentation of the enterprise management system. For this example, select user UserB.

    The user list of the custom broker is the same as the IAM user list under your Huawei Cloud account. To align these IAM users with the user accounts in your enterprise, configure the IAM users' access keys (recommended) or usernames and passwords in the configuration file of the enterprise IdP.

  5. The custom identity broker uses the token of userB to call the API POST /v3.0/OS-CREDENTIAL/securitytokens used to obtain a temporary access key and security token. For details, see Obtaining a Temporary Access Key and Security Token Through a Token.
  6. The custom identity broker uses the temporary access key, security token, and global domain name of IAM (iam.myhuaweicloud.com) to call the API POST /v3.0/OS-AUTH/securitytoken/logintokens for obtaining a login token. The value of X-Subject-LoginToken in the response header is a login token. For details, see Obtaining a Login Token.

    • To obtain a login token by calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens, use the global domain name (iam.myhuaweicloud.com) of IAM.
    • A login token is issued to a user to log in through a custom identity broker and contains identity and session information about the user. A login token is valid for 10 minutes by default.
    • You can set the validity period of a login token by calling the API POST /v3.0/OS-AUTH/securitytoken/logintokens. The validity period ranges from 10 minutes to 12 hours. If the value you have specified is greater than the remaining validity period of the temporary security token, the remaining validity period of the temporary security token is used.

  7. The custom identity broker generates a FederationProxyUrl and returns it to the browser through Location.

    https://auth.huaweicloud.com/authui/federation/login?idp_login_url={enterprise_system_loginURL}&service={console_service_region_url}&logintoken={logintoken}

    Example:

    https://auth.huaweicloud.com/authui/federation/login?idp_login_url=https%3A%2F%2Fexample.com&service=https%3a%2f%2fconsole.huaweicloud.com%2fapm%2f%3fregion%3dcn-north-4%23%2fapm%2fatps%2ftopology&logintoken=******
    Table 1 Parameter description

    Parameter

    Description

    idp_login_url

    Login URL of the enterprise management system.

    service

    Access address of a Huawei Cloud service.

    logintoken

    Login token of the custom identity broker.

    For details about how to create a FederationProxyUrl, view the example provided in Creating a FederationProxyUrl Using a Token.

    The FederationProxyUrl contains the login token that has been obtained from IAM, and the value of each parameter in the FederationProxyUrl is encoded using URLEncode.

  8. If the login token is authenticated successfully, federated users will be automatically redirected to the Huawei Cloud service address specified in the service parameter.

    If the login token fails to be authenticated, federated users will be redirected to the address specified in idp_login_url.