Updated on 2024-07-26 GMT+08:00

Step 1: Create an IdP Entity

To establish a trust relationship between an enterprise IdP and the cloud platform, create an IdP entity and configure authorization information on the IAM console, and set the user redirect URLs and create OAuth 2.0 credentials in the enterprise IdP.

Prerequisites

  • The enterprise administrator has created an account on the cloud platform, and has created user groups and assigned permissions to the group in IAM. For details, see Creating a User Group and Assigning Permissions. The user groups created in IAM will be mapped to federated users so that the federated users can obtain the permissions of the user groups to use cloud resources.
  • The enterprise administrator has read the help documentation of the enterprise IdP or has understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain an enterprise IdP's OAuth 2.0 credentials, see the IdP help documentation.

Creating OAuth 2.0 Credentials in the Enterprise IdP

  1. Set redirect URLs in the enterprise IdP so that users can be redirected to the OpenID Connect IdP on the cloud platform.
  2. Obtain OAuth 2.0 credentials of the enterprise IdP.

    The configurations vary depending on the enterprise IdP. For details about the required configurations, see the documentation of the enterprise IdP.

Creating an IdP Entity on the Cloud Platform

Create an IdP entity and configure authorization information in IAM.

  1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.

    Figure 1 Creating an IdP entity

  2. Enter an IdP name, select OpenID Connect and Enabled, and click OK.

    The IdP name must be unique under your account.

Configuring Authorization Information on the Cloud Platform

  1. Click Modify in the Operation column of the row containing the IdP you want to modify.
  2. Select an access type.

    Table 1 Access type description

    Access Type

    Description

    Programmatic access and management console access

    • Programmatic access: Federated users can use development tools (including APIs, CLI, and SDKs) that support key authentication to access the cloud platform.
    • Management console access: Federated users can log in to the management console by using their own usernames and passwords.

      Select this access type if you want users to access the cloud platform through SSO.

    Programmatic access

    Federated users can only use development tools (including APIs, CLI, and SDKs) that support key authentication to access the cloud platform.

  3. Specify the configuration information.

    Table 2 Configuration information

    Parameter

    Description

    Identity Provider URL

    URL of the OpenID Connect IdP.

    Specify this parameter as the value of issuer in the Openid-configuration.

    NOTE:

    Openid-configuration indicates a URL defined in OpenID Connect, containing configurations of an enterprise IdP. The URL format is https://{base URL}/.well-known/openid-configuration, where base URL is defined by the enterprise IdP. For example, the Openid-configuration of Google is https://accounts.google.com/.well-known/openid-configuration.

    Client ID

    ID of a client registered with the OpenID Connect IdP. The client ID is an OAuth 2.0 credential created in the enterprise IdP.

    Authorization Endpoint

    Authorization endpoint of the OpenID Connect IdP. Specify this parameter as the value of authorization_endpoint in the Openid-configuration.

    This parameter is required only if you set Access Type to Programmatic access and management console access.

    Scopes

    Scopes of authorization requests. openid is selected by default.

    This parameter is required only if you set Access Type to Programmatic access and management console access.

    Enumerated values:

    • openid
    • email
    • profile

    Response Type

    Response type of authorization requests. The default value is id_token.

    This parameter is required only if you set Access Type to Programmatic access and management console access.

    Response Mode

    Response mode of authorization requests. The options include form_post and fragment. form_post is recommended.

    This parameter is required only if you set Access Type to Programmatic access and management console access.

    Signing Key

    Public key used to sign the ID token of the OpenID Connect IdP. For account security purposes, change the signing key periodically.

  4. Click OK.

Verifying the Federated Login

  1. Click the login link displayed on the IdP details page and check if the login page of the enterprise IdP server is displayed.

    1. On the Identity Providers page, click Modify in the Operation column of the IdP.
    2. Copy the login link displayed on the Modify Identity Provider page and visit the link using a browser.
    3. If the enterprise IdP login page is not displayed, check the configurations of the IdP and the enterprise IdP server.

  2. Enter the username and password of a user that was created in the enterprise management system.

    • If the login is successful, add the login link to the enterprise's website.
    • If the login fails, check the username and password.

    Federated users can only access the cloud platform by default. To assign permissions to federated users, configure identity conversion rules. For more information, see Step 2: Configure Identity Conversion Rules.

Related Operations

  • Viewing IdP information: In the IdP list, click View in the row containing the IdP, and view its basic information, metadata configuration, and identity conversion rules.

    To modify the configuration of an IdP, click Modify at the bottom of the details page.

  • Modifying an IdP: In the IdP list, click Modify in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.
  • Deleting an IdP: In the IdP list, click Delete in the row containing the IdP, and click Yes in the displayed dialog box.

Follow-Up Procedure