
Accessing Tencent Cloud Console as SAML 2.0 Federated Users

Last updated: 2024-01-26 17:54:37

Scenario

Tencent Cloud supports federated identity authentication based on SAML 2.0 (Security Assertion Markup Language 2.0), an open standard used by many Identity Providers (IdPs). By integrating IdPs with Tencent Cloud through SAML 2.0 federated identity authentication, you can enable automatic login (Single Sign-On) to the Tencent Cloud Console for IdP users to manage Tencent Cloud resources, eliminating the need to create a CAM sub-user for each member of your enterprise or organization.

Instructions

This process creates one or more roles that IdP users assume to log in to the Tencent Cloud console. Once granted permissions, those users can manage the root account's resources in the console within the scope of those permissions.
1. The user opens the IdP's portal in a browser and chooses to be redirected to the Tencent Cloud console.
2. The portal verifies the identity of the current user.
3. On successful verification, the portal generates a SAML 2.0 authentication response containing assertions that identify the user and carry related attributes. This response is sent to the client's browser.
4. The client browser is redirected to the Tencent Cloud SSO endpoint and posts the SAML assertion to it.
5. The endpoint requests temporary security credentials on behalf of the user and builds a console login URL that uses these credentials.
6. Tencent Cloud returns the login URL to the user's client as a redirect.
7. The client browser is redirected to the Tencent Cloud console. If the SAML 2.0 authentication response includes attributes mapped to multiple CAM roles, the user is first prompted to select the role to use for console access.
From the user's perspective, the entire process is transparent: users start on your organization's internal portal and end up in the Tencent Cloud Console without providing any Tencent Cloud credentials. For an overview of how to configure this behavior and links to detailed steps, see the following sections.

Configuring SAML 2.0-based IdP in organization

Within your enterprise organization, configure your identity store to use a SAML 2.0-based IdP such as Azure Active Directory, OneLogin, or Okta. Using that IdP, you can generate a metadata document that describes your organization as an IdP and contains its authentication keys. This configures your organization's portal to route user requests for the Tencent Cloud Console to Tencent Cloud endpoints, where they are authenticated using SAML 2.0 assertions. How you configure your IdP to generate a metadata.xml file depends on the IdP. See your IdP's documentation for instructions, or see the following documents.

Creating SAML IdP in CAM

You can create a SAML 2.0 IdP in the Cloud Access Management (CAM) Console. This IdP is an entity in CAM that can be thought of as a collection of trusted external accounts. A SAML 2.0 federated IdP describes an IdP service that supports the SAML 2.0 (Security Assertion Markup Language 2.0) standard. During creation, you upload the IdP metadata document generated in Configuring SAML 2.0-based IdP in organization. For more details, see Create IdP.

Configuring permissions in Tencent Cloud for SAML provider user

You can create a role to establish a trust relationship between your enterprise's IdP and Tencent Cloud. In the context of a SAML 2.0 assertion, this role can be assigned to federated users whose identities have been authenticated by the IdP. This role allows the IdP to request temporary security credentials for accessing Tencent Cloud resources. During this process, you can associate policies with the role and set conditions for its use, thereby determining the scope and conditions of access for federated users to Tencent Cloud resources. For more details, see Create a Role for Your IdP.

Configuring SSO for IdP

Download and save the Tencent Cloud federation metadata XML document from http://cloud.tencent.com/saml.xml. Map your organization's IdP attributes to Tencent Cloud's attributes to establish the trust relationship between your IdP and Tencent Cloud. How this file is installed depends on your IdP. Some providers let you enter the URL, in which case the IdP retrieves and installs the file for you. Others require you to download the file from this URL and supply it as a local file. See your IdP's documentation for instructions, or see the following documents.

Sample SAML response

Below is a sample SAML response:
<samlp:Response>
  <saml:Issuer>...</saml:Issuer>
  <ds:Signature>
    ...
  </ds:Signature>
  <samlp:Status>
    ...
  </samlp:Status>
  <saml:Assertion>
    <saml:Issuer>...</saml:Issuer>
    <saml:Subject>
      <saml:NameID>${NameID}</saml:NameID>
      <saml:SubjectConfirmation>
        ...
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>${Audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement>
      ...
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName">
        ...
      </saml:Attribute>
      <saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role">
        ...
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
The AttributeStatement element of a SAML assertion must contain the following Attribute elements required by Tencent Cloud:
1. An Attribute element whose Name attribute is https://cloud.tencent.com/SAML/Attributes/Role. This element is mandatory and may appear more than once. Each AttributeValue it contains represents a role that the current user is allowed to assume. The value is the role's ARN and the IdP's ARN, separated by a comma (,).
Note
If there are multiple roles, they will be listed for the user to choose from when logging in to the console.
Below is a sample Role Attribute element:
<Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role">
  <AttributeValue>qcs::cam::uin/{AccountID}:roleName/{RoleName1},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName1}</AttributeValue>
  <AttributeValue>qcs::cam::uin/{AccountID}:roleName/{RoleName2},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName2}</AttributeValue>
</Attribute>
If all roles use the same IdP, you can combine them into a single value, separating the ARNs of the different roles with a semicolon (;):
<Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role">
  <AttributeValue>qcs::cam::uin/{AccountID}:roleName/{RoleName1};qcs::cam::uin/{AccountID}:roleName/{RoleName2},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName}</AttributeValue>
</Attribute>
Note
In the Role source attribute, replace {AccountID}, {RoleName}, and {ProviderName} as follows:
Replace {AccountID} with your Tencent Cloud primary account ID, which you can view in Account Information in the console.
Replace {RoleName} with the name of the role you created for the IdP in Tencent Cloud (see Create a Role for Your IdP). You can view the role name in Roles in the console.
Replace {ProviderName} with the name of the SAML IdP you created in Tencent Cloud. You can view this in the IdP console.
2. An Attribute element whose Name attribute is https://cloud.tencent.com/SAML/Attributes/RoleSessionName. This element is mandatory and must appear exactly once. Its value is user-defined and must not exceed 32 characters. Below is a sample RoleSessionName Attribute element; in this example, "userName" can be replaced with your own custom value:
<Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName">
  <AttributeValue>userName</AttributeValue>
</Attribute>
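As an added example (not Tencent Cloud's own validation code), the following Python parses the AttributeStatement of an assertion and enforces the two attribute rules described above: every Role value must be one or more role ARNs joined by ";" followed by "," and the IdP ARN, the roles must belong to the same account as the provider, and RoleSessionName must appear exactly once with at most 32 characters. It assumes the standard SAML 2.0 assertion namespace and numeric account IDs; the account ID, role and provider names in the embedded sample are constructed placeholders.

```python
import re
from xml.etree import ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://cloud.tencent.com/SAML/Attributes/Role"
SESSION_ATTR = "https://cloud.tencent.com/SAML/Attributes/RoleSessionName"
# ARN shapes follow the Role attribute samples above; a numeric account ID (uin) is assumed.
ROLE_ARN = re.compile(r"^qcs::cam::uin/(\d+):roleName/[^,;]+$")
PROVIDER_ARN = re.compile(r"^qcs::cam::uin/(\d+):saml-provider/[^,;]+$")

def parse_role_value(value):
    """Split '<roleArn>[;<roleArn>...],<providerArn>' into (role_arn, provider_arn) pairs."""
    if value.count(",") != 1:
        raise ValueError("Role value needs exactly one comma: %r" % value)
    roles, provider = (p.strip() for p in value.split(","))
    pm = PROVIDER_ARN.match(provider)
    if not pm:
        raise ValueError("bad saml-provider ARN: %r" % provider)
    pairs = []
    for role in (r.strip() for r in roles.split(";")):
        rm = ROLE_ARN.match(role)
        if not rm or rm.group(1) != pm.group(1):  # role must live in the provider's account
            raise ValueError("bad or foreign-account role ARN: %r" % role)
        pairs.append((role, provider))
    return pairs

def extract_role_mappings(assertion_xml):
    """Return ({role_arn: provider_arn}, session_name) from a SAML <Assertion> element."""
    root = ET.fromstring(assertion_xml)
    mappings, session = {}, None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        if attr.get("Name") == ROLE_ATTR:
            for v in values:
                mappings.update(parse_role_value(v))  # Role may carry several values
        elif attr.get("Name") == SESSION_ATTR:
            if session is not None or len(values) != 1 or not 0 < len(values[0]) <= 32:
                raise ValueError("RoleSessionName must appear exactly once, 1..32 chars")
            session = values[0]
    if not mappings or session is None:
        raise ValueError("Role and RoleSessionName attributes are both required")
    return mappings, session

# Constructed sample assertion: account ID, role names and provider name are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role"><saml:AttributeValue>qcs::cam::uin/100000000001:roleName/ReadOnly;qcs::cam::uin/100000000001:roleName/Ops,qcs::cam::uin/100000000001:saml-provider/CorpIdP</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

Running `extract_role_mappings(SAMPLE)` yields two role-to-provider mappings and the session name "alice"; a value whose role and provider account IDs differ, or a session name longer than 32 characters, raises ValueError.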