Scenario
When Tencent Cloud and an enterprise implement user SSO, Tencent Cloud acts as the Service Provider (SP), while the enterprise's own identity management system serves as the IdP. Through user SSO, once enterprise employees log in, they access Tencent Cloud as CAM sub-users.
Instructions
Configuration Workflow
Before implementing user-based SSO, you must establish trust between Tencent Cloud and your IdP by configuring Security Assertion Markup Language (SAML) on both sides.
1. Configure your IdP in Tencent Cloud.
Objective: To establish trust between Tencent Cloud and your enterprise's IdP.
For specific configuration steps, see Configure SAML for Tencent Cloud SP.
2. Configure Tencent Cloud as a trusted SP in your IdP and configure the SAML assertion attributes.
Objective: To establish trust from the enterprise IdP towards Tencent Cloud.
For specific configuration steps, see Configuring SAML for Enterprise IdP.
3. In the Cloud Access Management console, or via an API call, the enterprise creates a CAM sub-user whose name exactly matches the user's name in the enterprise IdP.
Objective: To provide the sub-users that subsequent SSO logins are mapped to.
For detailed configuration operations, see Create a Sub-User.
Login and verification process
Once the user SSO configuration above is complete, users in the enterprise IdP can log in to Tencent Cloud via SSO and access the resources they are authorized for. For example, the login and verification process for a user named "user1" is as follows:
1. "user1" initiates user-based SSO login on the sub-user login page.
2. Tencent Cloud returns a SAML authentication request to the browser.
3. The browser forwards the SAML authentication request to the IdP.
4. The IdP authenticates user1 and, once authentication succeeds, returns the generated SAML response to the browser.
5. The browser forwards the SAML response to Tencent Cloud.
6. Tencent Cloud verifies the authenticity and integrity of the SAML assertion based on the SAML mutual trust configuration, and then maps the value of the NameID element in the SAML assertion to the CAM sub-user.
7. After successful verification and mapping, Tencent Cloud returns the URL of the Tencent Cloud console to the browser, and user1 is logged in to the console.
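The SP-side checks behind step 6 and the exact-name mapping required by step 3, as an added example that is not Tencent Cloud's code: the IdP and SP entity IDs, the SAML response and the sub-user list are all constructed, and XML signature verification (the authenticity check) is assumed to be done by a SAML library before these checks run.

```python
"""Constructed example, not Tencent Cloud's code: the SP-side checks of step 6. XML signature
verification (authenticity) is assumed done by a SAML library first; all IDs here are made up."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

TRUSTED_IDP = "https://idp.example.com/metadata"   # assumed IdP entity ID
SP_ENTITY_ID = "https://sp.example.com/metadata"   # assumed SP entity ID
# Constructed CAM sub-users; step 3 requires the sub-user name to equal the IdP user name.
CAM_SUB_USERS = {"user1", "user2"}

# Constructed SAML response as forwarded by the browser in step 5 (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def map_assertion_to_sub_user(xml_text, now_iso):
    """Return the CAM sub-user for this assertion, or raise ValueError if any check fails."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_IDP:                      # only the configured IdP may assert
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:              # assertion must be meant for this SP
        raise ValueError("assertion not addressed to this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in CAM_SUB_USERS:               # exact, case-sensitive match
        raise ValueError(f"no CAM sub-user named {name_id!r}")
    return name_id
```

A NameID that differs from the sub-user name only in case, an expired assertion, or one addressed to another SP is rejected rather than mapped. In production, parse untrusted SAML with a hardened XML parser (for example defusedxml) and verify the XML signature before running these checks.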