Enabling Federation to HUAWEI CLOUD Using Windows ADFS and SAML

Posted by 彩色的云 on 2022/08/29 20:43:29

Abstract: This article uses Active Directory Federation Services (ADFS) as an example of an enterprise IdP system to illustrate how to configure users to access Huawei's cloud systems.

Introduction to Identity Provider (IdP)

HUAWEI CLOUD provides the identity provider function to implement federated identity authentication based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise management system to access HUAWEI CLOUD through single sign-on (SSO).
HUAWEI CLOUD IAM supports two types of federated identity authentication:

  • Web SSO: Browsers are used as the communication media. This authentication type enables common users to access HUAWEI CLOUD using browsers.
  • API calling: Development tools (such as OpenStack Client and Shibboleth ECP Client) are used as the communication media. This authentication type enables enterprise users and common users to access HUAWEI CLOUD by calling APIs.

This article uses Active Directory Federation Services (ADFS) as an example of an enterprise IdP system to illustrate how to configure users to access Huawei's cloud systems.

1. Preparation

Before getting started, ensure that:

  • You have a Windows Domain Controller (with both Active Directory Domain Service and Active Directory Certificate Service).
  • You have a Windows Domain Administrator account and password.
  • You have a HUAWEI CLOUD account.

2. Installing Active Directory Federation Services (AD FS)

[Screenshots of the installation steps omitted]

3. Configuring AD FS

3.1 Connecting to Active Directory Domain Services (AD DS)

[Screenshots of the configuration steps omitted]

3.2 Adding Relying Party Trust with HUAWEI CLOUD

  1. Obtain the metadata from the HUAWEI CLOUD website (https://auth.huaweicloud.com/authui/saml/metadata.xml) and save it as HC-metadata.xml to a local directory.
  2. Configure the trust relationship.

[Screenshots of the Add Relying Party Trust wizard omitted]

3.3 Editing Claim Rules for HUAWEI CLOUD


In this tutorial, we add two claim rules. rule01 looks up the signed-in Windows account's sAMAccountName in Active Directory and adds it to the pipeline as a nameidentifier claim (add, not issue, so it is not sent on its own); rule02 issues that claim as the SAML NameID, marking it with the transient NameID format and the SPNameQualifier of HUAWEI CLOUD.

Name: rule01
Rule details:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

Name: rule02
Rule details:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://auth.huaweicloud.com/");
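The following Python script is an added example, not part of the original article or of AD FS: it inspects a SAML response and checks that the Subject's NameID carries exactly what rule01 and rule02 above are meant to produce (the sAMAccountName as value, the transient Format, and the HUAWEI CLOUD SPNameQualifier). The two responses embedded in it are constructed, unsigned samples with a placeholder AD FS host name; a real response is signed, and its signature must be verified before any of its content is trusted.

```python
# Added example (not from the original article): verify the NameID that AD FS
# issues after the two claim rules are in place. Samples are constructed.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# The two claim properties that rule02 sets on the nameidentifier claim.
EXPECTED_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EXPECTED_SP_QUALIFIER = "https://auth.huaweicloud.com/"

# Constructed sample (unsigned, trimmed to Issuer and Subject): the NameID shape
# after rule01 resolved sAMAccountName and rule02 issued it with the 'format'
# and 'spnamequalifier' properties. The issuer host is a placeholder.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                   SPNameQualifier="https://auth.huaweicloud.com/">alice</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of a typical misconfiguration: the Properties[...] parts of
# rule02 left out, so the NameID has neither Format nor SPNameQualifier.
BAD_RESPONSE = (
    GOOD_RESPONSE
    .replace('Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"', "")
    .replace('SPNameQualifier="https://auth.huaweicloud.com/"', "")
)


def check_nameid(response_xml: str) -> dict:
    """Inspect Assertion/Subject/NameID and report deviations from what rule01
    and rule02 should produce. 'problems' is empty when everything matches."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return {"format": None, "sp_name_qualifier": None, "value": "",
                "problems": ["assertion has no Subject/NameID"]}
    fmt = name_id.get("Format")
    spq = name_id.get("SPNameQualifier")
    value = (name_id.text or "").strip()
    problems = []
    if fmt != EXPECTED_FORMAT:
        problems.append(f"NameID Format is {fmt!r}, expected transient")
    if spq != EXPECTED_SP_QUALIFIER:
        problems.append(f"SPNameQualifier is {spq!r}, expected {EXPECTED_SP_QUALIFIER}")
    if not value:
        problems.append("empty NameID: rule01's sAMAccountName lookup returned nothing")
    return {"format": fmt, "sp_name_qualifier": spq,
            "value": value, "problems": problems}


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_nameid(xml_text))
```

To use it on a real login, capture the base64 SAMLResponse posted by the browser to auth.huaweicloud.com (for example with the browser's developer tools), decode it, and pass the XML to check_nameid; a non-empty problems list means the relying party trust's claim rules do not match the table above.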

4. Registering SPN

Open Windows PowerShell and register the HTTP service principal name for the AD FS service account (the backslash between domain and account is required):
setspn -s http/{YOUR-ADFS-DOMAIN-NAME} {DOMAIN-NAME}\{ACCOUNT}
setspn -q http/{YOUR-ADFS-DOMAIN-NAME}

5. Testing the AD FS Sign-On Page

Open https://{YOUR-ADFS-DOMAIN-NAME}/adfs/ls/idpinitiatedsignon.aspx in a browser; the AD FS sign-in page is displayed.

Save the federation metadata file from the following URL to a local directory. It will be used when you create an identity provider on HUAWEI CLOUD.
https://{YOUR-ADFS-DOMAIN-NAME}/federationmetadata/2007-06/federationmetadata.xml
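Both metadata files exchanged in this setup (HC-metadata.xml from HUAWEI CLOUD in Section 3.2, and federationmetadata.xml from AD FS above) are worth inspecting before they are imported on the other side of the trust. The Python script below is an added example, not part of the original article or of either product: it summarises either file (entityID, role, endpoints, NameID formats, SHA-256 fingerprints of the signing certificates) and, for the AD FS file, flags the things that make a federation fail silently later: a missing signing certificate, no HTTP-POST SingleSignOnService endpoint, a non-HTTPS endpoint, or endpoints pointing at a host other than the AD FS server. The embedded metadata is a constructed minimal sample with a placeholder host, and the certificate bytes are a placeholder, not a real X.509 certificate.

```python
# Added example (not from the original article): summarise and sanity-check a
# SAML metadata file before uploading it. Sample input is constructed.
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate body (NOT a real certificate), base64 as in X509Certificate.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()

# Constructed IdP metadata shaped like the parts of AD FS federationmetadata.xml
# that a SAML service provider consumes. The host adfs.example.test is a placeholder.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _signing_fingerprints(descriptor) -> list:
    """SHA-256 over the DER bytes of every signing certificate (a KeyDescriptor
    without a 'use' attribute is valid for both signing and encryption)."""
    fps = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(hashlib.sha256(der).hexdigest())
    return fps


def summarize_metadata(xml_text: str) -> dict:
    """Works for both the IdP file (IDPSSODescriptor, SingleSignOnService) and
    the SP file (SPSSODescriptor, AssertionConsumerService)."""
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "role": None, "endpoints": [],
               "signing_cert_sha256": [], "nameid_formats": []}
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is not None:
        summary["role"], ep_tag = "IdP", "md:SingleSignOnService"
    else:
        desc = root.find("md:SPSSODescriptor", NS)
        if desc is None:
            return summary
        summary["role"], ep_tag = "SP", "md:AssertionConsumerService"
    summary["endpoints"] = [(e.get("Binding"), e.get("Location")) for e in desc.findall(ep_tag, NS)]
    summary["signing_cert_sha256"] = _signing_fingerprints(desc)
    summary["nameid_formats"] = [n.text for n in desc.findall("md:NameIDFormat", NS)]
    return summary


def check_idp_metadata(summary: dict, expected_host: str) -> list:
    """Problems that would break or weaken the trust once uploaded to the SP."""
    if summary["role"] != "IdP":
        return ["not an IdP metadata file"]
    problems = []
    if not summary["signing_cert_sha256"]:
        problems.append("no signing certificate: the SP cannot verify assertions")
    if HTTP_POST not in {b for b, _ in summary["endpoints"]}:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for _, loc in summary["endpoints"]:
        url = urlparse(loc)
        if url.scheme != "https":
            problems.append(f"non-HTTPS endpoint: {loc}")
        if url.hostname != expected_host:
            problems.append(f"endpoint host {url.hostname!r} is not the AD FS host {expected_host!r}")
    return problems


if __name__ == "__main__":
    s = summarize_metadata(SAMPLE_IDP_METADATA)
    print(s)
    print(check_idp_metadata(s, "adfs.example.test"))
```

Run it against the real file by reading federationmetadata.xml into summarize_metadata and passing your AD FS host name to check_idp_metadata; the printed fingerprints can be compared with the certificate HUAWEI CLOUD displays for the identity provider after the upload, and should change only when the AD FS token-signing certificate is rolled over.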

6. Configuring IAM on HUAWEI CLOUD

6.1 Creating an Identity Provider

Log in to the IAM console and create a new identity provider.

Click OK, and then modify the identity provider.

Upload the AD FS federation metadata file saved in Section 5. The login link is as follows:
https://auth.huaweicloud.com/authui/federation/websso?domain_id=e6505630658e49649784759cdf251af4&idp=myADFS&protocol=saml

7. Testing the Federation Identity

Open the login link (https://auth.huaweicloud.com/authui/federation/websso?domain_id=e6505630658e49649784759cdf251af4&idp=myADFS&protocol=saml) in a browser, and you will be redirected to AD FS.

After sign-in, the HUAWEI CLOUD console is displayed.

[Copyright notice] This article is original content by a HUAWEI CLOUD community user and may not be reproduced without permission; to reproduce it, contact the original author for authorization. If you find content in this community that appears to be plagiarized, please report it by e-mail with supporting evidence; once verified, the community will immediately remove the infringing content. Report e-mail: cloudbbs@huaweicloud.com