Enabling Federation to HUAWEI CLOUD Using Windows ADFS and SAML
Introduction to Identity Provider (IdP)
HUAWEI CLOUD provides the identity provider function to implement federated identity authentication based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise management system to access HUAWEI CLOUD through single sign-on (SSO).
HUAWEI CLOUD IAM supports two types of federated identity authentication:
- Web SSO: Browsers are used as the communication media. This authentication type enables common users to access HUAWEI CLOUD using browsers.
- API calling: Development tools (such as OpenStack Client and Shibboleth ECP Client) are used as the communication media. This authentication type enables enterprise users and common users to access HUAWEI CLOUD by calling APIs.
This article uses Active Directory Federation Services (AD FS) as an example of an enterprise IdP system to illustrate how to configure users to access HUAWEI CLOUD through federated identity authentication.
1. Preparation
Before getting started, ensure that:
- You have a Windows Domain Controller (with both Active Directory Domain Service and Active Directory Certificate Service).
- You have a Windows Domain Administrator account and password.
- You have a HUAWEI CLOUD account.
2. Installing Active Directory Federation Services (AD FS)
3. Configuring AD FS
3.1 Connecting to Active Directory Domain Services (AD DS)
3.2 Adding Relying Party Trust with HUAWEI CLOUD
- Obtain the metadata from the HUAWEI CLOUD website (https://auth.huaweicloud.com/authui/saml/metadata.xml) and save it as HC-metadata.xml to a local directory.
- Configure the trust relationship.
3.3 Editing Claim Rules for HUAWEI CLOUD
In this tutorial, we add two claim rules.
| Name | Rule Details |
|---|---|
| rule01 | c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value); |
| rule02 | c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://auth.huaweicloud.com/"); |
4. Registering SPN
Open Windows PowerShell and register the SPN for the AD FS service account, then query it to confirm the registration:
```powershell
setspn -s http/{YOUR-ADFS-DOMAIN-NAME} {DOMAIN-NAME}\{ACCOUNT}
setspn -q http/{YOUR-ADFS-DOMAIN-NAME}
```
5. Testing the AD FS Sign-In Page
Open https://{YOUR-ADFS-DOMAIN-NAME}/adfs/ls/idpinitiatedsignon.aspx in a browser; the AD FS sign-in page is displayed.
Save the metadata file to a local directory. It will be used when you create an identity provider on HUAWEI CLOUD.
https://{YOUR-ADFS-DOMAIN-NAME}/federationmetadata/2007-06/federationmetadata.xml
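Before uploading the federation metadata to IAM it is worth checking what it actually declares, because IAM will trust exactly the entityID and signing certificate found in it. The script below is an added example, not part of the original article: it downloads the metadata from the URL above, prints the IdP entityID and the embedded token-signing certificate(s) with their expiry, and compares them with the certificate AD FS is currently using. The host name `adfs.example.com` and the temporary file path are placeholders for this example.

```powershell
# Added example: inspect the AD FS federation metadata from step 5 before handing it to IAM.
Import-Module ADFS

$adfsHost     = 'adfs.example.com'                          # placeholder for {YOUR-ADFS-DOMAIN-NAME}
$metadataFile = Join-Path $env:TEMP 'federationmetadata.xml' # assumed temporary path

Invoke-WebRequest -Uri "https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml" `
                  -OutFile $metadataFile

[xml]$md = Get-Content -Path $metadataFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# The entityID is the Issuer IAM will require in every SAML response from this IdP.
$entityId = $md.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
"entityID : $entityId"

# Signing certificates published for the IdP role. Expiry matters: when AD FS rolls
# the token-signing certificate, IAM keeps trusting the old one until the metadata
# is re-uploaded, and federated logins fail.
$certNodes = $md.SelectNodes(
    '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)
$publishedThumbprints = foreach ($node in $certNodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    "signing  : {0}  NotAfter={1:yyyy-MM-dd}  Thumbprint={2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint
    $cert.Thumbprint
}

# Cross-check against the primary token-signing certificate AD FS actually uses.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($publishedThumbprints -contains $primary.Thumbprint) {
    "OK       : metadata contains the primary token-signing certificate $($primary.Thumbprint)"
} else {
    "WARNING  : primary token-signing certificate $($primary.Thumbprint) is not in the metadata; re-download before uploading"
}
```

Keep the thumbprint the script prints; after the identity provider is created in step 6 it can be compared with the certificate shown in the IAM console, and the same script can be re-run whenever AD FS automatic certificate rollover is due so the IdP metadata on HUAWEI CLOUD is refreshed in time.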
6. Configuring IAM on HUAWEI CLOUD
6.1 Creating an Identity Provider
Log in to the IAM console and create a new identity provider.
Click OK, and then modify the identity provider.
Upload the AD FS federation metadata file saved in step 5. The login link is as follows:
https://auth.huaweicloud.com/authui/federation/websso?domain_id=e6505630658e49649784759cdf251af4&idp=myADFS&protocol=saml
7. Testing the Federated Identity
Open the login link (https://auth.huaweicloud.com/authui/federation/websso?domain_id=e6505630658e49649784759cdf251af4&idp=myADFS&protocol=saml) in a browser; you are redirected to AD FS for sign-in.
After sign-in, the HUAWEI CLOUD console is displayed.