Huawei Cloud Federated Authentication with Azure Active Directory
1 Overview
With identity federation provided by Huawei Cloud Identity and Access Management (IAM), you do not need to create IAM users for your workforce in Huawei Cloud. Instead, users can log in to Huawei Cloud with their existing enterprise usernames and passwords, and you can assign them permissions through your identity provider (IdP).
Huawei Cloud supports federated identity authentication based on Web SSO and API calling. This document uses Azure Active Directory (Azure AD) as an enterprise identity provider to describe the process of Web SSO–based federated identity authentication. To learn about API-based access, see Federated Identity Authentication Management.
Prerequisites
- You have completed real-name authentication and configured user information on Azure AD.
- You have registered an account in Huawei Cloud and the account is enabled.
Federated Identity Authentication Process
The following figure illustrates the process of federated authentication between Azure AD and Huawei Cloud.
As shown in the preceding figure, the process of federated identity authentication is as follows:
1. A user enters the Huawei Cloud login link in the address bar of a browser to send a single sign-on (SSO) request to Huawei Cloud.
2. Huawei Cloud looks up the metadata file of the IdP specified by the login link and sends a SAML request to the browser.
3. The browser forwards the SAML request to Azure AD.
4. The user enters their username and password on the Azure AD login page. After Azure AD authenticates the user, it constructs a SAML assertion containing the user information and sends it to the browser as a SAML response.
5. The browser forwards the SAML response to Huawei Cloud.
6. Huawei Cloud parses the assertion in the SAML response, identifies the group the user is mapped to according to the configured identity conversion rules, and issues a token to the user.
7. If SSO succeeds, the user can access Huawei Cloud with the permissions of the mapped group.
2 Configuring HUAWEI CLOUD Information in Azure AD
Step 1 Log in to the official Azure website as the enterprise administrator.
Step 2 In the navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
Step 3 Click New application and select Non-gallery application.
Step 4 Click the arrow on the right of the purple prompt and activate the Premium edition.
Step 5 Enter the application name, for example, SAML_Test, and click Add.
Step 6 In the application list, select the application (e.g. SAML_Test) created in Step 5.
Step 7 In the SAML_Test application, choose Single sign-on > SAML.
Step 8 In the Basic SAML Configuration section, enter the entity ID and assertion consumer service (ACS) URL of HUAWEI CLOUD.
HUAWEI CLOUD entity ID: https://auth.huaweicloud.com/
ACS URL: https://auth.huaweicloud.com/authui/saml/SAMLAssertionConsumer
Step 9 (Optional) In the User Attributes & Claims section, define the Azure AD user information (such as username and email address) to be transferred to HUAWEI CLOUD IAM.
The claims correspond to the attributes in identity conversion rules. You can define user groups and grant them permissions in different scenarios based on the claims and identity conversion rules. For details, see Syntax of Identity Conversion Rules.
Step 10 Use Google Chrome to visit https://auth.huaweicloud.com/authui/saml/metadata.xml, and save the HUAWEI CLOUD metadata as SP-metadata.xml.
Step 11 Click Upload metadata file to upload the HUAWEI CLOUD metadata file.
Step 12 Download the Azure AD metadata file (IDPMetadata.xml).
Step 13 Choose Users and groups, and click Add User.
Step 14 Select users or group names from the drop-down list and click Assign.
----End
3 Configuring an IdP in IAM
Step 1 Log in to the IAM console and choose Identity Providers in the left navigation pane.
Step 2 On the Identity Providers page, click Create Identity Provider.
Step 3 Specify parameters in the displayed dialog box. For example, enter AzureAD_IdP in the Name text box.
Step 4 Click OK. The following message indicates that the IdP is created successfully.
Step 5 Locate the created IdP and click Modify in the Operation column.
Step 6 Click next to Upload, and select the Azure AD metadata file you downloaded in Step 12.
Step 7 Click Upload. After the metadata extracted from the uploaded file is displayed, click OK.
Step 8 Create an identity conversion rule with the same settings as the user attributes and claims in Azure AD. You can create a maximum of 10 identity conversion rules. For details, see Identity Providers. The following table shows the user attribute and value configured for this example.
Attribute | Value
 | user.userprincipalname
Click Edit Rule and copy the following rule to the edit box. This rule maps the usernames in Azure AD to the usernames in the admin group of Huawei Cloud. The users in Azure AD inherit the permissions of the admin group.
[{
    "remote": [{
        "type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    }],
    "local": [{
        "user": {
            "name": "{0}"
        }
    },
    {
        "group": {
            "name": "admin"
        }
    }]
}]
Step 9 Click OK. The identity provider configuration is complete.
Step 10 On the View Identity Provider Information page, copy the login link and open it in a browser.
Step 11 If you have logged in to Azure AD, you will be automatically redirected to Huawei Cloud. Otherwise, enter your username and password in Azure AD to log in to Huawei Cloud.
----End
4 Mapping to Huawei Cloud User Groups Based on AD User Attributes
Azure AD allows users to assign custom app roles to third-party applications and manage the association between users and app roles in applications. If an AD user is associated with an app role, Azure AD automatically carries the app role value (multi-valued attributes) when sending a SAML claim. For example, the attribute in the following red box indicates the app role list of the directory user.
The procedure is as follows.
Step 1 Sign in to the Azure Portal and choose your Azure AD tenant. In the left navigation pane, choose App registrations.
Step 2 Select the application created for interconnecting with Huawei Cloud, for example, SAML_Test created in Step 5 or Huawei Cloud in the following figure.
Step 3 Click Create app role.
The SAML claim carries Value instead of Display name. You are advised to set Value to the name of your IAM user group in Huawei Cloud.
Step 4 On the AD tenant instance panel, choose Enterprise applications in the left navigation pane and select the application created for interconnecting with Huawei Cloud, for example, SAML_Test created in Step 5 or Huawei Cloud.
Step 5 Select a user and a user group, and click Add user/group.
Step 6 Assign an app role to the corresponding user or user group. (Only customers that have Azure AD Premium can assign app roles. You can try premium for free.)
Step 7 Azure AD automatically includes the attribute name http://schemas.microsoft.com/ws/2008/06/identity/claims/role and attribute value app roles (multi-valued attributes) in the SAML claim. There is no need for additional definition in user attributes and claims.
In the identity provider conversion rule of Huawei Cloud, you can use this claim to convert the user group name to the corresponding Huawei Cloud IAM user group name by referring to the following example rule. For details, see Syntax of Identity Conversion Rules.
----End
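As an added illustration of how Huawei Cloud evaluates the identity conversion rule from section 3 and the app-role claim from section 4, the following script (written for this page, not Huawei Cloud's or Azure AD's own code) extracts the AttributeStatement from a constructed SAML assertion and applies the page's rule plus a hypothetical role-to-group rule. Expanding a multi-valued claim into one group per value is this evaluator's assumption, not documented Huawei semantics.

```python
import itertools
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample (not captured from Azure AD): "name" claim plus two app-role values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{NAME_CLAIM}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{ROLE_CLAIM}">
      <saml:AttributeValue>readonly</saml:AttributeValue>
      <saml:AttributeValue>billing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# The rule from section 3: the "name" claim becomes the IAM user name, the group is always admin.
PAGE_RULE = [{"remote": [{"type": NAME_CLAIM}],
              "local": [{"user": {"name": "{0}"}}, {"group": {"name": "admin"}}]}]
# Hypothetical rule for section 4: each app-role value is used as an IAM user group name.
ROLE_RULE = [{"remote": [{"type": NAME_CLAIM}], "local": [{"user": {"name": "{0}"}}]},
             {"remote": [{"type": ROLE_CLAIM}], "local": [{"group": {"name": "{0}"}}]}]

def extract_attributes(xml_text):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def apply_rules(rules, attrs):
    """Evaluate conversion rules against extracted claims; returns (user name, sorted groups).
    Assumption of this example: a multi-valued remote claim yields one local group per value."""
    user, groups = None, set()
    for rule in rules:
        remote_values = [attrs.get(r["type"], []) for r in rule["remote"]]
        if not all(remote_values):
            continue                    # a referenced claim is missing: rule does not match
        for combo in itertools.product(*remote_values):   # fills {0}, {1}, ... in order
            for local in rule["local"]:
                if "user" in local:
                    user = local["user"]["name"].format(*combo)
                if "group" in local:
                    groups.add(local["group"]["name"].format(*combo))
    return user, sorted(groups)
```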
5 Configuring Multiple IdPs on Azure AD to Interconnect with Huawei Cloud
To interconnect multiple Huawei Cloud accounts with one Azure AD application, you must use the IdP-initiated mode: configure additional attribute claims in Azure AD so that they are included in the SAML assertion sent to Huawei Cloud.
Step 1 Go to the Azure AD User Attributes & Claims details page referring to Step 9.
Step 2 Add an additional claim IAM_SAML_Attributes_identityProviders.
- For a single account, configure iam::{domain_id_1}:identityProvider:{idp_id_1}.
- For multiple accounts, configure iam::{domain_id_1}:identityProvider:{idp_id_1};iam::{domain_id_1}:identityProvider:{idp_id_2};iam::{domain_id_2}:identityProvider:{idp_id_3}.
Use a semicolon (;) to separate the segments. A single segment looks like iam::1234567:identityProvider:idp123.
Step 3 In IdP-initiated mode, users must sign in through the user access URL generated by Azure AD, which can be found at the following location in your application management panel.
Step 4 Copy the User access URL into the address bar of the browser and enter the AD user's credentials. The following Huawei Cloud page is then displayed, listing the accounts configured in the claim. Select the IdP corresponding to the target account to log in to Huawei Cloud.
----End
6 Configuring IdP-Initiated Interconnection with Huawei Cloud on Azure AD
You can configure the IdP-initiated mode on Azure AD to interconnect with Huawei Cloud by referring to 5 Configuring Multiple IdPs on Azure AD to Interconnect with Huawei Cloud.
Huawei Cloud provides a simpler configuration for single-tenant scenarios. You only need to configure two additional claims, IAM_SAML_Attributes_domain_id and IAM_SAML_Attributes_idp_id, and no IAM_SAML_Attributes_identityProviders claim. Note that IAM_SAML_Attributes_domain_id and IAM_SAML_Attributes_idp_id cannot be used together with IAM_SAML_Attributes_identityProviders.
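The following helper, added here as an example (not Huawei Cloud code), builds and validates the IAM_SAML_Attributes_identityProviders value described in section 5 and enforces the exclusivity rule of section 6 when resolving which IdP an assertion's claims select. Requiring domain_id and idp_id to appear together is this example's own check; the sample ids are constructed.

```python
import re

IDP_LIST_CLAIM = "IAM_SAML_Attributes_identityProviders"
DOMAIN_CLAIM = "IAM_SAML_Attributes_domain_id"
IDP_CLAIM = "IAM_SAML_Attributes_idp_id"

# One list segment has the shape iam::{domain_id}:identityProvider:{idp_id}.
SEGMENT = re.compile(r"^iam::(?P<domain_id>[^:;]+):identityProvider:(?P<idp_id>[^:;]+)$")

def build_idp_list(pairs):
    """Format (domain_id, idp_id) pairs as the semicolon-separated claim value."""
    return ";".join(f"iam::{domain}:identityProvider:{idp}" for domain, idp in pairs)

def parse_idp_list(value):
    """Split and validate the claim value; returns [(domain_id, idp_id), ...]."""
    pairs = []
    for segment in value.split(";"):
        match = SEGMENT.match(segment.strip())
        if not match:
            raise ValueError(f"malformed identityProviders segment: {segment!r}")
        pairs.append((match["domain_id"], match["idp_id"]))
    return pairs

def is_valid_idp_list(value):
    """True when every segment of the claim value is well formed."""
    try:
        parse_idp_list(value)
        return True
    except ValueError:
        return False

def resolve_targets(claims):
    """Return the (domain_id, idp_id) targets selected by an assertion's IAM_SAML_* claims.
    The single-tenant pair and the multi-account list are mutually exclusive (section 6);
    requiring both halves of the pair is this example's own check."""
    has_pair = DOMAIN_CLAIM in claims or IDP_CLAIM in claims
    if has_pair and IDP_LIST_CLAIM in claims:
        raise ValueError("domain_id/idp_id cannot be combined with identityProviders")
    if has_pair:
        if DOMAIN_CLAIM not in claims or IDP_CLAIM not in claims:
            raise ValueError("domain_id and idp_id must be configured together")
        return [(claims[DOMAIN_CLAIM], claims[IDP_CLAIM])]
    if IDP_LIST_CLAIM in claims:
        return parse_idp_list(claims[IDP_LIST_CLAIM])
    return []                          # no IdP selection claims carried
```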
7 Other Claims Supported by Huawei Cloud
In addition to the claims described in the preceding sections, you can configure the claims (attribute names in the SAML assertion) listed in the following table.
Attribute Name in SAML Assertion | Value Format | Description
IAM_SAML_Attributes_redirect_url | URL; no encoding required. | After a successful federated login, the browser is automatically redirected to the URL specified by this attribute value.