Huawei Cloud Federated Authentication with Keycloak
1 Federated Authentication
With identity federation provided by Huawei Cloud Identity and Access Management (IAM), you do not need to create IAM users in Huawei Cloud for your workforce. Instead, they can use their existing usernames and passwords to log in to Huawei Cloud. You can use the identity provider (IdP) to assign permissions to your workforce.
Huawei Cloud supports federated identity authentication based on Web SSO and API calling. Here we use Keycloak as an enterprise IdP to describe the process of Web SSO–based federated identity authentication.
Prerequisites
You have registered an account in Huawei Cloud and the account is enabled.
Process Flow
The following figure shows the identity federation process between Keycloak and Huawei Cloud.
As shown in the preceding figure, the process of identity federation is as follows:
1. A user enters the Huawei Cloud login link in the address bar of a browser to send a single sign-on (SSO) request to Huawei Cloud.
2. Huawei Cloud searches for the IdP metadata file based on the login link and sends a SAML request to the browser.
3. The browser responds and forwards the SAML request to Keycloak.
4. The user enters their username and password on the Keycloak login page. Keycloak authenticates the user, constructs a SAML assertion containing the user information, and sends the assertion to the browser as a SAML response.
5. The browser responds and forwards the SAML response to Huawei Cloud.
6. Huawei Cloud parses the assertion in the SAML response, and issues a token to the user after identifying the group the user is mapped to according to the configured identity conversion rules.
7. If the SSO is successful, the user can access Huawei Cloud based on the assigned permissions.
2 Configuring Huawei Cloud Information in Keycloak
Step 1 Save the assertion description of Huawei Cloud by entering the following URL in the address bar of the browser and saving the web page as metadata.xml.
https://auth.huaweicloud.com/authui/saml/metadata.xml
Step 2 Log in to Keycloak. In the navigation pane on the left, choose Clients and click Create.
Step 3 Click Select file, upload the Huawei Cloud metadata file, and then click Save.
Step 4 Disable Encrypt Assertions in settings.
Step 5 Click Save to save the settings.
Step 6 Click Mappers.
Step 7 On the displayed page, click Create.
Step 8 Create a username mapping.
Step 9 Create a user group mapping.
Step 10 Choose Users in the left navigation pane.
Step 11 Click Add User.
Step 12 On the Credentials tab, set a password for the user.
Step 13 Choose Groups in the left navigation pane.
Step 14 Click New to create a group.
Step 15 Choose Users in the left navigation pane.
Step 16 Locate the user and click Edit to go to the user details page.
Step 17 Click Groups and add the user to the admin group.
Step 18 Choose Realm Settings in the left navigation pane and save the Keycloak metadata file locally.
----End
3 Configuring an IdP in IAM
Step 1 Log in to the IAM console and choose Identity Providers in the left navigation pane.
Step 2 On the Identity Providers page, click Create Identity Provider.
Step 3 Set information about the IdP. For example, set the name to keycloak_idp_test.
Step 4 Click OK. The following message indicates that the IdP is created successfully.
Step 5 Locate the row containing the IdP and click Modify in the Operation column.
Step 6 Click Select File and select the downloaded Keycloak metadata file.
Step 7 Click Upload.
Step 8 In the Identity Conversion Rules area, click Edit Rule and copy the following to the edit box. This rule maps the usernames and their user groups in Keycloak to the usernames and belonging user groups in Huawei Cloud.
[
  {
    "remote": [
      { "type": "UserName" },
      { "type": "Group" }
    ],
    "local": [
      { "user": { "name": "{0}" } },
      { "group": { "name": "{1}" } }
    ]
  }
]
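To make the substitution concrete, here is an added Python example (not Huawei Cloud's or Keycloak's own code) that applies this rule to the attribute set a SAML assertion would carry. The attribute names UserName and Group, the sample user alice and the sample group values are constructed assumptions; the example also shows that a missing required attribute yields no identity at all.

```python
import json
import re

# The identity conversion rule from the IAM step above (page content).
RULE_JSON = """[ { "remote": [ { "type": "UserName" }, { "type": "Group" } ],
                  "local":  [ { "user":  { "name": "{0}" } },
                              { "group": { "name": "{1}" } } ] } ]"""

PLACEHOLDER = re.compile(r"\{(\d+)\}")


def _fill(template, values):
    """Replace every {n} in template with the first value of the n-th remote attribute."""
    def sub(m):
        idx = int(m.group(1))
        if idx >= len(values):
            raise ValueError(f"rule references remote index {idx}, "
                             f"but only {len(values)} remote attributes are declared")
        return values[idx][0]
    return PLACEHOLDER.sub(sub, template)


def apply_rules(rule_json, attributes):
    """Map SAML assertion attributes to (username, groups) using IAM-style rules.

    attributes: {attribute_name: [value, ...]} as parsed from the assertion.
    Returns None when a rule's remote attribute is absent: no identity, no token.
    """
    username, groups = None, []
    for rule in json.loads(rule_json):
        values = []
        for remote in rule["remote"]:
            vals = attributes.get(remote["type"], [])
            if not vals:
                return None  # required attribute missing: the rule cannot match
            values.append(vals)
        for local in rule["local"]:
            if "user" in local:
                username = _fill(local["user"]["name"], values)
            elif "group" in local:
                tmpl = local["group"]["name"]
                bare = PLACEHOLDER.fullmatch(tmpl)
                if bare:  # bare "{n}": one local group per value of a multi-valued attribute
                    groups.extend(values[int(bare.group(1))])
                else:
                    groups.append(_fill(tmpl, values))
    return username, groups


# Constructed sample, as the Keycloak mappers from section 2 would emit it
# (assumption: the mapper attribute names are "UserName" and "Group").
SAMPLE_ATTRS = {"UserName": ["alice"], "Group": ["admin", "ops"]}

if __name__ == "__main__":
    print(apply_rules(RULE_JSON, SAMPLE_ATTRS))  # ('alice', ['admin', 'ops'])
```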
Step 9 Click OK.
Step 10 Locate the IdP and click View in the Operation column. On the View Identity Provider Information page, copy the login link and open it in a browser.
Step 11 Enter your username and password in Keycloak to log in to Huawei Cloud. If you have logged in to Keycloak, you will be automatically redirected to Huawei Cloud.
----End