Huawei Cloud Federated Authentication with Okta
1 Overview
With identity federation provided by Huawei Cloud Identity and Access Management (IAM), you do not need to create IAM users for your workforce users in Huawei Cloud. Instead, they can use their existing usernames and passwords to log in to Huawei Cloud. You can use an identity provider (IdP) to assign permissions to your workforce.
Huawei Cloud supports federated identity authentication based on Web SSO and API calling. Here we use Okta as an enterprise IdP to describe the process of Web SSO–based identity federation. To learn about API-based identity federation, see Federated Identity Authentication Management.
Prerequisites
You have completed real-name authentication and configured user information on Okta.
You have registered an account in Huawei Cloud and the account is enabled.
Process Flow
The following figure shows the identity federation process between Okta and Huawei Cloud.
As shown in the preceding figure, the identity federation process is as follows:
1. A user enters the Huawei Cloud login link in the address bar of a browser to send a single sign-on (SSO) request to Huawei Cloud.
2. Huawei Cloud searches for the IdP metadata file based on the login link and sends a SAML request to the browser.
3. The browser responds and forwards the SAML request to Okta.
4. The user enters their username and password on the Okta login page. Okta authenticates the user, constructs a SAML assertion containing the user information, and sends the assertion to the browser as a SAML response.
5. The browser responds and forwards the SAML response to Huawei Cloud.
6. Huawei Cloud parses the assertion in the SAML response, identifies the group the user is mapped to based on the configured identity conversion rules, and issues a token to the user.
7. The user logs in to Huawei Cloud using SSO and accesses resources based on the assigned permissions.
2 Configuring Huawei Cloud System Information in Okta
Step 1 Log in to the Okta official website as an enterprise administrator.
Step 2 In the left navigation pane on the Okta homepage, choose Applications > Applications and click Create App Integration.
Step 3 Select SAML 2.0 and click Next.
Step 4 Enter basic information about the application (HuaweiCloud) and click Next.
Step 5 Download the metadata file of the Huawei Cloud system, specify the following parameters, and click Next.
- Single sign on URL: Enter https://auth.huaweicloud.com/authui/saml/SAMLAssertionConsumer (the value of Location in AssertionConsumerService in the Huawei Cloud system metadata file).
- Audience URI (SP Entity ID): Enter https://auth.huaweicloud.com/ (the value of entityID in the Huawei Cloud system metadata file).
Step 6 Configure user attribute statements. In the following figure, the first statement indicates that the user.email value is included in the email field in the assertion. The second statement indicates that the appuser.approle value is included in the approle field in the assertion for user group mapping in Huawei Cloud.
Note that approle is a custom attribute statement and can be modified. For details, see 4 Mapping User Group Attributes to Huawei Cloud User Groups. The appuser attribute cannot be modified.
Step 7 Configure feedback information and click Finish.
Step 8 Download the metadata file of the Okta system, which needs to be uploaded to Huawei Cloud later.
----End
3 Configuring an IdP in IAM
Step 1 Log in to the IAM console and choose Identity Providers in the left navigation pane.
Step 2 On the Identity Providers page, click Create Identity Provider.
Step 3 Specify parameters in the displayed dialog box. For example, enter Okta_IdP in the Name text box.
Step 4 Click OK. The following message indicates that the IdP is created successfully.
Step 5 Locate the created IdP and click Modify in the Operation column.
Step 6 Click Select File and select the Okta system metadata file downloaded in Step 8.
Step 7 Click Upload. After the metadata extracted from the uploaded file is displayed, click OK.
Step 8 Create an identity conversion rule with the same settings as the user attribute statements in Okta. You can create a maximum of 10 identity conversion rules. For details, see Identity Providers.
In the Identity Conversion Rules area, click Edit Rule and copy the following to the edit box. This rule maps the user emails in Okta to the usernames in the admin group of Huawei Cloud. Then users in Okta inherit the permissions of the admin group.
[{
    "remote": [{
        "type": "email"
    }],
    "local": [{
        "user": {
            "name": "{0}"
        }
    },
    {
        "group": {
            "name": "admin"
        }
    }]
}]
Step 9 Click OK.
Step 10 Locate the IdP and click View in the Operation column. On the View Identity Provider Information page, copy the login link and open it in a browser.
Step 11 Enter your username and password in Okta to log in to Huawei Cloud. If you have logged in to Okta, you will be automatically redirected to Huawei Cloud.
----End
4 Mapping User Group Attributes to Huawei Cloud User Groups
Okta allows users to assign custom application roles (approle) to third-party applications and manage the association between users and approles. If a user is associated with an approle, Okta automatically includes the approle value (a multi-valued attribute) in the SAML claim it sends.
Step 1 In the left navigation pane on the Okta homepage, choose Directory > Profile Editor and click the user HuaweiCloud User that has been created for interconnecting with Huawei Cloud. Then, click Add Attributes.
Step 2 Edit the approle attribute. The attribute member included in the SAML claim is Value, not Display name. You are advised to set Value to the name of your IAM user group in Huawei Cloud.
Step 3 In the left navigation pane, choose Directory > Groups and click Add Group.
Step 4 Enter admin in the Name text box to create an administrator user group for Huawei Cloud.
Step 5 In the user group list, click the created user group. On the People tab, click Assign People and add a user to the user group.
Step 6 Choose Applications > Assign Applications to configure applications for the user group.
Step 7 Click Assign in the row containing the HuaweiCloud application.
Step 8 For approle, select administrator (created in Step 2) and click Save and Go Back.
Step 9 Click Done to complete the configuration for the Okta user group attributes. You can also directly configure attributes for a user without adding the user to a user group by referring to Step 6 to Step 8.
Step 10 Okta automatically includes the email and approle attributes in a SAML assertion. There is no need for additional definition in user attributes and claims.
In the identity provider conversion rule of Huawei Cloud, you can use this claim to convert the user group name to the corresponding Huawei Cloud IAM user group name by referring to the following example rule. For details, see Syntax of Identity Conversion Rules.
Step 11 Click your HuaweiCloud application to switch to the Huawei Cloud console. Federation between Okta and Huawei Cloud has been established. By default, federated users can only log in to Huawei Cloud and they do not have any permissions. You can configure identity conversion rules on the IAM console to assign them permissions.
If you are not redirected to Huawei Cloud, check whether the federation has been established by referring to 5 Verifying the Login Result. If the federation authentication is successful, check the mapping rules on Okta and identity conversion rules on Huawei Cloud.
----End
The preceding describes how to configure the SP initiation mode. For details about how to configure the IdP initiation mode, see FAQ 3 in Federated Authentication with Azure Active Directory.
5 Verifying the Login Result
Step 1 Enter the login link configured in Huawei Cloud IAM (see 3 Configuring an IdP in IAM). (The Okta SAML file has been uploaded to Huawei Cloud.) An example link is as follows:
https://auth.huaweicloud.com/authui/federation/websso?domain_id=xxxxx&idp=oktaname&protocol=saml
The Okta login page is displayed. Enter the username and password of the Okta user.
Step 2 Check whether you have logged in to Huawei Cloud. If yes, federation between Okta and Huawei Cloud has been established. By default, an Okta user accesses Huawei Cloud as a guest and does not have any permissions. You can configure identity conversion rules on the IAM console to assign permissions to federated users.
If the login failed, compare the assertion carried in SAMLResponse of /authui/SAMLAssertionConsumer with the Huawei Cloud identity conversion rules, and modify the attribute statements on Okta or the conversion rules on Huawei Cloud as required.
----End
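As an added example (not code from this page or from Huawei Cloud), the following Python script performs the comparison that Step 2 above describes and the group mapping of sections 3 and 4: it extracts the attributes from a SAML assertion and evaluates identity conversion rules against them, using the email rule from section 3 and an assumed approle-based rule. The rule engine semantics (the first attribute value fills {n}; an any_one_of condition must match one value) are assumptions modelled on the rule shown on this page, not Huawei Cloud's documented behaviour.

```python
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample, not a real Okta response: the AttributeStatement produced
# by the attribute statements of section 2 (one email, a multi-valued approle).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="approle">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>readonly</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# The rule from section 3, exactly as given on the page.
EMAIL_TO_ADMIN = json.loads('[{"remote": [{"type": "email"}], "local": [{"user": '
                           '{"name": "{0}"}}, {"group": {"name": "admin"}}]}]')
# Assumed approle-based rule (not from the page): join the admin group only when an
# approle value is "admin". The "any_one_of" condition keyword is an assumption.
APPROLE_TO_ADMIN = json.loads('[{"remote": [{"type": "email"}, {"type": "approle", '
                              '"any_one_of": ["admin"]}], "local": [{"user": {"name": '
                              '"{0}"}}, {"group": {"name": "admin"}}]}]')

def extract_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:Attribute", NS)}

def apply_rules(rules, attrs):
    """Return (user name, groups) from the first rule whose remote side matches, or
    None when nothing matches. Assumed: {n} takes the first value of remote[n]."""
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            vals = attrs.get(remote["type"], [])
            if not vals:  # attribute missing from the assertion: rule fails
                break
            if "any_one_of" in remote and not set(vals) & set(remote["any_one_of"]):
                break
            values.append(vals[0])
        else:  # every remote condition held, so apply the local side
            user, groups = None, []
            for local in rule["local"]:
                if "user" in local:
                    user = local["user"]["name"].format(*values)
                if "group" in local:
                    groups.append(local["group"]["name"].format(*values))
            return user, sorted(groups)
    return None
```

A None result is the case Step 2 describes: the user logs in but no rule matched, so no group (and no permissions) is assigned.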