tencent cloud

Feedback

SSO Overview

Last updated: 2024-01-23 17:42:59
    Tencent Cloud supports Single Sign-On (SSO) that uses SAML 2.0 and OIDC protocols, allowing external users who have authenticated through an Identity Provider (IdP) to directly access your Tencent Cloud resources. Currently, Tencent Cloud supports two modes of SSO login: user-based SSO and role-based SSO.

    Fundamental Concepts of SSO

    Concept
    Description
    Identity Provider (IdP)
    An entity that encompasses metadata about an external IdP, offering identity management services.
    On-Premise IdP: Microsoft Active Directory Federation Service (ADFS), Shibboleth, etc.
    Cloud-based IdP: Azure AD, Google Workspace, Okta, OneLogin, etc.
    Service Provider (SP)
    By using IdP's identity management function and the user's information supplied by IdP, the SP provides users with specific service applications. Some non-SAML protocol identity systems (for example: OpenID Connect) also refer to the SP as the trusted party of IdP.
    Security Assertion Markup Language (SAML 2.0)
    A criterion protocol for implementing enterprise-level user identification. It is one of the ways to facilitate communication between SP and IdP. SAML 2.0 has become a factual criterion for implementing enterprise-level SSO.
    SAML Assertion
    The core element in the SAML protocol used to describe the authentication request and response. For example, specific user attributes are included in the assertion of the authentication response.
    Trust
    A mutual trust mechanism established between an SP and an IdP, typically implemented through the use of public and private keys. The SP obtains the SAML metadata of the IdP in a trustworthy manner. The metadata contains the public key used for signature verification of SAML assertions issued by the IdP. The SP uses this public key to verify the integrity of the assertions.
    OIDC
    OIDC is an authentication protocol built upon OAuth 2.0.
    OAuth is an authorization protocol, and OIDC adds an identity layer on top of the existing OAuth protocol. Apart from the authorization capabilities provided by OAuth, it also allows the client to verify the identity of the end user and obtain the user's basic information through the OIDC protocol API (in the form of HTTP RESTful).
    OIDC Token
    OIDC can issue identity tokens that represent logged-in users, namely OIDC tokens. OIDC tokens are used to obtain basic information of the logged-in user.
    Client ID
    When your application registers with an external IdP, a client ID will be generated. This client ID is requisite when requesting the issuance of an OIDC token from the external IdP, and the issued OIDC token will also contain this client ID in the 'aud' field. During the setting up the OIDC IdP, the client ID will be configured. Tencent Cloud checks whether the client ID carried in the 'aud' field of the OIDC token is the same as that configured in the OIDC IdP when converting the OIDC token into an STS Token. The role can only be played when both IDs are identical.
    Verification Fingerprint
    To prevent Issuer URL from being maliciously hijacked or tampered with, you need to configure the verification fingerprint generated by the HTTPS CA certificate of the external IdP. Although Tencent Cloud will assist you in automatically calculating this fingerprint, it is recommended that you compute it locally (for instance, using OpenSSL to calculate the fingerprint), and contrast it with the fingerprint calculated by Tencent Cloud. If the comparison reveals differences, it indicates that the issuer URL might have been attacked. Please confirm again, and input the correct fingerprint.
    IdP URL
    OpenID Connect Identity Provider Identifier. Corresponds to the value of the "issuer" field in the OpenID Connect metadata document provided by the IdP.
    Mapping Field
    The field in the OpenID Connect IdP that maps to the Cloud Access Management (CAM) sub-user name. You can use the value of "claims_supported" in the OpenID Connect metadata document provided by the IdP. In this example, the name field maps to the CAM username.
    Signature Public Key
    Public key for verifying the OpenID Connect IdP ID Token signatures. Corresponds to the content (accessed by visiting the link) linked in the "jwks_uri" field of the OpenID Connect metadata document provided by the corresponding IdP.
    For the safeguarding of your account, it is advised to periodically rotate your signature public keys.

    SSO Method

    Tencent Cloud offers two types of SSO methods:
    User-based SSO
    Tencent Cloud determines the correspondence between enterprise users and CAM users through SAML assertions issued by the IdP. Enterprises can manage employee information in their local IdP, and employees can log in to Tencent Cloud through specified links. After logging in, enterprise users access Tencent Cloud resources using this CAM user. For more information, please refer to User-based SSO Overview.
    Role-Based SSO
    Tencent Cloud determines the correspondence between enterprise users and CAM users through SAML assertions or OIDC tokens issued by the IdP. After logging in, enterprise users access Tencent Cloud resources using this CAM user. It supports two types of role-based SSO based on SAML 2.0 and OIDC:
    SAML Role-Based SSO: Tencent Cloud determines the CAM roles that enterprise users can utilise in Tencent Cloud through SAML assertions issued by the IdP. After logging in, enterprise users access Tencent Cloud resources using the CAM roles specified in the SAML assertion. For more information, please refer to Overview of SAML Role-Based SSO.
    OIDC Role-Based SSO: Enterprise users use the OIDC tokens issued by the IdP, call Tencent's Application Programming Interface to impersonate a specified role and exchange for temporary role identity credentials (STS Token), and then use the STS Token to securely access Tencent Cloud resources. For more information, please refer to Overview of OIDC Role-Based Single Sign-On.

    SSO Method Comparison

    SSO Method
    SP initiated SSO
    IdP initiated SSO
    Login with Sub-User Account and Password
    Configuration of IdP Association with Multiple Tencent Cloud Accounts at a Time
    Multiple IdPs
    User-based SSO
    Supported
    Supported
    Not supported
    Not supported
    Not supported
    Role-based SSO
    Not supported
    Supported
    Supported
    Supported
    Supported
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support