| Concept | Description |
| --- | --- |
| Identity Provider (IdP) | An entity that provides identity management services; the IdP entry holds the metadata describing the external IdP. On-premise IdPs: Microsoft Active Directory Federation Services (ADFS), Shibboleth, etc. Cloud-based IdPs: Azure AD, Google Workspace, Okta, OneLogin, etc. |
| Service Provider (SP) | Relying on the IdP's identity management function and the user information supplied by the IdP, the SP provides users with a specific service application. Some non-SAML identity systems (for example, OpenID Connect) refer to the SP as the relying party of the IdP. |
| Security Assertion Markup Language (SAML 2.0) | A standard protocol for enterprise-level user identity federation. It is one way to exchange authentication data between the SP and the IdP, and it has become the de facto standard for implementing enterprise-level SSO. |
| SAML Assertion | The core element of the SAML protocol, used to describe the authentication request and response. For example, specific user attributes are carried in the assertion of the authentication response. |
| Trust | A mutual trust mechanism established between an SP and an IdP, typically implemented with public and private keys. The SP obtains the IdP's SAML metadata over a trusted channel. The metadata contains the public key used to verify the signature on SAML assertions issued by the IdP, and the SP uses this public key to verify the integrity of the assertions. |
| OIDC | OIDC is an authentication protocol built on OAuth 2.0. OAuth is an authorization protocol; OIDC adds an identity layer on top of it. In addition to the authorization capabilities provided by OAuth, it allows the client to verify the identity of the end user and obtain the user's basic information through the OIDC protocol API (HTTP REST). |
| OIDC Token | OIDC issues identity tokens that represent logged-in users, namely OIDC tokens. OIDC tokens are used to obtain basic information about the logged-in user. |
| Client ID | When your application registers with an external IdP, a client ID is generated. This client ID is required when requesting an OIDC token from the external IdP, and the issued OIDC token carries this client ID in its 'aud' field. The client ID is configured when setting up the OIDC IdP. When converting the OIDC token into an STS token, Tencent Cloud checks whether the client ID in the token's 'aud' field is the same as the one configured on the OIDC IdP. The role can be assumed only when the two IDs match. |
| Verification Fingerprint | To prevent the Issuer URL from being hijacked or tampered with, you need to configure the verification fingerprint generated from the HTTPS CA certificate of the external IdP. Although Tencent Cloud automatically calculates this fingerprint for you, it is recommended that you compute it locally (for example, with OpenSSL) and compare it with the fingerprint calculated by Tencent Cloud. If the two differ, the Issuer URL may have been attacked; confirm it again and enter the correct fingerprint. |
| IdP URL | The OpenID Connect identity provider identifier. It corresponds to the value of the "issuer" field in the OpenID Connect metadata document provided by the IdP. |
| Mapping Field | The field in the OpenID Connect IdP that maps to the Cloud Access Management (CAM) sub-user name. You can use one of the values listed under "claims_supported" in the OpenID Connect metadata document provided by the IdP. In this example, the name field maps to the CAM username. |
| Signature Public Key | The public key used to verify the signature of ID tokens issued by the OpenID Connect IdP. It corresponds to the content served at the URL in the "jwks_uri" field of the OpenID Connect metadata document provided by the IdP. To safeguard your account, it is advised to rotate your signature public keys periodically. |
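
The Client ID, IdP URL, Mapping Field and Verification Fingerprint rows above describe checks a relying party performs on an ID token before it is exchanged for cloud credentials. The following is an added example (not Tencent Cloud's code) of those checks on a constructed token; the issuer, client ID, claim values and certificate bytes are all made up, and signature verification against the jwks_uri keys is assumed to have already been done by a JOSE library.

```python
"""Claim checks on an OIDC ID token, mirroring the table above.
Added example with constructed data; function names are not a Tencent Cloud API."""
import base64
import hashlib
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def validate_id_token(token: str, issuer: str, client_id: str,
                      mapping_field: str, now=None) -> str:
    """Return the CAM sub-user name the token maps to, or raise ValueError.
    Assumes the RS256 signature was already verified against the jwks_uri keys."""
    now = time.time() if now is None else now
    header, payload, _signature = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") == "none":
        raise ValueError("unsigned token rejected")
    claims = json.loads(b64url_decode(payload))
    # 'iss' must equal the configured IdP URL exactly, not merely share a prefix.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    # 'aud' may be a string or a list; the configured client ID must be present.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch: token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if mapping_field not in claims:
        raise ValueError(f"mapping field '{mapping_field}' missing from token")
    return claims[mapping_field]


def ca_fingerprint(der_cert: bytes) -> str:
    """SHA-1 fingerprint in the colon-separated form printed by
    `openssl x509 -noout -fingerprint -sha1`, for comparing with the console value."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def make_token(claims: dict) -> str:
    """Build a constructed test token; the signature segment is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "test"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.sig"
```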
| SSO Method | SP-initiated SSO | IdP-initiated SSO | Login with Sub-User Account and Password | Associate One IdP with Multiple Tencent Cloud Accounts at a Time | Multiple IdPs |
| --- | --- | --- | --- | --- | --- |
| User-based SSO | Supported | Supported | Not supported | Not supported | Not supported |
| Role-based SSO | Not supported | Supported | Supported | Supported | Supported |