If you have an identity authentication system, you do not need to create new users in the service provider system. Instead, you can configure federated identity authentication to allow users in your identity authentication system to access cloud resources through SSO.

The cloud system supports two types of federated identity authentication:

Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the system using browsers.
API calling: Development tools (such as OpenStack Client) are used as the communication media. This authentication type enables enterprise users and common users to access the system by calling APIs.
Users in your enterprise can choose SP-initiated or IdP-initiated federated identity authentication for API calling depending on your identity provider system.

Without Federated Identity Authentication

SSO not supported
Users authenticated by the identity provider of an enterprise management system cannot access the cloud system.

Figure 1 User authentication model (1)

Complex user management
The enterprise administrator has to create users in both the enterprise management system and the cloud system.
Complex user operations
Users have to use different accounts to log in to the enterprise management system and cloud system.

Figure 2 User login model (1)

With Federated Identity Authentication

SSO supported
Users authenticated by the identity provider can access the cloud system through SSO.

Figure 3 User authentication model (2)

Simplified user management
The enterprise administrator does not need to create users in the cloud system.
Easy user operations
Users can access the cloud system through the enterprise management system.

Figure 4 User login model (2)

Introduction

Without Federated Identity Authentication

With Federated Identity Authentication