doc-exports/docs/iam/umn/iam_08_0009.html
Wei, Hongmin 25e8bdf969 IAM UMN 0815 Version
Reviewed-by: Belejkanic, Lukas <lukas.belejkanic@t-systems.com>
Co-authored-by: Wei, Hongmin <weihongmin1@huawei.com>
Co-committed-by: Wei, Hongmin <weihongmin1@huawei.com>
2023-08-21 13:27:54 +00:00


<a name="iam_08_0009"></a><a name="iam_08_0009"></a>
<h1 class="topictitle1">Step 1: Create an IdP Entity</h1>
<div id="body1598524160363"><p id="iam_08_0009__en-us_topic_0272448422_p1981195018257">To establish a trust relationship between an enterprise IdP and the cloud platform, set the user redirect URLs and create OAuth 2.0 credentials in the enterprise IdP. On the IAM console, create an IdP entity and configure authorization information.</p>
<div class="section" id="iam_08_0009__en-us_topic_0272448422_section4804173815234"><h4 class="sectiontitle">Prerequisites</h4><ul id="iam_08_0009__en-us_topic_0272448422_ul1121752275615"><li id="iam_08_0009__en-us_topic_0272448422_li8181341128">The enterprise administrator has created an account in the cloud platform, and has created user groups and assigned them permissions in IAM. For details, see <a href="en-us_topic_0046611269.html">Creating a User Group and Assigning Permissions</a>. The user groups created in IAM will be mapped to federated users so that the federated users can obtain the permissions of the user groups to use cloud resources.</li><li id="iam_08_0009__en-us_topic_0272448422_li198153013819">The enterprise administrator has read the help documentation of the enterprise IdP or has understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain an enterprise IdP's OAuth 2.0 credentials, see the IdP help documentation.</li></ul>
</div>
<div class="section" id="iam_08_0009__en-us_topic_0272448422_section81252015115012"><a name="iam_08_0009__en-us_topic_0272448422_section81252015115012"></a><a name="en-us_topic_0272448422_section81252015115012"></a><h4 class="sectiontitle">Creating OAuth 2.0 Credentials in the Enterprise IdP</h4><ol id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_ol15379454241"><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li19378125420417"><span>Set redirect URLs <strong id="iam_08_0009__en-us_topic_0272448422_b8137597507">https://<span id="iam_08_0009__en-us_topic_0272448422_text10120124135111"></span>/authui/oidc/redirect</strong> and <strong id="iam_08_0009__en-us_topic_0272448422_b11142099504">https://<span id="iam_08_0009__en-us_topic_0272448422_text184105445110"></span>/authui/oidc/post</strong> in the enterprise IdP so that users can be redirected to the OpenID Connect IdP in the cloud platform.</span></li><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li17371448151420"><span>Obtain OAuth 2.0 credentials of the enterprise IdP.</span></li></ol>
</div>
<div class="section" id="iam_08_0009__en-us_topic_0272448422_section1725417499229"><h4 class="sectiontitle">Creating an IdP Entity on the Cloud Platform</h4><p id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_p14271944725">Create an IdP entity and configure authorization information in IAM to establish a trust relationship between the enterprise IdP and IAM.</p>
<ol id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_ol21644229"><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li7670737"><span>Log in to the IAM console, choose <strong id="iam_08_0009__en-us_topic_0272448422_b19787619364">Identity Providers</strong> from the navigation pane, and click <strong id="iam_08_0009__en-us_topic_0272448422_b119794619363">Create Identity Provider</strong> in the upper right corner.</span><p><div class="fignone" id="iam_08_0009__en-us_topic_0272448422_fig7233641112318"><span class="figcap"><b>Figure 1 </b>Creating an IdP entity</span><br><span><img id="iam_08_0009__en-us_topic_0272448422_image9234144112319" src="en-us_image_0000001656303721.png" height="139.471381" width="460.845" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li202871146194"><span>Enter an IdP name, select <strong id="iam_08_0009__en-us_topic_0272448422_b9726640112815">OpenID Connect</strong> and <strong id="iam_08_0009__en-us_topic_0272448422_b19635592917">Enabled</strong>, and click <strong id="iam_08_0009__en-us_topic_0272448422_b84626312299">OK</strong>.</span><p><div class="fignone" id="iam_08_0009__en-us_topic_0272448422_fig546833182412"><span class="figcap"><b>Figure 2 </b>Setting IdP parameters</span><br><span><img id="iam_08_0009__en-us_topic_0272448422_image1247113318240" src="en-us_image_0000001606944408.png" width="337.15500000000003" height="308.86789500000003" title="Click to enlarge" class="imgResize"></span></div>
<div class="note" id="iam_08_0009__en-us_topic_0272448422_note19380426847"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_08_0009__en-us_topic_0272448422_p14380526247">The IdP name must be unique under your account. You are advised to use the domain name.</p>
</div></div>
</p></li></ol>
</div>
<div class="section" id="iam_08_0009__en-us_topic_0272448422_section1245888153813"><h4 class="sectiontitle">Configuring Authorization Information in the Cloud Platform</h4><ol id="iam_08_0009__en-us_topic_0272448422_ol848017521287"><li id="iam_08_0009__en-us_topic_0272448422_li1888833818014"><span>Click <strong id="iam_08_0009__en-us_topic_0272448422_b85280239567">Modify</strong> in the <strong id="iam_08_0009__en-us_topic_0272448422_b10630925155612">Operation</strong> column of the row containing the IdP you want to modify.</span><p><div class="fignone" id="iam_08_0009__en-us_topic_0272448422_fig1803185422516"><span class="figcap"><b>Figure 3 </b>Modifying an IdP</span><br><span><img id="iam_08_0009__en-us_topic_0272448422_image4803145472512" src="en-us_image_0000001656344889.png" height="125.98119100000001" width="464.83500000000004" title="Click to enlarge" class="imgResize"></span></div>
</p></li><li id="iam_08_0009__en-us_topic_0272448422_li12397151313323"><span>Select an access type.</span><p><div class="fignone" id="iam_08_0009__en-us_topic_0272448422_fig21371746192613"><span class="figcap"><b>Figure 4 </b>Access type</span><br><span><img id="iam_08_0009__en-us_topic_0272448422_image7137194692613" src="en-us_image_0000001606945160.png" height="98.75250000000001" width="523.6875" title="Click to enlarge" class="imgResize"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="iam_08_0009__en-us_topic_0272448422_table11994612399" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Access type description</caption><thead align="left"><tr id="iam_08_0009__en-us_topic_0272448422_row899311215915"><th align="left" class="cellrowborder" valign="top" width="30.04%" id="mcps1.3.5.2.2.2.2.2.3.1.1"><p id="iam_08_0009__en-us_topic_0272448422_p2993412799">Access Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="69.96%" id="mcps1.3.5.2.2.2.2.2.3.1.2"><p id="iam_08_0009__en-us_topic_0272448422_p8993412097">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="iam_08_0009__en-us_topic_0272448422_row99943121091"><td class="cellrowborder" valign="top" width="30.04%" headers="mcps1.3.5.2.2.2.2.2.3.1.1 "><p id="iam_08_0009__en-us_topic_0272448422_p1099311210915">Programmatic access and management console access</p>
</td>
<td class="cellrowborder" valign="top" width="69.96%" headers="mcps1.3.5.2.2.2.2.2.3.1.2 "><ul id="iam_08_0009__en-us_topic_0272448422_ul899418125915"><li id="iam_08_0009__en-us_topic_0272448422_li79939121097">Programmatic access: Federated users can use development tools (including APIs, CLI, and SDKs) that support key authentication to access the cloud platform.</li><li id="iam_08_0009__en-us_topic_0272448422_li599412121098">Management console access: Federated users can log in to the cloud platform by using their own usernames and passwords.<p id="iam_08_0009__en-us_topic_0272448422_p139942121595"><a name="iam_08_0009__en-us_topic_0272448422_li599412121098"></a><a name="en-us_topic_0272448422_li599412121098"></a>Select this access type if you want users to access the cloud platform through SSO.</p>
</li></ul>
</td>
</tr>
<tr id="iam_08_0009__en-us_topic_0272448422_row209945123915"><td class="cellrowborder" valign="top" width="30.04%" headers="mcps1.3.5.2.2.2.2.2.3.1.1 "><p id="iam_08_0009__en-us_topic_0272448422_p1299431219912">Programmatic access</p>
</td>
<td class="cellrowborder" valign="top" width="69.96%" headers="mcps1.3.5.2.2.2.2.2.3.1.2 "><p id="iam_08_0009__en-us_topic_0272448422_p899411219914">Federated users can only use development tools (including APIs, CLI, and SDKs) that support key authentication to access the cloud platform.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="iam_08_0009__en-us_topic_0272448422_li15789193216"><span>Specify the configuration information.</span><p><div class="p" id="iam_08_0009__en-us_topic_0272448422_p1776910753419">
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="iam_08_0009__en-us_topic_0272448422_table563516315348" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Configuration information</caption><thead align="left"><tr id="iam_08_0009__en-us_topic_0272448422_row263411316342"><th align="left" class="cellrowborder" valign="top" width="25.1%" id="mcps1.3.5.2.3.2.1.1.2.3.1.1"><p id="iam_08_0009__en-us_topic_0272448422_p463463163416">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="74.9%" id="mcps1.3.5.2.3.2.1.1.2.3.1.2"><p id="iam_08_0009__en-us_topic_0272448422_p1963453143413">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="iam_08_0009__en-us_topic_0272448422_row1163553193412"><td class="cellrowborder" valign="top" width="25.1%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.1 "><p id="iam_08_0009__en-us_topic_0272448422_p20634103123416">Identity Provider URL</p>
</td>
<td class="cellrowborder" valign="top" width="74.9%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.2 "><p id="iam_08_0009__en-us_topic_0272448422_p775311435398">URL of the OpenID Connect IdP.</p>
<p id="iam_08_0009__en-us_topic_0272448422_p583295615537">Set it to the value of <strong id="iam_08_0009__en-us_topic_0272448422_b15533135116115">issuer</strong> in the <strong id="iam_08_0009__en-us_topic_0272448422_b164202361728">Openid-configuration</strong>.</p>
<div class="note" id="iam_08_0009__en-us_topic_0272448422_note26485591531"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="iam_08_0009__en-us_topic_0272448422_p1540635145919"><strong id="iam_08_0009__en-us_topic_0272448422_b18622381312">Openid-configuration</strong> indicates a URL defined in OpenID Connect, containing configurations of an enterprise IdP. The URL format is <strong id="iam_08_0009__en-us_topic_0272448422_b1075110598441">https://</strong><em id="iam_08_0009__en-us_topic_0272448422_i178701628455">{base URL}</em><strong id="iam_08_0009__en-us_topic_0272448422_b7288145719449">/.well-known/openid-configuration</strong>, where <em id="iam_08_0009__en-us_topic_0272448422_i889718305563">base URL</em> is defined by the enterprise IdP. For example, the <strong id="iam_08_0009__en-us_topic_0272448422_b6629150359">Openid-configuration</strong> of Google is <strong id="iam_08_0009__en-us_topic_0272448422_b84531927620">https://accounts.google.com/.well-known/openid-configuration</strong>.</p>
</div></div>
</td>
</tr>
<tr id="iam_08_0009__en-us_topic_0272448422_row10635113103410"><td class="cellrowborder" valign="top" width="25.1%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.1 "><p id="iam_08_0009__en-us_topic_0272448422_p1263510310346">Client ID</p>
</td>
<td class="cellrowborder" valign="top" width="74.9%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.2 "><p id="iam_08_0009__en-us_topic_0272448422_p206351836346">ID of a client registered with the OpenID Connect IdP. The client ID is <a href="#iam_08_0009__en-us_topic_0272448422_section81252015115012">an OAuth 2.0 credential created in the enterprise IdP</a>.</p>
</td>
</tr>
<tr id="iam_08_0009__en-us_topic_0272448422_row463512343415"><td class="cellrowborder" valign="top" width="25.1%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.1 "><p id="iam_08_0009__en-us_topic_0272448422_p5635730345">Authorization Endpoint</p>
</td>
<td class="cellrowborder" valign="top" width="74.9%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.2 "><p id="iam_08_0009__en-us_topic_0272448422_p102941849174115">Authorization endpoint of the OpenID Connect IdP. Set it to the value of <strong id="iam_08_0009__en-us_topic_0272448422_b087320610189">authorization_endpoint</strong> in <strong id="iam_08_0009__en-us_topic_0272448422_b14878196121810">Openid-configuration</strong>.</p>
<p id="iam_08_0009__en-us_topic_0272448422_p1044445564410">This parameter is required only if you set <strong id="iam_08_0009__en-us_topic_0272448422_b5888101417425">Access Type</strong> to <strong id="iam_08_0009__en-us_topic_0272448422_b11343152874219">Programmatic access and management console access</strong>.</p>
</td>
</tr>
<tr id="iam_08_0009__en-us_topic_0272448422_row1563510314342"><td class="cellrowborder" valign="top" width="25.1%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.1 "><p id="iam_08_0009__en-us_topic_0272448422_p106356312347">Scopes</p>
</td>
<td class="cellrowborder" valign="top" width="74.9%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.2 "><p id="iam_08_0009__en-us_topic_0272448422_p9122114644620">Scopes of authorization requests. <strong id="iam_08_0009__en-us_topic_0272448422_b564710229190">openid</strong> is selected by default.</p>
<p id="iam_08_0009__en-us_topic_0272448422_p168351951124616">This parameter is required only if you set <strong id="iam_08_0009__en-us_topic_0272448422_b1975215712439">Access Type</strong> to <strong id="iam_08_0009__en-us_topic_0272448422_b12753155714435">Programmatic access and management console access</strong>.</p>
<p id="iam_08_0009__en-us_topic_0272448422_p137881118173510">Enumerated values:</p>
<ul id="iam_08_0009__en-us_topic_0272448422_ul182672313510"><li id="iam_08_0009__en-us_topic_0272448422_li4262237352">openid</li><li id="iam_08_0009__en-us_topic_0272448422_li1526723103517">email</li><li id="iam_08_0009__en-us_topic_0272448422_li12662315356">profile</li></ul>
</td>
</tr>
<tr id="iam_08_0009__en-us_topic_0272448422_row563563193418"><td class="cellrowborder" valign="top" width="25.1%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.1 "><p id="iam_08_0009__en-us_topic_0272448422_p17635633344">Response Type</p>
</td>
<td class="cellrowborder" valign="top" width="74.9%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.2 "><p id="iam_08_0009__en-us_topic_0272448422_p963513383414">Response type of authorization requests. The default value is <strong id="iam_08_0009__en-us_topic_0272448422_b10129195782015">id_token</strong>.</p>
<p id="iam_08_0009__en-us_topic_0272448422_p1264192812522">This parameter is required only if you set <strong id="iam_08_0009__en-us_topic_0272448422_b12664256445">Access Type</strong> to <strong id="iam_08_0009__en-us_topic_0272448422_b1366419564410">Programmatic access and management console access</strong>.</p>
</td>
</tr>
<tr id="iam_08_0009__en-us_topic_0272448422_row1363513316349"><td class="cellrowborder" valign="top" width="25.1%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.1 "><p id="iam_08_0009__en-us_topic_0272448422_p1463516353416">Response Mode</p>
</td>
<td class="cellrowborder" valign="top" width="74.9%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.2 "><p id="iam_08_0009__en-us_topic_0272448422_p86355319348">Response mode of authorization requests. The options include <strong id="iam_08_0009__en-us_topic_0272448422_b637017497223">form_post</strong> and <strong id="iam_08_0009__en-us_topic_0272448422_b4774135013222">fragment</strong>. <strong id="iam_08_0009__en-us_topic_0272448422_b0979195712214">form_post</strong> is recommended.</p>
<p id="iam_08_0009__en-us_topic_0272448422_p154790335015">This parameter is required only if you set <strong id="iam_08_0009__en-us_topic_0272448422_b4818618154414">Access Type</strong> to <strong id="iam_08_0009__en-us_topic_0272448422_b11818141874415">Programmatic access and management console access</strong>.</p>
</td>
</tr>
<tr id="iam_08_0009__en-us_topic_0272448422_row063515353419"><td class="cellrowborder" valign="top" width="25.1%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.1 "><p id="iam_08_0009__en-us_topic_0272448422_p56353319349">Signing Key</p>
</td>
<td class="cellrowborder" valign="top" width="74.9%" headers="mcps1.3.5.2.3.2.1.1.2.3.1.2 "><p id="iam_08_0009__en-us_topic_0272448422_p1163543193412">Public key used to verify the signature of the ID token issued by the OpenID Connect IdP. For account security purposes, change the signing key periodically.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</p></li><li id="iam_08_0009__en-us_topic_0272448422_li723352954113"><span>Click <strong id="iam_08_0009__en-us_topic_0272448422_b1655104372815">OK</strong>.</span></li></ol>
</div>
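<p>Added example (not part of the original documentation or the platform's own tooling): a Python check that maps an enterprise IdP's Openid-configuration document to the Table 2 fields and flags values that would weaken or break the trust relationship. The host idp.example.com, its discovery document, and all function names are constructed for illustration; jwks_uri is the standard OpenID Connect discovery field, which this page does not name.</p>

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document for a hypothetical IdP at https://idp.example.com
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "response_types_supported": ["code", "id_token"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "scopes_supported": ["openid", "email", "profile", "offline_access"]
}
""")

PAGE_SCOPES = ("openid", "email", "profile")  # enumerated values in Table 2


def discovery_url(base_url):
    """Openid-configuration URL for a base URL, in the format given in Table 2."""
    return base_url.rstrip("/") + "/.well-known/openid-configuration"


def is_https(url):
    """True for an absolute https URL with a host part."""
    parts = urlsplit(url or "")
    return parts.scheme == "https" and bool(parts.netloc)


def iam_idp_settings(base_url, doc, console_access=True):
    """Map a discovery document to Table 2 fields; return (settings, problems)."""
    problems = []
    issuer = doc.get("issuer", "")
    if not is_https(issuer):
        problems.append("issuer is not an https URL")
    # OpenID Connect Discovery requires issuer to equal the URL the document
    # was fetched under; a mismatch means a wrong or spoofed document.
    if issuer != base_url:
        problems.append("issuer does not match the base URL")
    settings = {"Identity Provider URL": issuer,
                # Standard discovery field (assumption: not named on the page)
                # where the IdP publishes its public signing keys.
                "Signing Key source": doc.get("jwks_uri", "")}
    if not is_https(settings["Signing Key source"]):
        problems.append("jwks_uri is missing or not https")
    if not console_access:
        return settings, problems  # remaining fields are console-only
    endpoint = doc.get("authorization_endpoint", "")
    if not is_https(endpoint):
        problems.append("authorization_endpoint is missing or not https")
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise response type id_token")
    # Discovery default when the field is omitted is query and fragment.
    modes = doc.get("response_modes_supported", ["query", "fragment"])
    mode = next((m for m in ("form_post", "fragment") if m in modes), "")
    if not mode:
        problems.append("neither form_post nor fragment is supported")
    offered = doc.get("scopes_supported", ["openid"])
    scopes = [s for s in PAGE_SCOPES if s in offered]
    if "openid" not in scopes:
        problems.append("IdP does not advertise the openid scope")
    settings.update({"Authorization Endpoint": endpoint, "Scopes": scopes,
                     "Response Type": "id_token", "Response Mode": mode})
    return settings, problems


if __name__ == "__main__":
    print(iam_idp_settings("https://idp.example.com", SAMPLE_DISCOVERY))
```

<p>The Client ID is not in the discovery document; it comes from the OAuth 2.0 credentials created in the enterprise IdP.</p>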
<div class="section" id="iam_08_0009__en-us_topic_0272448422_section18826752132718"><h4 class="sectiontitle">Verifying the Federated Login</h4><ol id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_ol39932055154412"><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li3667194318261"><span>Click the login link displayed on the IdP details page and check if the login page of the enterprise IdP server is displayed.</span><p><ol type="a" id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_ol1571111571714"><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li1671175717713">On the <strong id="iam_08_0009__en-us_topic_0272448422_b1557192615293">Identity Providers</strong> page, click <strong id="iam_08_0009__en-us_topic_0272448422_b15722193312295">Modify</strong> in the <strong id="iam_08_0009__en-us_topic_0272448422_b1592218352298">Operation</strong> column of the identity provider.</li><li id="iam_08_0009__en-us_topic_0272448422_li841813545417">Copy the login link displayed on the <strong id="iam_08_0009__en-us_topic_0272448422_b05407014504">Modify Identity Provider</strong> page and visit the link using a browser.<div class="fignone" id="iam_08_0009__en-us_topic_0272448422_fig14799955162715"><span class="figcap"><b>Figure 5 </b>Copying the login link</span><br><span><img id="iam_08_0009__en-us_topic_0272448422_image10800155152719" src="en-us_image_0000001656585157.png" height="274.235759" width="460.845" title="Click to enlarge" class="imgResize"></span></div>
</li><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li13241914283">If the enterprise IdP login page is not displayed, check the configurations of the IdP and the enterprise IdP server.</li></ol>
</p></li><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li10993125510445"><span>Enter the username and password of a user that was created in the enterprise management system.</span><p><ul id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_ul5993205514416"><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li12993145515449">If the login is successful, add the login link to the enterprise management system.</li><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li599315564412">If the login fails, check the username and password.</li></ul>
<div class="note" id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_note1176022717104"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_p0761527151014">Federated users can only access the cloud platform by default. To assign permissions to federated users, configure identity conversion rules for the IdP. For details, see <a href="iam_08_0008.html#iam_08_0008">Step 2: Configure Identity Conversion Rules</a>.</p>
</div></div>
</p></li></ol>
</div>
<div class="section" id="iam_08_0009__en-us_topic_0272448422_section23811148114613"><h4 class="sectiontitle">Related Operations</h4><ul id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_en-us_topic_0175818704_ul4296945016821"><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_en-us_topic_0175818704_li3998488416821">Viewing IdP information: In the IdP list, click <strong id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_b38461712175">View</strong> in the row containing the IdP, and view its basic information, metadata, and identity conversion rules.<div class="note" id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_en-us_topic_0175818704_note1768310816844"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_en-us_topic_0175818704_p2493024416844">To modify the configuration of an IdP, click <strong id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_b7611722191713">Modify</strong> at the bottom of the details page.</p>
</div></div>
</li><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_en-us_topic_0175818704_li1227968616821">Modifying an IdP: In the IdP list, click <strong id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_b63521155131414">Modify</strong> in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.</li><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_en-us_topic_0175818704_li5904713316821">Deleting an IdP: In the IdP list, click <strong id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_b19497449171710">Delete</strong> in the row containing the IdP, and click <strong id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0272447057_b849817493172">Yes</strong> in the displayed dialog box.</li></ul>
</div>
<div class="section" id="iam_08_0009__en-us_topic_0272448422_section103531134810"><h4 class="sectiontitle">Follow-Up Procedure</h4><ul id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_ul11792191715210"><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li18792111735212">Configure identity conversion rules to map enterprise IdP users to IAM user groups and assign permissions to the users. For details, see <a href="iam_08_0008.html#iam_08_0008">Step 2: Configure Identity Conversion Rules</a>.</li><li id="iam_08_0009__en-us_topic_0272448422_en-us_topic_0175818704_li4910182155212">Configure the enterprise management system to allow users to access the cloud platform through SSO. For details, see <a href="iam_08_0007.html#iam_08_0007">(Optional) Step 3: Configure Login Link in the Enterprise Management System</a>.</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="iam_08_0022.html">Virtual User SSO via OpenID Connect</a></div>
</div>
</div>