forked from docs/doc-exports
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com> Co-authored-by: Wei, Hongmin <weihongmin1@huawei.com> Co-committed-by: Wei, Hongmin <weihongmin1@huawei.com>
<a name="iam_08_0010"></a><a name="iam_08_0010"></a>
<h1 class="topictitle1">OpenID Connect–based Federated Identity Authentication</h1>
<div id="body1598524160363"><p id="iam_08_0010__en-us_topic_0175818705_p184931879469">This section describes the process and configuration of OpenID Connect–based federated identity authentication between an enterprise identity provider and the cloud system.</p>
<div class="section" id="iam_08_0010__en-us_topic_0175818705_section265513151533"><h4 class="sectiontitle">Configuring Federated Identity Authentication</h4><p id="iam_08_0010__en-us_topic_0175818705_p54841424581">To implement federated identity authentication between an identity provider and the cloud system, complete the following configuration:</p>
<ol id="iam_08_0010__en-us_topic_0175818705_ol10515154254010"><li id="iam_08_0010__li2295530111220"><a href="iam_08_0009.html">Establish a trust relationship and create an identity provider</a>: Create OAuth 2.0 credentials in the enterprise identity provider, and create an identity provider in the cloud system.</li><li id="iam_08_0010__en-us_topic_0175818705_li551564215408"><a href="iam_08_0008.html">Configure identity conversion rules</a>: Map the users, user groups, and permissions in the identity provider to the cloud system.</li><li id="iam_08_0010__en-us_topic_0175818705_li1051634215408"><a href="iam_08_0007.html">Configure a login link</a>: Configure a login link in the enterprise management system to allow users to access the cloud system through SSO.</li></ol>
</div>
<div class="section" id="iam_08_0010__en-us_topic_0175818705_section7468191134310"><h4 class="sectiontitle">Process of Federated Identity Authentication</h4><p id="iam_08_0010__en-us_topic_0175818705_p1535006694447"><a href="#iam_08_0010__fig1898444131619">Figure 1</a> shows the interaction between an identity provider and the cloud system after a user initiates an SSO request.</p>
<div class="fignone" id="iam_08_0010__fig1898444131619"><a name="iam_08_0010__fig1898444131619"></a><a name="fig1898444131619"></a><span class="figcap"><b>Figure 1 </b>Process of federated identity authentication</span><br><span><img id="iam_08_0010__image13426515142012" src="en-us_image_0274187264.png" width="497.42" height="271.877004" title="Click to enlarge" class="imgResize"></span></div>
<p id="iam_08_0010__en-us_topic_0175818705_p4241452064">As shown in the preceding figure, the process of federated identity authentication is as follows:</p>
<ol id="iam_08_0010__en-us_topic_0175818705_ol12413521862"><li id="iam_08_0010__en-us_topic_0175818705_li6241652062">A user uses a browser to open the login link obtained from IAM, and the browser sends an SSO request to the cloud system.</li><li id="iam_08_0010__en-us_topic_0175818705_li192445216615">The cloud system looks up the identity provider configuration that matches the login link, and returns an OpenID Connect authorization request to the browser.</li><li id="iam_08_0010__en-us_topic_0175818705_li82485211618">The browser forwards the authorization request to the enterprise identity provider.</li><li id="iam_08_0010__en-us_topic_0175818705_li224165212613">The user enters their username and password on the login page displayed by the identity provider. After the identity provider authenticates the user, it constructs an ID token containing the user information and sends the ID token to the browser as an OpenID Connect authorization response.</li><li id="iam_08_0010__en-us_topic_0175818705_li17241252863">The browser forwards the authorization response to the cloud system.</li><li id="iam_08_0010__en-us_topic_0175818705_li024752864">The cloud system parses the ID token in the authorization response, identifies the group the user is mapped to according to the configured identity conversion rules, and issues a token to the user.</li><li id="iam_08_0010__en-us_topic_0175818705_li17248521767">After the login succeeds, the user can access the cloud system.</li></ol>
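<p>The following added example (not code from the cloud system or from this documentation) models steps 4 and 6 of the flow above: the identity provider signs an ID token, and the cloud system verifies its signature, issuer, audience and expiry before applying a conversion rule that maps the user's identity-provider group to a cloud group. The issuer URL, client ID, shared secret and the conversion rule are constructed demo values; HS256 with a shared secret stands in for the RS256/JWKS signing that real identity providers use.</p>

```python
import base64, hashlib, hmac, json

# Constructed values (assumptions for this demo, not from any real deployment)
IDP_ISSUER = "https://idp.example.com"   # expected "iss" claim
CLIENT_ID = "cloud-system-client-id"     # expected "aud" claim (the OAuth 2.0 client ID)
IDP_SECRET = b"demo-shared-secret"       # HS256 key; real IdPs sign with RS256 via JWKS
# Constructed identity conversion rule: IdP group "cloud-admins" -> cloud group "admin"
CONVERSION_RULES = [{"claim": "groups", "value": "cloud-admins", "cloud_group": "admin"}]
DEFAULT_GROUP = "readonly"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(claims: dict, key: bytes = IDP_SECRET) -> str:
    """Step 4, identity-provider side: build and sign the ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, now: int, key: bytes = IDP_SECRET) -> dict:
    """Step 6, cloud-system side: reject the token unless signature and claims check out."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the token's own choice
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this cloud system")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

def map_to_cloud_group(claims: dict) -> str:
    """Apply the conversion rules to verified claims; fall back to the default group."""
    for rule in CONVERSION_RULES:
        values = claims.get(rule["claim"], [])
        if rule["value"] in ([values] if isinstance(values, str) else values):
            return rule["cloud_group"]
    return DEFAULT_GROUP
```

Only claims that survive validate_id_token reach the mapping step, so a token with a bad signature, a foreign issuer or audience, or a past expiry never yields a cloud group.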
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="iam_08_0009.html">Step 1: Create an Identity Provider</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_08_0008.html">Step 2: Configure Identity Conversion Rules</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="iam_08_0007.html">Step 3: Configure Login Link in the Enterprise Management System</a></strong><br>
</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0059870089.html">Federated Identity Authentication</a></div>
</div>
</div>