Tencent Cloud supports identity federation based on SAML 2.0 (Security Assertion Markup Language 2.0). SAML 2.0 is an open standard used by many identity providers (IdPs). IdP enables federated single sign-on (SSO), so you can authorize users that have been successfully authenticated to log in to the Tencent Cloud console or call the Tencent Cloud APIs without creating a CAM sub-user account for each of your members. In addition, as an open protocol, SAML 2.0 allows you use the proxy code directly instead of writing one by yourself, which has simplified federated authentication in Tencent Cloud.
IdP is an entity in CAM, which can be deemed as a collection of external trusted accounts. SAML 2.0-based identity providers are the SAML 2.0-compliant IdPs. If you want to build trust between SAML 2.0 protocol-compatible IdPs (such as Microsoft Active Directory Federation Service) and Tencent Cloud for your enterprise or organization members to access Tencent Cloud resources, you need to create SAML IdPs. For more information, see Creating an IdP.
After creating an SAML IdP, you must create one or more IdP roles with the SAML IdP as the role entity. A role is a virtual identity with a group of permissions, and uses temporary security credentials to access resources. In the context of SAML 2.0 assertions, a role can be assigned to a federated user authenticated by an IdP. This role allows the IdP to request for temporary security credentials to access the Tencent Cloud resources. The policy associated with the role determines the scope of Tencent Cloud resources that can be accessed by the federated user. For more information on how to create SAML 2.0-based federated IdP roles, see Creating a Role.