Overview of SAML Role-Based SSO

Last updated: 2024-01-23 17:46:25
In role-based SSO with Tencent Cloud, Tencent Cloud acts as the service provider (SP) and the enterprise's own identity management system acts as the identity provider (IdP). Enterprises keep employee identities in their local IdP, so no user synchronization between Tencent Cloud and the enterprise IdP is needed. Enterprise employees log in to Tencent Cloud as the CAM roles specified for them rather than as individual CAM users.

Fundamental Procedure

Enterprise employees can access Tencent Cloud either through the console or programmatically.

Accessing Tencent Cloud via the Console

Once the administrator has completed the role-based SSO configuration, enterprise employees log in to Tencent Cloud as follows:
1. The employee opens the IdP's login page in a browser and selects Tencent Cloud as the target service.
2. The IdP generates a SAML response and returns it to the browser.
3. The browser is redirected to the Tencent Cloud SSO service page and forwards the SAML response to the SSO service.
4. The SSO service uses the SAML response to request temporary security credentials from the Tencent Cloud STS service, and generates a URL that logs in to the Tencent Cloud console with these temporary credentials.
5. The SSO service returns the URL to the browser.
6. The browser redirects to this URL, and the employee is logged in to the Tencent Cloud console as the specified CAM role.

Accessing Tencent Cloud Through a Program

Enterprise employees can also access Tencent Cloud from a program they write. The fundamental procedure is as follows:
1. The program initiates a login request to the enterprise IdP.
2. The IdP generates a SAML response containing a SAML assertion about the logged-in user and returns it to the program.
3. The program calls the AssumeRoleWithSAML API of the Tencent Cloud STS service, passing the ARN of the IdP as registered in Tencent Cloud, the ARN of the role to be assumed, and the SAML assertion issued by the enterprise IdP.
4. The STS service verifies the SAML assertion and returns temporary security credentials to the program.
5. The program uses the temporary security credentials to call Tencent Cloud APIs. Because the credentials are temporary, the program repeats steps 1 to 4 to obtain new ones when they expire.
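The client side of the programmatic flow, as an added example that is not Tencent Cloud's own code. It takes the SAML response from step 2, cuts the assertion out of the raw response text (re-serializing a signed assertion through an XML library would change whitespace and namespace declarations and break the signature that STS verifies in step 4), checks the status, validity window and audience locally, reads the role ARN and IdP ARN from the assertion's Role attribute, and assembles the parameters for the AssumeRoleWithSAML call in step 3. The attribute names, the audience value, the ARN shapes, the STS parameter names (RoleArn, PrincipalArn, SAMLAssertion, RoleSessionName, DurationSeconds) and the sample account UIN are assumptions, not values from this page; confirm them against your IdP configuration and the STS API reference. The sample response is constructed and unsigned, and the actual API call (through the Tencent Cloud SDK or a signed HTTP request) is outside the block.

```python
# Added example, not Tencent Cloud's code: the client side of the programmatic
# flow (steps 2 and 3 above). Attribute names, audience, ARN shapes, STS parameter
# names and the account UIN 100000000001 are assumptions, not taken from the page.
import base64
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS, "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ROLE_ATTR = "https://cloud.tencent.com/SAML/Attributes/Role"                # assumed
SESSION_ATTR = "https://cloud.tencent.com/SAML/Attributes/RoleSessionName"  # assumed
EXPECTED_AUDIENCE = "https://cloud.tencent.com"                             # assumed SP entity ID
ROLE_ARN_RE = re.compile(r"^qcs::cam::uin/(?P<uin>\d+):roleName/[^,/]+$")          # assumed shape
PROVIDER_ARN_RE = re.compile(r"^qcs::cam::uin/(?P<uin>\d+):saml-provider/[^,/]+$")  # assumed shape
ASSERTION_START = re.compile(r"<(?:\w+:)?Assertion\b")
ASSERTION_END = re.compile(r"</(?:\w+:)?Assertion\s*>")

# Constructed, unsigned sample; a real response carries a ds:Signature that STS verifies.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-23T09:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-23T09:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-23T08:59:00Z" NotOnOrAfter="2024-01-23T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://cloud.tencent.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role"><saml:AttributeValue>qcs::cam::uin/100000000001:roleName/SSO-ReadOnly,qcs::cam::uin/100000000001:saml-provider/CorpIdP</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 1, 23, 9, 2, tzinfo=timezone.utc)          # inside the validity window
SAMPLE_NOW_EXPIRED = datetime(2024, 1, 23, 9, 30, tzinfo=timezone.utc)  # past NotOnOrAfter

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def raw_assertion_bytes(response_xml):
    """Cut the Assertion out of the original text; re-serializing it would break the IdP signature."""
    start = ASSERTION_START.search(response_xml)
    end = ASSERTION_END.search(response_xml, start.end()) if start else None
    if start is None or end is None:
        raise ValueError("response carries no Assertion element")
    return response_xml[start.start():end.end()].encode("utf-8")

def parse_response(response_xml):
    """Require a Success status and return the parsed Assertion element."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if code is None or code.get("Value") != SUCCESS or assertion is None:
        raise ValueError("not a successful response carrying an Assertion")
    return assertion

def check_conditions(assertion, audience, now):
    """Reject assertions outside their validity window or issued for another SP."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different audience")

def attribute_values(assertion, name):
    return [v.text or "" for attr in assertion.iter(f"{{{SAML_NS}}}Attribute")
            if attr.get("Name") == name for v in attr.findall("saml:AttributeValue", NS)]

def parse_role_attribute(value):
    """Split 'roleArn,providerArn' (either order) and require both to be in one account."""
    parts = [p.strip() for p in value.split(",")]
    role = next((p for p in parts if ROLE_ARN_RE.match(p)), None)
    provider = next((p for p in parts if PROVIDER_ARN_RE.match(p)), None)
    if len(parts) != 2 or role is None or provider is None:
        raise ValueError(f"malformed Role attribute: {value!r}")
    if ROLE_ARN_RE.match(role)["uin"] != PROVIDER_ARN_RE.match(provider)["uin"]:
        raise ValueError("role and provider belong to different accounts")
    return role, provider

def build_assume_role_with_saml_params(response_xml, audience=EXPECTED_AUDIENCE,
                                       duration_seconds=3600, now=None):
    """Assemble the AssumeRoleWithSAML request (step 3) from the IdP response (step 2)."""
    now = now or datetime.now(timezone.utc)
    assertion = parse_response(response_xml)
    check_conditions(assertion, audience, now)
    roles = attribute_values(assertion, ROLE_ATTR)
    if len(roles) != 1:
        raise ValueError(f"expected exactly one Role attribute value, got {len(roles)}")
    role_arn, provider_arn = parse_role_attribute(roles[0])
    session = attribute_values(assertion, SESSION_ATTR) or ["saml-session"]
    return {"RoleArn": role_arn, "PrincipalArn": provider_arn,   # role to assume, IdP ARN in CAM
            "SAMLAssertion": base64.b64encode(raw_assertion_bytes(response_xml)).decode("ascii"),
            "RoleSessionName": session[0], "DurationSeconds": duration_seconds}
```

The local checks do not replace the signature verification STS performs in step 4; they give the program a clear error instead of a rejected API call when the IdP response is stale, unsuccessful, or addressed to a different SP. A program that already knows its role and IdP ARNs can pass them directly, as step 3 describes, instead of reading them from the Role attribute as done here.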

Configuration Steps

To establish a trust relationship between Tencent Cloud and the enterprise IdP, SAML must be configured on both sides: on Tencent Cloud as the SP and on the enterprise IdP. Role-based SSO only works after all of the following steps are completed:
1. Register the enterprise IdP in Tencent Cloud so that Tencent Cloud trusts assertions it issues. For more information, see Creating a SAML IdP.
2. Create a CAM role for SSO in the Cloud Access Management console or through the API, and grant it the permissions the employees need. For more information, see Creating Role.
3. Configure Tencent Cloud as a trusted SAML SP in the enterprise IdP and set the SAML assertion attributes, so that the enterprise IdP issues assertions for Tencent Cloud.

Parameter Configuration Sample Code


