Overview of OIDC Role-Based Single Sign-On

Last updated: 2024-01-23 17:48:51
OIDC (OpenID Connect) is an authentication protocol built on OAuth 2.0. Tencent Cloud CAM supports OIDC role-based SSO, in which an application exchanges an OIDC token issued by an external IdP for temporary Tencent Cloud credentials.

Basic Concepts

| Concept | Note |
| --- | --- |
| OIDC | OIDC is an authentication protocol built on OAuth 2.0. OAuth is an authorization protocol; OIDC adds an identity layer on top of it. Beyond the authorization capabilities provided by OAuth, OIDC also allows clients to verify the identity of end users and obtain their basic information through the OIDC protocol's API (HTTP RESTful). |
| OIDC Token | OIDC issues identity tokens, known as OIDC tokens, to applications on behalf of logged-in users. OIDC tokens are used to retrieve the basic information of the logged-in user. |
| Temporary ID Credential | Security Token Service (STS) is a temporary access permission management service provided by Tencent Cloud. It allows you to obtain temporary identity credentials (STS Token) with customized validity and access permissions. |
| Issuer URL | The Issuer URL is provided by the external IdP and corresponds to the 'iss' field value of the OIDC token. It must start with https and conform to the standard URL format, and it must not contain query parameters (indicated by ?), fragment sections (indicated by #), or login information (indicated by @). |
| Client ID | A Client ID is generated when your application is registered with an external IdP. You must use this Client ID when requesting an OIDC token from the external IdP, and the issued OIDC token carries this Client ID in its 'aud' field. The Client ID is configured when you create the OIDC IdP in CAM. When the OIDC token is later exchanged for an STS Token, Tencent Cloud verifies that the Client ID carried in the 'aud' field of the OIDC token matches the one configured in the OIDC IdP; role assumption is permitted only when they are consistent. |

Scenarios

When enterprise applications need to access Tencent Cloud frequently, using a fixed access key (AccessKey) poses a security risk if adequate security measures are not in place and the AccessKey is leaked. To address this issue, some enterprises register their applications with their own or a third-party IdP that supports OIDC (such as Google G Suite or Okta) and use the OIDC IdP to generate OIDC tokens for the applications. In this scenario, with the role-based SSO capability provided by Tencent Cloud CAM, enterprise applications can exchange their OIDC tokens for Tencent Cloud temporary identity credentials (STS Token) and thereby access Tencent Cloud resources securely.
Moreover, some individual developers or small and medium-sized enterprises allow their employees to log in to Tencent Cloud using identities registered on certain websites (such as social networking sites). If these websites support the generation of OIDC tokens, Tencent Cloud CAM can be used to accomplish SSO based on OIDC.

Fundamental Procedure

1. Register an application in the external IdP to obtain the application's Client ID.
2. In Tencent Cloud CAM, create an OIDC IdP to establish a trust relationship between Tencent Cloud and the external IdP. For specific operations, please refer to Creating an OIDC Identity Provider.
3. In Tencent Cloud CAM, create a CAM role for the OIDC IdP and grant it permissions. For specific operations, please refer to Creating Role.
4. Have the external IdP issue an OIDC token.
5. Exchange the OIDC token for an STS Token. For specific operations, please refer to AssumeRoleWithWebIdentity.
6. Access Tencent Cloud resources using the STS Token.
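As an added example (not Tencent Cloud's own code or SDK), the following Python models the trust checks behind steps 4 and 5 together with the Issuer URL and Client ID rules from the Basic Concepts table: it validates an Issuer URL, verifies a token's signature, 'iss', 'aud' and 'exp', and only then assembles the parameters for the exchange. It assumes the OIDC token is a JWT and, so that it runs offline, signs it with HS256 and a constructed shared secret; real IdPs use asymmetric signatures (RS256/ES256) with published keys, and the Tencent Cloud side performs these checks with the IdP's keys. The parameter names in `build_assume_role_request`, the `qcs::cam::uin/...` role ARN and every other value are assumptions constructed for the demo; confirm the names against the AssumeRoleWithWebIdentity API reference.

```python
# Added example (not Tencent Cloud's code): models the trust checks behind the
# OIDC role-based SSO exchange. For an offline demo the token is a JWT signed
# with HS256 and a constructed shared secret; real IdPs sign with RS256/ES256
# and publish verification keys (JWKS), which would replace `secret` below.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlsplit


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_issuer_url(url: str) -> bool:
    """Issuer URL rules from the page: https, a standard URL, and no query (?),
    fragment (#) or login information (@)."""
    if any(ch in url for ch in "?#@"):
        return False
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def mint_test_token(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the OIDC token an external IdP would issue."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_oidc_token(token: str, issuer_url: str, client_id: str,
                      secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims only if the signature, 'iss', 'aud' and 'exp' all pass;
    otherwise raise ValueError. These are the conditions under which the page
    says role assumption is permitted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not be allowed to pick 'none' or switch.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer_url:
        raise ValueError("iss does not match the configured Issuer URL")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud does not match the configured Client ID")
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or has no exp")
    return claims


def build_assume_role_request(token: str, provider_id: str, role_arn: str,
                              session_name: str, duration_seconds: int = 3600) -> dict:
    """Step 5 of the procedure: parameters for AssumeRoleWithWebIdentity.
    The parameter names are an assumption taken from the STS API reference as
    I read it; confirm them against the documentation before use."""
    return {
        "ProviderId": provider_id,
        "WebIdentityToken": token,
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }


if __name__ == "__main__":
    # Every value here is constructed for the demo.
    ISSUER = "https://idp.example.com"
    CLIENT_ID = "demo-client-id"
    SECRET = b"constructed-demo-secret"
    FROZEN_NOW = 1_700_000_000
    token = mint_test_token(
        {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "exp": FROZEN_NOW + 600}, SECRET)
    assert validate_issuer_url(ISSUER)
    claims = verify_oidc_token(token, ISSUER, CLIENT_ID, SECRET, now=FROZEN_NOW)
    print("verified subject:", claims["sub"])
    print(build_assume_role_request(token, "oidc-demo-provider",
                                    "qcs::cam::uin/100000000001:roleName/OIDCDemoRole",
                                    "alice-session"))
```

The order matters: the token is rejected on a signature, issuer, audience or expiry mismatch before any exchange request is built, which is the same property the page describes for the 'aud' check on the Tencent Cloud side.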

Parameter Configuration Sample Code


