Scenarios
Okta is an identity authentication and access management provider. Tencent Cloud supports federated authentication based on SAML 2.0 (Security Assertion Markup Language 2.0), an open standard supported by many identity providers (IdPs). By integrating Okta with Tencent Cloud through SAML 2.0 federated authentication, members of your enterprise or organization can log in automatically (SSO) to the Tencent Cloud console and manage resources there without a CAM sub-user having to be created for each member.
Operation Steps
Retrieving SAML Service Provider Metadata Document
1. Log in to the CAM console, go to Identity Provider > User SSO in the left sidebar, and click Edit.
2. Copy the current user's SAML service provider (SP) metadata URL under SSO login setting.
3. Open a new tab page in the browser, paste the link to view and download.
Note:
This step retrieves the current user's SAML service provider (SP) metadata file. The file is needed when creating the Okta application in the following steps, because it is what establishes the IdP's trust relationship with the SP.
Creating an Okta Application
1. Log in to the Okta website and click Admin in the upper right corner of the Okta home page to enter the administrator interface.
2. On the admin page, select Applications to enter the application management page. As shown below:
3. On the application management page, click Add Application to enter the add application page.
4. On the add application page, click Create App Integration. As shown below:
5. In the pop-up Create a New Application Integration window, select Platform and Sign-in method. Set Sign-in method to SAML 2.0, then click Next, as shown below:
6. On the General Settings page, fill in App name, App logo (optional), and App visibility (optional), then click Next. This application is used to integrate with Tencent Cloud, so that Okta accounts can log in automatically (SSO) and manage Tencent Cloud resources in the console.
Configuring SAML for an Okta Application
Note:
You can map Okta application attributes to Tencent Cloud's properties in this step.
1. On the Configure SAML page, fill in Single sign-on URL (Consumer URL) and Audience URL (SP Entity ID) under General with the following values:

| Field | Required | Value |
|---|---|---|
| Audience URL (SP Entity ID) | Required | The entityID attribute value of the EntityDescriptor element in the downloaded service provider metadata XML. |
| Single sign-on URL | Required | The Location attribute value of the AssertionConsumerService element in the downloaded service provider metadata XML. |
2. If you want users to land on a specific Tencent Cloud page after login, fill in Default RelayState (optional) with the domain name or IP address of that page.
Note:
The Single sign-on URL redirects to the Tencent Cloud webpage. If you need to land on a different page, then besides configuring Default RelayState you can also use the format https://cloud.tencent.com/login/saml?s_URL=xxxx, where xxxx is the domain name or IP address of the target page and must be URL-encoded. If both are set, the Default RelayState parameter takes precedence.
3. Set NameID format to Unspecified.
Note:
Tencent Cloud needs to locate a CAM user by Username, so the enterprise IdP must generate a SAML assertion containing the user's Username. Tencent Cloud parses the NameID element in the SAML assertion to match the CAM user's Username, thereby achieving user SSO.
Therefore, when configuring the SAML assertion issued by the IdP, the field corresponding to the CAM user's Username must be mapped to the NameID element in the SAML assertion.
Example: The CAM username is example@tencent.com, and the NameID value in the SAML assertion is example@tencent.com.
4. Click Next, enter the Feedback page, select the following information, then click Finish to complete the CAM configuration. As shown below:
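As an added example (not Tencent Cloud or Okta code), the following Python script pulls the two values from the table in step 1 out of a downloaded SP metadata file, so they can be checked before being pasted into the Okta form. The metadata embedded below is a constructed sample with placeholder entityID and ACS URL; point the function at the real file from the CAM console instead.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; entityID and ACS URL are placeholders.
# A real file is the one downloaded from the CAM console SP metadata URL.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example/placeholder-entity-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example/placeholder/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_settings_from_sp_metadata(xml_text: str) -> dict:
    """Return the two Okta fields derived from Tencent Cloud SP metadata.

    Audience URL (SP Entity ID): entityID attribute of EntityDescriptor.
    Single sign-on URL: Location of the HTTP-POST AssertionConsumerService.
    Raises ValueError when a value is missing, so a wrong or truncated file
    is caught before its contents are pasted into the Okta form.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    acs_all = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    acs_post = [a for a in acs_all if a.get("Binding") == POST_BINDING]
    if not acs_post:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    # Prefer the endpoint marked isDefault, otherwise the first HTTP-POST one.
    chosen = next((a for a in acs_post if a.get("isDefault") == "true"), acs_post[0])
    location = chosen.get("Location")
    if not location:
        raise ValueError("AssertionConsumerService has no Location attribute")
    return {"Audience URL (SP Entity ID)": entity_id, "Single sign-on URL": location}


if __name__ == "__main__":
    for field, value in okta_settings_from_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```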
Configuring SAML Integration for an Okta Application
Note:
This step configures the trust relationship between Okta and Tencent Cloud so that each side trusts the other.
1. Log in to the administrator interface, select Applications, click the name of the application you created to open the application details page, and click Sign On. As shown below:
2. On the Sign On page, click View SAML setup instructions in the bottom-right corner to view the identity provider metadata. After obtaining the IdP metadata, right-click on the page that displays it and save it to a local directory.
3. Log in to the CAM console with your Tencent Cloud account, go to Identity Provider > User SSO in the left sidebar. Click Edit under SSO login setting and upload the identity provider metadata document. Click the switch button after user SSO to enable or disable user SSO.
Enabled status: CAM sub-users can no longer log in to Tencent Cloud with their account login; all CAM sub-users are redirected to the enterprise IdP login page to authenticate.
Disabled status: CAM sub-users log in to Tencent Cloud with their account login, and the user SSO settings do not take effect.
Identity provider metadata document: Click select a file to upload the metadata document provided by the enterprise IdP. If needed, click reupload to replace the file after uploading.
Note:
The metadata document is provided by the enterprise IdP, usually in XML format, containing the IdP's login URL and X.509 public key certificate (to verify the validity of SAML assertions issued by the IdP).
If the enterprise IdP only provides a metadata access address, copy the address, open it in a browser, and save it as an XML file before uploading.
Auxiliary domain name (optional): Enable the auxiliary domain name to set a secondary domain name.
If an auxiliary domain name is set: The NameID element in the SAML assertion can use this auxiliary domain name as a suffix.
If the auxiliary domain name is not set: The NameID element in the SAML assertion can only match the sub-user name of the current account.
Note:
Use the auxiliary domain name as the suffix of the NameID element, i.e. <username>@<auxiliary_domain>, where <username> is the username of the CAM user and <auxiliary_domain> is the auxiliary domain name.
If you set an auxiliary domain name, Tencent Cloud compares NameID with UserName@auxiliary_domain_name; if they match, the user is logged in to Tencent Cloud.
4. Click Save.
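The following Python snippet is an added example (not Tencent Cloud code) of the NameID matching described in the Note on the auxiliary domain name above: it reads the NameID from a constructed sample assertion, checks that its Format is Unspecified, and then matches it against CAM sub-user names either exactly or as <username>@<auxiliary_domain>. Accepting both forms when an auxiliary domain is set, and comparing case-sensitively, are assumptions; signature verification of the assertion is out of scope here and must happen before the NameID is trusted.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample assertion: only Issuer and Subject, no Signature or Conditions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/placeholder-issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@corp.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>
"""


def extract_name_id(assertion_xml: str) -> str:
    """Return the NameID text; reject a missing NameID or a Format other than Unspecified."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    if name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:
        raise ValueError(f"unexpected NameID Format: {name_id.get('Format')}")
    return name_id.text.strip()


def match_cam_user(name_id: str, sub_users: set, auxiliary_domain: Optional[str] = None) -> Optional[str]:
    """Return the CAM sub-user name that NameID resolves to, or None.

    Without an auxiliary domain, NameID must equal a sub-user name exactly.
    With one, NameID may also equal <username>@<auxiliary_domain> (assumption:
    the bare form is still accepted). Comparison is exact and case-sensitive
    (assumption). No other suffix is ever stripped, so "alice@other.example"
    does not silently fall back to the sub-user "alice".
    """
    if name_id in sub_users:
        return name_id
    if auxiliary_domain:
        suffix = "@" + auxiliary_domain
        if name_id.endswith(suffix):
            candidate = name_id[: -len(suffix)]
            if candidate in sub_users:
                return candidate
    return None


if __name__ == "__main__":
    # Constructed sub-user list; "example@tencent.com" mirrors the page's own example.
    print(match_cam_user(extract_name_id(SAMPLE_ASSERTION), {"alice", "example@tencent.com"}, "corp.example"))
```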
Assigning Okta Users
Note:
You can allocate user access permissions through this step, assigning Tencent Cloud's SSO access privileges to Okta users.
1. Log in to the administrator interface and click People under Directory to enter the user management page. As shown below:
2. On the user management page, find the user to be authorized.
3. Click the username to enter the user details page, then click Assign Applications in the upper left corner. As shown below:
4. In the pop-up settings window, click Assign, set the Username to fully match the CAM sub-user name, then click Save and Go Back > Done to complete the configuration of Okta user operations. As shown below:
5. Go to the application management page, click the name of the application you created to enter the application details page. Select GENERAL, copy the EMBED LINK under the App Embed Link field, and log in to the Tencent Cloud console. Alternatively, click My end user dashboard in the upper right corner, click the application, and log in to the Tencent Cloud console.