Cloud Access Management
SSO Overview

Last updated: 2024-01-23 17:42:59
Tencent Cloud supports Single Sign-On (SSO) based on the SAML 2.0 and OIDC protocols, so that external users who have already authenticated with an Identity Provider (IdP) can access your Tencent Cloud resources directly. Two SSO login modes are currently supported: user-based SSO and role-based SSO.

Fundamental Concepts of SSO

Concept
Description

Identity Provider (IdP)
An entity that holds metadata about an external identity provider and supplies identity management services.
On-premises IdP: Microsoft Active Directory Federation Services (ADFS), Shibboleth, etc.
Cloud-based IdP: Azure AD, Google Workspace, Okta, OneLogin, etc.

Service Provider (SP)
Using the IdP's identity management function and the user information the IdP supplies, the SP provides users with a specific application or service. Some non-SAML identity systems (for example OpenID Connect) call the SP the relying party (RP) of the IdP.

Security Assertion Markup Language (SAML 2.0)
A standard protocol for enterprise user authentication and one of the ways an SP and an IdP communicate. SAML 2.0 has become the de facto standard for enterprise SSO.

SAML Assertion
The core element of the SAML protocol, carried in the authentication response. It contains the statements the IdP makes about the authenticated user, for example the user's attributes.

Trust
A mutual trust relationship established between an SP and an IdP, usually implemented with asymmetric key pairs. The SP obtains the IdP's SAML metadata over a trustworthy channel; the metadata contains the public key that matches the private key the IdP uses to sign its SAML assertions. The SP verifies the signature on each assertion with this public key, which proves the assertion's integrity and origin.

OIDC
OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0.
OAuth 2.0 is an authorization protocol; OIDC adds an identity layer on top of it. Besides the authorization that OAuth provides, OIDC lets the client verify the identity of the end user and obtain the user's basic profile information through its HTTP-based (RESTful) APIs.

OIDC Token
OIDC issues identity tokens (ID tokens) that represent the logged-in user; this document calls them OIDC tokens. An OIDC token carries the basic identity information of the logged-in user.

Client ID
When you register your application with an external IdP, the IdP generates a client ID. The client ID is required when requesting an OIDC token from the external IdP, and the issued OIDC token carries it in the 'aud' claim. You also configure the client ID when you set up the OIDC IdP in CAM. When converting an OIDC token into an STS token, Tencent Cloud checks that the client ID in the token's 'aud' claim matches the one configured on the OIDC IdP; the role can be assumed only when they are identical.

Verification Fingerprint
To prevent the issuer URL from being hijacked or tampered with, you configure a verification fingerprint derived from the CA certificate of the external IdP's HTTPS endpoint. Tencent Cloud computes this fingerprint for you automatically, but you should also compute it locally (for example with OpenSSL) and compare the two values. A difference indicates that the issuer URL may have been attacked: check again and enter the correct fingerprint.

IdP URL
The OpenID Connect identity provider identifier. It corresponds to the "issuer" field of the OpenID Connect metadata document published by the IdP.

Mapping Field
The OpenID Connect IdP claim that maps to the CAM sub-user name. Choose it from the values listed under "claims_supported" in the OpenID Connect metadata document published by the IdP. For example, the name claim can map to the CAM username.

Signature Public Key
The public key used to verify the signature of ID tokens issued by the OpenID Connect IdP. It corresponds to the content retrieved from the URL in the "jwks_uri" field of the IdP's OpenID Connect metadata document.
To protect your account, rotate signature public keys periodically.
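The Client ID, IdP URL, Mapping Field and Signature Public Key entries above describe the checks that happen when an OIDC token is converted into an STS token: signature against the key published at jwks_uri, 'iss' against the IdP URL, 'aud' against the configured client ID, then the mapping field read as the CAM sub-user name. The following is an added example written for this page, not Tencent Cloud's own code, that performs those checks in the same order on a constructed token. The issuer, client ID, JWKS and key material are all assumed demo values; the algorithm is pinned to HS256 so the example runs with the standard library, whereas a real IdP signs ID tokens with RS256 or ES256 and publishes RSA/EC keys at jwks_uri, so only the signature step would differ.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(data: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Demo only: HS256 is pinned so the example runs offline with the stdlib.
ALLOWED_ALGS = {"HS256"}

# Constructed IdP configuration (assumed values, not taken from Tencent Cloud).
ISSUER = "https://idp.example.com"    # "issuer" in the OIDC metadata document (IdP URL)
CLIENT_ID = "demo-client-id"          # client ID registered at the IdP and configured in CAM
MAPPING_FIELD = "name"                # claim mapped to the CAM sub-user name
DEMO_KEY = b"constructed-demo-hmac-key-not-a-real-secret"
DEMO_JWKS = {                         # stand-in for the document served at jwks_uri
    "keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
              "k": b64url_encode(DEMO_KEY)}]
}


def select_jwk(jwks: dict, kid) -> dict:
    """Pick the signing key by 'kid'; a rotated (retired) key simply stops matching."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise ValueError(f"no key with kid {kid!r} in JWKS")


def verify_oidc_token(token: str, jwks: dict, issuer: str, client_id: str,
                      mapping_field: str, now=None) -> str:
    """Validate an OIDC ID token and return the CAM sub-user name from the mapping field.

    The signature is verified before any claim is trusted, and the key comes from
    the JWKS selected by 'kid', never from anything embedded in the token body.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected header.payload.signature")

    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:                    # rejects "none" and algorithm confusion
        raise ValueError(f"alg {alg!r} is not allowed")
    jwk = select_jwk(jwks, header.get("kid"))
    if jwk.get("kty") != "oct":                    # key type must fit the pinned algorithm
        raise ValueError("JWK type does not match the pinned algorithm")

    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:                # must equal the configured IdP URL
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")                        # RFC 7519: string or array of strings
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:                 # 'aud' must carry the configured client ID
        raise ValueError("aud does not contain the configured client ID")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")

    username = claims.get(mapping_field)
    if not isinstance(username, str) or not username:
        raise ValueError(f"mapping field {mapping_field!r} missing from token")
    return username


def make_demo_token(claims: dict, key: bytes, kid: str, alg: str = "HS256") -> str:
    """Constructed stand-in for the IdP's token issuance (demo only)."""
    header_b64 = b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = make_demo_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 300,
                             "sub": "u-1234", "name": "alice"}, DEMO_KEY, "demo-key-1")
    print(verify_oidc_token(token, DEMO_JWKS, ISSUER, CLIENT_ID, MAPPING_FIELD, now))
```

The order of checks is deliberate: an unsigned or foreign-key token is rejected before its 'iss', 'aud' or mapping claim is ever read, and the 'aud' comparison is what stops a token issued for a different application at the same IdP from being used to assume your role.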

SSO Method

Tencent Cloud offers two SSO methods:

User-based SSO
Tencent Cloud maps enterprise users to CAM users through the SAML assertions issued by the IdP. The enterprise manages employee information in its own IdP, and employees log in to Tencent Cloud through a specified link. After logging in, an enterprise user accesses Tencent Cloud resources as the mapped CAM user. For more information, see User-based SSO Overview.

Role-based SSO
Tencent Cloud determines which CAM roles an enterprise user may assume through the SAML assertions or OIDC tokens issued by the IdP. After logging in, the enterprise user accesses Tencent Cloud resources with that CAM role. Two variants are supported, based on SAML 2.0 and OIDC respectively:
SAML role-based SSO: Tencent Cloud determines the CAM roles an enterprise user can use through the SAML assertion issued by the IdP. After logging in, the enterprise user accesses Tencent Cloud resources with the CAM role specified in the SAML assertion. For more information, see Overview of SAML Role-Based SSO.
OIDC role-based SSO: the enterprise user presents the OIDC token issued by the IdP to the Tencent Cloud API to assume a specified role, exchanging it for temporary role credentials (an STS token), and then uses the STS token to access Tencent Cloud resources securely. For more information, see Overview of OIDC Role-Based Single Sign-On.

SSO Method Comparison

Capability                                                          User-based SSO   Role-based SSO
SP-initiated SSO                                                    Supported        Not supported
IdP-initiated SSO                                                   Supported        Supported
Login with sub-user account and password                            Not supported    Supported
Associating one IdP with multiple Tencent Cloud accounts at a time  Not supported    Supported
Multiple IdPs                                                       Not supported    Supported

