Identity and Access Management

      Documentation Identity and Access Management SSO SSO overview

      SSO overview

      Last updated:2021-07-23 16:45:18

      Kingsoft Cloud supports single sign-on (SSO) based on Security Assertion Markup Language 2.0 (SAML 2.0). SSO implements login based on identity federation.

      Scenarios

      If your organization has its own account system and expects to manage the use of Kingsoft Cloud resources for members, you can use SSO. With SSO, you do not need to create an IAM account for each member. Instead, you can use SSO to manage identities of members and authorize them to use your Kingsoft Cloud resources. To better understand SSO, learn about the following terms related to SAML and SSO.

      Terms

      IdP

      • An identity provider (IdP) is an entity that contains metadata related to an external identity provider. An IdP provides identity management services.
      • On-premises IdPs include Microsoft Active Directory Federation Service (AD FS) and Shibboleth.
      • Cloud IdPs include Azure AD, Google G Suite, Okta, and OneLogin.

      SP

      A service provider (SP) is an application that uses the identity management services and user information provided by an IdP to serve users. Some non-SAML identity systems, such as OpenID Connect, also refer to an SP as a relying party.

      SAML 2.0

      It is a standard protocol to implement enterprise-class authentication and a technical means to implement communication between an SP and an IdP. SAML 2.0 is a de facto standard that implements enterprise-class SSO currently.

      SAML assertion

      It is a core element that describes authentication requests and responses. For example, specific attributes of a user are included in the assertion of an authentication response.

      Trust

      It is a mechanism built between an SP and an IdP for mutual trust, and is implemented with a public key and a private key. An SP obtains SAML metadata from an IdP through a trust relationship. The metadata contains a public key that is used to verify SAML assertion signed by the IdP. The SP verifies the integrity of the assertion by using the public key.

      Benefits

      • No need to create Kingsoft Cloud accounts
        Enterprises do not need to create Kingsoft Cloud accounts for members, which avoids security issues caused by the leak of access certificates, such as tokens for calling the API operations of Kingsoft Cloud services.

      • Federated SSO
        Enterprises that have an authentication system can implement federated SSO through IdPs.

      • Simple authentication and login process
        With the login code provided by an IdP, enterprises can complete federated authentication with Kingsoft Cloud at low expense, simplifying the process of using Kingsoft Cloud resources.

      Previous:Manage projects
      Next:Implement SAML 2.0-based SSO

      Did you find the above information helpful?

      Unhelpful
      Mostly Unhelpful
      A little helpful
      Helpful
      Very helpful

      What might be the problems?

      Insufficient
      Outdated
      Unclear or awkward
      Redundant or clumsy
      Lack of context for the complex system or functionality

      More suggestions

      0/200

      Please give us your feedback.

      Submitted

      Thank you for your feedback.

      问题反馈