SSO overview

Last updated: 2021-07-23 16:45:18

Kingsoft Cloud supports single sign-on (SSO) based on Security Assertion Markup Language 2.0 (SAML 2.0). SSO lets members log in through identity federation instead of with separate Kingsoft Cloud credentials.

Scenarios

If your organization has its own account system and wants to manage how its members use Kingsoft Cloud resources, you can use SSO. With SSO, you do not need to create an IAM account for each member. Instead, you manage member identities in your own system and authorize those identities to use your Kingsoft Cloud resources. To better understand SSO, learn the following terms related to SAML and SSO.

Terms

IdP

  • An identity provider (IdP) is the entity that provides identity management services; in Kingsoft Cloud, an IdP is configured from the metadata of your external identity provider.
  • On-premises IdPs include Microsoft Active Directory Federation Service (AD FS) and Shibboleth.
  • Cloud IdPs include Azure AD, Google G Suite, Okta, and OneLogin.

SP

A service provider (SP) is an application that uses the identity management services and user information provided by an IdP to serve users. Some non-SAML identity systems, such as OpenID Connect, also refer to an SP as a relying party.

SAML 2.0

It is a standard protocol for enterprise-class authentication and the technical means by which an SP and an IdP communicate. SAML 2.0 is currently the de facto standard for enterprise-class SSO.

SAML assertion

It is a core element that describes authentication requests and responses. For example, specific attributes of a user are included in the assertion of an authentication response.

Trust

It is the mutual trust relationship established between an SP and an IdP, implemented with a public/private key pair. Through this relationship, the SP obtains SAML metadata from the IdP. The metadata contains the IdP's public key, which is used to verify SAML assertions signed by the IdP's private key. The SP uses that public key to verify the integrity and origin of each assertion before accepting it.
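The following is an added example illustrating the trust mechanism described above; it is not Kingsoft Cloud's code and the entity IDs, subject and key pair in it are constructed for the demonstration. The IdP signs an assertion with its private key, and the SP verifies it with the public key it took from the IdP metadata, then applies the checks a SAML SP performs on every assertion: issuer, audience and validity window. To stay dependency-free, the signature here is RSA-SHA256 over a fixed serialization of the assertion fields, standing in for the XML-DSig signature a real SAML assertion carries; a production SP must use a SAML library that performs XML canonicalization and also tracks assertion IDs to reject replays.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion (constructed for this example).
type Assertion struct {
	Issuer       string    // IdP entity ID
	Subject      string    // authenticated user
	Audience     string    // SP entity ID the assertion is addressed to
	NotBefore    time.Time // start of validity window
	NotOnOrAfter time.Time // end of validity window (exclusive)
	Signature    []byte    // RSA-SHA256 signature over signingInput()
}

// signingInput is the byte string that gets signed; a real SAML assertion is signed
// over its canonicalized XML instead.
func (a Assertion) signingInput() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d|%d",
		a.Issuer, a.Subject, a.Audience, a.NotBefore.Unix(), a.NotOnOrAfter.Unix()))
}

// SignAssertion is the IdP side: sign the assertion with the IdP private key.
func SignAssertion(a *Assertion, idpPriv *rsa.PrivateKey) error {
	digest := sha256.Sum256(a.signingInput())
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpPriv, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	a.Signature = sig
	return nil
}

// IdPTrust is what the SP keeps from the IdP metadata: the IdP entity ID and public key.
type IdPTrust struct {
	EntityID  string
	PublicKey *rsa.PublicKey
}

// VerifyAssertion is the SP side. The signature is checked first so that none of the
// other fields are trusted before their integrity is established.
func VerifyAssertion(a Assertion, trust IdPTrust, spEntityID string, now time.Time) error {
	digest := sha256.Sum256(a.signingInput())
	if err := rsa.VerifyPKCS1v15(trust.PublicKey, crypto.SHA256, digest[:], a.Signature); err != nil {
		return errors.New("signature does not verify against the IdP public key from metadata")
	}
	if a.Issuer != trust.EntityID {
		return errors.New("issuer does not match the trusted IdP entity ID")
	}
	if a.Audience != spEntityID {
		return errors.New("assertion is not addressed to this SP")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return errors.New("assertion is outside its validity window")
	}
	return nil
}

// Demo builds a constructed IdP/SP pair and returns the SP's verdict on a valid
// assertion, a tampered copy, and a copy signed by a key the SP does not trust.
func Demo() (valid, tampered, untrusted error) {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	trust := IdPTrust{EntityID: "https://idp.example.com", PublicKey: &idpKey.PublicKey}
	const spID = "https://sp.example.com"
	now := time.Now()

	a := Assertion{Issuer: trust.EntityID, Subject: "alice@example.com", Audience: spID,
		NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute)}
	if err := SignAssertion(&a, idpKey); err != nil {
		return err, err, err
	}
	valid = VerifyAssertion(a, trust, spID, now)

	t := a // same signature, modified content: integrity check must fail
	t.Subject = "bob@example.com"
	tampered = VerifyAssertion(t, trust, spID, now)

	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // a key absent from the metadata
	if err != nil {
		return valid, tampered, err
	}
	u := a
	if err := SignAssertion(&u, otherKey); err != nil {
		return valid, tampered, err
	}
	untrusted = VerifyAssertion(u, trust, spID, now)
	return valid, tampered, untrusted
}

func main() {
	valid, tampered, untrusted := Demo()
	fmt.Println("valid assertion:   ", valid)
	fmt.Println("tampered assertion:", tampered)
	fmt.Println("untrusted signer:  ", untrusted)
}
```

The order of the checks is the point to take away: the public key from the metadata decides whether the assertion is authentic, and only then do issuer, audience and time window decide whether this SP should act on it. Rotating the IdP's signing key means refreshing the metadata on the SP, since an assertion signed by any key not in the metadata is rejected exactly like the third case above.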

Benefits

  • No need to create Kingsoft Cloud accounts
    Enterprises do not need to create Kingsoft Cloud accounts for members, which avoids the security issues caused by leaked access credentials, such as tokens used to call the API operations of Kingsoft Cloud services.

  • Federated SSO
    Enterprises that have an authentication system can implement federated SSO through IdPs.

  • Simple authentication and login process
    With the login code provided by an IdP, enterprises can complete federated authentication with Kingsoft Cloud at low cost, simplifying the process of using Kingsoft Cloud resources.
