Last updated：2021-07-23 16:45:18
Kingsoft Cloud supports single sign-on (SSO) based on Security Assertion Markup Language 2.0 (SAML 2.0). SSO is a login method based on identity federation: users authenticate with their own organization's identity system and are then granted access to Kingsoft Cloud.
If your organization already has its own account system and wants to control how its members use Kingsoft Cloud resources, you can use SSO. With SSO, you do not need to create an IAM account for each member. Instead, you manage member identities in your own system and authorize those identities to use your Kingsoft Cloud resources. To better understand SSO, learn the following terms related to SAML and SSO.
A service provider (SP) is an application that relies on the identity management services and user information provided by an identity provider (IdP) to serve users. In the scenario described here, Kingsoft Cloud is the SP and your organization's authentication system is the IdP. Some non-SAML identity systems, such as OpenID Connect, refer to an SP as a relying party.
SAML 2.0 is a standard protocol for enterprise-class authentication and the technical means by which an SP and an IdP communicate. It is currently the de facto standard for implementing enterprise-class SSO.
An assertion is the core SAML element: the statement the IdP makes about an authenticated user and returns to the SP in its authentication response. For example, the assertion in an authentication response carries the user's attributes, which the SP uses to identify and authorize the user.
A trust relationship is the mutual trust established between an SP and an IdP, implemented with a key pair. The trust is set up by exchanging SAML metadata: the SP imports the IdP's metadata, which contains the public key (certificate) that matches the private key the IdP uses to sign its assertions. When an assertion arrives, the SP verifies its signature with that public key, which confirms both the integrity of the assertion and that it really came from the trusted IdP. The SP must verify against the key it obtained from the metadata, not against a key carried inside the response itself, otherwise anyone could sign an assertion with their own key.
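The following Python script is an added example that is not part of the Kingsoft Cloud documentation or product; it shows, for the two terms above, what a service provider actually checks when it receives an assertion under a trust relationship. The IdP metadata, the SAML response, the entity IDs (`https://idp.example.com/saml`, `https://sp.example.com/saml/metadata`) and the certificate value are all constructed placeholders. The cryptographic verification of the XML signature itself requires an XML-DSig library and is not implemented here; what the script implements is the trust logic around that step: the signing certificate must be the one pinned from the IdP's metadata, and the issuer, audience and validity window of the assertion must match what the SP expects.

```python
"""Trust checks a SAML SP applies before accepting an assertion (added example)."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # hypothetical SP entity ID
IDP_CERT = "MIIC" + "A" * 60                           # placeholder, not a real certificate
VALID_AT = dt.datetime(2021, 7, 23, 8, 0, tzinfo=dt.timezone.utc)
EXPIRED_AT = dt.datetime(2021, 7, 23, 8, 10, tzinfo=dt.timezone.utc)

# Constructed IdP metadata, as the SP would import it when setting up the trust.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{IDP_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(cert: str, audience: str) -> str:
    """Constructed SAML response with one assertion; the signature value is a placeholder."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2021-07-23T08:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-07-23T08:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue><ds:KeyInfo>
      <ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2021-07-23T07:55:00Z" NotOnOrAfter="2021-07-23T08:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Role"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> dt.datetime:
    """Parse a SAML UTC timestamp, ignoring fractional seconds."""
    return dt.datetime.strptime(value.split(".")[0].rstrip("Z"),
                                "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def _cert_text(elem) -> str:
    """Normalise base64 so line wrapping in the XML does not affect comparison."""
    return "".join(elem.text.split())


def load_idp_trust(metadata_xml: str) -> dict:
    """What the SP pins from IdP metadata: the entity ID and the signing certificates."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # absent 'use' means signing and encryption
            certs.update(_cert_text(c) for c in kd.iterfind(".//ds:X509Certificate", NS))
    if not certs:
        raise ValueError("IdP metadata has no signing certificate")
    return {"entity_id": root.get("entityID"), "signing_certs": certs}


def validate_assertion(response_xml: str, trust: dict, sp_entity_id: str, now: dt.datetime) -> dict:
    """Apply the trust checks; raise ValueError on failure, else return the asserted identity."""
    assertions = ET.fromstring(response_xml).findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != trust["entity_id"]:
        raise ValueError("issuer is not the federated IdP")
    # The certificate carried in the response proves nothing on its own: it must be one
    # pinned from metadata, and the XML-DSig library then verifies against that key.
    cert = a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or _cert_text(cert) not in trust["signing_certs"]:
        raise ValueError("assertion not signed with a pinned IdP certificate")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no validity window")
    if not _ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if sp_entity_id not in [x.text for x in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this SP")
    attrs = {at.get("Name"): [v.text for v in at.iterfind("saml:AttributeValue", NS)]
             for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


def rejection_reason(response_xml: str, trust: dict, sp_entity_id: str, now: dt.datetime):
    """None if the assertion is accepted, otherwise the reason it was rejected."""
    try:
        validate_assertion(response_xml, trust, sp_entity_id, now)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    trust = load_idp_trust(IDP_METADATA)
    print(validate_assertion(make_response(IDP_CERT, SP_ENTITY_ID), trust, SP_ENTITY_ID, VALID_AT))
    print(rejection_reason(make_response("MIIC" + "B" * 60, SP_ENTITY_ID), trust, SP_ENTITY_ID, VALID_AT))
    print(rejection_reason(make_response(IDP_CERT, "https://other.example.com"), trust, SP_ENTITY_ID, VALID_AT))
    print(rejection_reason(make_response(IDP_CERT, SP_ENTITY_ID), trust, SP_ENTITY_ID, EXPIRED_AT))
```

The second rejected case is the one the trust relationship exists to prevent: a response that carries a syntactically valid signature and certificate, but not the certificate pinned from the IdP's metadata, is discarded before any signature mathematics runs. Audience and validity-window checks then stop an assertion issued for another SP, or a replayed old one, from being accepted.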
No need to create Kingsoft Cloud accounts: Enterprises do not need to create Kingsoft Cloud accounts for their members, which avoids the security issues caused by leaked access credentials, such as the tokens used to call Kingsoft Cloud API operations.
Federated SSO: Enterprises that already have an authentication system can implement federated SSO through their own IdP.