SSO overview

Last updated: 2021-07-23 16:45:18

Kingsoft Cloud supports single sign-on (SSO) based on Security Assertion Markup Language 2.0 (SAML 2.0). SSO implements login through identity federation: users authenticate with your own identity provider and are then granted access to Kingsoft Cloud.

Scenarios

If your organization has its own account system and wants to control how its members use Kingsoft Cloud resources, you can use SSO. With SSO, you do not need to create an IAM account for each member. Instead, member identities stay in your own identity system, and you authorize those identities to use your Kingsoft Cloud resources. To better understand SSO, learn the following terms related to SAML and SSO.

Terms

IdP

  • An identity provider (IdP) provides identity management services. In the SSO configuration, an IdP is the entity that holds the metadata of an external identity provider.
  • On-premises IdPs include Microsoft Active Directory Federation Services (AD FS) and Shibboleth.
  • Cloud IdPs include Azure AD, Google G Suite, Okta, and OneLogin.

SP

A service provider (SP) is an application that relies on the identity management services and user information provided by an IdP to serve users. In SSO with Kingsoft Cloud, Kingsoft Cloud is the SP. Some non-SAML identity systems, such as OpenID Connect, call the SP a relying party.

SAML 2.0

SAML 2.0 is a standard protocol for enterprise-class authentication and the technical means by which an SP and an IdP communicate. It is currently the de facto standard for enterprise-class SSO.

SAML assertion

A SAML assertion is the core element of a SAML authentication response: the IdP's signed statement about the user it has authenticated. For example, the specific attributes of a user are carried inside the assertion of an authentication response, and the SP reads them only after it has verified the assertion.

Trust

Trust is the mutual trust relationship established between an SP and an IdP, implemented with a public key and a private key. Through the trust relationship, the SP obtains the SAML metadata of the IdP. The metadata contains the public key (certificate) that corresponds to the private key the IdP uses to sign SAML assertions. The SP uses that public key to verify the signature on each assertion, and so confirms both the integrity of the assertion and that it really came from the trusted IdP. An assertion whose signature does not verify against that key, or that carries no signature, must be rejected.

Benefits

  • No need to create Kingsoft Cloud accounts: enterprises do not need to create Kingsoft Cloud accounts for members. Because members hold no long-lived Kingsoft Cloud credentials, the security issues caused by leaked access credentials, such as tokens used to call the API operations of Kingsoft Cloud services, are avoided.

  • Federated SSO: enterprises that already have an authentication system can implement federated SSO through their IdPs.

  • Simple authentication and login process: with the login integration provided by an IdP, enterprises can complete federated authentication with Kingsoft Cloud at low cost, simplifying the process of using Kingsoft Cloud resources.