Implement SAML 2.0-based SSO

This topic describes the process for implementing SSO based on SAML 2.0.

Background

During the SSO process, Kingsoft Cloud acts as the SP, and an enterprise’s identity management system acts as the IdP. With SSO, the enterprise can manage member information in the on-premises IdP without synchronization with Kingsoft Cloud, and the members can log in to Kingsoft Cloud with designated roles.

Process

With SSO, enterprise members can access Kingsoft Cloud services in the Kingsoft Cloud console.

1. Member A selects Kingsoft Cloud as the destination service on the IdP login page in the browser.
   For example, if the enterprise IdP is Microsoft AD FS, the URL of the login page is https://ADFSServiceName/adfs/ls/IdpInitiatedSignOn.aspx.

Some IdPs may require users to log in first before they select Kingsoft Cloud SSO.

2. The IdP generates an SAML response and returns it to the browser.
3. The browser redirects member A to the SSO service page and forwards the SAML response to SSO.
4. SSO requests a temporary security certificate from Security Token Service (STS) of Kingsoft Cloud based on the SAML response, and generates a URL that can be used to log in to the Kingsoft Cloud console with the temporary security certificate.

If the SAML response contains attributes that map multiple roles, the system will remind member A to select a role to access Kingsoft Cloud services. 

5. SSO returns the URL to the browser.
6. The browser redirects member A to this URL, through which member A logs in to the Kingsoft Cloud console with the selected role.