Identity and Access Management

      Documentation Identity and Access Management SSO Configure SSO

      Configure SSO

      Last updated:2021-07-23 16:45:18

      To implement SSO, configure SAML on Kingsoft Cloud, which serves as an SP, and in an enterprise IdP to build mutual trust between them.

      Step 1: Configure an SAML 2.0 IdP for the enterprise

      1. Obtain the SP metadata file of Kingsoft Cloud for configuring an SAML SP in the enterprise IdP from http://fe.ksyun.com/fs/ksyun-sp-metadata.xml.

      2. Create an SAML SP in the enterprise IdP and configure Kingsoft Cloud as the trusted entity in any of the following ways:

        (1) Enter the URL of Kingsoft Cloud’s metadata file obtained in the previous step.

        (2) If your IdP does not support URL configuration, download the metadata file from the URL and upload the metadata file to the IdP.

        (3) If your IdP does not support metadata file uploading, manually set the following parameters:

        • Entity ID: Set the value to urn:ksyun:cloudcomputing.
        • ACS URL: Set the value to https://signin.ksyun.com/saml-role/sso.
        • RelayState: Set the value to the homepage URL of the Kingsoft Cloud console.

      Step 2: Configure SAML assertion attributes in the enterprise IdP

      As required by Kingsoft Cloud, the SAML assertion generated by the enterprise IdP must contain essential information to confirm the identity of enterprise users. Therefore, SAML assertion attributes must be configured for the enterprise IdP to assume an IAM role to implement SSO with Kingsoft Cloud for enterprise users.

      Step 3: Create an SAML IdP on Kingsoft Cloud

      1. Log in to the IAM console.

      2. In the left navigation pane, click SSO.

      3. On the SSO page, click Create IdP.

      4. In the Create IdP dialog box, set IdP Name and Remarks, click Upload, and then select the metadata file to be uploaded.

        • The metadata file is provided by the enterprise IdP.
        • The metadata file is in the XML format generally, and includes the IdP login address, public key used for signature verification, and assertion format.

      5. Click Submit.

      Step 4: Grant permissions to the SAML IdP on Kingsoft Cloud

      1. Log in to the IAM console.
      2. In the left navigation pane, click Roles.
      3. On the Roles page, click Create Role.
      4. On the Create Role page, select IdP as the trusted entity.
      5. Set Role Name and Remarks.
      6. In the Set Carrier Information section, select an IdP.
      7. Click Next.

      After the role is created, choose Permissions > Grants or Policies in the left navigation pane to grant permissions or attach policies to the role.

      The actual procedure for configuring the SAML SP and assertion varies depending on the specific IdP system. An example will be provided to describe how to configure SSO between Azure AD and Kingsoft Cloud, which helps you understand the end-to-end configuration procedures in an enterprise IdP and on Kingsoft Cloud.

      Previous:Implement SAML 2.0-based SSO
      Next:Use IAM to limit the IP addresses that are allowed to access Kingsoft Cloud resources

      Did you find the above information helpful?

      Unhelpful
      Mostly Unhelpful
      A little helpful
      Helpful
      Very helpful

      What might be the problems?

      Insufficient
      Outdated
      Unclear or awkward
      Redundant or clumsy
      Lack of context for the complex system or functionality

      More suggestions

      0/200

      Please give us your feedback.

      Submitted

      Thank you for your feedback.

      问题反馈