Configure SSO

Last updated: 2021-07-23 16:45:18

To implement SSO, configure SAML on both sides so that they trust each other: on Kingsoft Cloud, which serves as the service provider (SP), and in the enterprise identity provider (IdP).

Step 1: Configure an SAML 2.0 IdP for the enterprise

  1. Obtain the SP metadata file of Kingsoft Cloud, which is used to configure the SAML SP in the enterprise IdP, from http://fe.ksyun.com/fs/ksyun-sp-metadata.xml.

  2. Create an SAML SP in the enterprise IdP and configure Kingsoft Cloud as the trusted entity in any of the following ways:

    (1) Enter the URL of Kingsoft Cloud's metadata file obtained in the previous step.

    (2) If your IdP does not support URL configuration, download the metadata file from the URL and upload the metadata file to the IdP.

    (3) If your IdP does not support metadata file uploading, manually set the following parameters:

    • Entity ID: Set the value to urn:ksyun:cloudcomputing.
    • ACS URL: Set the value to https://signin.ksyun.com/saml-role/sso.
    • RelayState: Set the value to the homepage URL of the Kingsoft Cloud console.
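
The metadata URL above is plain http, so a downloaded copy can be altered in transit. Before uploading it to the IdP, it is worth checking it against the Entity ID and ACS URL documented here. The following is an added example, not Kingsoft Cloud code; the sample metadata is constructed in the standard SAML 2.0 layout, and the check assumes the file lists only the documented ACS endpoint.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Values this page documents for manual configuration.
EXPECTED_ENTITY_ID = "urn:ksyun:cloudcomputing"
EXPECTED_ACS_URL = "https://signin.ksyun.com/saml-role/sso"

def check_sp_metadata(xml_bytes):
    """Return a list of problems; an empty list means the file matches the page."""
    # SAML metadata needs no DTD; refusing one avoids entity-expansion parsing issues.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["metadata contains a DTD or entity declaration"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        problems.append(f"unexpected root element {root.tag!r}")
    if root.get("entityID") != EXPECTED_ENTITY_ID:
        problems.append(f"unexpected entityID {root.get('entityID')!r}")
    acs = [e.get("Location", "") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    if EXPECTED_ACS_URL not in acs:
        problems.append("documented ACS URL is missing")
    # Assumption: the SP publishes only the documented ACS endpoint.
    problems += [f"unexpected ACS endpoint {u!r}" for u in acs if u != EXPECTED_ACS_URL]
    return problems

def sample_metadata(entity_id, acs_url):
    """Constructed sample in standard SAML 2.0 metadata layout (not the real file)."""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AssertionConsumerService index="0" '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="{acs_url}"/>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
    ).encode()

if __name__ == "__main__":
    good = sample_metadata(EXPECTED_ENTITY_ID, EXPECTED_ACS_URL)
    bad = sample_metadata(EXPECTED_ENTITY_ID, "https://sso.example.invalid/acs")
    print("good:", check_sp_metadata(good))
    print("bad: ", check_sp_metadata(bad))
```

To check a real download, pass the file's bytes to `check_sp_metadata` and upload the file only if the returned list is empty.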

Step 2: Configure SAML assertion attributes in the enterprise IdP

Kingsoft Cloud requires the SAML assertion generated by the enterprise IdP to contain the information needed to confirm the identity of enterprise users. You must therefore configure SAML assertion attributes in the enterprise IdP so that enterprise users can assume an IAM role and use SSO with Kingsoft Cloud.

Step 3: Create an SAML IdP on Kingsoft Cloud

  1. Log in to the IAM console.
  2. In the left navigation pane, click SSO.
  3. On the SSO page, click Create IdP.
  4. In the Create IdP dialog box, set IdP Name and Remarks, click Upload, and then select the metadata file to be uploaded.

    • The metadata file is provided by the enterprise IdP.
    • The metadata file is generally in XML format and includes the IdP login address, the public key used for signature verification, and the assertion format.
  5. Click Submit.

Step 4: Grant permissions to the SAML IdP on Kingsoft Cloud

  1. Log in to the IAM console.
  2. In the left navigation pane, click Roles.
  3. On the Roles page, click Create Role.
  4. On the Create Role page, select IdP as the trusted entity.
  5. Set Role Name and Remarks.
  6. In the Set Carrier Information section, select an IdP.
  7. Click Next.

    After the role is created, choose Permissions > Grants or Policies in the left navigation pane to grant permissions or attach policies to the role.

The actual procedure for configuring the SAML SP and assertion varies depending on the specific IdP system. An example will be provided to describe how to configure SSO between Azure AD and Kingsoft Cloud, which helps you understand the end-to-end configuration procedures in an enterprise IdP and on Kingsoft Cloud.
