Configure Identity Provider
Identity Providers are mainly used to import users into the platform and to provide authenticated login, so that accounts from third-party systems can log in to the OneCloud platform. The platform currently supports identity providers for multiple authentication protocols: SQL, LDAP, CAS, SAML (SAML, Azure AD SAML 2.0), OIDC (OIDC, Github, Azure AD OAuth2), OAuth2 (Lark, Dingtalk, WeCom), etc.
Description
- If “Automatically create users” is not enabled on the identity provider, the identity provider only provides authentication. In that case you need to associate local users with their third-party accounts under “User Information - Third-party Account Association”.
The following is an example of how to configure the Azure AD SAML 2.0 identity provider. To configure other identity providers, please see Create Identity Provider.
Configure SAML 2.0 on Azure
Only accounts in the Azure Global zone are supported.
- Log in to Azure.
- Create an application under “Azure Active Directory - Enterprise Applications - All Applications”.
- Click the “Create your own application” button to create a SAML app. Select “Integrate any other application you don’t find in the gallery”, configure the name and create the application.
- After the application has been created, go to the application details and select SAML on the single sign-on page.
- Configure the Identifier (Entity ID) and Reply URL on the “Set up Single Sign-On with SAML” page. The platform’s Identifier (Entity ID) and Reply URL can be viewed on the OneCloud “Identity Provider” page.
- The TenantID (tenant ID) is available on the “Azure Active Directory - Overview” page.
Create Azure AD SAML 2.0 Identity Provider
- Click the OneCloud platform in the top left corner navigation menu, then click the “IAM & Security/IAM/Identity Provider” menu item in the left menu bar that pops up to enter the “Identity Provider” page.
- Click the “Create” button at the top of the list to enter the “Identity Provider” page.
- Configure the following parameters.
  - Name: The name of the identity provider.
  - Authentication protocol: Select “SAML”.
  - Authentication type: Select “Azure AD SAML2.0”.
  - TenantId: Refer to Configure SAML 2.0 on Azure to get the TenantId.
  - Automatically create users: When enabled, users who log in to the platform through this authentication method are automatically created in the platform.
  - User attribution target Domain: Can be set only after Automatically create users is enabled. This is the domain in which users who log in to the platform through this authentication method are created.
  Advanced configuration: Hidden by default; configure according to requirements.
  - Default project: The default project that users who log in through the SAML identity provider and are automatically created in the platform join.
  - Default Role: The default role assigned to users who log in through the SAML identity provider and are automatically created in the platform.
- Click the “OK” button to complete the operation.
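The Azure-side values (Identifier, Reply URL, TenantId) and the platform-side identity provider settings above are bound together in every SAML Response the platform receives: Azure issues assertions as `https://sts.windows.net/<TenantId>/`, puts the Identifier (Entity ID) in the assertion's Audience, and puts the Reply URL in the response's Destination and the SubjectConfirmationData Recipient. The following is an added example, not code from OneCloud or from this documentation. It uses constructed placeholder values for the tenant ID, Entity ID and Reply URL and a constructed sample response, and shows which response fields each configured value must match; a mismatch in any of them is the usual reason a freshly configured SAML login is rejected.

```python
"""Added example (not OneCloud code): check a SAML Response against the values
configured in the steps above.

Covers only the binding of configured values and the validity window; XML
signature verification is left to the platform's SAML library.
"""
from datetime import datetime
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders; the real values are shown on the platform's Identity Provider page.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
PLATFORM_ENTITY_ID = "https://cloud.example.com/saml/metadata"
PLATFORM_REPLY_URL = "https://cloud.example.com/saml/acs"


def expected_issuer(tenant_id):
    """Azure AD's IdP entity ID for a tenant."""
    return f"https://sts.windows.net/{tenant_id}/"


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, tenant_id, entity_id, reply_url, now):
    """Return a list of problems (empty when the response matches the configuration).
    Each problem starts with the field name followed by a colon."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["Root: element is not samlp:Response"]

    # Destination must be the Reply URL configured on the Azure application.
    if root.get("Destination") != reply_url:
        problems.append(f"Destination: {root.get('Destination')!r} does not match Reply URL {reply_url!r}")

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("Status: response status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Assertion: no saml:Assertion present")
        return problems

    # Issuer must be the IdP entity ID derived from the TenantId.
    issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer(tenant_id):
        problems.append(f"Issuer: {issuer!r} is not the IdP for tenant {tenant_id}")

    # Audience must be the Identifier (Entity ID) configured on the Azure application.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience: {audience!r} does not match Identifier (Entity ID) {entity_id!r}")

    # The bearer confirmation is addressed to the Reply URL as well.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != reply_url:
        problems.append("Recipient: SubjectConfirmationData/Recipient does not match Reply URL")

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    conditions = assertion.find("saml:Conditions", NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_before and now < parse_saml_time(not_before):
        problems.append(f"NotBefore: assertion not yet valid (starts {not_before})")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        problems.append(f"NotOnOrAfter: assertion expired at {not_on_or_after}")
    return problems


# Constructed sample response shaped like an Azure AD SAML 2.0 Response (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-response" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
    Destination="{PLATFORM_REPLY_URL}">
  <saml:Issuer>{expected_issuer(TENANT_ID)}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>{expected_issuer(TENANT_ID)}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z"
            Recipient="{PLATFORM_REPLY_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{PLATFORM_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_sample(now="2024-05-01T10:00:00Z", tenant_id=TENANT_ID,
                 entity_id=PLATFORM_ENTITY_ID, reply_url=PLATFORM_REPLY_URL):
    """Run the check on the constructed response and return the names of the failing fields."""
    problems = validate_response(SAMPLE_RESPONSE, tenant_id, entity_id, reply_url, parse_saml_time(now))
    return [p.split(":", 1)[0] for p in problems]


if __name__ == "__main__":
    print("matching config:", check_sample() or "OK")
    print("wrong TenantId: ", check_sample(tenant_id="11111111-1111-1111-1111-111111111111"))
    print("expired:        ", check_sample(now="2024-05-01T12:00:00Z"))
```

Running the script with a mismatched TenantId reports only the Issuer; with a Reply URL that differs from the one configured on Azure, both Destination and Recipient fail, which is exactly the pair to compare against the “Identity Provider” page when single sign-on does not complete.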
User Login
- After configuring the identity provider, you can sign in to the platform with Azure AD SAML 2.0.
- On the general login page, set the login domain manually as shown in the figure below.
- On the domain-specific login form, the icon of the configured identity provider is shown at the bottom of the form. Click the login icon to initiate Single Sign-On with Azure Active Directory.