Identity as a Service: HUAWEI CLOUD IAM Identity Center and Alibaba Cloud IDaaS single sign-on

Last Updated: Dec 05, 2025

This document describes how to configure single sign-on (SSO) between Alibaba Cloud IDaaS and HUAWEI CLOUD IAM Identity Center. This configuration allows users to access HUAWEI CLOUD IAM Identity Center services using Alibaba Cloud IDaaS for identity authentication. It also automates the synchronization of accounts from IDaaS to HUAWEI CLOUD IAM Identity Center.

Prerequisites

  • You have administrator permissions for an Alibaba Cloud IDaaS instance.

  • You have administrator permissions for HUAWEI CLOUD IAM Identity Center.

  • You have enabled the HUAWEI CLOUD IAM Identity Center service.

SSO configuration steps

1. Configure in IDaaS

  1. Log on to the IDaaS console. In the navigation pane on the left, click EIAM. Find the target IDaaS instance and click Manage in the Actions column.

  2. Click Application Management > Applications > Add Application. Search for HUAWEI CLOUD-IAM Identity Center and click Add Application.

  3. Confirm the application name, and then click Add.

  4. On the Sign-In > SSO tab, configure the HUAWEI CLOUD IAM Identity Center application.

    1. SSO: Enable single sign-on.

    2. IAM Identity Center ACS URL: Enter the Assertion Consumer Service (ACS) URL obtained from HUAWEI CLOUD IAM Identity Center.

    3. IAM Identity Center Entity ID: Enter the Entity ID obtained from HUAWEI CLOUD IAM Identity Center. This is the publisher URL for IAM Identity Center.

    4. Application User: Select an application account.

    5. Authorize: Select Manually or All Users as needed.

  5. In the Application Settings section, download the IdP Metadata file. This file is required for configuring the identity provider in HUAWEI CLOUD IAM Identity Center.

  6. Under Application User, add the user accounts that require access.

    Important

    Ensure that the username in the IDaaS application matches the username in HUAWEI CLOUD IAM Identity Center.

2. Configure in IAM Identity Center

  1. Log on to the HUAWEI CLOUD IAM Identity Center. In the navigation pane on the left, click Settings.

  2. On the Identity Source tab, click Change To External Identity Provider to open the Change Identity Source page.

  3. Obtain the service provider (SP) information: the IAM Identity Center Assertion Consumer Service (ACS) URL and the IAM Identity Center Publisher URL (Entity ID). Enter this information into the HUAWEI CLOUD IAM Identity Center application in IDaaS.

  4. In the Identity Provider (IdP) Information section, upload the IdP Metadata file that you downloaded from IDaaS, and then click Next.

  5. Confirm the identity source information. Type CONFIRM and click OK in the lower-right corner.

  6. Create and authorize a user.

    1. In the navigation pane on the left, choose User Management, and then click the Create User button in the upper-right corner. Enter the user information and assign the user to a user group.

    2. In the navigation pane on the left, click Multi-account Permissions > Account Permission Management to grant permissions to the user.

      1. Click the target account name to open its basic information page, and then click Assign Users/Groups.

      2. Select the checkbox next to the account that requires SSO, and then click Next.

      3. Select the checkbox next to the permission set, and then click Next.

      4. Confirm the user permission set and click OK. The permission is configured successfully.

3. Verify SSO

After the SSO configuration is complete, you can initiate an SSO logon from the IDaaS user portal.

  1. Log on to the IDaaS user portal.

  2. Click the HUAWEI CLOUD IAM Identity Center application.

  3. The system automatically redirects you to the HUAWEI CLOUD IAM Identity Center without requiring you to authenticate again.

SCIM synchronization configuration steps

1. Configure in IAM Identity Center

  1. On the Settings > Identity Source page, click the Automatic SCIM button.

  2. The system automatically generates a SCIM Endpoint and an Access Token.

    Important

    The Access Token is displayed only once. Copy and save it in a secure location. It is required for the Bearer Token field during the IDaaS configuration.

2. Configure in IDaaS

  1. In the HUAWEI CLOUD IAM Identity Center application, switch to the Provisioning tab. Enable Provision IDaaS Accounts to Application and set the Scope.

    Note

    Ensure that every account within the synchronization scope has an associated email address.

  2. In the Basic Configuration, enter the SCIM Endpoint and Bearer Token that you obtained from the IAM Identity Center.

  3. Operation Calls. You can subscribe to specific change events to receive instant push notifications. When a user within the IDaaS synchronization scope is modified, the system automatically triggers a synchronization to update the application in real time.

    Note

    The application's System for Cross-domain Identity Management (SCIM) protocol interface is not fully compliant with the standard. Because the group details interface cannot return member information, removing a user from a group cannot be synchronized automatically.

  4. Field Mapping. This section displays the field mapping relationships for the SCIM synchronization process. You can edit these mappings as needed.

  5. Mapping Identifiers. Mapping identifiers are the list of fields available for SCIM filter queries. They typically correspond to standard protocol and business fields and usually do not require modification.

  6. Test Connection. After you save the configuration, you can use the Test Connectivity feature to verify that the configuration is correct.

  7. One-Click Push. Administrators can use the Push Now feature to push all accounts within the synchronization scope to HUAWEI CLOUD IAM Identity Center.

3. Verify synchronization

  1. Verification in IDaaS.

    After you click One-Click Push, accounts within the synchronization scope are synchronized to HUAWEI CLOUD IAM Identity Center. If the push is successful, the system reports that the task succeeded. You can view the logs on the Log > Provisioning > Tasks page.

  2. Verification in HUAWEI CLOUD IAM Identity Center.

    In the navigation pane on the left of the IAM Identity Center, go to User Management to view the accounts that were synchronized from IDaaS. The Creation Method column shows Automatic for these accounts.
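A reconciliation check for the three conditions this page calls out (matching usernames, an email address on every account in scope, and group removals that are not synchronized), as an added example that is not part of the original document. It assumes you have exported accounts and group memberships from both consoles into the constructed record shapes shown; the shapes and the function name `reconcile` are hypothetical.

```python
# Constructed sample exports; the record shapes are assumptions for this example.
IDAAS_ACCOUNTS = [
    {"username": "alice", "email": "alice@example.invalid"},
    {"username": "bob", "email": ""},
    {"username": "carol", "email": "carol@example.invalid"},
]
IDAAS_GROUPS = {"cloud-admins": {"alice"}, "auditors": {"carol"}}
CENTER_USERS = {"alice", "Carol"}
CENTER_GROUPS = {"cloud-admins": {"alice", "carol"}, "auditors": {"Carol"}}


def reconcile(accounts, src_groups, dst_users, dst_groups):
    """Compare IDaaS (source) exports with IAM Identity Center (target) exports."""
    findings = {"missing_email": [], "username_mismatch": [],
                "not_in_target": [], "stale_membership": []}
    dst_by_fold = {u.casefold(): u for u in dst_users}
    for acct in accounts:
        name = acct["username"]
        # Every account in the synchronization scope needs an email address.
        if not (acct.get("email") or "").strip():
            findings["missing_email"].append(name)
        match = dst_by_fold.get(name.casefold())
        if match is None:
            findings["not_in_target"].append(name)
        elif match != name:
            # Same name apart from letter case: usernames should match exactly.
            findings["username_mismatch"].append((name, match))
    # Group removals are not pushed, so a member present only on the target
    # side still holds whatever permissions that group grants.
    for group, dst_members in dst_groups.items():
        src_members = {m.casefold() for m in src_groups.get(group, set())}
        for member in sorted(dst_members):
            if member.casefold() not in src_members:
                findings["stale_membership"].append((group, member))
    return findings


if __name__ == "__main__":
    report = reconcile(IDAAS_ACCOUNTS, IDAAS_GROUPS, CENTER_USERS, CENTER_GROUPS)
    for kind, items in report.items():
        print(kind, items)
```

Entries under `stale_membership` are the ones to remove by hand in IAM Identity Center, since the synchronization will not do it.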