
Identity as a Service: Integrate Tencent Cloud Organization with Alibaba Cloud IDaaS for SSO and account synchronization

Last Updated: Dec 05, 2025

This topic describes how to integrate Tencent Cloud Organization with Alibaba Cloud IDaaS for single sign-on (SSO) and to automate account synchronization from IDaaS to the Tencent Cloud Organization platform.

Prerequisites

  • You have administrator permissions for an Alibaba Cloud IDaaS instance.

  • You have administrator permissions for Tencent Cloud Organization.

  • The Tencent Cloud Organization service is enabled.

SSO configuration steps

Step 1: Configure IDaaS

  1. Log on to the IDaaS console. In the navigation pane on the left, choose EIAM. Find your IDaaS instance and click Manage in the Actions column.

  2. Click Application Management > Applications > Add Application. Search for Tencent Cloud-Group Account Management and click Add Application. Confirm the application name and click Add.

  3. On the Sign-In > SSO tab, configure Tencent Cloud-Group Account Management.

    1. SSO: Enable SSO.

    2. Group Account ACS URL: Enter the ACS URL provided by Tencent Cloud Organization.

    3. Group Account Entity ID: Enter the Entity ID provided by Tencent Cloud Organization.

    4. Application User: Select an application account.

    5. Authorize: Select Manually or All Users as needed.

  4. In the Application Settings section, download the IdP Metadata file. This file is required to configure the identity provider in Tencent Cloud Organization.

  5. In the Application User section, add user access information.

    Important

    Make sure the username in the IDaaS application matches the username in Tencent Cloud Identity Center.

Step 2: Configure Tencent Cloud Organization

  1. Log on to the Tencent Cloud Organization console. In the Identity Center Management menu bar, click User Management > Settings.

  2. In the SSO Logon section, click the switch to enable SSO.

  3. Obtain the service provider (SP) information: the ACS URL and Entity ID. Enter this information in the Tencent Cloud application in IDaaS.

  4. Click Configure Identity Provider Information and upload the IdP Metadata file that you downloaded from IDaaS.

  5. Configure CAM user logon.

    1. In the Identity Center Management > Users menu bar, click Create User. Create a username that is identical to the one used for SSO in the IDaaS Tencent Cloud application.

    2. Return to the user list page and click the username.

    3. Go to the user details page and select the CAM User Synchronization tab. Click Configure CAM User Synchronization.

      1. On the Multi-account Authorization Management page, in the Root section, select the main account name. Click Configure CAM Synchronization.

      2. On the Configure CAM User Synchronization page, select the users or user groups that require SSO, and then click Next in the lower-left corner.

      3. Set the basic information as needed. If no specific settings are required, you can skip this step and click Next.

      4. Confirm that the configuration is correct, and then click the Submit button in the lower-left corner.

Step 3: Verify SSO

After you configure SSO, you can initiate an SSO logon from either IDaaS or Tencent Cloud.

  1. Initiate logon from Alibaba Cloud IDaaS.

    1. Log on to the IDaaS user portal.

    2. Click the Tencent Cloud-Group Account Management application.

    3. The system automatically redirects you to Tencent Cloud-Group Account Management without requiring you to log on again.

  2. Initiate logon from Tencent Cloud.

    1. In the Identity Center Management > Identity Center Overview menu, find the User Logon URL and navigate to it.

    2. On the Identity Center logon page, click the Log On button.

    3. You are redirected to the IDaaS portal logon page. Enter your username and password to log on.

    4. After a successful logon, you are taken to the Identity Center account list page.

System for Cross-domain Identity Management (SCIM) synchronization configuration steps

Step 1: Configure Tencent Cloud Organization

  1. In the Identity Center Management > Settings menu bar, enable SCIM User Synchronization Configuration.

  2. Click Generate New SCIM Key. Select a validity period for the key as needed, and then click the OK button.

    Important

    This key is displayed only once. Click Download The CSV File or Copy to save the key securely. This key is required for the Bearer Token key configuration in IDaaS.

Step 2: Configure IDaaS

  1. In the Tencent Cloud Organization application in IDaaS, switch to the Account Synchronization tab. Enable Sync From IDaaS To Application and set the Synchronization Scope.

  2. Enter the key information. On the Basic Configuration tab, in the Bearer Token Key Mode field, enter the SCIM key obtained in Step 1.

    Note

    Enter only the CredentialSecret key.

  3. Operation Calls. You can subscribe to specific change events to receive real-time push notifications. When a user in the IDaaS synchronization scope is modified, the system automatically triggers a sync to update the application in real time.

  4. Field Mapping. This section displays the field mapping for the SCIM synchronization process. You can edit the mapping as needed.

  5. Mapping Identifiers. Mapping identifiers are a list of fields available for SCIM filter queries. They generally correspond to protocol standards and business fields and do not typically require modification.

  6. Test Connection. After you save the configuration, use the Test Connection feature to verify the connection.

  7. One-Click Push. Administrators can use the One-Click Push feature to push all accounts within the synchronization scope to Tencent Cloud Organization at once.
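To show what the Bearer Token key and the mapping identifiers used in filter queries amount to on the wire, the following added example (not IDaaS or Tencent Cloud code) builds the two requests a SCIM client typically sends. It assumes the endpoint follows standard SCIM 2.0 (RFC 7643/7644); the base URL, the `SCIM_KEY` environment variable and the function names are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def _headers(token):
    if not token or token != token.strip():
        raise ValueError("SCIM key is empty or has stray whitespace")
    return {"Authorization": f"Bearer {token}",
            "Accept": "application/scim+json",
            "Content-Type": "application/scim+json"}


def _check_base(base_url):
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("SCIM endpoint must be HTTPS: the key travels in a header")
    return base_url.rstrip("/")


def lookup_request(base_url, token, user_name):
    """GET /Users?filter=userName eq "<name>" (RFC 7644 section 3.4.2.2)."""
    # json.dumps quotes and escapes the value, so a name containing '"' or '\'
    # cannot break out of the filter string.
    query = urllib.parse.urlencode({"filter": f"userName eq {json.dumps(user_name)}"})
    return urllib.request.Request(f"{_check_base(base_url)}/Users?{query}",
                                  headers=_headers(token), method="GET")


def create_request(base_url, token, user_name, display_name):
    """POST /Users with a minimal core User resource (RFC 7643 section 4.1)."""
    body = {"schemas": [SCIM_USER_SCHEMA], "userName": user_name,
            "displayName": display_name, "active": True}
    return urllib.request.Request(f"{_check_base(base_url)}/Users",
                                  data=json.dumps(body).encode("utf-8"),
                                  headers=_headers(token), method="POST")


if __name__ == "__main__":
    # Placeholder endpoint; the key comes from the environment, never the source.
    req = lookup_request("https://scim.example.invalid/scim/v2",
                         os.environ.get("SCIM_KEY", "constructed-key"), "alice")
    print(req.get_method(), req.full_url)
```

The requests are built but not sent. The whitespace check catches a key pasted from the CSV with a trailing newline, which would otherwise surface only as an authentication failure.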

Step 3: Verify synchronization

  1. Verify in IDaaS.

    After you click One-Click Push, the accounts in the synchronization scope are synced to Tencent Cloud Organization. If the push is successful, the system displays a success message. You can view the logs in Logs > Synchronization Logs > Task Execution.

  2. Verify in Tencent Cloud.

    In the navigation pane on the left of the Tencent Cloud Organization console, choose Identity Center Management > Users. You can view the accounts that are synchronized from IDaaS. The Source column for these accounts displays External Import.