
          Configure the IAM Role Federation

          By configuring the SAML settings of the enterprise IdP together with "External Account Access > IAM Role SSO" in Baidu AI Cloud, users can single sign-on (SSO) from an enterprise application to Baidu AI Cloud with a Baidu AI Cloud role identity.

          Prerequisite

          1. The enterprise IdP supports the SAML 2.0 protocol;
          2. You have a Baidu AI Cloud account and it has been activated.

          Configuration Process

          To configure SAML-based single sign-on, both the IdP and the SP must be configured. The IdP configuration includes the basic configuration, the user attribute configuration and the download of metadata; the SP configuration includes creating the identity provider and configuring the role carrier (which is used to generate the final trust policy). This document uses Microsoft's Azure Active Directory (AAD) as the IdP and describes how to configure the SAML IdP and the Baidu AI Cloud SP.

          Configuration of IdP

          1. Register an Azure account by following the standard process;
          2. Log in to the Azure portal and open All Services > Azure Active Directory from the navigation bar on the left;
          3. Click Enterprise Application > New Application, select Non-gallery Application, fill in the application name, and click "Add" to complete the creation of the application;

          Note: Non-gallery applications require AAD Premium. You can enable a free trial and decide whether to cancel the trial after the configuration is complete.

          4. Open the application and select Single Sign-on > SAML;

          5. Click "Edit" in the upper right corner of Basic SAML Configuration, and set the Identifier (Entity ID) to urn:bce:baidu:webservices and the Reply URL (Assertion Consumer Service URL) to https://login.bce.baidu.com/saml

          6. Click "Edit" in the upper right corner of User Attributes & Claims, and add the following user attribute claims:

          Name: https://bce.baidu.com/SAML/Attributes/Role
          Source: Attribute
          Source attribute: accountId:role/roleName, accountId:saml-provider/providerName
          Description: Replace accountId with the actual account ID in Baidu AI Cloud (obtained from the Baidu AI Cloud User Center); replace roleName with the role name used for federated login (configured in SP Role Management), such as "BCCAdmin"; replace providerName with the IdP name, such as azure.

          Name: https://bce.baidu.com/SAML/Attributes/RoleSessionName
          Source: Attribute
          Source attribute: RoleSessionName
          Description: Replace RoleSessionName with the username you want to display in Baidu AI Cloud, such as User01.

          The two claims above are required; you can add further user attribute claims as needed. See "Description for SAML Assertion Configuration of Local Identity Service" below.

          7. Under SAML Signing Certificate, download the IdP SAML metadata. The IdP configuration is now complete.

          Configuration of SP

          Create a new SP identity provider

          1. Log in to Baidu AI Cloud, move the mouse to the top right corner, and open Identity and Access Management > External Account Access > IAM Role Federation;
          2. Click Add Identity Provider, fill in the name and description, import the SAML metadata downloaded in Step 7 of "Configuration of IdP" above, and click Confirm to save.

          Note: The identity provider name here must match the providerName user attribute configured in the IdP, e.g., azure in this example.


          Configure and authorize the IAM role

          Click Role Management in the navigation bar on the left and configure the role that an external identity may assume when it single signs on to Baidu AI Cloud. The example below uses an administrator of the BCC virtual machine service.

          1. Click Create a New Role, fill in a role name such as "BCCAdmin" and a description such as "BCC Administrator";
          2. In Role Carrier, select External Account as the carrier type, and select the "azure" identity provider added in the previous step as the carrier instance;
          3. You can also set a restriction condition for switching from the IdP to Baidu AI Cloud. The attribute fields supported by Baidu AI Cloud are saml:iss, saml:aud, saml:cn, saml:eduPersonAffiliation and saml:eduPersonPrincipalName. Adding a restriction condition to the role refines the permission control further: only when the condition matches can the identity SSO to Baidu AI Cloud as the BCCAdmin role;
          4. In Policy Management, grant "BCCFullControlAccessPolicy" to the current role and click to complete;
          5. If you need different roles for the current IdP, repeat the steps above. When you SSO to Baidu AI Cloud with an identity from the IdP, the role is selected by the roleName in the https://bce.baidu.com/SAML/Attributes/Role attribute field.

          At this point, you have completed the configuration of the Baidu AI Cloud SAML SP. Next, go back to Azure AD to test the SSO.

          Description for SAML Assertion Configuration of Local Identity Service

          Basic configuration

          • The Recipient field in SubjectConfirmationData must be set to https://login.bce.baidu.com/saml
          • The Audience field in AudienceRestriction must be set to urn:bce:baidu:webservices
          • The attributes must include an assertion attribute named https://bce.baidu.com/SAML/Attributes/Role in the format "accountId:role/roleName, accountId:saml-provider/providerName", where accountId is replaced with the actual account ID of the target account; roleName is the role you expect to assume when you SSO to Baidu AI Cloud; providerName is the name of the identity provider configured in IAM Role Federation;
          • The attributes must include an assertion attribute named https://bce.baidu.com/SAML/Attributes/RoleSessionName; the RoleSessionName is a string and is displayed in Baidu AI Cloud.

          Attribute of SAML Assertion

          The SAML assertion attributes and the attributes in the IdP trust policy correspond one to one. The attributes currently supported by Baidu AI Cloud are saml:iss, saml:aud, saml:cn, saml:eduPersonAffiliation and saml:eduPersonPrincipalName, and their corresponding SAML attributes are:

          Name                          Attribute meaning
          saml:iss                      Issuer field of the SAML assertion (not required)
          saml:aud                      Audience field in the AudienceRestriction of the SAML assertion
          saml:cn                       urn:oid:2.5.4.3 attribute in the SAML assertion
          saml:eduPersonAffiliation     urn:oid:1.3.6.1.4.1.5923.1.1.1.1 attribute in the SAML assertion
          saml:eduPersonPrincipalName   urn:oid:1.3.6.1.4.1.5923.1.1.1.6 attribute in the SAML assertion

          Verify the Single Sign-on

          Prerequisite

          The SAML configuration of both the IdP and the SP has been completed.

          Operation guide

          1. Log in to the Azure portal and navigate to All Services > Azure Active Directory > Enterprise Application > testApp;
          2. Click Users and Groups > New User, and add the users who need single sign-on to the application;

          3. Click Single Sign-on, click Validate, then select Login as the Current User; the test redirects to the Baidu AI Cloud page;

          4. If you need to embed the login link in the enterprise application, you can obtain it directly from the following location:

          Note:

          During development, when the browser is redirected to https://login.bce.baidu.com/saml it must carry the SAMLResponse, which contains the identity assertion of the specific user.

          <RequestedAttribute isRequired="true" Name="https://bce.baidu.com/SAML/Attributes/Role" FriendlyName="RoleEntitlement"/>
          <RequestedAttribute isRequired="true" Name="https://bce.baidu.com/SAML/Attributes/RoleSessionName" FriendlyName="RoleSessionName"/>

          These two attributes are required:

          1. The attribute https://bce.baidu.com/SAML/Attributes/Role represents the account the user is currently accessing, the role, and the IdP name, in the format "accountId:role/roleName, accountId:saml-provider/providerName", where accountId is the actual account ID in Baidu AI Cloud; roleName is the BCCAdmin role configured above, meaning the user who logs in via SAML has administrator permissions; providerName is the name of the external identity provider configured;
          2. The attribute https://bce.baidu.com/SAML/Attributes/RoleSessionName is the username displayed for the user in the Baidu AI Cloud console, and this name is recorded in operation logs.
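          As an added example (not Baidu AI Cloud's own code or documentation), the following Python script checks a SAML assertion against the Basic configuration rules and the two required attributes described above: the Recipient, the Audience, the "accountId:role/roleName, accountId:saml-provider/providerName" format of the Role attribute, and the presence of RoleSessionName. The assertion and the account ID 123456789012 are constructed sample values.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_RECIPIENT = "https://login.bce.baidu.com/saml"
EXPECTED_AUDIENCE = "urn:bce:baidu:webservices"
ROLE_ATTR = "https://bce.baidu.com/SAML/Attributes/Role"
SESSION_ATTR = "https://bce.baidu.com/SAML/Attributes/RoleSessionName"

def parse_role_attribute(value):
    """Split 'accountId:role/roleName, accountId:saml-provider/providerName'."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or ":role/" not in parts[0] or ":saml-provider/" not in parts[1]:
        raise ValueError("Role attribute must be 'accountId:role/roleName, accountId:saml-provider/providerName'")
    account_id, role_name = parts[0].split(":role/", 1)
    account_id2, provider_name = parts[1].split(":saml-provider/", 1)
    if account_id != account_id2:
        raise ValueError("accountId differs between the role and saml-provider parts")
    if not (account_id and role_name and provider_name):
        raise ValueError("accountId, roleName and providerName must all be non-empty")
    return {"accountId": account_id, "roleName": role_name, "providerName": provider_name}

def attribute_values(assertion, name):
    xpath = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in assertion.findall(xpath, NS)]

def check_assertion(xml_text):
    """Apply the Basic configuration rules above; return the role mapping if they all hold."""
    assertion = ET.fromstring(xml_text)
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_RECIPIENT:
        raise ValueError("Recipient must be " + EXPECTED_RECIPIENT)
    aud = assertion.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != EXPECTED_AUDIENCE:
        raise ValueError("Audience must be " + EXPECTED_AUDIENCE)
    roles = attribute_values(assertion, ROLE_ATTR)
    sessions = attribute_values(assertion, SESSION_ATTR)
    if len(roles) != 1 or len(sessions) != 1 or not sessions[0]:
        raise ValueError("exactly one Role and one non-empty RoleSessionName attribute are required")
    info = parse_role_attribute(roles[0])
    info["roleSessionName"] = sessions[0]  # shown in the console and written to operation logs
    return info

# Constructed sample assertion; the account ID 123456789012 is a placeholder, not a real account.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://login.bce.baidu.com/saml"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:bce:baidu:webservices</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="https://bce.baidu.com/SAML/Attributes/Role"><saml:AttributeValue>123456789012:role/BCCAdmin, 123456789012:saml-provider/azure</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="https://bce.baidu.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>User01</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

          The script checks only the condition and attribute rules listed on this page; the XML signature of the SAMLResponse still has to be verified separately before any of these values are trusted.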