IAM User Federation
Configure the Federated Login of IAM User
By configuring the SAML node of the enterprise IdP and External Account Access > IAM User Federation on the Baidu AI Cloud SP side, enterprise users can single sign-on from the enterprise application to an IAM user of Baidu AI Cloud.
Prerequisite
- The enterprise IdP supports the SAML 2.0 protocol;
- You have a Baidu AI Cloud account and have activated it.
Configuration process
To configure SAML-based single sign-on, both the IdP and the SP must be configured. The IdP configuration includes basic configuration, user attribute configuration and the download of metadata; the SP configuration includes creating the identity provider and configuring the trust policy. This document uses Microsoft's Azure Active Directory (AAD) as the IdP and describes how to configure the SAML IdP and the Baidu AI Cloud SP.
Configuration of IdP
1. Register an Azure account following the standard process;
2. Log in to the Azure portal and go to All Services > Azure Active Directory from the navigation bar on the left;
3. Click Enterprise Application > New Application, select Non-gallery Application, fill in the application name, and click Add to complete the creation of the application;
Note: Non-gallery applications require AAD Premium. You can enable a free trial and decide whether to cancel the trial after the configuration is complete.
4. Open the application and select Single Sign-on > SAML;
5. Click Edit in the upper-right corner of Basic SAML Configuration, and set Identifier (Entity ID) to urn:bce:baidu:webservices and Reply URL (Assertion Consumer Service URL) to https://login.bce.baidu.com/saml;
6. Click Edit in the upper-right corner of User Attributes & Claims and add the following user attribute field:
Name | Source | Source attribute | Description |
---|---|---|---|
https://bce.baidu.com/SAML/Attributes/Subuser | Attribute | accountId:subuser-name/{subuser_name}, accountId:saml-provider/{providerName} | Replace accountId with the actual account ID in Baidu AI Cloud (obtained from the User Center of Baidu AI Cloud); replace subuser_name with the IAM user name; replace providerName with the IdP name (any valid string is sufficient, for example azure) |
The above field is required; additional user attribute fields can be added as needed. See the section Description for SAML Assertion Configuration of Local Identity Service below.
7. Under SAML Signing Certificate, download the IdP SAML metadata. The IdP configuration is now complete.
Configuration of SP
Configure the SP identity provider
1. Log in to Baidu AI Cloud, move the mouse to the top-right corner, and go to Identity and Access Management > External Account Access > IAM User Federation;
2. In the user federation settings, upload the SAML metadata downloaded in Step 7 of the IdP configuration, and set the feature status switch to On.
Description for SAML Assertion Configuration of Local Identity Service
Basic configuration
- The Recipient field in SubjectConfirmationData must be https://login.bce.baidu.com/saml
- The Audience field in AudienceRestriction must be urn:bce:baidu:webservices
- The attributes must include an assertion attribute named https://bce.baidu.com/SAML/Attributes/Subuser, with the format "accountId:subuser-name/{subuser_name}, accountId:saml-provider/{providerName}", where accountId is replaced with the actual account ID in Baidu AI Cloud (obtained from the User Center of Baidu AI Cloud), subuser_name is replaced with the IAM user name, and providerName is replaced with the IdP name (any valid string is sufficient, for example azure).
Attribute of SAML Assertion
The names of SAML assertion attributes and the attributes of the IdP trust policy correspond one to one. Currently, the attributes supported by Baidu AI Cloud are saml:iss, saml:aud, saml:cn, saml:eduPersonAffiliation and saml:eduPersonPrincipalName; their corresponding SAML attributes are:
Name | Attribute meaning |
---|---|
saml:iss | Issuer field of SAML assertion, not required |
saml:aud | Audience field in AudienceRestriction of SAML assertion |
saml:cn | urn:oid:2.5.4.3 attribute in SAML assertion |
saml:eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 attribute in SAML assertion |
saml:eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 attribute in SAML assertion |
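The following added example (not Baidu AI Cloud's own code) checks a constructed, unsigned sample assertion against the Recipient, Audience and Subuser-attribute rules given above, and extracts the saml:iss and saml:aud values that the trust policy table maps. The issuer URL, account ID, user name and provider name in the sample are placeholders, and a real SP must verify the XML signature against the IdP metadata before trusting any of these fields.

```python
# Added example, not Baidu AI Cloud's code: check an assertion against the rules above.
# SAMPLE_ASSERTION is constructed and unsigned; verify the XML signature first in practice.
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RECIPIENT = "https://login.bce.baidu.com/saml"
AUDIENCE = "urn:bce:baidu:webservices"
SUBUSER_ATTR = "https://bce.baidu.com/SAML/Attributes/Subuser"
# Format: accountId:subuser-name/{subuser_name}, accountId:saml-provider/{providerName}
SUBUSER_RE = re.compile(r"^(\w+):subuser-name/([^,\s]+),\s*(\w+):saml-provider/(\S+)$")
# Constructed sample; the issuer tenant, accountId, user name and provider are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://login.bce.baidu.com/saml"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:bce:baidu:webservices</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://bce.baidu.com/SAML/Attributes/Subuser">
      <saml:AttributeValue>1234567890abcdef:subuser-name/alice, 1234567890abcdef:saml-provider/azure</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return the fields the SP evaluates plus a list of every rule the assertion breaks."""
    root = ET.fromstring(xml_text)
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    result = {"saml:iss": root.findtext("saml:Issuer", namespaces=NS),
              "saml:aud": root.findtext(".//saml:Audience", namespaces=NS),
              "recipient": conf.get("Recipient") if conf is not None else None,
              "problems": []}
    if result["recipient"] != RECIPIENT:
        result["problems"].append("SubjectConfirmationData/@Recipient must be " + RECIPIENT)
    if result["saml:aud"] != AUDIENCE:
        result["problems"].append("AudienceRestriction/Audience must be " + AUDIENCE)
    # Subuser attribute: present, well-formed, and the same accountId in both halves
    values = [a.findtext("saml:AttributeValue", namespaces=NS)
              for a in root.iterfind(".//saml:Attribute", NS) if a.get("Name") == SUBUSER_ATTR]
    match = SUBUSER_RE.match(values[0] or "") if values else None
    if match is None:
        result["problems"].append("Subuser attribute missing or malformed")
    elif match.group(1) != match.group(3):
        result["problems"].append("accountId differs between subuser-name and saml-provider")
    else:
        result["account_id"], result["subuser"], result["provider"] = match.group(1, 2, 4)
    return result
```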
Verify the single sign-on
Prerequisite
The SAML configuration of both the IdP and the SP has been completed.
Operation guide
1. Log in to the Azure portal and navigate to All Services > Azure Active Directory > Enterprise Application > testApp;
2. Click Users and Groups > New User, and add the users who need single sign-on to the application;
3. Click Single Sign-on, click Validate, and choose to log in as the current user; the test redirects to the Baidu AI Cloud page;
4. If you need to embed the login link into the enterprise application, you can obtain it directly from the following location:
Note: During development, when redirecting to https://login.bce.baidu.com/saml, carry the information in SAMLResponse; this information must indicate the specific identity assertion of the user.
<RequestedAttribute isRequired="true" Name="https://bce.baidu.com/SAML/Attributes/Subuser" FriendlyName="RoleEntitlement"/>
These two attributes are required. The attribute https://bce.baidu.com/SAML/Attributes/Subuser represents the account the user is currently accessing, the IAM user, and the name of the IdP, in the format "accountId:subuser-name/{subuser_name}, accountId:saml-provider/{providerName}", where accountId is the actual account ID in Baidu AI Cloud, subuser_name is the name of the IAM user after SSO succeeds, and providerName is the name field of the configured external identity provider.