          Identity and Access Management

          Federated Login Overview

          Overview

          The Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between different security domains, so that one login can be reused across systems (single sign-on, SSO). A SAML exchange involves two parties: the identity provider (IdP), which authenticates the user, and the service provider (SP), which consumes the assertion.

          Baidu AI Cloud supports SSO based on the SAML 2.0 protocol. An enterprise customer can use any account system that supports SAML as the IdP, with Baidu AI Cloud acting as the SP, to connect the enterprise's existing account system to the Baidu AI Cloud account system and achieve single sign-on (SSO).

          Operating Principle

          Baidu AI Cloud integrates with the enterprise account system (IdP) over the SAML 2.0 protocol to provide SSO. The main flow is shown in the figure:

          [Figure: SAML 2.0 SSO flow between the client, the enterprise IdP and Baidu AI Cloud (SP)]

          1. An enterprise employee or other user logs in to the enterprise IdP through a client (usually a browser);
          2. The enterprise IdP authenticates the user against the enterprise identity store (directory);
          3. The enterprise IdP returns the logged-in user's information to the client in the form of a SAML assertion;
          4. The client forwards the SAML assertion returned by the IdP to the Baidu AI Cloud (SP) login URL configured for SSO;
          5. The Baidu AI Cloud SSO endpoint validates the assertion against the SAML configuration, authenticates the user and obtains identity credentials from the Security Token Service (STS);
          6. Baidu AI Cloud returns the authentication result, the identity credentials and the callback address to the client;
          7. The client is redirected to the Baidu AI Cloud console home page, completing SSO.
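          Step 5 is where the service provider decides whether to trust what the browser forwarded. The following Python is an added example, not Baidu AI Cloud's code: it performs the checks an SP must run on a SAML 2.0 Response before minting credentials (Destination and InResponseTo binding, status, issuer, validity window with a small clock-skew allowance, audience restriction, bearer Recipient) and extracts the attributes that a role-federation mapping would key on. The IdP and SP URLs, the request ID, the attribute name `Role` and the sample response are all constructed for illustration. XML signature verification against the IdP's registered certificate must happen before any of these checks; it is assumed to be done by a dedicated XML-DSig library and is not implemented here.

```python
"""SP-side checks on a SAML 2.0 Response (the work behind step 5 above).
Added example, not Baidu AI Cloud code. Assumes the XML signature has already
been verified by an XML-DSig library. All URLs, IDs and values are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_saml_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, issuer, audience, acs_url, request_id, now,
                      skew=timedelta(minutes=2)):
    """Return (ok, reason, name_id, attributes); reason names the failed check."""
    root = ET.fromstring(xml_text)  # stdlib expat does not resolve external entities
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response", None, {}
    # Destination/InResponseTo bind the response to our ACS URL and to a request we issued
    if root.get("Destination") != acs_url:
        return False, "Destination is not our ACS URL", None, {}
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match a pending request", None, {}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success", None, {}
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion", None, {}
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        return False, "unexpected Issuer", None, {}
    conds = a.find("saml:Conditions", NS)
    if conds is None:
        return False, "missing Conditions", None, {}
    nb, noa = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if nb and now < parse_saml_time(nb) - skew:
        return False, "assertion not yet valid", None, {}
    if noa and now >= parse_saml_time(noa) + skew:
        return False, "assertion expired", None, {}
    audiences = [e.text for e in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "audience mismatch", None, {}
    # Bearer confirmation data, when present, must also point at our ACS URL
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, acs_url):
        return False, "Recipient is not our ACS URL", None, {}
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing NameID", None, {}
    # Attributes are what a role-federation mapping (IdP attribute -> IAM role) keys on
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", name_id, attrs


# Constructed sample: what an IdP would post back to the SP's ACS URL in step 4
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-01T10:00:00Z" Destination="https://sp.example.com/saml/acs"
    InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z"
            Recipient="https://sp.example.com/saml/acs" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Role"><saml:AttributeValue>ReadOnly</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def run_checks():
    """Run the constructed response through the validator under three conditions."""
    common = dict(issuer="https://idp.example.com/metadata", audience="https://sp.example.com",
                  acs_url="https://sp.example.com/saml/acs", request_id="_req1")
    at_login = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    an_hour_later = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)  # replay attempt
    return {
        "valid": validate_response(SAMPLE_RESPONSE, now=at_login, **common),
        "replayed_later": validate_response(SAMPLE_RESPONSE, now=an_hour_later, **common),
        "wrong_audience": validate_response(SAMPLE_RESPONSE, now=at_login,
                                            **{**common, "audience": "https://other.example.com"}),
    }


if __name__ == "__main__":
    for case, (ok, reason, who, attrs) in run_checks().items():
        print(f"{case:15} ok={ok} reason={reason} name_id={who} attrs={attrs}")
```

          Each rejection names the check that failed, which is what you want in SSO endpoint logs: an assertion replayed an hour later is refused as expired, and an assertion issued for a different SP is refused on audience before any credentials are requested from STS.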

          Federated Authentication Mode

          Currently, Baidu AI Cloud provides two federated authentication modes based on SAML 2.0: IAM User Federation and IAM Role Federation.

          • IAM User Federation: after authenticating with the external identity source, enterprise employees (customers) access cloud resources as an IAM user;
          • IAM Role Federation: after authenticating with the external identity source, enterprise employees (customers) access cloud resources under an IAM role identity.

          The differences between these two federated authentication modes are shown as follows:

          Difference | IAM User Federation | IAM Role Federation
          Identity used to access cloud resources | IAM user | IAM role
          Mapping relation | Usually one-to-one | Usually many-to-many: multiple employees in the enterprise can share one role
          Accessible service scope | Services available to the root account and IAM users | Only services that support STS; see Product Line Supported Currently for details
          Identity objects to create | An IAM user for each SSO employee | Only a limited number of IAM roles
          Console login | An IAM user can log in to the Baidu AI Cloud console independently | An IAM role cannot log in to the console on its own; it must be assumed by a trusted external identity

          Applicable Scenarios

          Different federated authentication modes are usually selected according to the actual business needs of the enterprise. This section describes how to select the federated login modes according to the needs of the enterprise.

          IAM User Federation

          • You want to synchronize users from the enterprise IdP to Baidu AI Cloud with a one-to-one correspondence, so that every access is attributable to an individual;
          • Some of the services you need to access do not support access through roles (that is, through STS credentials);
          • Your enterprise IdP does not support relatively complex attribute configuration.

          IAM Role Federation

          • You do not want to create an IAM user in Baidu AI Cloud for each employee, in order to reduce management costs;
          • You want to keep the administrative capabilities of IAM users while using federated login;
          • You want cloud permissions to be distinguished by an attribute in the enterprise IdP, so that a permission change only requires changing that attribute locally;
          • You have multiple Baidu AI Cloud accounts that share one enterprise IdP, and you want to configure the IdP once and federate into all of those accounts;
          • Your enterprise or your partners operate multiple IdPs that need access to the same Baidu AI Cloud account, so you need to configure multiple IdPs in Baidu AI Cloud for federated login;
          • In addition to the console, you also want to use the API for federated login.