Baidu AI Cloud


          Federated Account Authentication (SSO)

          Overview

          The Security Assertion Markup Language (SAML) is an XML-based protocol for exchanging authentication and authorization data between different security domains, which is what makes single sign-on (SSO) across systems possible. The protocol defines two principal parties: the identity provider (IdP), which authenticates the user and issues assertions, and the service provider (SP), which consumes them.

          Baidu AI Cloud supports SSO based on the SAML 2.0 protocol. An enterprise customer can use any account system that supports SAML as the IdP, with Baidu AI Cloud acting as the SP, to connect the enterprise's existing account system with its Baidu AI Cloud accounts and realize single sign-on (SSO).

          This document describes how customers of the Enterprise Organization product connect their existing enterprise directory to Baidu AI Cloud for SSO, that is, account-level federated authentication.

          The other single sign-on methods Baidu AI Cloud currently supports are:

          • IAM role federation: SSO to Baidu AI Cloud as an IAM role; see IAM Role Federation for details.
          • IAM user federation: SSO to Baidu AI Cloud as an IAM sub-user; see IAM User Federation for details.

          For the working principle of federated login based on SAML 2.0, please see Federated Login Overview.

          Configure Enterprise Organization Account-level Federated Login

          You configure the SAML settings on the enterprise-side IdP and, on the Baidu AI Cloud SP side, under Enterprise Organization > Settings, so that enterprise users can sign on from enterprise applications to Baidu AI Cloud enterprise organization sub-accounts with a single login.

          Prerequisite

          1. The enterprise IdP supports the SAML 2.0 protocol;
          2. You have a Baidu AI Cloud account and it is activated;
          3. The Baidu AI Cloud account has enabled the Enterprise Organization service and has administrator rights.

          Configuration Process

          To configure SAML-based single sign-on, both the IdP and the SP must be configured. The IdP configuration covers the basic settings, the user attribute mapping and the download of the IdP metadata; the SP configuration covers creating the identity provider entry and setting the trust policy. This document uses Microsoft's Azure Active Directory (AAD) as the IdP and shows how to configure the SAML IdP and the Baidu AI Cloud SP.

          Configuration of IdP

          1. Register an Azure account following the standard process;
          2. Log in to the Azure portal and open All Services > Azure Active Directory from the navigation bar on the left;
          3. Click Enterprise Application > New Application, select Non-library Application, fill in the application name and click "Add" to create the application;

            Note: Non-library applications require AAD pro. You can enable a free trial and decide after the configuration whether to cancel it.

          4. Open the application and select Single Sign-on > SAML;
          5. Click "Edit" in the upper right corner of the basic SAML configuration and set Identifier (Entity ID) to urn:bce:baidu:webservices and Reply URL (Assertion Consumer Service URL) to https://login.bce.baidu.com/saml;
          6. Click "Edit" in the upper right corner of the user attributes and claims section and add the following user attribute:

            Name:             https://bce.baidu.com/SAML/Attributes/Subaccount
            Source:           Attribute
            Source attribute: {masterAccountId}:subAccount/{subAccountId},{masterAccountId}:saml-provider/{provider}
            Description:      Replace {masterAccountId} with the accountId of the master account (found under Enterprise Organization > Account Management), {subAccountId} with the accountId of the sub-account, and {provider} with the IdP name (any valid string), for example azure.

          The attribute above is required; you can add further user attributes as needed. See "Description for SAML Assertion Configuration of Local Identity Service" below.

          7. Under SAML Signing Certificate, download the IdP SAML metadata. This completes the IdP configuration.

          Configuration of SP

          Configure the SP identity provider

          1. Log in to Baidu AI Cloud, move the mouse to the upper right corner and open Enterprise Organization > Settings;
          2. Under the account-level federated authentication settings, upload the SAML metadata downloaded in Step 7 of the IdP configuration and turn the function status switch on.

          Description for SAML Assertion Configuration of Local Identity Service

          Basic configuration

          • The Recipient field in SubjectConfirmationData must be https://login.bce.baidu.com/saml
          • The Audience field in AudienceRestriction must be urn:bce:baidu:webservices
          • The assertion must carry an attribute named https://bce.baidu.com/SAML/Attributes/Subaccount in the format "{masterAccountId}:subAccount/{subAccountId},{masterAccountId}:saml-provider/{provider}", where {masterAccountId} is replaced with the accountId of the master account (found under Enterprise Organization > Account Management), {subAccountId} with the accountId of the sub-account, and {provider} with the IdP name (a valid string), for example azure.

          Attribute of SAML Assertion

          The SAML assertion fields and the attributes of the IdP trust policy correspond one to one. The attributes currently supported by Baidu AI Cloud are saml:iss, saml:aud, saml:cn, saml:eduPersonAffiliation and saml:eduPersonPrincipalName; they map to the SAML assertion as follows:

          Name                        | Attribute meaning
          saml:iss                    | Issuer field of the SAML assertion (not required)
          saml:aud                    | Audience field in the AudienceRestriction of the SAML assertion
          saml:cn                     | urn:oid:2.5.4.3 attribute in the SAML assertion
          saml:eduPersonAffiliation   | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 attribute in the SAML assertion
          saml:eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 attribute in the SAML assertion

          Verify the Single Sign-on

          Prerequisite

          The SAML configuration of both the IdP and the SP has been completed.

          Operation guide

          1. Log in to the Azure portal and navigate to All Services > Azure Active Directory > Enterprise Application > testApp;
          2. Click User and Group > New User and add the users who should be authorized for single sign-on to the application;
          3. Click Single Sign-on, click Validate, then choose Login as the Current User; the test redirects to the Baidu AI Cloud page;
          4. If you need to embed the login link in the enterprise application, you can copy it directly from the following location:

          Note:

          During development, when the IdP redirects to https://login.bce.baidu.com/saml, the SAMLResponse must carry the information that identifies the user, that is, the specific identity assertion for that user.

          <RequestedAttribute isRequired="true" Name="https://bce.baidu.com/SAML/Attributes/Subaccount" FriendlyName="RoleEntitlement"/>

          These two attributes are required, among which:

          The attribute https://bce.baidu.com/SAML/Attributes/Subaccount indicates the account, sub-user and IdP name the user is currently accessing. Its format is "{masterAccountId}:subAccount/{subAccountId},{masterAccountId}:saml-provider/{provider}", where {masterAccountId} is replaced with the accountId of the master account (found under Enterprise Organization > Account Management), {subAccountId} with the accountId of the sub-account, and {provider} with the IdP name (a valid string), for example azure.
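As an added example (not code from this page or from Baidu AI Cloud), the following Python script checks a SAML 2.0 assertion against the SP-side requirements listed in the basic configuration section above (Recipient, Audience and the Subaccount attribute) and maps the assertion fields to the saml:* trust-policy names from the attribute table. It also parses the Subaccount value into its three fields and rejects a value whose two {masterAccountId} parts disagree, tolerating optional whitespace after the separators as the page prints them. The sample assertion, its issuer and the account ids are constructed for illustration; the script uses only the standard library and does not verify the XML signature, which a real SP must do before trusting any of these values.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values the page says Baidu AI Cloud (the SP) requires in the assertion.
EXPECTED_RECIPIENT = "https://login.bce.baidu.com/saml"
EXPECTED_AUDIENCE = "urn:bce:baidu:webservices"
SUBACCOUNT_ATTR = "https://bce.baidu.com/SAML/Attributes/Subaccount"

# SAML attribute name -> trust-policy attribute name, from the page's table.
OID_TO_POLICY_ATTR = {
    "urn:oid:2.5.4.3": "saml:cn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "saml:eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "saml:eduPersonPrincipalName",
}

# "{masterAccountId}:subAccount/{subAccountId},{masterAccountId}:saml-provider/{provider}"
SUBACCOUNT_RE = re.compile(
    r"^\s*(?P<master>[^:,/\s]+):\s*subAccount/(?P<sub>[^,\s]+)\s*,"
    r"\s*(?P<master2>[^:,/\s]+):\s*saml-provider/(?P<provider>[^,\s]+)\s*$"
)


def parse_subaccount_value(value):
    """Split the Subaccount attribute value into its three fields.

    Raises ValueError if the layout is wrong or the two master account ids differ.
    """
    m = SUBACCOUNT_RE.match(value)
    if m is None:
        raise ValueError("Subaccount attribute does not match the required format")
    if m.group("master") != m.group("master2"):
        raise ValueError("masterAccountId differs between the subAccount and saml-provider parts")
    return {"masterAccountId": m.group("master"),
            "subAccountId": m.group("sub"),
            "provider": m.group("provider")}


def check_assertion(xml_text):
    """Check the page's SP-side requirements on one assertion (or a Response wrapping one).

    Returns a dict with ok, problems, subaccount (parsed fields or None) and policy_attrs.
    XML signature verification is out of scope and must be done separately.
    """
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % SAML_NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return {"ok": False, "problems": ["no Assertion element"], "subaccount": None, "policy_attrs": {}}
    problems = []

    # Recipient in SubjectConfirmationData must be the SP's assertion consumer URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != EXPECTED_RECIPIENT:
        problems.append("Recipient is %r, expected %r" % (recipient, EXPECTED_RECIPIENT))

    # Audience in AudienceRestriction must name the SP.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("Audience %r missing, found %r" % (EXPECTED_AUDIENCE, audiences))

    # Collect attribute values by Name.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]

    # The Subaccount attribute is mandatory and must follow the documented format.
    subaccount = None
    values = attrs.get(SUBACCOUNT_ATTR, [])
    if not values:
        problems.append("required attribute %s is missing" % SUBACCOUNT_ATTR)
    else:
        try:
            subaccount = parse_subaccount_value(values[0])
        except ValueError as exc:
            problems.append(str(exc))

    # Map assertion fields to the saml:* names used in the trust policy.
    issuer = assertion.find("saml:Issuer", SAML_NS)
    policy_attrs = {}
    if issuer is not None and issuer.text:
        policy_attrs["saml:iss"] = issuer.text.strip()
    if audiences:
        policy_attrs["saml:aud"] = audiences[0]
    for oid, name in OID_TO_POLICY_ATTR.items():
        if attrs.get(oid):
            policy_attrs[name] = attrs[oid][0]
    return {"ok": not problems, "problems": problems, "subaccount": subaccount, "policy_attrs": policy_attrs}


# Constructed, unsigned sample assertion; issuer, ids and account numbers are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://login.bce.baidu.com/saml" NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>urn:bce:baidu:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://bce.baidu.com/SAML/Attributes/Subaccount">
      <saml:AttributeValue>1111111111:subAccount/2222222222,1111111111:saml-provider/azure</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.3"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
```

Running the script prints a result with ok set to True and the parsed Subaccount fields; swapping the Audience or Recipient value in the sample, or giving the two halves of the Subaccount value different master account ids, produces a report with ok False and the reason in problems. The check on the two master ids matters because the format repeats the id deliberately: a mismatch is the typical symptom of a claim value pasted incorrectly in the IdP.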
