Identity and Access Management. User Guide. Issue 09 Date


Contents

What Is IAM?
How Do I Manage User Groups and Grant Permissions to Them?
Permission Description
How Do I Manage Users?
How Do I Create an Agency?
How Do I Switch Roles?
How Do I Configure Federated Identity Authentication?
    Introduction to Federated Identity Authentication
    Interconnection for Federated Identity Authentication
    SSO Process
    How Do I Create an Identity Provider and Perform an SSO?
    How Do I Configure the Name and Permission Information About a Federated User?
How Do I Set Account Policies?
User Management Mechanism Explained Using a Picture
A Change History

1 What Is IAM?

Identity and Access Management (IAM) is an enterprise-level self-service cloud resource management system that provides user identity management and access control functions. With IAM, users can manage user accounts (for example, employees, systems, or applications) and control the operation rights of these accounts over their resources.

If multiple users collaboratively operate resources in an enterprise, IAM prevents users from sharing their account keys with other users and allows security administrators to grant only necessary permissions to users. IAM also ensures account security and reduces security risks for enterprise information by allowing users to set login verification policies, password policies, and access control lists (ACLs).

2 How Do I Manage User Groups and Grant Permissions to Them?

Users with Security Administrator permissions in an enterprise can plan user groups based on user responsibilities, and grant permissions to the user groups so that users in each user group have the corresponding permissions. This method makes those permissions easier to manage for the users in the user groups.

Prerequisites

You have Security Administrator permissions.

Procedure

Step 1 Choose Management & Deployment >.
Step 2 In the navigation pane, choose User Group.
Step 3 On the User Group page, click Create User Group.
Step 4 Set User Group.
Step 5 (Optional) Set Description.
Step 6 Click OK to return to the user group list. The new user group is displayed in the user group list.
Step 7 Click Modify in the Operation column corresponding to the new user group. The Modify User Group page is displayed.
Step 8 In the User Group Rights area, click Modify in the Operation column corresponding to the target project.
Step 9 In the Available Rights Sets area of the Modify User Group Permission dialog box, select a rights set corresponding to the service.
    For the default rights sets, see Default Permissions.
    After you select a rights set name, you can view the JSON-formatted detailed information about this rights set in the Rights Set Information area. For details, see Permission Information.

Step 10 Click OK.
Step 11 Select a user from the Group Members drop-down combo box to add it to the user group. You can enter a keyword to quickly find the target user.
Step 12 Click OK.
----End

Operation Result

The created user group is displayed in the user group list.

Follow-up Procedure

In the user group list, click next to the target user group to view its details.

3 Permission Description

Permissions specify the operations that users are allowed to perform on related objects. You can add operations on a certain object to the permissions of a user group and add a user to the user group so that the user inherits the permissions of the user group. Managing user permissions through user groups is more organized and avoids confusion.

Permission Relationship

Default Permissions

The system provides two types of default permissions: user management and resource management.

Users with the user management permissions can manage users, user groups, and user group permissions. For details, see Table 3-1.

Table 3-1 User management permissions

Node Name | Permission Name | Description
Base | Security Administrator | Users with this permission can: create, delete, and modify users; grant permissions to users.
IAM | Agent Operator | Users with this permission can switch to an entrusted user for processing services.

Users with resource management permissions can control the operations performed on cloud service resources. For details, see Table 3-2.

Object Storage Service (OBS) and other cloud resources are deployed separately. OBS only has Tenant Administrator and Tenant Guest permissions.

Table 3-2 Cloud resource management permissions

Node Name | Permission Name | Managed Cloud Resource | Description
Base | Tenant Administrator | All services | Permissions to operate all cloud resources owned by an enterprise.
Base | Server Administrator | EVS, Elastic Cloud Server (ECS), and Virtual Private Cloud (VPC) | For the EVS service, users with this permission can create, modify, and delete EVS disks. For the ECS service, users with this permission can create, modify, and delete ECSs. For the VPC service, users with this permission can perform any operations on security groups, security group rules, ports, firewalls, elastic IP addresses (EIPs), and bandwidth. The Server Administrator permission depends on the Tenant Guest permission.
Base | Tenant Guest | All services | Permissions to query the usage of all cloud resources owned by an enterprise.
Anti-DDoS | Anti-DDoS Administrator | Anti-DDoS | Permissions to enable, disable, and modify configurations. This permission depends on the Tenant Guest permission, and its holder must have permission to query EIPs in VPCs.
APM | APM Admin | ServiceStage | Users with this permission can manage domain monitoring data.
CCS | CCS Administrator | Cloud Catalog Service (CCS) | Users with this permission can customize products, product portfolios, and versions, add a product to a product portfolio, assign authorization, add constraints, perform O&M on product instances, and manage quotas.
CCS | CCS User | Cloud Catalog Service (CCS) | Users with this permission can view products and manage product instances.
CDE | CDE Admin | ServiceStage | Users with this permission can manage orchestration of the domain's applications.
CDE | CDE Developer | ServiceStage | Users with this permission can orchestrate applications.
CTS | CTS Administrator | Cloud Trace Service (CTS) | Permissions to enable CTS, create, modify, enable, and disable a tracker, and receive and view traces. This permission depends on Tenant Guest and OBS Tenant Administrator permissions. If the OBS Tenant Administrator permission is unavailable, traces cannot be delivered to the OBS bucket for storage.
CRS | CRS Administrator | Cloud Report Service (CRS) | Permissions to: connect, delete, modify, and query data sources; create, delete, modify, query, and preview data sets; create, delete, modify, query, and analyze data in worksheets; create, delete, modify, and query dashboards; query quotas.
DWS | DWS Administrator | Data Warehouse Service (DWS) | Management permissions on all DWS resources. The permissions depend on the Tenant Guest and Server Administrator permissions. DWS cannot run properly if either of the permissions is unavailable. If DWS users are to create a VPC or a subnet, the VPC Administrator permission is required.
KMS | KMS Administrator | Key Management Service (KMS) | Permissions to: create, enable, disable, schedule the deletion of, and cancel the scheduled deletion of CMKs; query the list of CMKs and information about CMKs; create random numbers; create DEKs, including plaintext-free DEKs; encrypt and decrypt DEKs.
SVCSTG | SvcStg Admin | ServiceStage | Users with this permission can approve domain registration requests, service shelving requests, and service subscription requests.
SVCSTG | SvcStg Developer | ServiceStage | Users with this permission can apply for, use, and release resources. They can also configure the code library and perform operations on the software repositories.
SVCSTG | SvcStg Operator | ServiceStage | Users with this permission can monitor global resources, reclaim resources, and back up or restore platform data.
SWR | SWR Admin | ServiceStage | Users with this permission can manage software repositories of the domain.
MRS | MRS Administrator | MapReduce Service (MRS) | Permissions to view MRS overview information, operation logs, cluster information, job information, HDFS file operation information, alarm list, and MRS Manager portal.
RDS | RDS Administrator | Relational Database Service (RDS) and Document Database Service (DDS) | Users who have this right, plus Tenant Guest and Server Administrator rights, can perform any operations on RDS and DDS, including creating, deleting, rebooting, or scaling up DB instances, configuring database parameters, and restoring DB instances. Users who have this right but not the Tenant Guest or Server Administrator right cannot use RDS and DDS. Users who have the VPC Administrator right can create VPCs or subnets. Users who have the CES Administrator right can add or modify alarm rules for DB instances.
DIS | DIS Administrator | Data Ingestion Service (DIS) | Permissions to: create, delete, query, and list DIS streams; push data to DIS streams or pull data from them; query stream monitoring metrics.
DPS | DPS Administrator | Data Pipeline Service (DPS) | Permissions to: create and delete pipelines; modify, obtain, and check pipeline definitions; run and pause pipelines; set the schedule configurations for pipelines; stop the schedule of pipelines; obtain pipeline lists, pipeline instance lists, activity instance lists, compute resources, and activity properties.

Permission Information

Select a rights set name from the Available Rights Sets or Selected Rights Sets area of the Edit dialog box. The JSON-formatted detailed information about the selected rights set is displayed in the lower part.

The JSON-formatted detailed information about each rights set contains one or multiple statements. Each statement describes a group of permissions. The following is a permission information example. Table 3-3 describes the parameters.

    {
        "Version": "1.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "VPC:vpc:*",
                    "VPC:router:*",
                    "VPC:network:*",
                    "VPC:subnet:*",
                    "VPC:privateip:*",
                    "VPC:port:*",
                    "VPC:vpn:*"
                ]
            }
        ],
        "Depends": [
            {
                "catalog": "BASE",
                "display_name": "Tenant Guest"
            }
        ]
    }

Table 3-3 Parameter description

Parameter | Description | Value
Version | Indicates a version. | Example value: 1.0
Statement (system-defined JSON statement): Effect | Whether an operation included in an action is allowed. | Possible values: Allow (the operation is allowed); Deny (the operation is not allowed).
Statement (system-defined JSON statement): Action | An operation for a service included in a permission. | Service name: Operation name. Example value: VPC:subnet:* indicates all operations performed on a subnet. In this value, VPC is a service name, and the asterisk sign (*) is a wildcard character, indicating all operations.
Depends (dependent rights set): catalog | Service that a dependent rights set belongs to. | Service name. Example value: BASE
Depends (dependent rights set): display_name | Name of a dependent rights set. | Rights set name. Example value: Tenant Guest
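The following Python sketch is an added example, not part of the original guide or of the IAM service itself. It reads a rights set in the format described in Table 3-3, matches a requested action against the Action patterns using the * wildcard, and reports Depends entries that a user group has not been granted. It assumes that an explicit Deny overrides an Allow and that matching is case-sensitive; the function names, the operation names such as create and delete, the "example rights set" label and the second rights set are constructed for illustration.

```python
import json
import re

# The rights set from the permission information example above.
VPC_RIGHTS_SET = json.loads("""
{
  "Version": "1.0",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["VPC:vpc:*", "VPC:router:*", "VPC:network:*", "VPC:subnet:*",
                "VPC:privateip:*", "VPC:port:*", "VPC:vpn:*"]}
  ],
  "Depends": [{"catalog": "BASE", "display_name": "Tenant Guest"}]
}
""")

# Constructed rights set used to show how a Deny statement interacts with an Allow.
DENY_PORT_DELETE = {
    "Version": "1.0",
    "Statement": [{"Effect": "Deny", "Action": ["VPC:port:delete"]}],
}


def pattern_matches(pattern, action):
    """Match an action against a pattern in which only '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None


def decide(rights_sets, action):
    """Return "Allow", "Deny", or None when no statement covers the action."""
    decision = None
    for rights_set in rights_sets:
        for statement in rights_set["Statement"]:
            if any(pattern_matches(p, action) for p in statement["Action"]):
                if statement["Effect"] == "Deny":
                    return "Deny"  # assumption: an explicit Deny always wins
                decision = "Allow"
    return decision


def unmet_dependencies(assigned):
    """Map each assigned rights set to the Depends entries missing from the group.

    `assigned` maps (catalog, display_name) to the rights set JSON.
    """
    report = {}
    for key, rights_set in assigned.items():
        missing = [
            (dep["catalog"], dep["display_name"])
            for dep in rights_set.get("Depends", [])
            if (dep["catalog"], dep["display_name"]) not in assigned
        ]
        if missing:
            report[key] = missing
    return report


def wildcard_actions(rights_set):
    """List Allow patterns that contain a wildcard, for least-privilege review."""
    return [
        pattern
        for statement in rights_set["Statement"]
        if statement["Effect"] == "Allow"
        for pattern in statement["Action"]
        if "*" in pattern
    ]


if __name__ == "__main__":
    group = {("VPC", "example rights set"): VPC_RIGHTS_SET}
    print(decide([VPC_RIGHTS_SET], "VPC:subnet:create"))
    print(unmet_dependencies(group))
    print(wildcard_actions(VPC_RIGHTS_SET))
```
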

4 How Do I Manage Users?

When an enterprise needs to create a user for a new employee or for development tools (such as API, CLI, and SDK) to access cloud services, users with Security Administrator permissions can create a user, set an access credential for this user, and add this user to a corresponding user group so that this user has the permissions of this user group.

Prerequisites

You have Security Administrator permissions.

Procedure

Step 1 Choose Management & Deployment >.
Step 2 In the navigation pane, choose User.
Step 3 On the User page, click Create User.
Step 4 On the Create User page, enter User Name.
Step 5 Specify Credential Type.
    - Password: This option is used for logging in to the management console or enables development tools (such as API, CLI, and SDK) that support password authentication to access cloud services.
    - Access key: This option enables development tools (such as API, CLI, and SDK) that support key authentication to access cloud services.
Step 6 Select a user group to be added from the User Groups drop-down combo box. You can also enter a keyword to quickly find the target user group.
    - If you set Credential Type to Password, go to Step 7.
    - If you set Credential Type to Access key, click OK to download the generated key. The user creation is complete.

    The generated key is the access key. Download it as required.
Step 7 Click Next.
Step 8 Specify Password Type and enter Email and Mobile Number.
    - Set at first login: The system will send you a one-time login URL using an email. You can click this URL to log in to the management console and set the password. If you set Password Type to Set at first login, Email must be set.
    - Automatically generated: The system randomly generates a 10-byte password. This option enables development tools (such as API, CLI, and SDK) that support password authentication to access cloud services. You can click OK to download the automatically generated password file.
    - Set manually: allows you to customize a login password.

    SMS-based login verification can be used only when a user is bound with Email and Mobile Number. For the method of enabling this function, see "How Do I Modify My Credential Information?" in My Credential.

    You can log in to the system using the configured user name, email address, or mobile number. If you forget your password, you can reset your password using the bound email address or mobile number.

    Password requirements are as follows:
    - The password cannot be the user name or the user name spelled backwards. The comparison between the password and the user name is case-insensitive.
    - The password must contain 6 to 32 characters.
    - The password must contain at least two of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (!"#$%&'()*+,-./:;<=>?@[^`_ ~ and spaces).
Step 9 Click OK. The user creation is complete.
----End

Follow-up Procedure

- Viewing user details
  In the user list, click corresponding to a user to view the details of the user.
- Modifying basic user information
  In the user list, click Modify corresponding to a user to modify basic information about the user.
- Modifying a user group to which a user belongs
  In the user list, click Modify corresponding to a user. In the User Groups area of the Modify User page, add or delete a user group to which the user belongs.
- Deleting a user
  In the user list, click Delete corresponding to a user.
- Setting user credentials
  In the user list, click Set Credentials corresponding to a user and modify user credentials or set a key.

5 How Do I Create an Agency?

If an enterprise wants to reduce operating expense (OPEX) or selects a more professional person or team to manage cloud resources, the user with Security Administrator permissions in the enterprise can create an agency to establish a relationship of trust with another enterprise account. The entrusted enterprise then manages cloud resources. This function implements secure and efficient management of cloud resources.

Prerequisites

You have Security Administrator permissions.

Procedure

Step 1 Choose Management & Deployment >.
Step 2 In the navigation pane, choose Agency.
Step 3 On the Agency page, click Create Agency.
Step 4 On the Create Agency page, specify Agency name and Agency Type.
    - If you set Agency Type to Common domain, enter the agency domain name in Domain name.
    - If you set Agency Type to Cloud service, click Select and set the service domain type.
Step 5 Set Validity Period and enter Description.
Step 6 In the Rights area, click Modify in the Operation column corresponding to the target region or project.
Step 7 In the Modify Permission dialog box, select a required rights set for the entrusted enterprise from the Available Rights Sets area. For details about rights sets, see Permission Description.
Step 8 Click OK. The newly created agency is displayed in the agency list.
----End

Operation Result

After an agency is created, the account of the entrusted enterprise can call an API to manage cloud resources.

Follow-up Operation

You can click Modify in the agency list to modify the basic information about the new agency. The information includes the account and validity period of the entrusted domain name.

6 How Do I Switch Roles?

After an agency is created, a user can use the entrusted enterprise administrator account to log in to the cloud service system and switch roles to manage cloud resources for the enterprise that creates the agency. This function implements secure and efficient management of cloud resources.

Prerequisites

- You have the te_agency permission.
- An agency has been created.

Procedure

Step 1 Click the login account in the upper right of the page and choose Switch Role.
Step 2 On the Switch Role page, enter Domain Name and select the target agency from the Agency Name drop-down list.
Step 3 Click OK. The operation page of the agency account is displayed.
----End

Follow-up Operation

Click the agency account in the upper right corner of the page and choose Switch to to switch back to the original account.

7 How Do I Configure Federated Identity Authentication?

7.1 Introduction to Federated Identity Authentication
7.2 Interconnection for Federated Identity Authentication
7.3 SSO Process
7.4 How Do I Create an Identity Provider and Perform an SSO?
7.5 How Do I Configure the Name and Permission Information About a Federated User?

7.1 Introduction to Federated Identity Authentication

Federated identity authentication is a mechanism for establishing a relationship of trust between an identity provider (IdP) and the service provider (SP). An IdP is an identity provider owned by an enterprise. SP refers to HUAWEI CLOUD. After a relationship of trust between an IdP and the SP is established, the IdP uses the existing credentials to access cloud resources.

With federated identity authentication, the enterprise administrator can implement employee identity authentication and authorization using the IdP owned by the enterprise to access HUAWEI CLOUD, without having to repeatedly create employee information in HUAWEI CLOUD.

7.2 Interconnection for Federated Identity Authentication

Prerequisites

Before interconnection for federated identity authentication, the enterprise IdP and the SP need to establish a relationship of trust.

The time of the IdP server is consistent with that of the SP server. That is, both servers use Coordinated Universal Time (UTC). If the time is inconsistent, federated identity authentication will fail.

Trust Relationship

Procedure

Step 1 Exchange the metadata files between the enterprise IdP and SP.
    - Upload the metadata file of the enterprise IdP to IAM. For details, see How Do I Create an Identity Provider and Perform an SSO?
    - Enter in the address box of a web browser to obtain the metadata file of IAM and configure this file to the IdP.
Step 2 Create an IdP. For details, see How Do I Create an Identity Provider and Perform an SSO?
Step 3 Configure the name and permission information about the federated user. For details, see How Do I Configure the Name and Permission Information About a Federated User?
    Configure the login link generated in Step 2 to the enterprise portal to facilitate future access.
----End

7.3 SSO Process

Process Description

1. Open the login link generated after an IdP is created in a web browser. The web browser initiates single sign-on (SSO).
2. IAM finds the metadata file of the enterprise IdP based on the domain and IdP carried in the link and constructs a SAML Request to respond to the web browser.
3. The web browser responds and forwards the SAML Request to the enterprise IdP.
4. The user enters a user name and password on the IdP server to complete identity authentication.
5. The IdP server constructs an assertion in a SAML Response to respond to the web browser.
6. The web browser responds and forwards the SAML Response to IAM.

7. IAM extracts the assertion from the SAML Response and parses the assertion. Based on the configured rules, IAM generates a token to implement the login.

The assertion must carry a signature. Otherwise, the login will fail.

To view the interactive requests and assertion information more easily, you are advised to use the Chrome web browser and install the plug-in SAML Message Decoder.

7.4 How Do I Create an Identity Provider and Perform an SSO?

Most enterprises or organizations have their own identity providers (IdPs), which provide a secure and reliable identity authentication service. For example, the IAM service acts as the IdP for the HUAWEI CLOUD. After single sign-on (SSO) is configured, redirection between an enterprise website and the HUAWEI CLOUD is implemented. SSO is a prerequisite for redirection between an enterprise website and the HUAWEI CLOUD without login.

Prerequisites

- You have Security Administrator permissions.
- The enterprise has the IdP service, and this IdP supports the SAML2.0 protocol.
  Security Assertion Markup Language (SAML): An XML-based open standard for exchanging authentication and authorization data between security domains. If you are unfamiliar with the SAML content, you are advised to learn the basic information about SAML2.0 at
- You have configured the metadata file provided by the HUAWEI CLOUD to the IdP server of the enterprise.
  a. The website is
  b. Right-click on the browser and choose Save as, and set a file name, for example, hec-metadata.xml.
  c. Configure the hec-metadata.xml file to the IdP server of the enterprise. The configuration operation depends on the IdP server brand and version of the enterprise.
- You have obtained the metadata file of the enterprise IdP. For the acquisition method, consult the corresponding enterprise department. Generally, you can obtain the metadata file of an enterprise IdP using a URL address. Save the obtained file.

Context

A basic knowledge of the following concepts helps you understand how to create and configure an identity provider:

- Currently, the IAM service of the HUAWEI CLOUD supports entrusted authentication and SSO using the standard SAML2.0 protocol. The enterprise administrator is able to create an IdP in the IAM service of HUAWEI CLOUD to implement redirection between the enterprise portal and the HUAWEI CLOUD and implement the user and information mapping between IAM of the HUAWEI CLOUD and the enterprise's IdP.
- IdP: indicates the identity provider of an enterprise in this document.
- Service provider (SP): indicates the HUAWEI CLOUD in this document.
- Metadata: indicates a SAML2.0-compliant interface file. The file contains interface addresses and certificate information required by the SAML2.0 protocol. Two such files are available, one for the IdP and the other for the SP. The IdP and SP set up a trust relationship by exchanging their metadata files and configuring data in the file of each other. The HUAWEI CLOUD uses the address and certificate in the metadata file to communicate with the IdP server.

Procedure

Step 1 Choose Management & Deployment >.
Step 2 In the navigation pane, click Identity Provider.
Step 3 On the Identity Provider page, click Create Identity Provider.
Step 4 Set the Name, Status, and Description.
Step 5 Click OK. If information shown in Figure 7-1 is displayed, the IdP has been successfully created.
    Figure 7-1 IdP created successfully
Step 6 After this page is closed, click Modify in the Operation column of the target IdP.
Step 7 In the Metadata Configuration area on the Modify Identity Provider page, configure metadata.
    - Automatically extracting metadata
      a. Click on the left of Upload, and select the metadata file of the enterprise IdP.
      b. Click Upload. A dialog box is displayed, showing the metadata extracted by the system.
      c. Click OK.
      If "The uploaded file contains multiple IdPs. Select an IdP as needed." is displayed, select the IdP you need from the Entity ID drop-down list box.
      If a message is displayed indicating that Entity ID in the metadata file is empty or that the signature certificate has expired, check whether the metadata file is correct. Then, upload the file again or manually configure metadata.
    - Manually configuring metadata
      a. Click manually configure.

      b. On the displayed Manually Configure Metadata page, enter Entity ID, Signature Certificates, SingleSignOnService, and other parameters.
         - Entity ID: uniquely identifies an enterprise IdP. A metadata file can contain multiple IdPs. You need to select your desired IdP.
         - Signature Certificates: indicates a certificate used for verifying the signature and contains a public key. For security purposes, you are advised to use a public key whose length is greater than or equal to 2048 bits. During federated identity authentication, the system checks the credibility and integrity of an assertion based on the signature certificate in the metadata file.
         - SingleSignOnService: indicates the method of sending SAML requests during the SSO process. SingleSignOnService in the metadata file must support HTTP Redirect or HTTP POST.
      c. Click OK.
    For details about SSO, see SSO Process.
Step 8 In the Identity Conversion Rule area, click Create Rule to create an identity conversion rule. For details about how to create an identity conversion rule, see How Do I Configure the Name and Permission Information About a Federated User?
Step 9 Click OK and save the settings.
Step 10 Attempt to perform an SSO.
    1. Click View in the Operation column corresponding to the IdP on the Identity Provider page.
    2. Click Copy on the right of Login link to copy the address in Login link and open it using the browser.
    3. Check whether the login page provided by the IdP server of the enterprise can be displayed.
       - If it is displayed, go to Step
       - If it is not displayed, check whether the obtained enterprise metadata file and the enterprise IdP server are correctly configured.

    4. Enter a user name and password and check whether you can log in to the HUAWEI CLOUD.
       - If the login is successful, configure this address as a link to your enterprise website.
       - If the login fails, check your user name and password.
----End

Follow-up Procedure

- Viewing IdP information
  On the Identity Provider page, click View in the Operation column corresponding to an IdP to query the basic information, metadata file status, and identity conversion rules of the IdP.
  You can click View Identity Provider Information on the Modify Identity Provider page to enter the Modify Identity Provider page.
- Modifying IdP information
  On the Identity Provider page, click Modify in the Operation column corresponding to an IdP to enter the Modify Identity Provider page. You can set Status (Enabled or Disabled), Description, Metadata File, and Identity Conversion Rule.
- Deleting an IdP
  On the Identity Provider page, click Delete in the Operation column corresponding to an IdP to delete the IdP.

7.5 How Do I Configure the Name and Permission Information About a Federated User?

User identity authentication and permission configuration in the HUAWEI CLOUD can be implemented by creating identity conversion rules. This section describes how to create an identity conversion rule.

You can set certain rules to set up the mapping between the user and permission information returned by the enterprise IdP server and those of the HUAWEI CLOUD. The user names and permission names returned by the enterprise IdP server and the HUAWEI CLOUD may be different. For example, set demo@example.org of in the attributes to the user name in the HUAWEI CLOUD and allocate the user to the admin user group based on idp_admin in Groups.

Prerequisites

- The basic IdP information has been set and SSO is successful. For details, see How Do I Create an Identity Provider and Perform an SSO?
- You have Security Administrator permissions.
- The enterprise has the IdP service, and this IdP supports the SAML2.0 protocol.
- You have a preliminary understanding of the SAML2.0 protocol and are familiar with metadata files.
- You have learned the assertion structure displayed after successful SAML2.0 authentication.

Context

IdPs maintain user identity and permission information. After an SSO is complete, the IdP returns an assertion structure to the SP. The assertion structure contains the user identity and permission information that pass the authentication and presents the information as an attribute list. The following example shows the attributes in an assertion.

    ...
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="mail" Name="urn:oid: " NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>demo@example.org</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="GROUPS" Name="urn:oid: " NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>dev-adm;sec-adm</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
    ...

Procedure

Step 1 Choose Management & Deployment >.
Step 2 In the navigation pane, click Identity Provider.
Step 3 On the Identity Provider page, click Modify in the Operation column corresponding to an IdP. The Modify Identity Provider page is displayed.
Step 4 In the Identity Conversion Rule area, click Create Rule to add an identity conversion rule.
    - After you create an IdP, the HUAWEI CLOUD will preconfigure a default rule. The default user name for this rule is FederationUser. This user is allowed to view only certain GUIs.
    - In the Identity Conversion Rule area, click View Rules to view the current rules.
    - In the Identity Conversion Rule area, you can click Create Rule and create a rule to define user names, set user permissions, and specify the scenarios where the rule takes effect.
    - Do not configure sensitive personal information in rules. For example, do not use a credit card number as a user name.

The parameters are described as follows:

- User Name: indicates the user name displayed in the HUAWEI CLOUD after a federated user logs in. You can enter a simple expression in this input box, for example, Federation_user_ . is a placeholder, which is replaced by the value of the attribute in the actual assertion. As indicated by the sample assertion, the user name is Federation_user_demo@example.org.
  In Editing rules, placeholders, such as {0} and {1}, rather than are used. After a rule is created, the system automatically converts the rule. Pay attention to the difference when editing rules.
- User Group: indicates the user group to which the federated user belongs in the HUAWEI CLOUD after the federated user logs in. The user group of a user determines the permissions of the user.
- Conditions for Validating This Rule: You can set certain conditions so that a rule takes effect only when it meets the conditions. If the user group admin is specified in a rule and you need to grant the admin permission to only certain users who perform the federated login, you can specify conditions so that the rule takes effect only when these conditions are met.

If no rule takes effect, the user is not allowed to log in to the system. The user can click the login link to display the corresponding error message.
----End

Follow-up Procedure

- Viewing rules
  In the Identity Conversion Rule area, click View Rules. The newly created identity conversion rule is displayed in the JSON file.
- Editing rules
  In the Identity Conversion Rule area, click Edit Rule. This function provides flexible syntax for editing rules to meet the federated identity authentication requirements. The following shows a typical editing example. After the rules are edited, you can click Verify Rule in the lower left corner of the page to verify the correctness of the rules.

Rule file description

Each rule is saved in a JSON file. The example is as follows:

    [
        {
            "local": [
                {
                    "<user> or <group>"
                }
            ],
            "remote": [
                {
                    "<condition>"
                }
            ]
        }
    ]

local: indicates the user information after conversion. It can be the placeholder {0..n}.

remote: indicates the expression that is a combination of assertion attributes and operators.

condition: The following three conditions are supported:

    empty: unlimited. That is, the condition is always valid and the returned value is the input attribute value. This value is used to replace the placeholder in the local block.

    any_one_of: The condition is valid only if the input attributes include any specified value, and a Boolean value is returned. The returned value cannot be used to replace the placeholder in the local block.

    not_any_of: The condition is valid only if the input attributes do not include any specified value, and a Boolean value is returned. The returned value cannot be used to replace the placeholder in the local block.

Example of Empty

The Empty condition indicates that a character string value can be returned. This value is used to replace the placeholder {0..n} in the local block. The example is as follows:

    [
        {
            "local": [
                {"user": {"name": "{0} {1}"}},
                {"group": {"name": "{2}"}}
            ],
            "remote": [
                {"type": "FirstName"},
                {"type": "LastName"},
                {"type": "Groups"}
            ]
        }
    ]

Assume that HUAWEI CLOUD receives the following assertion. (For easy understanding, the following examples use a simplified assertion structure.)

    FirstName: John
    LastName: Smith
    Groups: [admin, manager]

The following attributes are mapped into HUAWEI CLOUD:

    UserName: John Smith
    Groups: admin; manager

Example of Any one of and Not any of

Unlike the Empty condition, the Any one of and Not any of conditions return Boolean values. These values cannot be used to replace the placeholders in the local block. In the following example, only the placeholder {0} exists. It is replaced by the value returned by the Empty condition in the remote block, and the group is fixed to admin.

    [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"name": "admin"}}
            ],
            "remote": [
                {"type": "UserName"},
                {"type": "Groups", "any_one_of": ["idp_admin"]}
            ]
        }
    ]

Assume that HUAWEI CLOUD receives the following assertion.

    UserName: John Smith
    Groups: [idp_user, idp_admin, idp_agency]

The following attributes are mapped into HUAWEI CLOUD:

    UserName: John Smith
    Groups: admin

Conversely, assume that HUAWEI CLOUD receives the following assertion.

    UserName: John Smith
    Groups: [idp_user, idp_agency]

None of the rules takes effect, and the current user is not allowed to log in to the system.

Condition including a regular expression

You can specify "regex": true in a condition to indicate that the system calculates the result using a regular expression. This is an advanced function, and it is introduced here only to give you a basic understanding of it.

    [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"name": "admin"}}
            ],
            "remote": [
                {"type": "UserName"},
                {"type": "Groups", "any_one_of": [".*@mail.com$"], "regex": true}
            ]
        }
    ]

Condition combination

Multiple conditions are combined using the logical AND.

    [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"name": "admin"}}
            ],
            "remote": [
                {"type": "UserName"},
                {"type": "Groups", "not_any_of": ["idp_user"]},
                {"type": "Groups", "not_any_of": ["idp_agent"]}
            ]
        }
    ]

The preceding mapping is similar to the following example:

    [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"name": "admin"}}
            ],
            "remote": [
                {"type": "UserName"},
                {"type": "Groups", "not_any_of": ["idp_user", "idp_agent"]}
            ]
        }
    ]

Multiple rules

If multiple rules are combined, user names and user groups are generated in different ways.

The user name in the first valid rule is used as UserName. At least one user name rule among all rules must take effect. Otherwise, the user is not allowed to log in.

The collection of the user group names in all valid rules is used as Groups.

Configuring user names and user groups in separate rules makes the configuration easier to read.

    [
        {
            "local": [{"user": {"name": "{0}"}}],
            "remote": [{"type": "UserName"}]
        },
        {
            "local": [{"group": {"name": "admin"}}],
            "remote": [{"type": "Groups", "any_one_of": ["idp_admin"]}]
        },
        {
            "local": [{"group": {"name": "agency"}}],
            "remote": [{"type": "orgpersontype", "any_one_of": ["idp_agency"]}]
        }
    ]

Assume that HUAWEI CLOUD receives the following assertion.

    UserName: John Smith
    Groups: [idp_user, idp_admin, idp_agency]

The following attributes are mapped into HUAWEI CLOUD:

    UserName: John Smith
    Groups: admin; agency
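The rule semantics described in this chapter (empty, any_one_of, not_any_of, regex, AND-combined conditions and multiple rules) can be checked offline before a rule is saved. The Python evaluator below is an added example, not HUAWEI CLOUD code. Its function names, the constructed sample rules, numbering placeholders over empty conditions only, failing a rule when an attribute is absent, and using Python's re module for regex conditions are all assumptions.

```python
import re

_PLACEHOLDER = re.compile(r"\{(\d+)\}")

class LoginDenied(Exception):
    """No valid rule produced a user name, so the login is refused."""

def _values(raw):
    # Attributes may be multi-valued; a ';'-joined string such as the GROUPS
    # value "dev-adm;sec-adm" is split into separate values (assumption).
    if isinstance(raw, (list, tuple)):
        return [str(v) for v in raw]
    return [v for v in str(raw).split(";") if v]

def _hit(values, wanted, use_regex):
    # Regex conditions use Python's re.search (assumed engine behaviour).
    if use_regex:
        return any(re.search(pat, v) for pat in wanted for v in values)
    return any(v in wanted for v in values)

def eval_remote(remote, assertion):
    """Return placeholder slots, or None when the rule does not take effect."""
    slots = []
    for cond in remote:  # every condition must hold: logical AND
        values = _values(assertion.get(cond["type"], []))
        use_regex = bool(cond.get("regex", False))
        if "any_one_of" in cond:
            if not _hit(values, cond["any_one_of"], use_regex):
                return None
        elif "not_any_of" in cond:
            # Assumption: an absent attribute fails the rule (fail closed).
            if not values or _hit(values, cond["not_any_of"], use_regex):
                return None
        elif not values:
            return None  # empty condition with no value to return
        else:
            slots.append(values)  # empty condition fills the next {n}
    return slots

def _fill(template, slots):
    # Each {n} takes the first value returned by the n-th empty condition.
    return _PLACEHOLDER.sub(lambda m: slots[int(m.group(1))][0], template)

def _groups(template, slots):
    # A bare "{n}" expands to every value of a multi-valued attribute.
    m = _PLACEHOLDER.fullmatch(template)
    return list(slots[int(m.group(1))]) if m else [_fill(template, slots)]

def map_assertion(rules, assertion):
    """Apply rules in order and return (user_name, groups)."""
    user_name, groups = None, []
    for rule in rules:
        slots = eval_remote(rule["remote"], assertion)
        if slots is None:
            continue  # rule is not valid for this assertion
        for entry in rule["local"]:
            if "user" in entry and user_name is None:
                # The user name comes from the first valid rule only.
                user_name = _fill(entry["user"]["name"], slots)
            if "group" in entry:
                # Groups are collected from all valid rules.
                for g in _groups(entry["group"]["name"], slots):
                    if g not in groups:
                        groups.append(g)
    if user_name is None:
        raise LoginDenied("no valid rule supplies a user name")
    return user_name, groups

# Constructed sample rules in the multi-rule layout; here the agency rule
# tests the Groups attribute so that the simplified assertion can satisfy it.
RULES = [
    {"local": [{"user": {"name": "{0}"}}],
     "remote": [{"type": "UserName"}]},
    {"local": [{"group": {"name": "admin"}}],
     "remote": [{"type": "Groups", "any_one_of": ["idp_admin"]}]},
    {"local": [{"group": {"name": "agency"}}],
     "remote": [{"type": "Groups", "any_one_of": ["idp_agency"]}]},
]

# Constructed single rule: user name and admin group only for idp_admin members.
ADMIN_ONLY = [
    {"local": [{"user": {"name": "{0}"}}, {"group": {"name": "admin"}}],
     "remote": [{"type": "UserName"},
                {"type": "Groups", "any_one_of": ["idp_admin"]}]},
]

if __name__ == "__main__":
    sample = {"UserName": "John Smith",
              "Groups": ["idp_user", "idp_admin", "idp_agency"]}  # constructed
    print(map_assertion(RULES, sample))
```

Under re.search, the pattern `.*@mail.com$` from the regular expression example is also satisfied by a value such as `john@mailxcom`, because the dot is unescaped. `@mail\.com$` accepts only the intended suffix.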

8 How Do I Set Account Policies?

Users with Security Administrator permissions in an enterprise can set login verification policies, password policies, and the ACL to improve user information and system security.

Prerequisites

You have Security Administrator permissions.

Procedure

Step 1 Choose Management & Deployment >.

Step 2 Set login verification policies.

    1. In the navigation pane, choose Account Settings > Login Authentication Policies.
    2. In the Account Locking Policy area, enter Duration, Maximum Number of Attempts, and Locking Duration.
       If the number of login attempts reaches the specified upper limit within the specified duration, the user account will be locked for a period of time.
    3. In the Account Disabling Policy area, select If an account is not used within the validity period, it will be disabled and set Account Expiration.
       This policy takes effect only for users created by the enterprise administrator. The value range of Account Expiration is 1 to 240. The default value is
    4. In the Recent Login Information area, select Display last login information upon a successful login.
       Users can view login information, such as the last login time, on the Login Verification page.
    5. In the Login Verification Information area, customize the verification information displayed upon a successful login.
       Users can view the customized verification information on the Login Verification page.
    6. Click Apply.

Step 3 Set password policies.

    1. In the navigation pane, choose Account Settings > Password Policies.

       Password requirements are as follows:
           The password cannot be the user name or the reverse of the user name.
           The password must contain 6 to 32 characters.
           The password must contain at least two of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters ~ and spaces).
    2. In the Setting Policy area, set parameters as follows:
           Set Minimum Number of Characters. The default value is 6 characters.
           Select Disallow same consecutive characters in a password and set Maximum Number of Same Consecutive Characters.
           Select Disallow password repetition and set Most Recent Passwords Disallowed.
    3. In the Expiration Policy area, select Force password change upon password expiration (You are prompted to change your password 15 days before password expiration) and set Password Validity Period.
       The user must change the password within the time specified in Password Validity Period. Otherwise, the user cannot log in to the system.
    4. In the Minimum Password Validity Period Policy area, select A new password can be changed only after it has been used for the specified minimum password validity period and set Min. Password Validity Period.
       After the password is changed, you can change it again only after the time specified by Min. Password Validity Period.
    5. Click Apply.

Step 4 Set the ACL.

    1. In the navigation pane, choose Account Settings > ACL.
       The ACL does not take effect for root users of domains (except the domains starting with op_svc).
    2. On the ACL page, enter the allowed IP addresses or network segments.
           Allowed IP Address Ranges: allows users to access the system using only specified IP addresses. You can click Restore Defaults to restore the allowed IP address range to the default value.
           Allowed IP Addresses or Network Segments: allows users to access the system using only specified IP addresses or network segments.
           For example: /32
       If both Allowed IP Address Ranges and Allowed IP Addresses or Network Segments are set, a user is allowed to access IAM when the IP address of the user meets the condition specified by either of the two parameters.
       The ACL takes effect for the users who use cloud services on the management console but does not take effect for the users who use cloud services by calling APIs.

    3. Click Apply.

----End

9 User Management Mechanism Explained Using a Picture


A Change History

Release Date    What's New

This issue is the ninth official release.
Added the following contents:
    CTS Administrator permission
    Description for automatically extracting metadata and manually configuring metadata in chapter How Do I Create an Identity Provider and Perform an SSO?

This issue is the eighth official release.
Modified the following contents:
    Server Administrator permission
    VPC Administrator permission

This issue is the seventh official release.
Added the following contents:
    Introduction to Federated Identity Authentication
    Interconnection for Federated Identity Authentication
    SSO Process
    APM Admin permission
    CCS Administrator permission
    CCS User permission
    CDE Admin permission
    CDE Developer permission
    SvcStg Admin permission
    SvcStg Developer permission
    SvcStg Operator permission
    SWR Admin permission
Modified the description for the RDS Administrator permission.
Deleted the following contents:
    te_devcloud_project_admin permission
    te_devcloud_project_poweruser permission
    te_devcloud_project_readonly permission
    te_devcloud_codehub_admin permission
    te_devcloud_codehub_poweruser permission
    te_devcloud_codehub_readonly permission
    te_devcloud_codecheck_admin permission
    te_devcloud_codecheck_poweruser permission
    te_devcloud_codecheck_readonly permission
    te_devcloud_codeci_admin permission
    te_devcloud_codeci_poweruser permission
    te_devcloud_codeci_readonly permission
    te_devcloud_test_admin permission
    te_devcloud_test_poweruser permission
    te_devcloud_test_readonly permission
    te_devcloud_release_admin permission
    te_devcloud_release_poweruser permission
    te_devcloud_release_readonly permission

This issue is the sixth official release.
Added the following contents:
    How Do I Create an Agency?
    How Do I Switch Roles?
    DWS Administrator permission

This issue is the fifth official release.
Synchronized the update on the Create User page and updated How Do I Manage Users?
Added the following contents:
    Agent Operator permission
    CRS Administrator permission

This issue is the fourth official release.
Synchronized the update on the Account Settings page and updated How Do I Set Account Policies?

This issue is the third official release.
Added the following chapters:
    Permission Description
    How Do I Create an Identity Provider and Perform an SSO?
    How Do I Configure the Name and Permission Information About a Federated User?

This issue is the second official release.
Added the setting of the parameter Min. Password Validity Period.

This issue is the first official release.


Configuring Single Sign-on from the VMware Identity Manager Service to Marketo Configuring Single Sign-on from the VMware Identity Manager Service to Marketo VMware Identity Manager JANUARY 2016 V1 Configuring Single Sign-On from VMware Identity Manager to Marketo Table of Contents

More information

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate SafeNet Authentication Manager Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

Setting Up the Server

Setting Up the Server Managing Licenses, page 1 Cross-launch from Prime Collaboration Provisioning, page 5 Integrating Prime Collaboration Servers, page 6 Single Sign-On for Prime Collaboration, page 7 Changing the SSL Port,

More information

Oracle Utilities Opower Solution Extension Partner SSO

Oracle Utilities Opower Solution Extension Partner SSO Oracle Utilities Opower Solution Extension Partner SSO Integration Guide E84763-01 Last Updated: Friday, January 05, 2018 Oracle Utilities Opower Solution Extension Partner SSO Integration Guide Copyright

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager WebExConnect Cloud Connector Guide McAfee Cloud Identity Manager version 3.5 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

CloudHealth. AWS and Azure On-Boarding

CloudHealth. AWS and Azure On-Boarding CloudHealth AWS and Azure On-Boarding Contents 1. Enabling AWS Accounts... 3 1.1 Setup Usage & Billing Reports... 3 1.2 Setting Up a Read-Only IAM Role... 3 1.3 CloudTrail Setup... 5 1.4 Cost and Usage

More information

Open Telekom Cloud Tutorial: Getting Started. Date published: Estimated reading time: 20 minutes Authors: Editorial Team

Open Telekom Cloud Tutorial: Getting Started. Date published: Estimated reading time: 20 minutes Authors: Editorial Team Date published: 03.08.2018 Estimated reading time: 20 minutes Authors: Editorial Team The bookmarks and navigation in this tutorial are optimized for Adobe Reader. Getting Started 1. Introduction 2. Prerequisites

More information

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4 About This Document 3 Overview 3 System Requirements 3 Installation & Setup 4 Step By Step Instructions 5 1. Login to Admin Console 6 2. Show Node Structure 7 3. Create SSO Node 8 4. Create SAML IdP 10

More information

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) You can find the most up-to-date technical documentation

More information

SAP Business One. User Guide. Issue 04 Date HUAWEI TECHNOLOGIES CO., LTD.

SAP Business One. User Guide. Issue 04 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 04 Date 2018-12-31 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

Security and Privacy Overview

Security and Privacy Overview Security and Privacy Overview Cloud Application Security, Data Security and Privacy, and Password Management 1 Overview Security is a growing concern and should not be taken lightly across an organization.

More information

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Marketo Cloud Connector Guide McAfee Cloud Identity Manager version 3.5 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Syncplicity Cloud Connector Guide McAfee Cloud Identity Manager version 3.1 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8 Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

SAP Security in a Hybrid World. Kiran Kola

SAP Security in a Hybrid World. Kiran Kola SAP Security in a Hybrid World Kiran Kola Agenda Cybersecurity SAP Cloud Platform Identity Provisioning service SAP Cloud Platform Identity Authentication service SAP Cloud Connector & how to achieve Principal

More information

SAP Global Track and Trace Onboarding Guide

SAP Global Track and Trace Onboarding Guide SAP Global Track and Trace Onboarding Guide Document Version: Cloud 2019.04a Implementation Guide PUBLIC TABLE OF CONTENTS 1 INTRODUCTION... 3 1.1 Prerequisite... 3 1.2 Overview... 3 2 SET UP AN SAP CLOUD

More information

IaaS Integration for Multi- Machine Services. vrealize Automation 6.2

IaaS Integration for Multi- Machine Services. vrealize Automation 6.2 IaaS Integration for Multi- Machine Services vrealize Automation 6.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about

More information

How to set up a Virtual Private Cloud (VPC)

How to set up a Virtual Private Cloud (VPC) Date published: 15.06.2018 Estimated reading time: 20 minutes Authors: Editorial Team The bookmarks and navigation in this tutorial are optimized for Adobe Reader. How to set up a Virtual Private Cloud

More information

Contents About This Guide... 5 About Notifications... 5 Managing User Accounts... 6 Managing Companies Managing Password Policies...

Contents About This Guide... 5 About Notifications... 5 Managing User Accounts... 6 Managing Companies Managing Password Policies... Cloud Services Identity Management Administration Guide Version 17 July 2017 Contents About This Guide... 5 About Notifications... 5 Managing User Accounts... 6 About the User Administration Table...

More information

Administering vrealize Log Insight. September 20, 2018 vrealize Log Insight 4.7

Administering vrealize Log Insight. September 20, 2018 vrealize Log Insight 4.7 Administering vrealize Log Insight September 20, 2018 4.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

Workspace. User Guide (Administrators) Issue 18 Date HUAWEI TECHNOLOGIES CO., LTD.

Workspace. User Guide (Administrators) Issue 18 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 18 Date 2018-08-17 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

IaaS Integration for Multi-Machine Services

IaaS Integration for Multi-Machine Services IaaS Integration for Multi-Machine Services vcloud Automation Center 6.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

Access Manager Applications Configuration Guide. October 2016

Access Manager Applications Configuration Guide. October 2016 Access Manager Applications Configuration Guide October 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights,

More information

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow) Integration Guide PingFederate SAML Integration Guide (SP-Initiated Workflow) Copyright Information 2018. SecureAuth is a registered trademark of SecureAuth Corporation. SecureAuth s IdP software, appliances,

More information

OnCommand Cloud Manager 3.2 Deploying and Managing ONTAP Cloud Systems

OnCommand Cloud Manager 3.2 Deploying and Managing ONTAP Cloud Systems OnCommand Cloud Manager 3.2 Deploying and Managing ONTAP Cloud Systems April 2017 215-12035_C0 doccomments@netapp.com Table of Contents 3 Contents Before you create ONTAP Cloud systems... 5 Logging in

More information

ClientNet. Portal Admin Guide

ClientNet. Portal Admin Guide ClientNet Portal Admin Guide Document Revision Date: June 5, 2013 ClientNet Portal Admin Guide i Contents Introduction to the Portal... 1 About the Portal... 1 Logging On and Off the Portal... 1 Language

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Coupa Cloud Connector Guide McAfee Cloud Identity Manager version 2.5 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Print Management Cloud

Print Management Cloud Print Management Cloud Version 1.0 Configuration Guide January 2018 www.lexmark.com Contents 2 Contents Change history... 4 Overview... 5 Deployment readiness checklist...6 Getting started...7 Accessing

More information

Horizon Workspace Administrator's Guide

Horizon Workspace Administrator's Guide Horizon Workspace Administrator's Guide Horizon Workspace 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Better MDM

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Better MDM SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2

Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2 Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2 Copyright Informatica LLC 2018. Informatica and the Informatica logo are trademarks or registered trademarks of

More information

PingOne. How to Set Up a PingFederate Connection to the PingOne Dock. Quick Start Guides. Version 1.1 December Created by: Ping Identity Support

PingOne. How to Set Up a PingFederate Connection to the PingOne Dock. Quick Start Guides. Version 1.1 December Created by: Ping Identity Support PingOne Quick Start Guides How to Set Up a PingFederate Connection to the PingOne Dock Version 1.1 December 2014 Created by: Ping Identity Support Disclaimer This document is proprietary and not for general

More information

13241 Woodland Park Road, Suite 400 Herndon, VA USA A U T H O R : E X O S T A R D ATE: M A R C H V E R S I O N : 3.

13241 Woodland Park Road, Suite 400 Herndon, VA USA A U T H O R : E X O S T A R D ATE: M A R C H V E R S I O N : 3. SECURE ACCESS MAN AG E R FIRST TIME LOGIN GUIDE A U T H O R : E X O S T A R D ATE: M A R C H 2 0 1 5 V E R S I O N : 3.0 1 S E C U R E A CCESS M A N A G E R SECURE ACCESS MANAGER OVERVIEW... 3 SUMMARY...

More information

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Table of Contents Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Configure System Settings Add Cloud Administrators Add Viewers, Developers, or DevOps Administrators

More information