Updated: 2022-06-09 12:17:17
CDNetworks supports SAML-based SSO and OIDC authentication. If your enterprise already has its own account scheme and wants its members to use the CDNetworks console, you can use the Identity Provider (IdP) function instead of creating a sub-account for each member. The identity provider lets members log in to the CDNetworks console with single sign-on using your organization's internal accounts.
Currently, CDNetworks supports SAML- and OIDC-based SSO login on browser pages.
Concept | Description |
---|---|
Identity Provider (IdP) | Manages user credentials, including user names and passwords, and is responsible for authenticating users when they log in. In federated authentication between an enterprise and CDNetworks, the IdP is the enterprise's own authentication provider. |
Service Provider (SP) | Uses the IdP's identity management function to provide users with specific service applications; the SP consumes the user information provided by the IdP. When an enterprise federates login with CDNetworks, the service provider is CDNetworks. |
Security Assertion Markup Language (SAML 2.0) | A standard protocol for enterprise user authentication and one of the technical implementations of communication between SP and IdP. SAML 2.0 is the de facto standard for enterprise SSO today. |
SAML Assertion | The core element used in the SAML protocol to describe authentication requests and authentication responses. The user's specific attributes are carried in the assertion of the authentication response. |
OIDC | OIDC stands for OpenID Connect, an authentication protocol built on top of OAuth 2.0. OAuth is an authorization protocol; OIDC adds an identity layer to it. In addition to the authorization capabilities provided by OAuth, it allows clients to verify the identity of the end user and obtain basic user information through the API (HTTP RESTful) defined by the OIDC protocol. |
OIDC token | OIDC can issue identity tokens on behalf of logged-in users, known as OIDC tokens. These tokens are used to obtain basic information about the logged-in user. |
Client ID | When your application is registered with an external IdP, a Client ID is generated. You must use this Client ID when requesting an OIDC token from the external IdP, and the issued OIDC token carries it in the aud field. Configure this Client ID when creating the OIDC identity provider; when the OIDC token is exchanged for an STS token, the Client ID in the token's aud field is validated against the one configured in the OIDC identity provider, and login is permitted only if they match. |
Identity Provider URL | The OIDC identity provider identifier: the address used to obtain OIDC metadata, typically ending with /.well-known/openid-configuration. |
Mapping Fields | The field in the OpenID Connect identity provider that maps to the Wangsu Console username. |
Signature Public Key | The public key used to verify the signature of the OpenID Connect identity provider's ID token. |
Two SSO types are provided: user SSO and role SSO. There is no big difference between the usage scenarios of the two types. The main differences are:
1. Support status
SSO Type | SP-initiated SSO | IdP-initiated SSO | Multiple IdPs | Authentication Protocol |
---|---|---|---|---|
User SSO | Not supported at the moment (coming soon) | Supported | Not supported | SAML and OIDC |
Role SSO | Not supported | Supported | Supported | SAML |
2. SAML response content formats are different
Role SSO identifies the login account information in the AttributeStatement element of the SAML assertion, while user SSO identifies it through the NameID element.
```xml
<!-- Role SSO: login account and session name carried as attributes -->
<saml2:AttributeStatement>
  <saml2:Attribute Name="https://cas.wangsu.com/SAML/Attributes/LoginName">
    <saml2:AttributeValue>wsc:iam::${parentLoginName}:login-name/${loginName},wsc:iam::${parentLoginName}:saml-provider/${provider}</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="https://cas.wangsu.com/SAML/Attributes/RoleSessionName">
    <saml2:AttributeValue>${NameID}</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```

```xml
<!-- User SSO: login account carried in the Subject's NameID -->
<saml2:Subject>
  <saml2:NameID>${NameID}</saml2:NameID>
  <saml2:SubjectConfirmation>
    ...
  </saml2:SubjectConfirmation>
</saml2:Subject>
```
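As an added example (not CDNetworks' own code), the following Python shows how an SP would pull the login identity out of an assertion depending on the SSO type described above: NameID for user SSO, the LoginName/RoleSessionName attributes for role SSO. The `wsc:iam::...` value layout, the standard SAML 2.0 assertion namespace and the sample names (`acme`, `alice`, `corp-idp`) are assumptions based on the fragments shown.

```python
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
LOGIN_NAME_ATTR = "https://cas.wangsu.com/SAML/Attributes/LoginName"
ROLE_SESSION_ATTR = "https://cas.wangsu.com/SAML/Attributes/RoleSessionName"
# Assumed layout of the two comma-separated values shown in the documentation;
# the back-reference requires the same parent login name in both halves.
LOGIN_NAME_RE = re.compile(
    r"^wsc:iam::(?P<parent>[^:,]+):login-name/(?P<login>[^,]+),"
    r"wsc:iam::(?P=parent):saml-provider/(?P<provider>[^,]+)$"
)

def parse_assertion(xml_text, sso_type):
    """Return the login identity carried by the assertion for the given SSO type.
    Raises ValueError when the element required by that type is missing or malformed."""
    root = ET.fromstring(xml_text)
    ns = {"saml2": SAML2_NS}
    if sso_type == "user":
        name_id = root.find(".//saml2:Subject/saml2:NameID", ns)
        if name_id is None or not (name_id.text or "").strip():
            raise ValueError("user SSO requires a non-empty NameID")
        return {"login_name": name_id.text.strip()}
    if sso_type == "role":
        attrs = {}
        for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", ns):
            value = attr.find("saml2:AttributeValue", ns)
            attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
        match = LOGIN_NAME_RE.match(attrs.get(LOGIN_NAME_ATTR, ""))
        if match is None:
            raise ValueError("role SSO requires a well-formed LoginName attribute")
        session = attrs.get(ROLE_SESSION_ATTR, "")
        if not session:
            raise ValueError("role SSO requires a non-empty RoleSessionName")
        return {"parent_login_name": match.group("parent"), "login_name": match.group("login"),
                "provider": match.group("provider"), "role_session_name": session}
    raise ValueError("unknown SSO type: %r" % sso_type)

# Constructed sample assertion (not captured from a real IdP) carrying both forms.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}">
  <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{LOGIN_NAME_ATTR}">
      <saml2:AttributeValue>wsc:iam::acme:login-name/alice,wsc:iam::acme:saml-provider/corp-idp</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{ROLE_SESSION_ATTR}">
      <saml2:AttributeValue>alice</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
```

In a real SP this extraction runs only after the assertion's signature, issuer, audience and validity window have been verified; the values above are trusted only because the IdP signed them.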