Last updated: 2026-03-25 15:13:48
CDNetworks supports single sign-on (SSO) with the SAML and OIDC protocols. If your enterprise already has its own user account system and you want members of the organization to use the CDNetworks console, you can use the Identity Provider (IdP) function instead of creating a sub-user under your CDNetworks account for each member. With an identity provider, you can use a single user account within your organization to log in to the CDNetworks console.
| Concept | Description |
|---|---|
| Identity Provider (IdP) | A service that stores user identity information, including usernames and passwords, and is responsible for authenticating users at login. When an enterprise and CDNetworks perform joint identity login, the identity provider refers to the enterprise’s own identity provider. |
| Service Provider (SP) | An application that uses the IdP’s identity management function to provide specific services to users. The SP uses the user information provided by the IdP. When the enterprise and CDNetworks perform joint login, the service provider refers to CDNetworks. |
| Security Assertion Markup Language (SAML 2.0) | A standard protocol for enterprise-level user identity authentication. It is one of the technical implementation types for communication between SP and IdP. SAML 2.0 is already a de facto standard for enterprise-level SSO. |
| SAML Assertion | The core elements used in the SAML protocols to describe authentication requests and authentication responses. The specific attributes of the user are included in the assertions of the authentication response. |
| OIDC | OIDC stands for OpenID Connect, which is an authentication protocol built on top of OAuth 2.0. OAuth is an authorization protocol, while OIDC adds an identity layer to the OAuth protocol. In addition to the authorization capabilities provided by OAuth, it allows clients to verify the identity of the end user and obtain basic user information through the API (in HTTP RESTful format) provided by the OIDC protocol. |
| OIDC token | OIDC can issue identity tokens on behalf of logged-in users, known as OIDC tokens. These tokens are used to obtain basic information about the logged-in user. |
| Client ID | When your application is registered with an external IdP, a Client ID is generated. You must use this Client ID when requesting the issuance of an OIDC token from the external IdP. The issued OIDC token will also carry this Client ID in the aud field. When creating an OIDC identity provider, configure this Client ID, and then when exchanging the OIDC token for an STS token, the Client ID carried in the aud field of the OIDC token will be validated against the Client ID configured in the OIDC identity provider. Only if they match will login be permitted. |
| Identity Provider URL | OIDC identity provider identifier. This is the address used to obtain OIDC metadata, typically ending with /.well-known/openid-configuration. |
| Mapping Fields | The field in the OpenID Connect identity provider that maps to the CDNetworks Console username. |
| Signature Public Key | The public key used to verify the signature of the OpenID Connect identity provider’s ID token. |
Two SSO types are provided: user SSO and role SSO. Their usage scenarios are largely the same. The main differences are:
| SSO Type | SP-initiated SSO | IdP-initiated SSO | Multiple IdPs | Authentication Protocol |
|---|---|---|---|---|
| User SSO | Not supported at the moment (Coming Soon) | Supported | Not supported | SAML and OIDC |
| Role SSO | Not supported | Supported | Supported | SAML |
Role SSO identifies the login account from the AttributeStatement element of the SAML assertion, while user SSO identifies it from the NameID element.
```xml
<saml2:AttributeStatement>
  <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/LoginName">
    <saml2:AttributeValue>wsc:iam::${parentLoginName}:login-name/${loginName},wsc:iam::${parentLoginName}:saml-provider/${provider}</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/RoleSessionName">
    <saml2:AttributeValue>${NameID}</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```
For more response information, see: Role SSO SAML response
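
A pre-flight check for the role SSO attributes described above, added here as an example (not CDNetworks code): it parses an AttributeStatement fragment and confirms that LoginName follows the documented template with the same parent account in both halves, and that RoleSessionName is populated. The function name, the sample values (`acme`, `ops-admin`, `corp-idp`, `alice@example.com`) and the allowed character set are assumptions; it lints your own IdP's output and does not verify the assertion signature.

```python
import re
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
BASE = "https://login.cdnetworks.com/SAML/Attributes/"
NAME = r"[^:,/\s${}]+"  # assumed character set; also rejects an unexpanded ${...}
PAIR_RE = re.compile(
    r"wsc:iam::(?P<p1>" + NAME + r"):login-name/(?P<login>" + NAME + r"),"
    r"wsc:iam::(?P<p2>" + NAME + r"):saml-provider/(?P<provider>" + NAME + r")"
)

# Constructed sample: what an IdP should emit once the template is filled in.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/LoginName">
    <saml2:AttributeValue>wsc:iam::acme:login-name/ops-admin,wsc:iam::acme:saml-provider/corp-idp</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="https://login.cdnetworks.com/SAML/Attributes/RoleSessionName">
    <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

def lint_role_sso_attributes(statement_xml):
    """Return (fields, problems) for one AttributeStatement from your own IdP."""
    root = ET.fromstring(statement_xml)
    values = {}
    for attr in root.iter("{%s}Attribute" % SAML2):
        found = attr.findall("{%s}AttributeValue" % SAML2)
        values[attr.get("Name", "")] = [(v.text or "").strip() for v in found]
    fields, problems = {}, []
    login = values.get(BASE + "LoginName", [])
    match = PAIR_RE.fullmatch(login[0]) if len(login) == 1 else None
    if match is None:
        problems.append("LoginName missing or not in the documented template form")
    elif match["p1"] != match["p2"]:
        problems.append("login-name and saml-provider use different parent accounts")
    else:
        fields = {"parent": match["p1"], "login": match["login"],
                  "provider": match["provider"]}
    session = values.get(BASE + "RoleSessionName", [])
    if len(session) != 1 or not session[0] or "${" in session[0]:
        problems.append("RoleSessionName missing, empty, or unexpanded")
    return fields, problems

if __name__ == "__main__":
    print(lint_role_sso_attributes(SAMPLE))
```
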
```xml
<saml2:Subject>
  <saml2:NameID>${NameID}</saml2:NameID>
  <saml2:SubjectConfirmation>
    ...
  </saml2:SubjectConfirmation>
</saml2:Subject>
```
For more response information, see: User SSO SAML response