After federated identity authentication is configured, federated users can log in through the enterprise IdP to access the cloud system directly and manage its resources. This section describes how IAM authenticates a federated user after the IdP has authenticated that user.
Figure 1 Login process model
To view the interactive requests and assertion information more easily, you are advised to use the Google Chrome web browser and install the SAML Message Decoder plug-in.
- Open the login link generated when the IdP was created in a web browser. The web browser initiates SSO.
- IAM locates the metadata file of the enterprise IdP based on the account and IdP carried in the link, constructs a SAML Request, and returns it to the web browser.
- The web browser forwards the SAML Request to the enterprise IdP.
- The user enters a username and password on the IdP server for identity authentication.
- The IdP server constructs an assertion, wraps it in a SAML Response, and returns it to the web browser.
- The web browser forwards the SAML Response to IAM.
- IAM extracts the assertion from the SAML Response and parses it. Based on the configured identity conversion rules, IAM generates a token that completes the login.
The assertion must carry a signature; otherwise IAM rejects it and the login fails.
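As an added example (not code from this documentation or from IAM), the following Python sketch shows the checks a service provider performs in the last step above before it issues a token: the assertion must be present and carry a Signature element, and its issuer, validity window and audience must match what the SP expects. The sample SAML Response, the issuer URL https://idp.example.com/metadata and the audience https://iam.example.com/sp are constructed placeholders; cryptographic verification of the signature against the IdP certificate from the metadata file requires an XML-DSig library and is not shown.

```python
import base64
from datetime import datetime, timezone
from xml.etree import ElementTree as ET  # use defusedxml.ElementTree in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of what the browser POSTs to IAM. The Signature element
# is a structural placeholder only, not a real XML-DSig signature.
SIG = (b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
       b'<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
RAW = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>%s
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://iam.example.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SIGNED_RESPONSE = base64.b64encode(RAW % SIG)
UNSIGNED_RESPONSE = base64.b64encode(RAW % b"")  # same assertion, no signature

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_assertion(saml_response_b64, expected_issuer, expected_audience, now=None):
    """Return (True, NameID) only if the assertion is present, signed, from the
    expected IdP, inside its validity window and addressed to this SP."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response"
    # An unsigned assertion fails the login. Verifying the signature bytes against
    # the IdP certificate (e.g. with xmlsec) must follow this structural check.
    if assertion.find("ds:Signature", NS) is None:
        return False, "assertion is not signed"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        return False, "unexpected issuer %r" % issuer
    cond = assertion.find("saml:Conditions", NS)
    now = now or datetime.now(timezone.utc)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```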