Access and identity authentication technologies enable secure Active Directory (AD) environments for on-premises, cloud-only, and hybrid-cloud deployments of applications and services.
If you already have an Active Directory Federation Service (AD FS) system in your organization, you do not need to re-create users on Open Telekom Cloud. Instead, you can configure federated identity authentication to allow users to access Open Telekom Cloud through single sign-on (SSO).
This document shows you how to provision AD FS in your organization and how to configure identity providers on IAM for federated users to access Open Telekom Cloud.
The SSO process is as follows:
- A user opens the login link in a web browser, which then initiates an SSO request to Open Telekom Cloud.
- Open Telekom Cloud locates the identity provider metadata file that corresponds to the login link, and sends a SAML request to the web browser.
- The web browser forwards the SAML request to AD FS.
- The user enters their username and password on the AD FS authorization server to complete identity authentication.
- The AD FS authorization server builds a SAML assertion containing the user information, and sends a SAML response to the web browser.
- The web browser forwards the SAML response to Open Telekom Cloud.
- Open Telekom Cloud parses the assertion in the SAML response and matches the assertion to an IAM user according to the configured identity conversion rules. If an IAM user is matched, Open Telekom Cloud issues a token to it.
- The user completes the SSO login and can now access resources on Open Telekom Cloud.
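The last three steps above, as an added example that is not part of this document or of Open Telekom Cloud's own code: the service provider side parses a SAML assertion, rejects it if it is outside its validity window or issued for a different audience, and only then applies identity conversion rules to select an IAM identity. The assertion, the audience URL and the rule format are constructed for illustration (the platform's real rule syntax differs), and XML signature verification is assumed to have already happened.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://sp.example.invalid/saml"  # assumed SP entity ID (placeholder)

# Constructed, unsigned assertion standing in for the one AD FS returns in its SAML response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>cloud-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical identity conversion rules: an attribute/value pair selects the IAM group to map to.
CONVERSION_RULES = [
    {"attribute": "groups", "value": "cloud-admins", "iam_group": "admin"},
    {"attribute": "groups", "value": "cloud-readers", "iam_group": "readonly"},
]

def parse_ts(s):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def map_assertion(xml_text, now, audience=EXPECTED_AUDIENCE, rules=CONVERSION_RULES):
    """Check the assertion's Conditions, then apply conversion rules.
    Returns (name_id, iam_group), or None when no token must be issued."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None
    # Reject expired (replayed) or not-yet-valid assertions.
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return None
    # Reject assertions issued for a different service provider.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    for rule in rules:  # first matching rule wins
        if rule["value"] in attrs.get(rule["attribute"], []):
            return name_id, rule["iam_group"]
    return None  # no rule matched: no IAM identity, so no token
```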