Application Scenarios of Virtual User SSO and IAM User SSO¶
IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type for your business.
Virtual User SSO¶
After a federated user logs in to the cloud platform, the system automatically creates a virtual user and assigns permissions to the user based on identity conversion rules. Virtual user SSO is recommended if:
To reduce management costs, you do not want to create and manage IAM users on the cloud platform.
You want to assign permissions for cloud resources based on the user groups or attributes in your local enterprise IdP. Permission changes in the local enterprise IdP can be synchronized to the cloud platform by adjusting the user groups or attributes locally.
Your enterprise has branches and may require multiple enterprise IdPs. These IdPs need to access the same cloud account. You need to configure multiple IdPs in the cloud platform for identity federation.
IAM User SSO¶
After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user. IAM user SSO is recommended if:
The cloud products you use do not support virtual user SSO.
You do not need virtual user SSO and want to simplify the IdP configuration.
Differences Between Virtual User SSO and IAM User SSO¶
The differences between virtual user SSO and IAM user SSO are described as follows:
Identity conversion: Virtual user SSO uses identity conversion rules while IAM user SSO uses external identity IDs for identity conversion. An IdP user will be mapped to an IAM user if the IAM_SAML_Attributes_xUserId value of the IdP user is the same as the external identity ID of the IAM user. When you use IAM user SSO, make sure that you have set IAM_SAML_Attributes_xUserId in the IdP and External Identity ID in the SP to the same value.
User identity in IAM: In virtual user SSO, the IdP user does not have a corresponding IAM user in the IAM user list. After the IdP user logs in, the system automatically creates a virtual user for it. In IAM user SSO, the IdP user has a IAM user mapped by external identity ID on the IAM console.
Permissions assignment in IAM: In virtual user SSO, the permissions of the IdP user are defined by the identity conversion rule. In IAM user SSO, the IdP user inherits the permissions of the user group which the mapped IAM user belongs to.