User Federation with Keycloak (SAML 2.0)
V1.2 – October 2024
| Version | Author | Description |
|---|---|---|
| V1.0 – 2024-10-14 | Diogo Hatz d50037923 | Initial Version |
| V1.0 – 2024-10-14 | Wisley da Silva Paulo 00830850 | Document Review |
| V1.1 – 2024-11-11 | Diogo Hatz d50037923 | Document Update |
| V1.2 – 2024-12-19 | Diogo Hatz d50037923 | Document Update |
Objective
This document describes the procedure for configuring identity federation in Huawei Cloud (the Service Provider, SP) with an external identity provider (IdP) such as Red Hat SSO or Keycloak. The example uses SAML 2.0 and maps users from the IdP to virtual users in Huawei Cloud: a virtual user is not created as an IAM user; its permissions come from the IAM groups that the identity conversion rule assigns it to.
In the diagram below, you can see the authentication process flow in Huawei Cloud using an IdP.
Keycloak
First, obtain the SAML 2.0 metadata XML file of the Huawei Cloud service provider (SP); Keycloak needs it to create the client.
In a web browser, open the following page and save its contents as an XML file: https://auth.huaweicloud.com/authui/saml/metadata.xml.
Note: For private cloud deployments such as HCSO, the endpoint that serves the SAML 2.0 metadata XML has the following structure: .
Once done, go to the IdP (Keycloak) settings page and navigate to the “Clients” section. Click “Create” to create a new client.
Click “Select file” to import the Huawei Cloud XML configuration file saved in the previous step, and then click “Save”.
Navigate to the Huawei Cloud client you created, and then click “Edit” to edit the client settings.
Turn off the “Encrypt Assertions” option and click “Save” to save the changes. Keep assertion and document signing enabled: once encryption is off, the XML signature is what lets IAM verify that the assertion was issued by this Keycloak realm, and confidentiality of the assertion in transit relies on TLS between the browser and both endpoints.
Navigate to the “Mappers” section, still in the Huawei Cloud client settings, and click “Create” to create a mapper for the username.
Select “User Property” as the “Mapper Type” and fill in the fields as shown in the image below. The SAML attribute name must be UserName, because that is the name the IAM identity conversion rule created later reads (remote type UserName); the property mapped is the Keycloak username.
Navigate once again to the “Mappers” section, still in the Huawei Cloud client settings, and click “Create” to create a mapper for the group.
Select “Group list” as the “Mapper Type” and fill in the fields as shown in the image below. The SAML attribute name must be Group (remote type Group in the rule). Leave “Single Group Attribute” enabled so that all of the user's groups are sent as values of that one attribute, and leave “Full group path” disabled: with it enabled Keycloak sends /admin instead of admin, and the IAM group name would have to match that path.
Federated login requires that the users exist in Keycloak. If no user has been created in Keycloak yet, create one and add it to the group that the mapping will rely on.
Navigate to the “Realm Settings” section and, in the “Endpoints” subsection, click “SAML 2.0 Identity Provider Metadata”. Save the page that opens locally as an XML file; it is uploaded to IAM in the next section.
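Before uploading the saved Keycloak metadata to IAM, it is worth confirming that the file is the IdP metadata (not the Huawei Cloud SP file saved earlier) and that it carries what IAM needs. The following script is an added example, not part of this guide and not Keycloak or Huawei Cloud code. It parses a constructed sample in the shape Keycloak serves from “Realm Settings > Endpoints > SAML 2.0 Identity Provider Metadata”; the host keycloak.example.com, the realm name demo and the certificate are placeholders. Run with a file path to check a real download.

```python
"""Sanity-check a saved Keycloak SAML 2.0 IdP metadata file before uploading it to IAM.

Added example, not part of the original guide and not Huawei Cloud or Keycloak code.
SAMPLE_METADATA is a constructed sample; host, realm and certificate are placeholders.
The checks cover what IAM needs from the file: an entityID, an IDPSSODescriptor,
a signing certificate and an HTTPS SingleSignOnService endpoint.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder "certificate": base64 of bytes that start like a DER SEQUENCE, not a real key.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x82\x01\x00placeholder-not-a-real-certificate").decode()

SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=PLACEHOLDER_CERT)


def parse_metadata(xml_text):
    """Pull out the fields IAM relies on; raise ValueError if this is not SAML metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    summary = {
        "entity_id": root.get("entityID"),
        "is_idp": idp is not None,
        "want_authn_requests_signed": idp is not None and idp.get("WantAuthnRequestsSigned") == "true",
        "signing_certs": [],
        "sso_endpoints": {},
    }
    if idp is None:
        return summary
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.findall(".//ds:X509Certificate", NS):
                summary["signing_certs"].append("".join((cert.text or "").split()))
    for sso in idp.findall("md:SingleSignOnService", NS):
        summary["sso_endpoints"][sso.get("Binding")] = sso.get("Location", "")
    return summary


def check_metadata(xml_text):
    """Return a list of problems; an empty list means the file is fit to upload."""
    try:
        s = parse_metadata(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return ["not SAML metadata: %s" % exc]
    problems = []
    if not s["entity_id"]:
        problems.append("missing entityID")
    if not s["is_idp"]:
        problems.append("no IDPSSODescriptor: this looks like SP metadata (e.g. the Huawei Cloud file), not the Keycloak IdP file")
        return problems
    if not s["signing_certs"]:
        problems.append("no signing certificate: IAM cannot verify assertion signatures")
    for cert in s["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append("signing certificate does not decode to a DER SEQUENCE")
    if not (s["sso_endpoints"].get(HTTP_POST) or s["sso_endpoints"].get(HTTP_REDIRECT)):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, location in s["sso_endpoints"].items():
        if not location.startswith("https://"):
            problems.append("SSO endpoint %s is not HTTPS: %s" % (binding, location))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for p in check_metadata(text) or ["OK: metadata looks uploadable"]:
        print(p)
```

The check deliberately does not validate the certificate's dates or chain; IAM trusts the key in the uploaded file directly, so what matters here is that a signing key is present at all and that the file is the IdP side of the exchange.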
IAM
Access the IAM service in the Huawei Cloud console and navigate to the “Identity Providers” section. Click “Create Identity Provider” to create an identity federation configuration.
Select the SAML protocol and “SSO Type” as “Virtual User”. Click the “OK” button to save the IdP creation settings.
Once done, select “Modify” next to the identity provider you created and click “Select File” to choose the Keycloak metadata XML file saved earlier. Then click “Upload” to upload the file and load the IdP settings from it.
After confirming the file upload, click “OK” on the settings extracted from Keycloak by the XML file to save.
Finally, in the “Identity Conversion Rules” section, click “Create Rule” to create the rule that converts users and groups from the IdP into the corresponding users and groups in Huawei Cloud. You can use the example conversion rule below.
Important: The translation rule below maps all Keycloak users to IAM groups in Huawei Cloud that have the same names as the groups configured in Keycloak. For example: In Keycloak, the user “Test” belonging to the “admin” group will be mapped to the virtual user “Test” in the “admin” group in Huawei Cloud. It is not necessary to create the “Test” user in Huawei Cloud in advance. However, it is mandatory to create the “admin” group in Huawei Cloud with the appropriate access control policies.
```json
[
  {
    "remote": [
      {
        "type": "UserName"
      },
      {
        "type": "Group"
      }
    ],
    "local": [
      {
        "user": {
          "name": "{0}"
        }
      },
      {
        "group": {
          "name": "{1}"
        }
      }
    ]
  }
]
```
Once done, click “OK” to save the changes made to the IdP.
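To see what the rule above does to a concrete assertion before anyone logs in, the following added example (not part of this guide and not Huawei Cloud's own rule engine) re-implements the behaviour described in the Important note: {0} is filled from the UserName attribute, {1} from the Group attribute, and every mapped group must already exist in IAM. The AttributeStatement and the set of existing IAM groups are constructed samples; the assumption that a multi-valued Group attribute yields one IAM group per value is this example's, and should be confirmed against the IAM documentation for your region.

```python
"""Preview how an IAM identity conversion rule maps a Keycloak SAML assertion.

Added example, not part of the original guide and not Huawei Cloud's rule engine.
Assumptions: a bare "{i}" placeholder expands to every value of remote attribute i
(one IAM group per AttributeValue); SAMPLE_ATTRIBUTE_STATEMENT and EXISTING_IAM_GROUPS
are constructed samples.
"""
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The rule from this guide, verbatim.
RULE = json.loads("""
[
  {
    "remote": [{"type": "UserName"}, {"type": "Group"}],
    "local": [{"user": {"name": "{0}"}}, {"group": {"name": "{1}"}}]
  }
]
""")

# Constructed sample: what the two Keycloak mappers from this guide emit for user "Test"
# (User Property mapper -> attribute UserName, Group list mapper -> attribute Group).
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="UserName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Test</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>admin</saml:AttributeValue>
    <saml:AttributeValue>developers</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed sample: IAM groups that already exist in the Huawei Cloud account.
EXISTING_IAM_GROUPS = {"admin", "readonly"}


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def expand(template, bound):
    """Fill a local-name template from the bound remote attributes.

    A bare "{i}" yields every value of attribute i (one group per AttributeValue);
    a composite template such as "{0}@corp" is filled with the first value of each.
    """
    inner = template[1:-1]
    if template.startswith("{") and template.endswith("}") and inner.isdigit():
        return list(bound[int(inner)])
    return [template.format(*[values[0] for values in bound])]


def apply_rule(rule, attrs):
    """Return {"user": name, "groups": [...]} or None when the rule does not match."""
    users, groups = [], []
    for entry in rule:
        bound = []
        for remote in entry["remote"]:
            values = attrs.get(remote["type"])
            if not values:
                return None  # the assertion lacks an attribute the rule references
            bound.append(values)
        for local in entry["local"]:
            if "user" in local:
                users.extend(expand(local["user"]["name"], bound))
            if "group" in local:
                groups.extend(expand(local["group"]["name"], bound))
    if len(users) != 1:
        return None  # exactly one virtual user name must come out of the rule
    return {"user": users[0], "groups": sorted(set(groups))}


def preview_login(rule, attrs, existing_groups):
    """Apply the rule and flag mapped groups that do not exist in IAM (see the Important note)."""
    mapped = apply_rule(rule, attrs)
    if mapped is None:
        return None
    mapped["missing_groups"] = sorted(g for g in mapped["groups"] if g not in existing_groups)
    mapped["effective_groups"] = sorted(g for g in mapped["groups"] if g in existing_groups)
    return mapped


if __name__ == "__main__":
    result = preview_login(RULE, parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT), EXISTING_IAM_GROUPS)
    print(json.dumps(result, indent=2))
```

For the sample user, "admin" is mapped and exists, while "developers" is mapped but has no IAM group, so that membership would confer nothing; creating the IAM group with the intended policies, or removing the Keycloak group from the users who should not gain Huawei Cloud access, closes that gap before it surfaces as a confusing login.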
Example
The following is an example of validating login to the Huawei Cloud console through identity federation.
Accessing the Huawei Cloud console and selecting the option to log in through a federated user.
Entering the account name and selecting the configured IdP from the dropdown.
Logging in to the configured identity provider.
Authentication successful, redirecting to the Huawei Cloud console.
Important: You can also log in to the console via identity federation using the hyperlink generated in the Identity Provider configuration in the Huawei Cloud console.