
How to set up SSO for Tencent Cloud with Okta

Sep 30, 2021 9:15:00 PM / by Vu Long Tran

This is a step-by-step guide on how to set up SSO for Tencent Cloud with Okta.

The key steps we will be going through will be:

  • Add the Tencent Cloud app to your Okta instance
  • Set up SSO settings on Tencent Cloud
  • Test that SSO is working on Tencent Cloud

Prerequisites

Before you start setting up Single Sign On (SSO) for Tencent Cloud and Okta, check the following:

  • Access to Tencent Cloud Admin Console - Confirm that you have administrator access to Tencent Cloud Admin Console.
  • Access to Okta Admin Console - Confirm that you have administrator access to Okta's Admin Console. If you do not have an Okta account, you can create a free Okta Trial account or Okta Developer account.
  • (Recommended) Use the same email address for your Tencent Cloud administrator account as your Okta administrator account. This will make it easier for you to administer the accounts.

1. Add Tencent Cloud app to your Okta instance

Log in to your Okta account as an administrator (with administrator access).

Under Applications > Applications, click Create App Integration.

Select SAML 2.0.

On the "Create SAML Integration" page, fill in the options:

  • Application name - Name your app (any name is fine), then click Next.

On the next page, fill in more details. You can put in the details below for now; use the Tencent Cloud International or Tencent Cloud China details depending on which one you are using:

Tencent Cloud International users

  • Single sign on URL - https://intl.cloud.tencent.com/login/saml
  • Audience URI (SP Entity ID) - intl.cloud.tencent.com
  • Default RelayState - Optional; you can leave this blank.
  • Name ID format - Email Address
  • Application username - Okta username
  • Update application username on - Create and update

Tencent Cloud China users

  • Single sign on URL - https://cloud.tencent.com/login/saml
  • Audience URI (SP Entity ID) - cloud.tencent.com
  • Default RelayState - Optional; you can leave this blank.
  • Name ID format - Email Address
  • Application username - Okta username
  • Update application username on - Create and update

Configure role attributes

We will also configure some role attributes, which Tencent Cloud needs in order to complete the sign-in.

Attribute one - Role

Put your details in the "Value" field, replacing each placeholder:

  • {AccountID}: Replace this with your Tencent Cloud account ID. You can view this at Account Information - Console.
  • {RoleName}: Replace this with the role name you have created in Tencent Cloud for the identity provider. For more information, see Creating a Role. Role names can be viewed in Role - Console.
    • You can also add more roles, using the same format. Separate them using semicolons (;):
      • qcs::cam::uin/{AccountID}:roleName/{RoleName}
  • {ProviderName}: Replace this with the SAML identity provider name that you created on Tencent Cloud. You can view this at Identity Providers - Console.

For example:

  • AccountID 1000200000
  • RoleName Enduser
  • ProviderName Okta

These combine into the following value, in the format Tencent Cloud expects:

  • Value - qcs::cam::uin/1000200000:roleName/Enduser,qcs::cam::uin/1000200000:saml-provider/Okta
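To make the format concrete, here is an added Python example (not code from the original post, Okta or Tencent Cloud) that assembles the Role attribute value from the three pieces above and parses a value back into its parts. It goes a little beyond the single-role case by joining several roles with semicolons, as the note above describes. The function names are mine; the account ID, role and provider name are the example values used above, not a real account.

```python
import re

# Value format for the Role attribute, as given in the guide above:
#   qcs::cam::uin/{AccountID}:roleName/{RoleName},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName}
# Several role/provider pairs may be joined with semicolons.
ROLE_PAIR_RE = re.compile(
    r"^qcs::cam::uin/(?P<account>\d+):roleName/(?P<role>[^,;]+),"
    r"qcs::cam::uin/(?P<account2>\d+):saml-provider/(?P<provider>[^,;]+)$"
)


def build_role_attribute(account_id, provider_name, role_names):
    """Return the Role attribute value for one or more roles.

    The same account ID and provider name are used in every pair; each
    entry of role_names becomes its own 'roleName,saml-provider' pair.
    """
    account_id = str(account_id).strip()
    role_names = list(role_names)
    if not account_id.isdigit():
        raise ValueError(f"AccountID must be numeric, got {account_id!r}")
    if not role_names:
        raise ValueError("at least one role name is required")
    for name in [provider_name, *role_names]:
        if not name or any(ch in name for ch in ",;"):
            raise ValueError(f"name must be non-empty and free of ',' and ';': {name!r}")
    pairs = [
        f"qcs::cam::uin/{account_id}:roleName/{role},"
        f"qcs::cam::uin/{account_id}:saml-provider/{provider_name}"
        for role in role_names
    ]
    return ";".join(pairs)


def parse_role_attribute(value):
    """Split a Role attribute value into (account_id, role_name, provider_name) tuples.

    Raises ValueError for any pair that does not match the expected format;
    a value like that is what produces the 'role in the SAML assertion does
    not exist' error described in the troubleshooting section.
    """
    parsed = []
    for pair in value.split(";"):
        match = ROLE_PAIR_RE.match(pair.strip())
        if not match:
            raise ValueError(f"malformed role pair: {pair!r}")
        if match.group("account") != match.group("account2"):
            raise ValueError(f"account ID differs between role and provider: {pair!r}")
        parsed.append((match.group("account"), match.group("role"), match.group("provider")))
    return parsed


if __name__ == "__main__":
    # Sample values from the guide (the account ID is the guide's example, not a real account).
    value = build_role_attribute("1000200000", "Okta", ["Enduser"])
    print(value)
    print(parse_role_attribute(value))
```

Paste the string returned by build_role_attribute into the Okta "Value" field; running parse_role_attribute on what you pasted is a quick way to catch a missing comma or a stray character before testing the login.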

These are screenshots of the Tencent Cloud console showing where to find your AccountID and RoleName.

AccountID (Account ID)

Located at: Tencent Cloud > Account Center > Account Information > Account ID

RoleName (Role Name)

Located at: Tencent Cloud > Access Management > Role > click on one of your roles

Attribute two - RoleSessionName

  • Name - https://cloud.tencent.com/SAML/Attributes/RoleSessionName
  • Name format - Unspecified
  • Value - Okta

Leave the rest of the settings at their defaults and click Next.

On the next page, select "I'm an Okta customer adding an internal app", and then click Next.


Then click on the "Sign On" tab.

Scroll down and look for "Identity Provider metadata".

Right click on "Identity Provider metadata" and choose "Save Link As..." from the context menu.

Save this to your computer, giving it a name such as "metadata.xml". Make sure you save it with the .xml file extension.

We will now be able to proceed to Tencent Cloud to configure settings there.

Later we will upload this metadata.xml file in Tencent Cloud.

2. Set up SSO settings on Tencent Cloud

Log into your Tencent Cloud account

In a new browser tab, log in to your Tencent Cloud account as an administrator (with administrator access).

Open Single Sign-On Settings

In Tencent Cloud, open your Single Sign-On (SSO) settings:

Tencent Cloud > Access Management > Identity provider > New Provider

If you have trouble finding it, you can try this direct link to the SAML settings: https://console.cloud.tencent.com/cam/idp

Click the "New Identity Provider" button.

Configure your Identity Provider settings:

  • Provider type - SAML
  • Provider name - Okta
  • Remark - Leave blank
  • Metadata document - Upload the metadata.xml file we downloaded earlier from Okta.

When you are ready, click "Next Step".

You will then see a summary of the settings just configured.

(Optional) You can click on the new identity provider in the list to review its details.

3. Test that SSO is working on Tencent Cloud

When you are ready, let's test that it works.

In the Okta Admin Console, assign a user to the application: go to Applications > Applications > Tencent Cloud app, select our test user, click "Assign" and then "Done".

Now log into your Okta instance as the test user. You may need to refresh your browser if you already had the window open.

Then click on the "Tencent Cloud" application icon (chiclet).

Success! You will be logged in to your Tencent Cloud account.

Troubleshooting:

You may see one of the following errors when signing in:

Sign In Fail
The role in the SAML assertion does not exist.(Error Code:100101;Request ID:pfx8.....)
Please contact your administrator to confirm the SAML message and then log back in.

Sign In Fail
The SAML Response does not have the Roles attribute.(Error Code:911022;Request ID:pfx8.....)

Sign In Fail
SAML parsing failed(Error Code:-1;Request ID:BJj....)
Please contact your administrator to confirm the SAML message and then log back in.

Please contact your administrator for authorization and then log in again.

 

Role attribute does not exist

The role in the SAML assertion does not exist

Solution:

If you see the role attribute errors, it means you have set up the Role attribute incorrectly in Okta.

Tencent Cloud expects the Role attribute to be sent in a specific format, so check that your AccountID, RoleName and ProviderName exist in Tencent Cloud and that you have entered them correctly in Okta.

For example:

  • AccountID 1000200000
  • RoleName Enduser
  • ProviderName Okta

These combine into the following value, in the format Tencent Cloud expects:

  • Value - qcs::cam::uin/1000200000:roleName/Enduser,qcs::cam::uin/1000200000:saml-provider/Okta

When creating my Role in Tencent Cloud, I also chose the "Identity Providers" option.

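The three sign-in errors above can be narrowed down by looking at the attributes in the SAML Response that Okta actually sent (decoded from the SAMLResponse form field, for example with a browser SAML-tracing extension). The following added Python example, which is not code from the original post, Okta or Tencent Cloud, parses a response and reports the same conditions the error messages describe: the response does not parse, the Role attribute is absent, or a role or provider named in it does not exist. It assumes the Role attribute is named https://cloud.tencent.com/SAML/Attributes/Role, by analogy with the RoleSessionName attribute name given above; the sets of existing roles and providers, and the sample response built by sample_response, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# RoleSessionName is the attribute name given in the guide; the Role attribute
# name is assumed by analogy (verify it against the Tencent Cloud CAM docs).
ROLE_ATTR = "https://cloud.tencent.com/SAML/Attributes/Role"
SESSION_ATTR = "https://cloud.tencent.com/SAML/Attributes/RoleSessionName"

# Constructed: the roles and identity providers that exist in the account.
EXISTING_ROLES = {"Enduser"}
EXISTING_PROVIDERS = {"Okta"}


def diagnose_assertion(response_xml, existing_roles, existing_providers):
    """Return a list of findings for a decoded SAML Response (empty = looks fine).

    Only attribute content is inspected; signature and audience checks are
    done by Tencent Cloud itself and are out of scope here.
    """
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        return [f"SAML parsing failed: {exc}"]

    # Collect every saml:Attribute in the assertion, keyed by its Name.
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)
        ]

    findings = []
    if ROLE_ATTR not in attrs:
        findings.append("The SAML Response does not have the Roles attribute")
    else:
        for value in attrs[ROLE_ATTR]:
            for pair in value.split(";"):
                parts = pair.split(",")
                if (len(parts) != 2 or ":roleName/" not in parts[0]
                        or ":saml-provider/" not in parts[1]):
                    findings.append(f"Role value is not 'roleARN,providerARN': {pair!r}")
                    continue
                role = parts[0].split(":roleName/", 1)[1]
                provider = parts[1].split(":saml-provider/", 1)[1]
                if role not in existing_roles:
                    findings.append(f"The role in the SAML assertion does not exist: {role!r}")
                if provider not in existing_providers:
                    findings.append(f"Identity provider in the assertion does not exist: {provider!r}")

    if not any(attrs.get(SESSION_ATTR, [])):
        findings.append("RoleSessionName attribute is missing or empty")
    return findings


def sample_response(role_value, include_session=True):
    """Build a constructed, unsigned Response carrying the given Role value (None = omit it)."""
    role = ""
    if role_value is not None:
        role = (f'<saml:Attribute Name="{ROLE_ATTR}">'
                f'<saml:AttributeValue>{role_value}</saml:AttributeValue></saml:Attribute>')
    session = ""
    if include_session:
        session = (f'<saml:Attribute Name="{SESSION_ATTR}">'
                   '<saml:AttributeValue>Okta</saml:AttributeValue></saml:Attribute>')
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp" Version="2.0">'
        '<saml:Assertion ID="_asn" Version="2.0">'
        '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
        f'<saml:AttributeStatement>{role}{session}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    ok = sample_response("qcs::cam::uin/1000200000:roleName/Enduser,"
                         "qcs::cam::uin/1000200000:saml-provider/Okta")
    print(diagnose_assertion(ok, EXISTING_ROLES, EXISTING_PROVIDERS))  # []
    print(diagnose_assertion(sample_response(None), EXISTING_ROLES, EXISTING_PROVIDERS))
```

For a real check, replace the constructed sets with the role and provider names shown in Access Management, and pass the decoded response text instead of sample_response output; an empty findings list means the attribute side of the configuration matches what the guide describes, so any remaining failure lies elsewhere (for example in the uploaded metadata).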

More information:

Topics: okta, sso


Written by Vu Long Tran

Solutions Engineer APAC. ex-@Forrester consultant. Writing on #cloud #howto guides and #tech tinkering!