Before you can start setting up Single Sign On (SSO) for Tencent Cloud and Okta, we need to check the following:
Log in to your Okta account as an administrator (with administrator access).
Under Applications > Applications, click Create App Integration.
Select SAML 2.0.
On the "Create SAML Integration" page, fill in the options.
On the next page, fill in more details. You can put in these placeholder details for now; use the Tencent Cloud International or Tencent Cloud China details depending on which one you are using:
Tencent Cloud International users
Tencent Cloud China users
We will also configure some role attributes, as Tencent Cloud needs them in order to map the login to a CAM role.
Put your details in the "Value" field.
For example:
It will then be in the following format, which Tencent Cloud can digest.
These are screenshots of the Tencent Cloud settings showing where you can find your AccountID and RoleName in Tencent Cloud.
Located at: Tencent Cloud > Account Center > Account Information > Account ID
Located at: Tencent Cloud > Access Management > Role > Role > click on one of your roles
Leave the rest default settings and click Next.
On the next page, select "I'm an Okta customer adding an internal app", and then click Next.
Then click on the "Sign On" tab.
Scroll down and look for "Identity Provider metadata".
Right click on "Identity Provider metadata".
Click "Save Link As..." from the right click menu.
Save this to your computer.
Give it a name, for example "metadata.xml". Please make sure you save it as .xml file extension.
We will now be able to proceed to Tencent Cloud to configure settings there.
Later we will be uploading this metadata.xml file in Tencent Cloud via an option that looks like this.
In a new browser tab, log in to your Tencent Cloud account as an administrator (with administrator access).
In Tencent Cloud, open your Single Sign-On (SSO) settings.
Tencent Cloud Access Management > Identity provider > New Provider
If you have trouble finding it, you can try this direct link to SAML settings, https://console.cloud.tencent.com/cam/idp
Click "New Identity Provider" button.
Configure your Identity Provider settings and click "Next Steps" when you are done.
Upload the metadata.xml file you saved from Okta.
When you are ready, click on Next Step.
You will then see a summary of the settings just configured.
(Optional) If you click on it, it will look like this.
When you are ready, let's test that it works.
In the Okta Admin Console, let's assign a user to the application (Applications > Applications > Tencent Cloud app, select our test user, click "Assign" and then "Done").
Now let's log in to our Okta instance as the test user. You may need to refresh your browser if you already had the browser window open.
Then click on "Tencent Cloud" application icon (chiclet).
Success: you will be logged in to your Tencent Cloud account!
Sign In Fail
The role in the SAML assertion does not exist.(Error Code:100101;Request ID:pfx8.....)
Please contact your administrator to confirm the SAML message and then log back in.
Sign In Fail
The SAML Response does not have the Roles attribute.(Error Code:911022;Request ID:pfx8.....)
Sign In Fail
SAML parsing failed(Error Code:-1;Request ID:BJj....)
Please contact your administrator to confirm the SAML message and then log back in.
Please contact your administrator for authorization and then log in again.
Solution:
If you see the role attribute errors, it means you have set up the Role Attributes incorrectly in Okta.
Tencent Cloud expects the Role Attributes to be sent in a specific format, so check that your RoleName, Profile ID, and Provider exist in Tencent Cloud and that you have set them correctly in Okta.
For example:
It will then be in the following format, which Tencent Cloud can digest.
When creating my Role in Tencent Cloud, I also chose the "Identity Providers" option.
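Added example, not part of the original article or of Okta's or Tencent Cloud's own tooling: a small Python checker that reads a SAML assertion and reports the same conditions as the three sign-in errors above, so an administrator can inspect an assertion before users hit them. The attribute name `https://cloud.tencent.com/SAML/Attributes/Role` and the `qcs::cam::uin/<AccountID>:roleName/<RoleName>,qcs::cam::uin/<AccountID>:saml-provider/<ProviderName>` value layout are assumed from Tencent Cloud's CAM documentation; the account ID, role name, provider name and assertion are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion fragment (not a real Okta or Tencent Cloud message).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role">
      <saml2:AttributeValue>qcs::cam::uin/100000000001:roleName/OktaAdmin,qcs::cam::uin/100000000001:saml-provider/Okta</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>test.user@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://cloud.tencent.com/SAML/Attributes/Role"  # assumed attribute name
# Assumed value layout: role resource and provider resource, comma separated.
ROLE_RE = re.compile(
    r"^qcs::cam::uin/(\d+):roleName/([A-Za-z0-9_+=.@-]+),"
    r"qcs::cam::uin/(\d+):saml-provider/([A-Za-z0-9_+=.@-]+)$"
)


def check_role_attribute(xml_text, known_roles):
    """Return a status string mirroring the sign-in errors the article lists.

    known_roles is a set of (account_id, role_name, provider_name) tuples that
    actually exist in Tencent Cloud CAM (constructed for this example).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "SAML parsing failed"
    values = [
        (v.text or "").strip()
        for attr in root.iter(f"{{{SAML_NS}}}Attribute")
        if attr.get("Name") == ROLE_ATTR
        for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
    ]
    if not values:
        return "The SAML Response does not have the Roles attribute"
    for value in values:
        m = ROLE_RE.match(value)
        if not m:
            return f"malformed role value: {value}"
        account, role, provider_account, provider = m.groups()
        if account != provider_account:
            return "account IDs in roleName and saml-provider differ"
        if (account, role, provider) not in known_roles:
            return "The role in the SAML assertion does not exist"
    return "ok"
```

Paste the decoded SAMLResponse from the browser's SAML tracer into `check_role_attribute` with the roles you created in CAM to see which of the three conditions applies.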