Role SSO Overview
Role SSO means that, after a mutual trust relationship has been established between the enterprise's own identity management system (acting as the IdP) and Volcano Engine (acting as the SP), users who log in through the enterprise identity management system can access Volcano Engine by assuming the corresponding IAM role. A single enterprise user can assume one or more IAM roles.
Role SSO is suitable when:

  • You want to avoid user management costs and do not want to create a large number of IAM users in Volcano Engine.

  • You want to initiate a login request from the IdP login page and be taken directly to the Volcano Engine console.

  • Your company uses several different IdPs internally, and you need to configure single sign-on for multiple IdPs under the same account.

The flow is shown in the following chart:
![Role SSO handshake flow chart](https://lf3-volc-editor.volccdn.com/obj/volcfe/sop-public/upload_8aa5ff59d4acd7f5fa55f719040cbe7c.png)

  1. The enterprise user's browser initiates a single sign-on request through the Volcano Engine application link on the third-party IdP login page.

  2. The IdP authenticates the logged-in user and issues a SAML assertion that contains the IAM role information for that enterprise user.

  3. The enterprise user's browser forwards the SAML assertion to the Volcano Engine SSO service.

  4. The SSO service parses the SAML assertion and verifies its authenticity against the SAML mutual trust configuration.

  5. Once the assertion has been parsed, the information it carries is matched to one or more corresponding IAM roles.

  6. The Volcano Engine SSO service returns the Volcano Engine console URL to the enterprise user's browser.

  7. The browser is redirected; the enterprise user selects the desired IAM role, assumes that role to log in to the Volcano Engine console, and accesses the corresponding resources.

Basic steps for SAML configuration

To implement role SSO, you need to configure the mutual trust relationship between the IdP and the SP, and establish the correspondence between enterprise IdP users and IAM roles.

  1. First, configure the enterprise IdP as a trusted identity provider for Volcano Engine. See the SAML 2.0 role SSO configuration for Volcano Engine. Multiple identity providers of the role SSO type are supported (up to 100).

  2. Next, create an IAM role in the IAM console and grant it the relevant permissions. If you need several IAM roles with different permissions, it is recommended that you standardize the IAM role names, for example `{$IdP}_role`, where IdP is ADFS, Okta, etc. and role is rd, sre, admin, etc. See Role Management. Note that the role's trusted identity type must be "identity provider", and you must select the identity provider created in step 1.

  3. Third, configure Volcano Engine as the SP, that is, as a trusted service provider for the enterprise IdP. See the SAML 2.0 SSO configuration for enterprise IdPs.

  4. Then configure the SAML assertion content at the enterprise IdP so that enterprise users are mapped to their final IAM roles. See the SAML response for Role SSO.

  5. At login time, open the SSO login page and select the role you want to log in with; you are then logged in to the Volcano Engine console as that IAM role.
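The following is an added example, not code from Volcano Engine or from this page, showing the SP-side checks that step 4 of the flow ("verify authenticity against the mutual trust configuration") and step 4 of the configuration (role mapping in the assertion) imply: after the XML signature has been verified by the SAML library, the issuer is compared with the trusted IdP, the validity window and audience restriction are enforced, and only then are the IAM role names read out of the assertion for the user to choose from. The issuer URL, SP audience and role attribute name are placeholders; the sample assertion is constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholders for the mutual-trust configuration: the IdP entity ID registered as a
# trusted identity provider (step 1) and the SP audience registered at the IdP (step 3).
TRUSTED_ISSUER = "https://idp.example.com/saml"
SP_AUDIENCE = "https://sp.example.com/saml"
# Placeholder attribute name carrying IAM role names; use the one Volcano Engine documents.
ROLE_ATTR = "https://example.com/attributes/IamRole"

def extract_roles(assertion_xml, now, trusted_issuer=TRUSTED_ISSUER, audience=SP_AUDIENCE):
    """Apply the SP-side checks that follow signature verification and return the IAM roles."""
    root = ET.fromstring(assertion_xml)  # production code: parse with defusedxml
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise ValueError(f"assertion issued by untrusted IdP {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
    not_after = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if not (not_before <= now < not_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this SP")
    roles = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            roles += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    if not roles:
        raise ValueError("assertion carries no IAM role")
    return roles  # the console then lets the user pick one of these roles (step 7)

# Constructed sample assertion (not a real IdP response) granting two roles to one user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_constructed" IssueInstant="2025-06-30T02:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Conditions NotBefore="2025-06-30T02:00:00Z" NotOnOrAfter="2025-06-30T02:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://example.com/attributes/IamRole">
      <saml:AttributeValue>Okta_rd</saml:AttributeValue>
      <saml:AttributeValue>Okta_sre</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2025, 6, 30, 2, 1, tzinfo=timezone.utc)          # inside the window
SAMPLE_EXPIRED_NOW = datetime(2025, 6, 30, 2, 5, tzinfo=timezone.utc)  # NotOnOrAfter boundary
```

Running `extract_roles(SAMPLE_ASSERTION, SAMPLE_NOW)` returns both role names, while the same assertion presented at `SAMPLE_EXPIRED_NOW`, to a different audience, or from a different issuer is rejected.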

Last updated: 2025.06.30 10:38:46