Example of configuring SAML role SSO using Okta
Goal

The company maintains multiple employee identities in Okta (multiple Okta users) and wants to map them to the role role1 under its Volcano Engine account. In this example there is a user user1 in Okta; the goal is to configure role SSO (single sign-on) so that user1 jumps directly from Okta to the Volcano Engine login page, logs in to the Volcano Engine account as role1, and exercises the permissions of that role.

Operation

Step 1: Obtain SAML Service Provider (SP) metadata in the Volcano Engine console

  1. Log in to the Access Control (IAM) console of your Volcano Engine account.
  2. Under Identity Management - Identity Provider, click Create Identity Provider.
  3. In the drawer that opens, select SAML as the Identity Provider Type and Role SSO as the SSO Type. Under the role SSO service provider metadata URL, click the URL; the metadata shown on the page that opens is used in the following steps.

Step 2: Create a new Okta app

As an Identity Provider (IdP), Okta needs to know the service provider Volcano Engine as an "application" before it can provide single sign-on to it. To do this, you create an application in Okta that corresponds to Volcano Engine.

  1. Log in to the Okta portal and click Admin in the upper right corner.
  2. After logging in to Okta as an administrator, click Applications - Applications in the left navigation bar, click Create App Integration, select SAML 2.0 in the Create a new app integration pop-up window, and click Next.
  3. In the Create SAML Integration - General Settings interface, enter the application name under App name (this is for display at the IdP only; in this example, fill in "VolcineDemo") and click Next.
  4. In the Create SAML Integration - Configure SAML step, complete the SAML configuration as described in Step 3.

Step 3: Complete the SAML configuration of the Okta application

Next, you need to configure SAML-based single sign-on for your IdP.

  1. In the Create SAML Integration - Configure SAML step of the application VolcineDemo you just created, configure the General section based on the SP metadata obtained in Step 1:
    1. For Single sign on URL, fill in the Location value of the AssertionConsumerService element, which is: https://signin.volcengine.com/saml/sso
    2. Also check "Use this for Recipient URL and Destination URL".
    3. For Audience URI (SP Entity ID), fill in the entityID value of the EntityDescriptor element: https://www.volcengine.com/
    4. NameID format: select Unspecified; the corresponding value can be customized according to your requirements. This field mainly supplements the identity of the user. During the role SSO process, Volcano Engine does not rely on this value to identify the user, but the field must not be empty.
    5. In Attribute Statements (optional), configure the following two custom attributes:
      1. The first custom attribute: Name is https://www.volcengine.com/SAML/Attributes/Identity, Name format is Unspecified, and Value is the trn of the role to log in to. In this example, the attribute value must be configured as: trn:iam::210******:role/role1,trn:iam::210*******:saml-provider/Okta_role, where Okta_role is the name of the identity provider created in Step 5 and role1 is the name of the role to be logged in to, created in Step 6.
      2. The second custom attribute: Name is https://www.volcengine.com/SAML/Attributes/SessionName, Name format is Unspecified, and Value is the value used to identify the session name after login; it may be a constant. In this example, configure user.email so that the logged-in employee identity can be identified and audited after subsequent logins.
  2. Click Next, fill in the Feedback step as needed, and click Finish to save the configuration.
  3. In the current application, click the Sign On tab and find SAML Signing Certificates. Hover over Actions for the certificate whose status is Active, click View IdP metadata, and right-click the page that opens to save the identity provider's metadata (IdP Metadata) as a file.
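As an added example (not code from the Volcano Engine documentation or from Okta), the following Python check validates the role SSO attribute statement that Step 3 configures, the way a service provider would before mapping a login to a role: NameID must be non-empty, there must be exactly one Identity value of the form `<role trn>,<saml-provider trn>` with both trns in the same account, and SessionName must be a single non-empty value. The sample assertion, the account ID 210000000000 and the allowed character set for role and provider names are constructed assumptions, and the assertion's signature is assumed to have been verified against the IdP metadata certificate already.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDENTITY_ATTR = "https://www.volcengine.com/SAML/Attributes/Identity"
SESSION_ATTR = "https://www.volcengine.com/SAML/Attributes/SessionName"
# trn shapes follow the Identity value from Step 3; the name character set is an assumption.
ROLE_RE = re.compile(r"^trn:iam::(\d+):role/([\w.@-]+)$")
PROVIDER_RE = re.compile(r"^trn:iam::(\d+):saml-provider/([\w.@-]+)$")

def attribute_values(assertion, name):
    """All AttributeValue texts of the named Attribute (missing text becomes '')."""
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text or "" for v in assertion.findall(path, NS)]

def check_role_sso_assertion(xml_text):
    """Return (account_id, role_name, provider_name, session_name) or raise ValueError."""
    assertion = ET.fromstring(xml_text)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id.strip():
        raise ValueError("NameID must not be empty")
    identity = attribute_values(assertion, IDENTITY_ATTR)
    if len(identity) != 1:
        raise ValueError("exactly one Identity attribute value expected")
    parts = [p.strip() for p in identity[0].split(",")]
    if len(parts) != 2:
        raise ValueError("Identity must be '<role trn>,<saml-provider trn>'")
    role, provider = ROLE_RE.match(parts[0]), PROVIDER_RE.match(parts[1])
    if not role or not provider:
        raise ValueError("Identity trns are malformed")
    if role.group(1) != provider.group(1):
        raise ValueError("role and saml-provider must belong to the same account")
    session = attribute_values(assertion, SESSION_ATTR)
    if len(session) != 1 or not session[0].strip():
        raise ValueError("SessionName must be a single non-empty value")
    return role.group(1), role.group(2), provider.group(2), session[0].strip()

# Constructed sample assertion (not captured from Okta); the account id is a placeholder.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://www.volcengine.com/SAML/Attributes/Identity">
      <saml:AttributeValue>trn:iam::210000000000:role/role1,trn:iam::210000000000:saml-provider/Okta_role</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://www.volcengine.com/SAML/Attributes/SessionName">
      <saml:AttributeValue>user1@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Calling `check_role_sso_assertion(SAMPLE)` returns the account, role, provider and session name; an empty SessionName or mismatched account IDs raises ValueError.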

Step 4: Create a user in Okta and assign it to the app

This step defines which Okta users or user groups have access to the VolcineDemo app.

  1. In the top navigation, click Users - Users, then click New User in the upper right corner.

  2. After configuring the basic information of user user1, click Save User in the upper right corner.

  3. On the user page, click Applications in the left navigation, click the plus sign on the right, select the VolcineDemo application, click Continue, and add it.

Step 5: Complete Role SSO Identity Provider Creation in Volcano Engine

  1. Return to the Access Control (IAM) console of your Volcano Engine account.

  2. In the Identity Management - Identity Provider - New Identity Provider drawer from Step 1, fill in the identity provider name as needed, such as Okta_role. Finally, upload the IdP Metadata file obtained in Step 3 and click Submit.

Step 6: Create an IAM Role in Volcano Engine

In Access Control, under Identity Management - Roles, click New Role, create a new role in the Volcano Engine account, and configure its permissions.

  1. Select Identity Provider as the Trusted Identity, SAML as the Identity Provider Type, and the identity provider Okta_role created in Step 5.

  2. Configure role information: enter a role name, display name, and description. Note that the role name is shown in the identity column of the official website as the name of the login identity after single sign-on, so it is recommended to name it after the actual role, such as admin or ITservice. In this example the role is named role1.

  3. Add permissions: You can add an IAM permissions policy to a role and specify the scope of the permissions policy.

Click Submit to complete the creation.


Result verification

After completing the SSO login configuration, you can verify it by initiating single sign-on from Okta.
Log in to Okta as user1, go to the portal, and click VolcineDemo in the My Applications dashboard to test SSO login for user1. If you are redirected to the Volcano Engine SSO login page and log in to account 210****** as the Volcano Engine role role1, the configuration is successful.

Alternatively, you can verify it by initiating single sign-on from Volcano Engine.
On the Volcano Engine login page, select the "Enterprise Federal Login" login method, enter the account ID 210***** and select the corresponding identity provider Okta_role; you are redirected to Okta, where you log in as user1. If, after a successful login, you are redirected to the Volcano Engine SSO login page and log in as the role1 identity of the corresponding Volcano Engine account, the single sign-on configuration is successful.

Last updated: 2025.06.30 10:38:46