
Tencent Cloud (SAML)

This guide explains how to configure Casdoor as a SAML identity provider (IdP) for Tencent Cloud Access Management (CAM), so that Tencent Cloud users sign in through Casdoor and assume CAM roles.

Get SAML metadata from Casdoor

  1. In Casdoor, add an X.509 certificate (RSA).
  2. Copy the SAML metadata from the application (or metadata URL).

(Screenshots: Add certificate; Copy SAML metadata)

Add SAML IdP and role in Tencent Cloud

  1. Log in to Tencent Cloud and open Access Management (CAM).
  2. Create a new Identity provider and upload the Casdoor SAML metadata.
  3. Create a new Role and select that identity provider.

(Screenshots: Log in to Access Management; Create SAML IdP; Create SAML role)

Configure the application in Casdoor

  1. On the application edit page, select the certificate and add the Tencent Cloud domain to Redirect URLs.
  2. Set the ACS URL and configure SAML attributes as follows:

(Screenshots: Select certificate and add redirect URLs; Add ACS URL and configure SAML attributes)

Name | Name format | Value
https://cloud.tencent.com/SAML/Attributes/Role | Unspecified | qcs::cam::uin/{AccountID}:roleName/{RoleName1};qcs::cam::uin/{AccountID}:roleName/{RoleName2},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName}
https://cloud.tencent.com/SAML/Attributes/RoleSessionName | Unspecified | casdoor

Info:

Replace placeholders using:

See Tencent Cloud SAML IdP documentation.
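The Role attribute value in the table above is easy to get wrong: each role ARN is separated from the next by ";", and the saml-provider ARN is appended after a single ",". The following is an added example, not Casdoor's or Tencent Cloud's own code: it builds that value for any number of roles and parses a value back, rejecting a malformed string. The account ID, role names and provider name are constructed sample values, and the check that every role ARN names the same account as the saml-provider ARN is an added sanity check, not a rule taken from this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RoleAttribute models the value Tencent Cloud expects in the
// https://cloud.tencent.com/SAML/Attributes/Role attribute: one or more
// role ARNs joined by ";", then "," and the saml-provider ARN.
type RoleAttribute struct {
	AccountID    string
	RoleNames    []string
	ProviderName string
}

// String renders the attribute value in the format shown in the table above.
func (r RoleAttribute) String() string {
	roles := make([]string, 0, len(r.RoleNames))
	for _, name := range r.RoleNames {
		roles = append(roles, fmt.Sprintf("qcs::cam::uin/%s:roleName/%s", r.AccountID, name))
	}
	provider := fmt.Sprintf("qcs::cam::uin/%s:saml-provider/%s", r.AccountID, r.ProviderName)
	return strings.Join(roles, ";") + "," + provider
}

// parseARN splits "qcs::cam::uin/<account>:<kind>/<name>" into its account and name.
func parseARN(arn, kind string) (account, name string, err error) {
	const prefix = "qcs::cam::uin/"
	if !strings.HasPrefix(arn, prefix) {
		return "", "", fmt.Errorf("%q: missing %q prefix", arn, prefix)
	}
	rest := strings.TrimPrefix(arn, prefix)
	sep := ":" + kind + "/"
	i := strings.Index(rest, sep)
	if i <= 0 {
		return "", "", fmt.Errorf("%q: expected an account ID followed by %q", arn, sep)
	}
	account, name = rest[:i], rest[i+len(sep):]
	if name == "" {
		return "", "", fmt.Errorf("%q: empty %s", arn, kind)
	}
	return account, name, nil
}

// ParseRoleAttribute validates an attribute value and extracts its parts.
// It fails on a missing "," separator, a bad ARN, or (added sanity check)
// a role whose account differs from the saml-provider's account.
func ParseRoleAttribute(value string) (RoleAttribute, error) {
	parts := strings.Split(value, ",")
	if len(parts) != 2 {
		return RoleAttribute{}, errors.New(`expected exactly one "," between the role list and the saml-provider ARN`)
	}
	providerAccount, providerName, err := parseARN(parts[1], "saml-provider")
	if err != nil {
		return RoleAttribute{}, err
	}
	out := RoleAttribute{AccountID: providerAccount, ProviderName: providerName}
	for _, roleARN := range strings.Split(parts[0], ";") {
		account, name, err := parseARN(roleARN, "roleName")
		if err != nil {
			return RoleAttribute{}, err
		}
		if account != providerAccount {
			return RoleAttribute{}, fmt.Errorf("role %q is in account %s but the saml-provider is in account %s", roleARN, account, providerAccount)
		}
		out.RoleNames = append(out.RoleNames, name)
	}
	return out, nil
}

func main() {
	// Constructed sample values; replace with your own account ID, role and provider names.
	attr := RoleAttribute{
		AccountID:    "100000000001",
		RoleNames:    []string{"CasdoorAdmin", "CasdoorReadOnly"},
		ProviderName: "casdoor",
	}
	value := attr.String()
	fmt.Println("Role attribute value:", value)

	parsed, err := ParseRoleAttribute(value)
	if err != nil {
		panic(err)
	}
	fmt.Printf("account=%s roles=%v provider=%s\n", parsed.AccountID, parsed.RoleNames, parsed.ProviderName)
}
```

Run it once with your real account ID and role names and paste the printed value into the Role attribute in Casdoor; the parser is the same check you would apply to an assertion captured during a failed login to see which part of the value Tencent Cloud rejected.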

Log in via SAML

Flow: User → Tencent Cloud (unauthenticated) → redirect to Casdoor → sign in → Tencent Cloud (authenticated). The initial redirect URL (the SP-initiated AuthnRequest) can be built from the Casdoor SAML metadata and the IdP SSO URL it contains. The Go example below, based on the gosaml2 library, fetches the metadata, builds the auth URL, and prints it:

package main

import (
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"

	saml2 "github.com/russellhaering/gosaml2"
	"github.com/russellhaering/gosaml2/types"
	dsig "github.com/russellhaering/goxmldsig"
)

func main() {
	// Fetch the SAML metadata of your Casdoor application (copied in step 1 above).
	res, err := http.Get("your casdoor application saml metadata url")
	if err != nil {
		panic(err)
	}
	defer res.Body.Close()

	rawMetadata, err := io.ReadAll(res.Body)
	if err != nil {
		panic(err)
	}

	// The IdP EntityDescriptor carries the SSO endpoint and the signing certificate(s).
	metadata := &types.EntityDescriptor{}
	err = xml.Unmarshal(rawMetadata, metadata)
	if err != nil {
		panic(err)
	}
	if metadata.IDPSSODescriptor == nil || len(metadata.IDPSSODescriptor.SingleSignOnServices) == 0 {
		panic("metadata contains no IdP SSO endpoint")
	}

	// Every certificate published in the metadata is trusted to sign responses.
	certStore := dsig.MemoryX509CertificateStore{
		Roots: []*x509.Certificate{},
	}

	for _, kd := range metadata.IDPSSODescriptor.KeyDescriptors {
		for idx, xcert := range kd.KeyInfo.X509Data.X509Certificates {
			if xcert.Data == "" {
				panic(fmt.Errorf("metadata certificate(%d) must not be empty", idx))
			}
			certData, err := base64.StdEncoding.DecodeString(xcert.Data)
			if err != nil {
				panic(err)
			}

			idpCert, err := x509.ParseCertificate(certData)
			if err != nil {
				panic(err)
			}

			certStore.Roots = append(certStore.Roots, idpCert)
		}
	}

	// Throwaway signing key for the AuthnRequest; suitable for this test only.
	randomKeyStore := dsig.RandomKeyStoreForTest()

	// SP settings mirror Tencent Cloud, so the ACS URL matches the one configured above.
	sp := &saml2.SAMLServiceProvider{
		IdentityProviderSSOURL:      metadata.IDPSSODescriptor.SingleSignOnServices[0].Location,
		IdentityProviderIssuer:      metadata.EntityID,
		ServiceProviderIssuer:       "https://cloud.tencent.com",
		AssertionConsumerServiceURL: "https://cloud.tencent.com/login/saml",
		SignAuthnRequests:           true,
		AudienceURI:                 "https://cloud.tencent.com",
		IDPCertificateStore:         &certStore,
		SPKeyStore:                  randomKeyStore,
	}

	fmt.Println("Visit this URL To Authenticate:")
	authURL, err := sp.BuildAuthURL("")
	if err != nil {
		panic(err)
	}

	fmt.Println(authURL)
}

After running the code, open the printed URL to test login.

(Screenshot: final result)