Setup Identity Federation Scenarios

Identity Federation allows a Service Provider (SP) [such as SoftLayer Infrastructure Management System (IMS)] to consume security tokens generated from a trusted identity system for authentication and authorization purposes.

SoftLayer SSO supports the following scenarios:

  •  Scenario 1:
  • Users are created in both the identity provider (IdP) and SoftLayer.
  • User permission assignments are done in SoftLayer IMS using the SoftLayer Customer Portal[1] or APIs.
  • Users authenticate with the IdP and federate their credentials.
  • SoftLayer consumes the credentials and makes access control decisions based on the permissions defined for the user in SoftLayer IMS.
  • Scenario 2:
  • Users are only created in the IdP. Roles are also created in the IdP and assigned to the user.
  • Role and permission assignments are set up in SoftLayer IMS, using SoftLayer APIs.
  • Users authenticate with the IdP and federate their credentials and role attributes.
  • SoftLayer consumes the user credentials and role attributes. If the user’s IdP assigned role matches a role in SoftLayer, the user is granted that role’s permissions when logging in to SoftLayer.

A role lets the SP know what the user is authorized to do (through permissions) in their system once the user has been authenticated. For example, the role of “User” may only be permitted to view different screens, but not update or add.

Note that multiple users can be assigned to a single role. Also, if a role exists in the IdP but not in SoftLayer, the user can still log in to SoftLayer; they will not have any permissions assigned to a role.

Scenario 1

Users that need access to SoftLayer are first created in SoftLayer with random passwords. All permissions need to be configured in SoftLayer before the user is able to use SSO through the IdP. Currently, permissions are set up based on the individual user.

User setup steps:

  1. Create users in SoftLayer.
  2. Assign permissions in SoftLayer.
  3. Create users in the IdP.

The steps for creating a new user in SoftLayer are located here.[2] The Email, or User Name, field within the individual user profile is used for the Security Assertion Markup Language  (SAML ) 2.0 token, which maps users between the IdP and SoftLayer.

Figure 1 illustrates the workflow of user login authentication using Identity Federation.

Figure 1: Workflow of user authentication using Identity Federation (Scenario 1)

Scenario 2

Users created in the IdP are considered federated because they, and their roles, are authenticated through SAML 2.0.

Role setup steps:

  1. Set up roles through SoftLayer API.
  2. Set up roles in the IdP.
  3. Make sure that roles defined in SoftLayer and the IdP have the same name.

User setup steps:

  1. Set up users in the IdP.
  2. Assign role(s) to user(s) in the IdP.

In Scenario 2, there is no need for customers to manually create users in SoftLayer. Figure 2 illustrates the workflow for user login authentication using Identity Federation.

Figure 2: Workflow of user authentication using Identity Federation (Scenario 2)

You will need to review your IdPs procedures for setting up new roles and how to associate them with SoftLayer.