Huawei Cloud Two-factor authentication
Overview
This article shows how to set up two-factor authentication for Huawei Cloud.
Huawei Cloud supports federated SAML authentication (Single Sign-On). It allows you to configure Huawei Cloud access for your existing user base and set up multifactor authentication with centralized access management via Multifactor.
Manually created Huawei Cloud accounts will continue to work for administrative purposes.
Multifactor does not request and store your users' passwords. Accounts and first-factor authentication methods are managed and verified locally with your Identity Provider (IDP) of choice.
List of supported IDPs:
- Active Directory
- GSuite (Google)
- Yandex
- The list is being extended.
Operational Principle
- Huawei Cloud and Multifactor establish mutual trust by sharing public certificates and setting up Single Sign-On and Single Log Out addresses.
- After the authentication request, Huawei Cloud forwards the user to the Multifactor page.
- Multifactor redirects the user to the IdP's authentication page (GSuite, Active Directory, Yandex).
- After confirmation of the first factor, Multifactor requests two-factor authentication and returns the signed request to Huawei Cloud.
Configure Multifactor
- Visit your account page and create a new Site -> SAML application in the "Resources" section:
  - Title: arbitrary
  - Address: Huawei Cloud address
  - Identity provider:
    - Gsuite for using Google accounts
    - Yandex for using Yandex accounts
    - Active Directory for Microsoft domain accounts
  - Portal address:
    - If you selected the Active Directory account provider, enter the address of a self-service portal (configured either internally or externally).
- Save settings.
- Press "upload metadata" and enter the address:
https://HUAWEI_CLOUD_DOMAIN/authui/saml/metadata.xml
- Download the file with Multifactor metadata as you will need it for further configuration.
Configure Huawei Cloud
- Navigate to "Management & Deployment" -> "Identity and Access Management".
- In the "Identity Providers" menu, create a new provider:
  - Title: Multifactor
  - Protocol: SAML
  - Save the changes.
- In the "Identity Providers" menu, click "Modify" on the Multifactor item:
  - Save the Login Link; this is the multifactor authentication login address.
  - Upload the Multifactor metadata file in the "Metadata Configuration" section.
- Save changes.
Assign roles to users
By default, users connected via federated access have read-only rights. To configure roles, use the "Identity Conversion Rules" section, following the Huawei Cloud instructions.
Try it out
Log out of the Huawei Cloud Management Console and log in with your local account or via Single Sign-On.