Identity Providers

An Identity Provider is a feature that allows you to manage resources on VNG Cloud using a user directory from your organization's authentication system. It enables centralized user management without the need to create additional IAM user accounts on VNG Cloud. IAM supports the SAML 2.0 protocol for integration with authentication systems and currently supports Azure AD.

Why Use an Identity Provider?

To better understand how IAM Identity Provider works and the benefits it brings to businesses, we present a specific use case for a clearer picture:

Context

Company A has 10 employees managed via Microsoft accounts named nhanvien1 to nhanvien10.

Company A is structured into 3 departments: Administration & Accounting, IT, and Sales.

Company A uses VNG Cloud services, including vServer, vStorage, and vMonitor.

Requirements

  • Single Sign-On (SSO): Simplify access to VNG Cloud using a single enterprise account.

Solution

Using the Identity Provider feature we provide will help your company save time and simplify permission management and user identity within the VNG Cloud system. Refer to the following guide to address your company’s needs.


How to Use Identity Provider?

To use the Identity Provider, follow these steps:

  1. Set up the Identity Provider from the third-party provider (Azure AD).

  2. Configure the Identity Provider connection on VNG Cloud.

  3. Access Azure AD to configure the connection to VNG Cloud IAM using the SAML Entity ID and Reply URL.

  4. Once setup is complete, use the Login URL in IAM to sign in to VNG Cloud with your enterprise’s Azure AD account.


1. Set Up Identity Provider from the Third-Party Provider (Azure AD)

Currently, VNG Cloud IAM only supports Azure AD via the SAML 2.0 protocol. To set up the Identity Provider between VNG Cloud and Azure AD, follow these steps:

  • Go to the Azure homepage: https://portal.azure.com/#home

  • Click on “Azure Active Directory” in the left menu. Note: You must have permission to access your organization’s Azure AD.

  • Under the Enterprise Applications tab, click “New application”, then “Create your own application”, name the app, and click Create (as shown in the example image).

Note:

  • The created application corresponds to the IT department.

  • Add IT department users to the application, such as nhanvien1 and nhanvien2.

  • After creating the application, go to the Single sign-on section and select SAML protocol.

Next, copy the Login URL (as shown) and proceed with the connection setup from VNG Cloud to Azure AD (see Step 2 below).


2. Configure Identity Provider Connection from VNG Cloud

After obtaining the Login URL from Azure AD, proceed with the following steps:

  • Click Add an Identity Provider

  • Fill in the following information:

    • Provider Name: Name of the Identity Provider

    • Provider Type: Leave as default (only SAML is supported)

    • Vendor: Leave as default (currently only Azure AD is supported)

    • Login URL: Paste the Login URL obtained from Step 1

  • Click Create to create the Identity Provider

Once created, you will receive the SAML Entity ID and Reply URL as shown. Proceed to Step 3 to complete the setup.


3. Configure Connection from Identity Provider to VNG Cloud IAM using SAML Entity ID and Reply URL

After obtaining the SAML Entity ID and Reply URL, return to Azure AD and follow these steps:

  • Open the previously created app

  • Go to Single sign-on, then click Edit in the Basic SAML Configuration section

  • Enter the SAML Entity ID and Reply URL from Step 2 into the appropriate fields and click Save


Notification

After completing Steps 1 to 3, the connection between Azure AD and VNG Cloud IAM is successfully established.

Continue to Step 4 to use the IAM Login URL (skip if you already know how to use this feature).


4. Use IAM Login URL to Sign in to VNG Cloud Using Enterprise Azure AD Account

After setup, enterprise users can use the VNG Login URL (shown below) to sign in to VNG Cloud with their Azure AD account. The IAM system will automatically create a user account upon login, which will have no default permissions like other IAM user accounts.

Note:

  • Only nhanvien1 and nhanvien2 can sign in to VNG Cloud via the login URL.

  • They must log in for the first time using the login URL for the system to automatically create IAM User Accounts with corresponding usernames.

  • By default, newly created IAM User Accounts for nhanvien1 and nhanvien2 will have no permissions on the VNG Cloud system.

  • Therefore, the Root User Account representing the company must access the IAM Console to assign access permissions to these two IAM User Accounts.

Once permissions are granted, nhanvien1 and nhanvien2 will be able to access VNG Cloud services (vServer, vStorage, and vMonitor).

Last updated