
Tencent Cloud (SAML)

Use Hanzo IAM as SAML IdP for Tencent Cloud CAM.

This guide configures Hanzo IAM as a SAML identity provider for Tencent Cloud (CAM).

Get SAML metadata from Hanzo IAM

  1. In Hanzo IAM, add an X.509 certificate (RSA).
  2. Copy the SAML metadata from the application (or metadata URL).

(Screenshots: "Add cert", "Copy SAML metadata")

Add SAML IdP and role in Tencent Cloud

  1. Log in to Tencent Cloud and open Access Management (CAM).
  2. Create a new Identity provider and upload the Hanzo IAM SAML metadata.
  3. Create a new Role and select that identity provider.

(Screenshots: "Login", "Access Management", "SAML IdP create", "SAML role create")

Configure the application in Hanzo IAM

  1. On the application edit page, select the certificate and add the Tencent Cloud domain to Redirect URLs.
  2. Set the ACS URL and configure SAML attributes as follows:

(Screenshots: "Select cert and add redirect URLs", "Add ACS URL and configure SAML attribute")

| Name | Name Format | Value |
|---|---|---|
| https://cloud.tencent.com/SAML/Attributes/Role | Unspecified | `qcs::cam::uin/{AccountID}:roleName/{RoleName1};qcs::cam::uin/{AccountID}:roleName/{RoleName2},qcs::cam::uin/{AccountID}:saml-provider/{ProviderName}` |
| https://cloud.tencent.com/SAML/Attributes/RoleSessionName | Unspecified | `iam` |

Info: Replace placeholders using:
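The Role attribute value in the table above packs several CAM resource strings into one attribute: one or more `roleName/` entries separated by `;`, then a `,` and the `saml-provider/` entry, all under the same `{AccountID}`. The following Go code is an added example, not part of the original guide or of Hanzo IAM: it builds that value from its parts and parses it back, rejecting a value whose role and provider segments point at different accounts. The `;`/`,` layout is taken from the table; the assumption that `{AccountID}` is purely numeric and that names never contain the two separators is mine.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// RoleAttribute is the parsed form of the Tencent Cloud SAML Role attribute.
type RoleAttribute struct {
	AccountID    string   // the {AccountID} shared by every resource string
	RoleNames    []string // one entry per roleName/ segment, in attribute order
	ProviderName string   // the {ProviderName} of the saml-provider/ segment
}

// Assumption: a CAM account ID (UIN) is numeric; names must not contain the
// separators ',' and ';' because those delimit the segments.
var (
	roleRe     = regexp.MustCompile(`^qcs::cam::uin/(\d+):roleName/([^,;]+)$`)
	providerRe = regexp.MustCompile(`^qcs::cam::uin/(\d+):saml-provider/([^,;]+)$`)
)

// BuildTencentRoleAttribute assembles "role[;role...],provider" from its parts.
func BuildTencentRoleAttribute(accountID string, roleNames []string, providerName string) (string, error) {
	if len(roleNames) == 0 {
		return "", errors.New("at least one role name is required")
	}
	for _, n := range append([]string{providerName}, roleNames...) {
		if strings.ContainsAny(n, ",;") {
			return "", fmt.Errorf("name %q must not contain ',' or ';'", n)
		}
	}
	roles := make([]string, 0, len(roleNames))
	for _, n := range roleNames {
		roles = append(roles, "qcs::cam::uin/"+accountID+":roleName/"+n)
	}
	return strings.Join(roles, ";") + ",qcs::cam::uin/" + accountID + ":saml-provider/" + providerName, nil
}

// ParseTencentRoleAttribute splits the attribute value, validates each
// resource string and checks that every segment names the same CAM account.
func ParseTencentRoleAttribute(value string) (*RoleAttribute, error) {
	rolesPart, providerPart, found := strings.Cut(value, ",")
	if !found {
		return nil, errors.New("role attribute must contain ',' separating the roles from the saml-provider")
	}
	pm := providerRe.FindStringSubmatch(strings.TrimSpace(providerPart))
	if pm == nil {
		return nil, fmt.Errorf("invalid saml-provider resource %q", providerPart)
	}
	out := &RoleAttribute{AccountID: pm[1], ProviderName: pm[2]}
	for _, seg := range strings.Split(rolesPart, ";") {
		rm := roleRe.FindStringSubmatch(strings.TrimSpace(seg))
		if rm == nil {
			return nil, fmt.Errorf("invalid role resource %q", seg)
		}
		// A role from a different account than the provider cannot be assumed
		// through this provider; flag the misconfiguration early.
		if rm[1] != out.AccountID {
			return nil, fmt.Errorf("role %q belongs to account %s but the provider belongs to account %s", rm[2], rm[1], out.AccountID)
		}
		out.RoleNames = append(out.RoleNames, rm[2])
	}
	return out, nil
}

func main() {
	// Constructed sample values; they do not refer to a real account.
	value, err := BuildTencentRoleAttribute("100000000001", []string{"Admin", "ReadOnly"}, "hanzo-iam")
	if err != nil {
		panic(err)
	}
	fmt.Println("attribute:", value)

	parsed, err := ParseTencentRoleAttribute(value)
	if err != nil {
		panic(err)
	}
	fmt.Printf("account %s, roles %v, provider %s\n", parsed.AccountID, parsed.RoleNames, parsed.ProviderName)

	// A mismatched account ID is rejected rather than silently forwarded.
	_, err = ParseTencentRoleAttribute("qcs::cam::uin/100000000001:roleName/Admin,qcs::cam::uin/200000000002:saml-provider/hanzo-iam")
	fmt.Println("mismatch check:", err)
}
```

Run the parser over the value your IdP actually emits (for example from a captured SAML assertion in a test login) to confirm that the account ID, role names and provider name are exactly what you created in CAM before relying on the mapping.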

Log in via SAML

Flow: User → Tencent Cloud (unauthenticated) → redirect to Hanzo IAM → sign in → Tencent Cloud (authenticated). The initial redirect URL can be built from the IdP's SAML metadata, which carries the SSO URL and the signing certificate. The following Go example fetches the metadata, builds the AuthnRequest URL and prints it:

```go
package main

import (
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"

	saml2 "github.com/russellhaggerty/gosaml2"
	"github.com/russellhaggerty/gosaml2/types"
	dsig "github.com/russellhaggerty/goxmldsig"
)

func main() {
	// Fetch the SAML metadata published by the Hanzo IAM application.
	res, err := http.Get("your iam application saml metadata url")
	if err != nil {
		panic(err)
	}
	defer res.Body.Close()

	rawMetadata, err := io.ReadAll(res.Body)
	if err != nil {
		panic(err)
	}

	metadata := &types.EntityDescriptor{}
	err = xml.Unmarshal(rawMetadata, metadata)
	if err != nil {
		panic(err)
	}
	if metadata.IDPSSODescriptor == nil || len(metadata.IDPSSODescriptor.SingleSignOnServices) == 0 {
		panic("metadata does not describe an IdP with a SingleSignOnService endpoint")
	}

	// Collect the IdP signing certificates; responses are verified against them.
	certStore := dsig.MemoryX509CertificateStore{
		Roots: []*x509.Certificate{},
	}

	for _, kd := range metadata.IDPSSODescriptor.KeyDescriptors {
		for idx, xcert := range kd.KeyInfo.X509Data.X509Certificates {
			if xcert.Data == "" {
				panic(fmt.Errorf("metadata certificate(%d) must not be empty", idx))
			}
			certData, err := base64.StdEncoding.DecodeString(xcert.Data)
			if err != nil {
				panic(err)
			}

			idpCert, err := x509.ParseCertificate(certData)
			if err != nil {
				panic(err)
			}

			certStore.Roots = append(certStore.Roots, idpCert)
		}
	}

	// Throwaway SP signing key, adequate for a manual login test only.
	randomKeyStore := dsig.RandomKeyStoreForTest()

	// Act as the Tencent Cloud service provider when building the request.
	sp := &saml2.SAMLServiceProvider{
		IdentityProviderSSOURL:      metadata.IDPSSODescriptor.SingleSignOnServices[0].Location,
		IdentityProviderIssuer:      metadata.EntityID,
		ServiceProviderIssuer:       "https://cloud.tencent.com",
		AssertionConsumerServiceURL: "https://cloud.tencent.com/login/saml",
		SignAuthnRequests:           true,
		AudienceURI:                 "https://cloud.tencent.com",
		IDPCertificateStore:         &certStore,
		SPKeyStore:                  randomKeyStore,
	}

	fmt.Println("Visit this URL To Authenticate:")
	authURL, err := sp.BuildAuthURL("")
	if err != nil {
		panic(err)
	}

	fmt.Println(authURL)
}
```

After running the code, open the printed URL to test login.

![Final result](/img/how-to-connect/saml/saml_tencent-cloud_login_test.gif)
