Available in Classic and VPC
This section describes how to create and manage tenants from the NAVER Cloud Platform console to manage the flow of authentication protocols and authentication information for Ncloud Single Sign-On integration.
Tenant interface
The basics of using Tenant are as follows:

| Component | Description |
|---|---|
| ① Menu name | Current menu name. |
| ② Basic features | Features displayed when you enter the Tenant menu for the first time. |
| ③ Creation and settings | Create tenants and change tenant settings. |
Create a tenant
To create a tenant:
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Tenant menu.
- Click [Create] in the Tenant information.
  - After the tenant is created, the button changes to [Delete].
- When the Create tenant popup window appears, review the contents, agree to the terms and conditions, and then click [Create tenant].
- When the Tenant creation completed popup window appears, click [OK].
  - The tenant ID and the tenant creation date and time are assigned automatically upon creation.
  - Whether login with the main account is supported is initially set to follow application-specific settings and can be changed.
  - The authentication URL is initially set using the automatically assigned tenant ID and can be changed.
Change NAVER Cloud login settings
After creating the tenant, you can change the initial settings for main account login support and for the authentication URL.
Set support for login with the main account
You can set whether login with the main account is allowed for each application registered in the tenant. To configure settings:
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Tenant menu.
- In the NAVER Cloud login component, click the drop-down list for Support for login with the main account, and select whether to support it.
  - Allow: Enable login with the main account for all registered applications.
  - Reject: Disable login with the main account for all registered applications.
  - Follow application settings: Set whether to allow it when registering each application.
- Check the information, and then click [Save].
  - If you do not click [Save], your changes will not be saved.
When it is set to Allow or Deny, the setting is automatically applied to all registered applications.
Set authentication URL
The authentication URL is initially based on the tenant ID. You can change it by entering a tenant alias. To configure settings:
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Tenant menu.
- In the Authentication setting of the NAVER Cloud login component, enter the desired value for Tenant alias.
  - You can only use uppercase and lowercase English letters, numbers, and the special characters hyphen (-) and underscore (_).
  - After entering the tenant alias, clicking [Delete] resets the tenant alias and the authentication URL to their initial values.
- Confirm that the value you entered has been applied to the Authentication URL.
  - You can click [Copy] to copy the URL.
- Enter the URL, and then click [Save].
  - If you do not click [Save], your changes will not be saved.
Change external IdP login settings
This section describes how to register external IdP information to integrate with external accounts and how to set up the user profile to integrate.
Connect Organization
By integrating with the Organization service, the master account can manage, in one place, SSO user access permissions to resources held by member accounts within the Organization.
To integrate with the Organization service:
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Tenant menu.
- Click [Connect Organization] in the External IdP login component.
- When Organization integration is completed, the list of member accounts whose access permissions can be managed is updated in the assignment menu.
If you cancel Organization integration, all account information linked to the Permission Set will also be deleted, which may affect the SSO user's permissions.
Register external IdP
You can set up an integration system between the external IdP and the Ncloud Single Sign-On service by registering the metadata of the external IdP to be integrated.
To register external IdP information:
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Tenant menu.
- In the External IdP login component, click [Register external IDP] under External IDP metadata.
- When the identity provider metadata interface appears, enter the metadata of the external IdP to be integrated in the metadata component, and then click [Save].
  - When valid metadata is entered, the sub-information is filled in automatically.
- Click [Register].
Delete external IdP
You can stop Ncloud Single Sign-On integration with external IdP by deleting the integrated external IdP information.
To delete external IdP information:
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Tenant menu.
- In the External IdP login component, click [Delete external IDP] under External IDP metadata.
Set login
To change the login settings for users who log in with an external account:
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Tenant menu.
- Change the desired settings in the login settings of the External IdP login component.
  - Session timeout: The session expiration time of the logged-in external account. You can select 10 minutes, 30 minutes, 1 hour, or 3 hours. If there is no activity during the set time, you are automatically logged out.
  - Allow duplicate log-in: Select whether to allow duplicate logins. If duplicate logins are not allowed, only 1 session can be accessed per SSO role.
  - Possession authentication: Select whether to apply possession authentication. If you apply possession authentication, you can register and manage the authenticated email/SMS information of the SSO user in NAVER Cloud Platform.
  - Possession authentication items: Select the method for possession authentication. You can select email, SMS, or email+SMS.
  - Two-factor authentication: Select whether to apply two-factor authentication. If you apply two-factor authentication, you enter the SSO user's ID and password at login and then select email/SMS/OTP for further authentication.
Customers who are not yet using the authentication feature can strengthen SSO user authentication by using the possession authentication and two-factor authentication features.
Possession authentication works as follows:
- Authentication is performed only once: at the first login to NAVER Cloud Platform after an SSO user is created, or at the first login to NAVER Cloud Platform after the external IdP information is changed.
- If an SSO user with possession authentication applied fails to authenticate, the user cannot log in to NAVER Cloud Platform.
- Two-factor authentication is performed based on information entered for possession authentication, which is automatically applied along with its application.
  For example, if only email is allowed as a possession authentication item, you cannot apply two-factor authentication via SMS.
Two-factor authentication works as follows:
- Two-factor authentication is performed every time you log in to NAVER Cloud Platform.
- If an SSO user with two-factor authentication applied fails to authenticate, the user cannot log in to NAVER Cloud Platform.
Manage user profile
You can enter user profile information to integrate external accounts and Ncloud Single Sign-On accounts.
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Tenant menu.
- Click [Attribute mapper] in the External IdP login component.
- Enter the user properties information for the external account you wish to integrate.
- In sync mode, set the user profile update method.
  - None: Do not update the user profile.
  - Import: Update the user profile only at first login.
  - Force: Update the user profile at every login.
- Click [Save].
Manage certificate
You can create and import the service provider certificate and external IdP certificate required for external IdP login, and configure alerts for certificate expiration.
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Tenant menu.
- Click [Manage certificate] in the External IdP login component.
  - The [Manage certificate] button becomes available after registering an external IdP.
- Certificate types are separated by tabs, and the following features are available for each type:
  - Service Provider Certificate: Create new certificate, download certificate, enable certificate, delete certificate, and configure expiration notifications.
  - External IdP Certificate: Import certificate, view certificate, delete certificate, and configure expiration notifications.
You can manage up to 2 certificates per certificate type.
When certificate expiration alarms are enabled, alarm emails are sent 90, 60, 30, 7, and 1 day(s) before expiration.
Delete a tenant
To delete a tenant you created:
A deleted tenant cannot be restored, so proceed with caution.
- From the NAVER Cloud Platform console, navigate to Services > Management & Governance > Ncloud Single Sign-On.
- Click the Subscription menu.
- Click Subscribed, and then click Delete tenant.
- When the Confirm Tenant deletion popup window appears, enter the text and click [Delete].
  - Any values assigned or entered during tenant registration will be deleted as well.