
Create and manage organization

An organization is at the top of the KakaoCloud resource hierarchy and represents a company or an organization. The organization creation and management features described in this document are available only to members who have been granted the corresponding IAM roles.

Manage organization by IAM role

Feature | Org Owner | Org Admin | Org Reader | Project Admin | Project Member | Project Reader
Create organization | ✓ | | | | |
Request for deleting organization
Permissions

Project Admin and Project Member cannot view all projects within the organization, but can only view the list of projects they belong to.

Create organization and set up login

To create an organization account in KakaoCloud:

  1. Access the KakaoCloud portal, then click the [Sign up] button.

    Sign Up Path | URL
    [Sign up] at the top of the KakaoCloud portal | https://account.kakaocloud.com/signup
  2. In the terms of agreement, agree to all required terms and click the [Next] button.

  3. Enter the required member information for creating a KakaoCloud account, then click [Next].

  4. Enter the name of the cloud organization to be used as the KakaoCloud domain and the contact information for the person to be designated as the Org Owner, then click [Complete].

    Item | Description
    Organization name | KakaoCloud organization name (information needed by all users, including administrators, when accessing the console)
    Name | Name of the person to obtain the Org Owner role
    Email | Email address of the person to obtain the Org Owner role (used as an ID when logging into the console)
    Mobile | Contact's phone number
  5. Open the Invitation and Password Registration email sent to the contact's email address and click the [Register Password] button.

    • You must set the initial password within 7 days of receiving the email to log in to the console.
  6. Enter the password and click the [Register password] button.

  7. Access the KakaoCloud Console, enter the organization name, and click the [Next] button.

  8. Enter your cloud account ID (email) and password, then click the [Login] button.

info

The user who first creates the organization in KakaoCloud is automatically assigned the roles of Org Owner, Org Admin, and Billing Admin.

Configure login method

KakaoCloud provides features to enhance the security of console access for users. In the IAM > Manage organization tab, you can check and set account information and security features commonly applied to your organization.

IdP integration

You can log in to KakaoCloud using an external IdP (Identity Provider) account by utilizing the IdP integration. This means you can use the KakaoCloud Console with user authentication provided by an IdP, instead of logging in with a KakaoCloud account. KakaoCloud currently only supports account credentials from Azure AD among external IdPs.
The IdP integration-related features described in this document are only available to users who have been granted the corresponding IAM role.

IAM permission for configuring IdP integration
Function | Org Owner | Org Admin | Org Reader | Project Admin | Project Member | Project Reader
IdP Integration | ✓ | | | | |
info
  • KakaoCloud currently only supports account credentials from Azure AD among external IdPs.
  • Some account features of KakaoCloud may be limited when using an external IdP account.
  • The following conditions must be met for IdP integration:
    - Organization creation must be completed.
    - The Org Owner must have registered a KakaoCloud account password and be able to log in to the console.
    - An Azure AD tenant must be created, and users must be registered.
caution

Once the login account is set to an IdP, it cannot be changed back to KakaoCloud.


Step 1. Issue integration information from Azure AD

Azure AD, an external credential provider offered by Microsoft, allows you to issue the necessary information for integrating with Azure AD as an IdP. You need to obtain a total of four pieces of information by registering an app in Azure AD: Client ID, Client Secret, Authorization URL, and Token URL. The obtained information is used when registering the IdP in the KakaoCloud Console > IAM > Account.
For a more detailed explanation of Azure AD IdP integration, refer to the Microsoft identity platform documentation: Microsoft Identity Platform and OAuth 2.0 Authorization Code Flow, and Quickstart: Register an application with the Microsoft identity platform.

  1. Log in to the Azure AD portal, click the menu icon in the top left corner, and select Azure Active Directory.

  2. In Azure Active Directory, select the Manage > App registrations menu.

  3. To register KakaoCloud as an app, select New registration.

  4. In Application registration, enter the following information so that the authentication response is returned to the redirect URI when users are authenticated.

    Category | Description
    Name | Enter kakaocloud (the name that will be displayed as the application)
    Supported account types | To ensure that only a specific tenant can log in, select Accounts in this organizational directory only
    Redirect URI (optional) | Type: select Web
     | Redirect URI: enter the fixed URI https://iam.kakaocloud.com/auth/oidc/callback
  5. In Basics, copy the Client ID information, the Application (client) ID, to the clipboard or somewhere else.

  6. Click on Endpoints and then copy the OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) information to the clipboard or somewhere else.

    Endpoint Information | Description
    OAuth 2.0 authorization endpoint (v2) | Information to be entered in the Authorization URL item when registering the credential provider
    OAuth 2.0 token endpoint (v2) | Information to be entered in the Token URL item when registering the credential provider
  7. To generate a Client Secret, select Add a certificate or secret.

  8. In Certificates & secrets > Client secrets, click New client secret to add a client secret.

    • When adding a client secret, you can log in to the KakaoCloud Console only within the set expiration time.
  9. Copy the value of the newly created client secret, the Client Secret information, to the clipboard or somewhere else.

    • Once you leave this screen, you will not be able to see the Client Secret information, so be sure to copy this information to the clipboard.
  10. Upon completing the above steps, you will have obtained a total of four pieces of information: Client ID, Client Secret, Authorization URL, and Token URL. Please use this information when registering the IdP in the account settings.
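
A pre-registration check of the four values collected in Step 1, as an added example that is not part of the KakaoCloud documentation. The function names, the sample values in the test, and the assumption that the tenant lives in the global Azure cloud (login.microsoftonline.com) are this example's own.

```python
import re
from urllib.parse import urlsplit

# Fixed redirect URI from step 4 of this page.
REDIRECT_URI = "https://iam.kakaocloud.com/auth/oidc/callback"
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
# Shared aliases; step 4 registers a single-tenant app, so they should not appear.
SHARED_TENANTS = {"common", "organizations", "consumers"}
# Assumption: global Azure cloud; national clouds use other login hosts.
LOGIN_HOST = "login.microsoftonline.com"


def endpoint_tenant(url, kind, problems):
    """Return the tenant segment of a v2 endpoint URL, recording problems."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.hostname != LOGIN_HOST:
        problems.append(f"{kind}: expected https://{LOGIN_HOST}/...")
    match = re.fullmatch(rf"/([^/]+)/oauth2/v2\.0/{kind}", parts.path)
    if not match:
        problems.append(f"{kind}: not an OAuth 2.0 v2 {kind} endpoint")
        return None
    tenant = match.group(1).lower()
    if tenant in SHARED_TENANTS:
        problems.append(f"{kind}: '{tenant}' is a shared alias, not a tenant endpoint")
    return tenant


def check_integration(client_id, client_secret, authorization_url, token_url,
                      redirect_uri=REDIRECT_URI):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not GUID.fullmatch(client_id.strip()):
        problems.append("Client ID: not an Application (client) ID GUID")
    if not client_secret.strip():
        problems.append("Client Secret: empty")
    elif GUID.fullmatch(client_secret.strip()):
        problems.append("Client Secret: GUID-shaped, likely the Secret ID, not the Value")
    if redirect_uri != REDIRECT_URI:
        problems.append("Redirect URI: differs from the fixed KakaoCloud callback")
    auth_tenant = endpoint_tenant(authorization_url, "authorize", problems)
    token_tenant = endpoint_tenant(token_url, "token", problems)
    if auth_tenant and token_tenant and auth_tenant != token_tenant:
        problems.append("Authorization URL and Token URL name different tenants")
    return problems
```

Keep the Client Secret out of shell history and source control when running a check like this; read it from a prompt or a secrets store.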

Step 2. Register IdP

After obtaining the integration information, you must register the IdP before using the external credential provider account to access the KakaoCloud Console.

  1. Go to Management > IAM in the KakaoCloud Console.

  2. If you are the Org Owner, click the [Modify account] button on the Account tab.

  3. Check the account information and select the account to use.

    • If you select an IdP account, confirm the IdP integration information obtained in Step 1 and enter the integration protocol and integration information below.
    Item | Category | Description
    Integration Protocol | | Select OIDC(OAuth 2.0)
    Integration Information | IdP(Credential Provider) | Select Azure Active Directory
     | Authorization Integration Type | Select POST body
     | Authorization URL | Enter the required information obtained from OAuth 2.0 authorization endpoint(v2)
     | Token URL | Enter the required information obtained from OAuth 2.0 token endpoint(v2)
     | Client ID | Enter the required information obtained from the application (client) ID
     | Client Secret | Enter the required information obtained from the value string of the client secret
  4. Proceed with the IdP integration test.

    • Enter the ID and password on the external credential provider's login screen, and if the integration is successful, the test is completed.
  5. After completing the test, click the [Save] button, and then check that the IdP is applied as the login account on the Organization > Account tab.

Step 3. Sign in to KakaoCloud Console

Change the previously used KakaoCloud Console login account to the IdP account.

info

When logging in with an account integrated with the IdP, the KakaoCloud account will be deactivated.

  1. Access the KakaoCloud Console and log out of the previously logged-in KakaoCloud account.

  2. At KakaoCloud > Sign in to the Console, enter the organization name and click the [Next] button.

  3. In Microsoft Azure Login > Select Account, choose the Azure AD account integrated with the IdP.

  4. Enter the password set during IdP integration and click the [Login] button. Then, check if you are successfully redirected to the KakaoCloud Console.

Two-Factor Authentication

Setting up Two-Factor Authentication for login allows you to enhance account security by requiring additional authentication through Email or Mobile when logging into the KakaoCloud Console. Two-factor authentication for login is only available for organizations using the Cloud account login method.
The two-factor login setting-related functions described in this document are only available to users who have been granted the corresponding IAM role.

IAM role-based Two-Factor Authentication Setting Permissions

Function | Org Owner | Org Admin | Org Reader | Project Admin | Project Member | Project Reader
Two-Factor authentication | ✓ | | | | |
caution
  • Organizations using IdP integration cannot set up two-factor authentication for login.
  1. Go to Management > IAM in the KakaoCloud Console.
  2. Select the Account tab.
  3. If you are the Org Owner, click the Modify account button.
  4. On the account detail page, select 'cloud account' as the login method, set the two-step authentication item to 'Active', and then click the [Save] button to save.
  5. Log in again to the KakaoCloud Console to check if two-factor authentication is working correctly. An authentication number is sent to the user's email or phone number, and the number must be entered to log in.
info
  • If no phone number is registered, phone number authentication will be disabled.
  • To enable phone number authentication, you must register a phone number in Account settings > Account info after logging into the console.

Set password expiration

You can enforce password changes at set intervals for all users in the organization by applying password expiration settings, thereby enhancing account security. After the password period expires, a new password must be set to log into the KakaoCloud Console.

Function | Org Owner | Org Admin | Org Reader | Project Admin | Project Member | Project Reader
Password Expiration | ✓ | ✓ | | | |
info
  • The password expiration settings are applied immediately to all users in the organization.
  • KakaoCloud account users must change their password at the time the Org Admin sets the expiration settings, based on the last date the password was changed/set.
  1. Go to Management > IAM in the KakaoCloud Console.

  2. Select the Security tab.

  3. If you are the Org Owner/Org Admin, click the Set password expiration button.

  4. On the detail page, select whether to use the password expiration settings.

    • If using the password expiration setting, select the password expiration period and then click the [Save] button.

      Item | Description
      Password expires after | The cycle at which the password must be reset
       | - Select from 60/90/120/180 days
       | - Custom cycle setting is also possible (only within 30 to 180 days)

Control console access

You can prevent users from using the console from unauthorized locations by controlling console access based on IP.
Only users who have been granted the corresponding IAM role can access the console access settings described in this document.

Function | Org Owner | Org Admin | Org Reader | Project Admin | Project Member | Project Reader
Control Console Access | ✓ | ✓ | | | |
info

The console access settings are applied immediately to all users in the organization. Be aware, as access from any IP not registered as an access allowed IP will be restricted.

  1. Go to Management > IAM in the KakaoCloud Console.

  2. Select the Security tab.

  3. If you are the Org Owner/Org Admin, click the Control console access button.

  4. On the detail page, select whether to use console access control.

    • If using console access control, enter the IP to be allowed for console access, register it, and then click the [Save] button to save.

      Item | Description
      Description | Enter a description for managing the registered IP
      IP | Enter the IP to be allowed for KakaoCloud Console access
       | - Up to 20 IPs can be registered
       | - IP must be entered up to the a.b.c.d class (subnet mask entry is not supported)
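
Because the setting takes effect immediately and accepts only single a.b.c.d entries, it helps to plan the list before saving. The following added example (not KakaoCloud code) expands planned egress ranges into individual addresses, enforces the 20-entry limit, and checks that the administrator's own address is included. The function name and the sample addresses in the test are constructed, and the internal-address check assumes the console is reached over the internet.

```python
import ipaddress

MAX_ENTRIES = 20  # registration limit stated on this page
# Assumption: the console is reached over the internet, so it never sees these.
INTERNAL = [ipaddress.IPv4Network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def plan_allowlist(planned, current_ip):
    """Expand planned sources to single IPv4 addresses and list blocking problems.

    planned: strings such as "198.51.100.7" or "203.0.113.8/30". Ranges are
    planning input only; the console takes a.b.c.d entries without a mask.
    current_ip: the address the administrator's own session comes from.
    """
    addresses, problems = [], []
    for raw in planned:
        try:
            net = ipaddress.IPv4Network(raw.strip(), strict=False)
        except ValueError:
            problems.append(f"{raw!r}: not an IPv4 address or range")
            continue
        if net.num_addresses > MAX_ENTRIES:
            problems.append(f"{raw}: {net.num_addresses} addresses cannot be "
                            f"entered within {MAX_ENTRIES} entries")
            continue
        for ip in net:  # every address in the range needs its own entry
            if any(ip in internal for internal in INTERNAL):
                problems.append(f"{ip}: internal address, the console would "
                                "see the NAT egress address instead")
            elif ip not in addresses:
                addresses.append(ip)
    if len(addresses) > MAX_ENTRIES:
        problems.append(f"{len(addresses)} entries exceed the limit of {MAX_ENTRIES}")
    if ipaddress.IPv4Address(current_ip) not in addresses:
        problems.append(f"{current_ip}: your own address is not in the list; "
                        "saving would block your session")
    return [str(ip) for ip in addresses], problems
```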

Request organization deletion

Org Owners can delete organizations that are no longer needed. However, before deleting an organization, all resources and user accounts within the organization must be deleted.

caution

Once the organization is deleted, all information, including projects and resources of the organization, will be deleted, and it cannot be recovered afterwards.

  1. Select IAM > Users in the KakaoCloud Console.

  2. In the Users menu, delete all users except for the Org Owner.

  3. Delete all projects included in the organization from Projects.

  4. Go to Billing, check the bill to be paid, and pay all charges.

  5. After completing all the above steps, select the [Apply for Cloud Organization Deletion] button at the top of IAM > Manage organization.

  6. Check the contents required for the organization deletion application, check the precautions, and click the [Request deletion] button.

  7. Go to the IAM > Manage organization > Account tab and check that the organization deletion has been properly applied.