Create and manage organization
An organization is at the top of the KakaoCloud resource hierarchy and represents a company or an organization. The organization creation and management tasks described in this document are available only to members who have been granted the corresponding IAM roles.
Create organization and set up log in
To create an organization account in KakaoCloud:
- Access the KakaoCloud portal, then click the [Sign up] button.
Sign Up Path | URL |
---|---|
[Sign up] at the top of the KakaoCloud portal | https://account.kakaocloud.com/signup |
- In the terms of agreement, agree to all required terms and click the [Next] button.
- Enter the required member information for creating a KakaoCloud account, then click [Next].
- Enter the name of the cloud organization to be used as the KakaoCloud domain and the contact information for the person to be designated as the Org Owner, then click [Complete].
Item | Description |
---|---|
Organization name | KakaoCloud organization name. Information needed by all users, including administrators, when accessing the console |
Name | Name of the person to obtain the Org Owner role |
Email | Email address of the person to obtain the Org Owner role. Used as an ID when logging into the console |
Mobile | Contact's phone number |
- Open the Invitation and Password Registration email sent to the contact's email address and click the [Register Password] button.
  - You must set the initial password within 7 days of receiving the email to log in to the console.
- Enter the password and click the [Register password] button.
- Go to the KakaoCloud Console, enter the organization name, and click the [Next] button.
- Enter your cloud account ID (email) and password, then click the [Login] button.
The user who creates the cloud organization for the first time is designated as the Org Owner and is granted the roles of Org Admin and Billing Admin.
Set organization login
This feature provides methods to strengthen the login security for KakaoCloud users.
Organization login setting permissions
Feature | Org Admin (Admin) | Organization Leader (Reader) | Project Admin (Admin) | Project Member (Member) | Project Leader (Reader) |
---|---|---|---|---|---|
IdP Integration | ✓ | | | | |
Two-factor Authentication | ✓ | | | | |
In the IAM > Manage organization > Login settings tab, you can check and configure common login account information and security settings applied to the organization.
IdP integration
The IdP (Identity Provider) integration feature allows you to log into KakaoCloud using an external IdP account. Instead of logging in with your KakaoCloud account, you can use the user authentication provided by the IdP to access the KakaoCloud Console.
- KakaoCloud currently supports Azure AD account credentials from external IdPs only.
- When using an external IdP account to access KakaoCloud, some account functionalities within KakaoCloud may be limited.
- To integrate with an IdP, the following conditions must be met:
  - Organization creation must be completed.
  - The Org Admin must register a KakaoCloud account password and log into the console.
  - An Azure AD tenant must be created and users must be registered.
Once the login account is set to an IdP, it cannot be changed back to KakaoCloud. Please proceed with caution.
IdP OAuth Integration
Step 1. Obtain integration information from Azure AD
Azure AD, an external credential provider by Microsoft, can issue the information required to integrate IdP with Azure AD. You need to register an Azure AD app to obtain four pieces of information: Client ID, Client Secret, Authorization URL, and Token URL. The obtained information is used for IdP registration in the KakaoCloud Console > IAM > Login settings.
For detailed instructions on Azure AD IdP integration, refer to the Microsoft documents "Microsoft identity platform and OAuth 2.0 authorization code flow" and "Quickstart: Register an application with the Microsoft identity platform".
- Log in to the Azure AD Portal, click the menu icon in the top-left, and go to Azure Active Directory.
- In Azure Active Directory, go to Manage > App Registrations.
- To register KakaoCloud as an app, select New Registration.
- In the Application Registration, enter the values below so that the authentication response returns to the specified URI after the user is authenticated.
Field | Description |
---|---|
Name | Enter kakaocloud (name that will be exposed as the application) |
Supported Account Types | Select Accounts in this organizational directory only to allow login only for specific tenants |
Redirect URI (Optional) | Type: Select Web. Redirect URI: Enter the fixed URI https://iam.kakaocloud.com/auth/oidc/callback |
- Copy the Application (Client) ID, which is the Client ID information, from the Overview section.
- Click on Endpoints, then copy the OAuth 2.0 Authorization Endpoint (v2) and OAuth 2.0 Token Endpoint (v2) information.
Endpoint Information | Description |
---|---|
OAuth 2.0 Authorization Endpoint (v2) | The information to input in the Authorization URL field when registering the credential provider |
OAuth 2.0 Token Endpoint (v2) | The information to input in the Token URL field when registering the credential provider |
- To create a Client Secret, select Certificates & Secrets and then New client secret.
- In the Certificates & Secrets > Client Secrets tab, click New client secret to add a new client secret.
  - After the client secret is added, you can log in to the KakaoCloud Console only within the expiration time set for the secret.
- Copy the newly generated client secret value.
  - If you exit this screen, you will no longer be able to view the client secret, so make sure to copy it to your clipboard.
Once these steps are completed, you will have obtained the four pieces of information: Client ID, Client Secret, Authorization URL, and Token URL. Use this information when registering IdP in the login settings.
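Because the login account cannot be changed back to KakaoCloud once it is set to an IdP, it helps to check the four values before entering them. The Python check below is an added example, not KakaoCloud or Microsoft code; it assumes the standard Azure AD v2.0 endpoint layout (`https://login.microsoftonline.com/<tenant>/oauth2/v2.0/...`), and the function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
AZURE_HOST = "login.microsoftonline.com"
# Multi-tenant aliases; the app above is registered for one directory only.
SHARED_TENANTS = {"common", "organizations", "consumers"}


def _tenant(url, leaf):
    """Return the tenant segment of an Azure AD v2.0 endpoint URL, else None."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != AZURE_HOST or parts.port:
            return None
    except ValueError:  # malformed URL or port
        return None
    if parts.query or parts.fragment:
        return None
    m = re.fullmatch(r"/([^/]+)/oauth2/v2\.0/" + leaf, parts.path)
    return m.group(1) if m else None


def check_oidc_values(client_id, client_secret, authorization_url, token_url):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not GUID.fullmatch(client_id):
        problems.append("Client ID is not a GUID (expected Application (Client) ID)")
    if not client_secret or client_secret != client_secret.strip():
        problems.append("Client Secret is empty or has surrounding whitespace")
    elif GUID.fullmatch(client_secret):
        problems.append("Client Secret looks like the Secret ID, not the secret value")
    auth_tenant = _tenant(authorization_url, "authorize")
    token_tenant = _tenant(token_url, "token")
    if auth_tenant is None:
        problems.append("Authorization URL is not an HTTPS Azure AD v2.0 authorize endpoint")
    if token_tenant is None:
        problems.append("Token URL is not an HTTPS Azure AD v2.0 token endpoint")
    if auth_tenant and token_tenant:
        if auth_tenant.lower() != token_tenant.lower():
            problems.append("Authorization URL and Token URL use different tenants")
        if auth_tenant.lower() in SHARED_TENANTS:
            problems.append("Endpoints use a multi-tenant alias, not the tenant ID")
    return problems


if __name__ == "__main__":
    base = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555"
    # Constructed sample values, not real credentials.
    print(check_oidc_values("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "constructed~secret.value",
                            base + "/oauth2/v2.0/authorize", base + "/oauth2/v2.0/token"))
```

The secret check catches a common copy mistake: the Azure portal lists both a Secret ID (a GUID) and a Value, and only the Value works as the Client Secret.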
Step 2. Register IdP
After obtaining the integration information, register the IdP before using the KakaoCloud Console with the external credential provider account.
- Go to KakaoCloud Console > IAM > Manage organization menu.
- The Org Admin clicks the [Login settings] button under the Login settings tab.
- On the login settings detailed page, check the login account information and select the account to use.
  - If you select the IdP account, verify the IdP integration information from Step 1 and enter the integration protocol and information at the bottom.
Field | Category | Description |
---|---|---|
Integration Protocol | | Select OIDC (OAuth 2.0) |
Integration Information | IdP (Credential Provider) | Select Azure Active Directory |
Integration Information | Authorization Type | Select POST body |
Integration Information | Authorization URL | Enter the information obtained from OAuth 2.0 Authorization Endpoint (v2) |
Integration Information | Token URL | Enter the information obtained from OAuth 2.0 Token Endpoint (v2) |
Integration Information | Client ID | Enter the information obtained from Application (Client) ID |
Integration Information | Client Secret | Enter the information obtained from the client secret value string |
- Test the IdP integration.
  - In the external credential provider's login screen, enter the ID and password, and the test will complete successfully if the integration is successful.
- After completing the test, click the [Save] button, and in the Manage organization > login settings tab, confirm that the IdP has been applied to the login account.
Step 3. Sign in to the KakaoCloud Console
Change the previously used KakaoCloud Console login account to the external credential provider account integrated with IdP.
When logging in with the account integrated with IdP, the KakaoCloud account will be deactivated.
- Go to KakaoCloud Console, then log out from the currently logged-in KakaoCloud account.
- In KakaoCloud > Sign in to the Console, enter the organization name and click the [Next] button.
- In Microsoft Azure Login > Account Selection, select the Azure AD account integrated with IdP.
- Enter the password entered during IdP integration and click the [Login] button. Ensure that you are successfully redirected to the KakaoCloud Console.
IdP SAML Integration
Step 1. Issue integration information from Azure AD
Azure AD, an external credential provider offered by Microsoft, can issue the information required to integrate the IdP. You need to register an Azure AD app to obtain two pieces of information: the Entity ID and Federation Metadata URL. These pieces of information will be used for IdP registration in KakaoCloud Console > IAM > Login settings.
For detailed instructions on integrating with Azure AD IdP, refer to the How to use the SAML protocol with Microsoft Identity Platform and Quickstart: Register an application with Microsoft Identity Platform documentation.
- Log in to the Azure AD Portal, click the menu icon at the top left, and go to the Azure Active Directory menu.
- In Azure Active Directory, go to Manage > App Registrations.
- Select New Registration to register KakaoCloud as an app.
- In App Registration, enter the values below so that the authentication response returns to this URI after the user is authenticated.
Field | Description |
---|---|
Name | Enter kakaocloud (the name displayed for the application) |
Supported Account Types | Set to Accounts in this organizational directory only to allow only your directory to log in |
Redirect URI (Optional) | Type: Select Web. Redirect URI: Enter the fixed URI https://iam.kakaocloud.com/auth/saml/acs |
- In Overview, copy the Application (Client) ID as the Client ID.
- Click Endpoints, then copy the Federation Metadata Document information.
Endpoint Information | Description |
---|---|
Federation Metadata Document | This information is entered in the Federation Metadata URL field during the credential provider registration |
After completing the above steps, you will have obtained the two pieces of information: Entity ID and Federation Metadata URL. Use these when registering the IdP in the Login settings.
Step 2. Register IdP
After obtaining the integration information, register the IdP before using the KakaoCloud Console with an external credential provider account.
- Go to KakaoCloud Console > IAM > Manage organization menu.
- The Org Admin clicks the [Login settings] button on the Login settings tab.
- In the login settings detailed page, verify the login account information and select the account to use.
  - If you select the IdP account, verify the IdP integration information from Step 1 and enter the integration protocol and details below.
Item | Type | Description |
---|---|---|
Integration Protocol | | Select SAML 2.0 |
Integration Info | IdP (Credential Provider) | Select Azure Active Directory |
Integration Info | Certificate File | Upload Certificate Public Key File (.crt), Certificate Private Key File (.key) |
Integration Info | Federation Metadata URL | Enter the information obtained from the Federation Metadata Document |
Integration Info | Entity ID (App ID) | Enter the information obtained from the Application (Client) ID |
- Test the IdP integration.
  - Enter the ID and password on the external credential provider's login screen, and the test will be completed successfully if the integration is successful.
- After completing the test, click the [Save] button and verify that the IdP has been applied to the login account on the Manage organization > Login settings tab screen.
Step 3. Sign in to the KakaoCloud Console
When logging into the KakaoCloud Console, change the existing account to the external credential provider account integrated with the IdP.
The KakaoCloud account will be deactivated when logging in with the account integrated with the IdP.
- Access the KakaoCloud Console and log out of the current KakaoCloud account.
- In KakaoCloud > Sign in to the Console, enter the organization name and click [Next].
- In Microsoft Azure Login > Select Account, select the Azure AD account integrated with the IdP.
- Enter the password used during the IdP integration and click the [Login] button. Verify that the KakaoCloud Console opens correctly.
Two-factor authentication
You can strengthen your account security by setting up two-factor authentication for logging into the KakaoCloud Console. This requires additional verification via email or phone number during login. Two-factor authentication is only available for organizations using the Cloud Account Login method.
- Organizations using IdP integration cannot set up two-factor authentication.
- Go to KakaoCloud Console > IAM > Manage organization menu.
- Click the [Login settings] button on the Login settings tab. This setting can only be configured by the Org Admin.
- In the login settings detailed page, select the 'Cloud Account' to use for login, set the two-factor authentication option to 'Enable', and click the [Save] button to save.
- Log in to the KakaoCloud Console again to confirm that the two-factor authentication is working correctly. A verification code will be sent to the user's email or phone number. After entering the code, login will be successful.
  - If the phone number is not registered, phone number verification will be disabled.
  - To enable phone number verification, log in to the console and register your phone number under the profile at the top > Account Information.
Set organization security
This feature provides tools to enhance the security of the KakaoCloud Console for users.
In IAM > Manage organization > Security settings tab, you can view and configure security features that apply to the organization as a whole.
Set organization security
Feature | Org Admin | Org Reader | Project Admin | Project Member | Project Reader |
---|---|---|---|---|---|
Password expiration setting | ✓ | | | | |
Session timeout setting | ✓ | | | | |
Access control setting | ✓ | | | | |
Set password expiration
By applying password expiration settings, you can ensure that all users in the organization change their passwords at regular intervals to strengthen account security. After the password expires, the user must change it to a new one in order to log in to the KakaoCloud Console.
- Once password expiration settings are applied, they apply to all users in the organization.
- The password expiration cycle is based on the last time the KakaoCloud account user changed/set their password. Password changes will be required each time the expiration cycle set by the Org Admin is reached.
- Go to KakaoCloud Console > IAM > Manage organization menu.
- Click the [Security settings] button on the Security settings tab.
- Choose whether to enable the password expiration setting.
- If enabling the password expiration setting, select the expiration cycle and click the [Save] button to save.
Set session timeout
You can enhance security by automatically logging out users who have not interacted with the console within a set time period.
- Go to KakaoCloud Console > IAM > Manage organization menu.
- Click the [Security settings] button on the Security settings tab.
- Set the session timeout period.
Item | Description |
---|---|
Session Timeout | Choose from 10/30/60/180 days. Custom settings are available (between 5 minutes and 720 minutes only) |
Control console access
You can control console access based on IP addresses, preventing users from accessing the KakaoCloud Console from unauthorized locations.
The console access control features described in this document can only be configured by users with the appropriate IAM role.
- Once console access control settings are applied, they are enforced for all users in the organization. Be aware that any IP not registered in the allowed list will be restricted from accessing the console.
- Go to KakaoCloud Console > IAM > Manage organization menu.
- Click the [Security settings] button on the Security settings tab.
- Choose whether to enable console access control.
  - If enabling console access control, input the IPs allowed to access the console, register them, and then click the [Save] button.
Item | Description |
---|---|
IP address | Input the IP addresses allowed to access the KakaoCloud Console. Up to 20 IPs can be registered. IPs must be input in the a.b.c.d format (subnet masks are not supported) |
IP description | Provide a description to manage the registered IPs |
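Since the allow-list is enforced for every user as soon as it is saved, the list can be checked against the limits above first. The Python check below is an added example, not KakaoCloud code; `validate_allowlist`, the `admin_ip` parameter (the administrator's own public address) and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

MAX_ENTRIES = 20  # limit stated on this page
# Ranges an Internet-facing console never sees as a source address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def validate_allowlist(entries, admin_ip):
    """Check console allow-list entries against the limits on this page.

    Returns (accepted, problems). `admin_ip` is the public address the Org Admin
    connects from (an assumption of this example); it must be in the list so
    that saving the setting does not lock the administrator out.
    """
    accepted, problems = [], []
    for raw in entries:
        text = raw.strip()
        if "/" in text:
            problems.append(f"{text}: subnet masks are not supported, list each IP")
            continue
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:  # IPv6, hostnames, out-of-range octets
            problems.append(f"{text}: not in a.b.c.d format")
            continue
        if str(ip) in accepted:
            problems.append(f"{text}: duplicate entry")
            continue
        if any(ip in net for net in NON_PUBLIC):
            problems.append(f"{text}: private or loopback address, use the public egress IP")
            continue
        accepted.append(str(ip))
    if len(accepted) > MAX_ENTRIES:
        problems.append(f"{len(accepted)} IPs listed, only {MAX_ENTRIES} can be registered")
    if admin_ip not in accepted:
        problems.append(f"{admin_ip}: administrator's own address is missing (lock-out risk)")
    return accepted, problems


if __name__ == "__main__":
    # Constructed sample input using documentation-range addresses.
    ok, issues = validate_allowlist(
        ["203.0.113.10", "203.0.113.0/24", "10.0.0.5", "203.0.113.10"], "203.0.113.10")
    print(ok)
    for issue in issues:
        print("-", issue)
```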
Request organization deletion
The Org Owner can request the deletion of an organization that is no longer needed. However, before requesting the deletion, all resources and user accounts in the organization must be deleted.
When an organization is deleted, all projects, resources, and data associated with the organization are permanently removed and cannot be recovered.
- Go to KakaoCloud Console > IAM > Users menu.
- In the Users menu, delete all users except for the Org Owner.
- In the Projects menu, delete all projects included in the organization.
- Go to the Billing service and check for any outstanding payments. Ensure that all bills are paid.
- Once all the above steps are completed, click the [Request Organization Deletion] button at the top of the IAM > Manage organization page.
- In the pop-up, review the required confirmation details and check the acknowledgment box. Then, click the [Delete Request] button.
- Check that the organization deletion request is successfully submitted in the Login settings tab of IAM > Manage organization.