Resource Access Management (RAM) - CloudSSO in Public Preview
Aug 20 2021 - Resource Access Management (RAM)
Target customers: large-sized and medium-sized enterprises that own multiple Alibaba Cloud accounts. These enterprises include multinational enterprises and enterprises in the finance, Internet, new retail, and automotive industries.

Features released:

1. CloudSSO allows you to create a CloudSSO directory to manage users in a centralized manner. You can use the directory to manage all users who want to access Alibaba Cloud resources. You can manually manage users and groups. You can also use System for Cross-domain Identity Management (SCIM) to synchronize users and groups from your identity provider (IdP) to the directory.

2. CloudSSO allows you to configure SSO access to Alibaba Cloud resources from an IdP. A user in the CloudSSO directory can use the username-password logon method and multi-factor authentication (MFA) to access Alibaba Cloud resources. To improve user experience and reduce risks, we recommend that you configure SSO access from an IdP. CloudSSO supports SSO logon for enterprises based on Security Assertion Markup Language (SAML) 2.0. You need to configure the settings only once in both CloudSSO and the IdP to enable SSO access.

3. CloudSSO is deeply integrated with Resource Directory, which allows you to centrally assign access permissions on all member accounts in your resource directory to CloudSSO identities. An identity in CloudSSO can be a user or a group. A CloudSSO administrator can specify the CloudSSO identities that are allowed to access member accounts in your resource directory based on the organizational structure of the resource directory. The administrator can assign access permissions to the identities. The administrator can also modify or remove the assigned permissions.

4. CloudSSO provides a unified user portal. After an enterprise employee logs on to the user portal, the employee can view all accounts that the employee is allowed to access in the resource directory. Then, the employee can select an account to log on to the Alibaba Cloud Management Console. The employee can also switch between the accounts based on business requirements.

5. CloudSSO is integrated with Alibaba Cloud CLI. A CloudSSO user can use a browser or Alibaba Cloud CLI to log on to the CloudSSO user portal. After the user logs on to the user portal, the user can select an account in a resource directory and the specified access configuration, and then use the CLI to access Alibaba Cloud resources.