This topic describes the scenario, process, and configuration of role-based single sign-on (SSO).
In scenarios where Alibaba Cloud and the identity management system of an enterprise are used to perform role-based SSO, Alibaba Cloud is a service provider (SP) and the identity management system is an identity provider (IdP). Role-based SSO allows the enterprise to manage users in the local IdP without the need to synchronize users from the IdP to Alibaba Cloud. In addition, enterprise employees can log on to Alibaba Cloud by using a specific RAM role.
Role-based SSO process
Through role-based SSO, you can access Alibaba Cloud either by logging on to the Alibaba Cloud console or by using a program.
Access Alibaba Cloud by using the console
After an administrator configures role-based SSO, enterprise employees can log on to the Alibaba Cloud console. The following process takes an employee named Alice as an example to describe how to log on to the Alibaba Cloud console.
- Alice uses a browser to select Alibaba Cloud as the target service on the logon page of the IdP.
For example, if the IdP is Microsoft Active Directory Federation Services (AD FS), the logon URL is https://ADFSServiceName/adfs/ls/IdpInitiatedSignOn.aspx.
Note: Some IdPs require users to first log on and then select the SSO application that represents Alibaba Cloud.
- The IdP generates a SAML response and returns it to the browser.
- The browser redirects Alice to the SSO service page and forwards the SAML response to the SSO service.
- The SSO service uses the SAML response to request an STS token from the Alibaba Cloud STS service. Then, the SSO service generates a URL for Alice to log on to the Alibaba Cloud console by using the STS token.
Note: If the SAML response contains attributes that map to multiple RAM roles, users are prompted to first select a role.
- The SSO service returns the URL to the browser.
- The browser redirects Alice to the URL, and Alice logs on to the Alibaba Cloud console as the specified role.
Access Alibaba Cloud by using a program
The following process takes an employee named Alice as an example to describe how to access Alibaba Cloud by using a program.
- Alice initiates an authentication request to the IdP by using a program.
- The IdP generates a SAML response that contains the SAML assertion, and returns the SAML response to the program.
- The program calls the AssumeRoleWithSAML API operation of the Alibaba Cloud STS service, and forwards the information including the ARN of the IdP, the ARN of the role to be assumed, and the SAML assertion obtained from the IdP.
- The STS service verifies the SAML assertion and returns an STS token to the program.
- The program calls Alibaba Cloud API operations by using the STS token.
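As an added example (not code from this page or from Alibaba Cloud), the following Python reads the role mappings a SAML assertion carries, keeps only those bound to the SAML provider that was registered as trusted in Alibaba Cloud, and assembles the three inputs the program passes to AssumeRoleWithSAML. The attribute name, the sample assertion and the STS parameter names are assumptions taken from the linked SAML settings and STS API references, not from this page.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute name under which Alibaba Cloud expects role mappings (assumed from
# the IdP-side SAML settings guide; this page does not name the attribute).
ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"

# Constructed sample assertion (not a real IdP response): two RAM roles, both
# bound to the same SAML provider. Signature elements are omitted for brevity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
      <saml:AttributeValue>acs:ram::123456789012:role/ReadOnly,acs:ram::123456789012:saml-provider/CorpADFS</saml:AttributeValue>
      <saml:AttributeValue>acs:ram::123456789012:role/Admin,acs:ram::123456789012:saml-provider/CorpADFS</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_role_mappings(assertion_xml, trusted_provider_arn):
    """Return (role_arn, provider_arn) pairs from the Role attribute whose
    provider ARN matches the IdP registered in Alibaba Cloud. Pairs that name
    any other provider, or that are malformed, are dropped rather than guessed.
    More than one surviving pair means the caller must choose a role, which is
    what the console flow prompts the user for."""
    # Signature verification is STS's job (and a hardened XML parser is advised
    # for untrusted input); this helper only reads the issued attributes.
    root = ET.fromstring(assertion_xml)
    mappings = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) == 2 and parts[1] == trusted_provider_arn:
                mappings.append((parts[0], parts[1]))
    return mappings


def build_assume_role_params(assertion_xml, role_arn, provider_arn):
    """Assemble the three inputs the page lists for AssumeRoleWithSAML: the IdP
    ARN, the role ARN and the SAML assertion (base64-encoded, as the STS API
    expects; parameter names assumed from the STS API reference)."""
    encoded = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return {"SAMLProviderArn": provider_arn, "RoleArn": role_arn,
            "SAMLAssertion": encoded}
```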
Configure role-based SSO
Before you use role-based SSO, you must set configurations to establish trust between Alibaba Cloud and your IdP.
- To make sure that your IdP is trusted by Alibaba Cloud, you must configure the IdP in the Alibaba Cloud console.
For more information, see Configure the SAML settings of Alibaba Cloud for role-based SSO.
- You must use a program or log on to the RAM console to create RAM roles and grant permissions to them.
For more information, see Create a RAM role for a trusted IdP.
- To make sure that Alibaba Cloud is trusted by the IdP, you must configure Alibaba Cloud as a trusted SAML SP and configure SAML assertions in your IdP.
For more information, see Configure the SAML settings of an IdP during role-based SSO.