This topic describes the scenario, process, and configuration of role-based single sign-on (SSO).

Background information

In scenarios where Alibaba Cloud and the identity management system of an enterprise are used to perform role-based SSO, Alibaba Cloud is a service provider (SP) and the identity management system is an identity provider (IdP). Role-based SSO allows the enterprise to manage users in the local IdP without the need to synchronize users from the IdP to Alibaba Cloud. In addition, enterprise employees can log on to Alibaba Cloud by using a specific RAM role.

Role-based SSO process

Through role-based SSO, you can access Alibaba Cloud either by logging on to the Alibaba Cloud console or by using a program.

Access Alibaba Cloud by using the console

After an administrator configures role-based SSO, enterprise employees can log on to the Alibaba Cloud console. The following process takes an employee named Alice as an example to describe how to log on to the Alibaba Cloud console.

  1. Alice uses a browser to select Alibaba Cloud as the target service on the logon page of the IdP.

    For example, if the IdP is Microsoft Active Directory Federation Service (AD FS), the logon URL is https://ADFSServiceName/adfs/ls/IdpInitiatedSignOn.aspx.

    Note Some IdPs require users to first log on and then select the SSO application that represents Alibaba Cloud.
  2. The IdP generates a SAML response and returns it to the browser.
  3. The browser redirects Alice to the SSO service page and forwards the SAML response to the SSO service.
  4. The SSO service uses the SAML response to request an STS token from the Alibaba Cloud STS service. Then, the SSO service generates a URL for Alice to log on to the Alibaba Cloud console by using the STS token.
    Note If the SAML response contains attributes that map to multiple RAM roles, users are prompted to first select a role.
  5. The SSO service returns the URL to the browser.
  6. The browser redirects Alice to the URL, and Alice logs on to the Alibaba Cloud console as the specified role.

Access Alibaba Cloud by using a program

The following process takes an employee named Alice as an example to describe how to access Alibaba Cloud by using a program.

  1. Alice initiates an authentication request to the IdP by using a program.
  2. The IdP generates a SAML response that contains the SAML assertion, and returns the SAML response to the program.
  3. The program calls the AssumeRoleWithSAML API operation of the Alibaba Cloud STS service and passes the ARN of the IdP, the ARN of the role to be assumed, and the SAML assertion obtained from the IdP.
  4. The STS service verifies the SAML assertion and returns an STS token to the program.
  5. The program calls Alibaba Cloud API operations by using the STS token.
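The following added example (not part of this page or of any Alibaba Cloud SDK) shows the client side of steps 2 to 3: it reads the role mappings out of a constructed SAML response, applies the same "choose one role when several are mapped" rule the console flow describes, and assembles the parameters for AssumeRoleWithSAML. The attribute name and the account ID are assumptions for the example; the STS service, not the client, verifies the assertion's signature and checks that the role trusts the IdP.

```python
import base64
import xml.etree.ElementTree as ET

# Attribute Alibaba Cloud's role-based SSO reads role mappings from
# (assumed for this example; confirm against your IdP's SAML assertion guide).
ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the base64-encoded response an IdP would return for
# Alice, mapping her to two RAM roles via the same SAML provider.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
      <saml:AttributeValue>acs:ram::ACCOUNTID:role/ReadOnly,acs:ram::ACCOUNTID:saml-provider/CorpADFS</saml:AttributeValue>
      <saml:AttributeValue>acs:ram::ACCOUNTID:role/Admin,acs:ram::ACCOUNTID:saml-provider/CorpADFS</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""").decode()


def extract_role_mappings(saml_response_b64):
    """Return the (role_arn, provider_arn) pairs carried in the response.
    xml.etree is fine for this constructed sample; parse a real IdP
    response with defusedxml so entity expansion cannot be abused."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    mappings = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            role_arn, provider_arn = (p.strip() for p in value.text.split(",", 1))
            mappings.append((role_arn, provider_arn))
    return mappings


def build_assume_role_params(saml_response_b64, chosen_role_arn=None):
    """Build the request parameters for STS AssumeRoleWithSAML (step 3).
    With several mappings the caller must pick one, mirroring the
    role-selection prompt the console flow shows."""
    mappings = extract_role_mappings(saml_response_b64)
    if not mappings:
        raise ValueError("assertion carries no Alibaba Cloud role mapping")
    if chosen_role_arn is None and len(mappings) == 1:
        chosen_role_arn = mappings[0][0]
    for role_arn, provider_arn in mappings:
        if role_arn == chosen_role_arn:
            return {"SAMLProviderArn": provider_arn, "RoleArn": role_arn,
                    "SAMLAssertion": saml_response_b64}
    raise ValueError("choose one of: " + ", ".join(r for r, _ in mappings))
```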

Configure role-based SSO

Before you use role-based SSO, you must set configurations to establish trust between Alibaba Cloud and your IdP.

  1. To make sure that your IdP is trusted by Alibaba Cloud, you must configure the IdP in the Alibaba Cloud console.
  2. You must use a program or log on to the RAM console to create RAM roles and grant permissions to them.

    For more information, see Create a RAM role for a trusted IdP.

  3. To make sure that Alibaba Cloud is trusted by the IdP, you must configure Alibaba Cloud as a trusted SAML SP and configure SAML assertions in your IdP.