If Alibaba Cloud and the identity management system of an enterprise work together to implement role-based single sign-on (SSO), Alibaba Cloud is the service provider (SP) and the identity management system is the identity provider (IdP). Role-based SSO allows the enterprise to manage users in the local IdP without the need to synchronize users from the IdP to Alibaba Cloud. In addition, employees of the enterprise can access Alibaba Cloud by using a specific RAM role.
Process
Role-based SSO allows employees of the enterprise to access Alibaba Cloud by logging on to the Alibaba Cloud Management Console or by using a program.
- Access Alibaba Cloud by logging on to the Alibaba Cloud Management Console
The following figure shows how Alice, an employee, accesses Alibaba Cloud by logging on to the Alibaba Cloud Management Console after an administrator configures role-based SSO.
The following list describes the process:
- Alice opens the logon page of the IdP on a browser and selects Alibaba Cloud as the required service.
In this example, the IdP is Microsoft Active Directory Federation Services (AD FS). Therefore, the logon URL is https://ADFSServiceName/adfs/ls/IdpInitiatedSignOn.aspx.
Note Some IdPs require users to log on before users can select the SSO application that represents Alibaba Cloud.
- The IdP generates a Security Assertion Markup Language (SAML) response and returns the response to the browser.
- The browser redirects Alice to the SSO service page and forwards the SAML response to the SSO service.
- The SSO service uses the SAML response to request an STS token from the Alibaba Cloud STS service. Then, the SSO service generates a URL that Alice can use to log on to the Alibaba Cloud Management Console by using the STS token.
Note If the SAML response contains attributes that map to multiple RAM roles, Alice is prompted to first select a role.
- The SSO service returns the URL to the browser.
- The browser redirects Alice to the URL, and Alice logs on to the Alibaba Cloud Management Console as the specified role.
- Access Alibaba Cloud by using a program
The following figure shows how Alice accesses Alibaba Cloud by using a program.
The following list describes the process:
- Alice initiates a logon request to the IdP by using a program.
- The IdP generates a SAML response that contains the SAML assertion and returns the SAML response to the program.
- The program calls the AssumeRoleWithSAML operation of the Alibaba Cloud STS service and forwards the following information: the Alibaba Cloud Resource Name (ARN) of the IdP, the ARN of the role to be assumed, and the SAML assertion that is obtained from the IdP.
- The STS service verifies the SAML assertion and returns an STS token to the program.
- The program calls Alibaba Cloud API operations by using the STS token.
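The following Python example is added here to illustrate the client side of the programmatic flow above and the multiple-role case noted in the console flow; it is not code from Alibaba Cloud or this page. It parses a constructed SAML response, checks the assertion's validity window and audience before anything is sent, extracts the role/SAML-provider ARN pairs, requires an explicit choice when more than one role is asserted (the program's counterpart of the console prompt), and builds the AssumeRoleWithSAML request parameters. The attribute names, the audience value, the account ID and the ARNs are assumptions or constructed sample values; the request is built but not sent, and STS, not the client, is what verifies the assertion's signature.

```python
import base64
import re
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the response and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names assumed for Alibaba Cloud role-based SSO; confirm against your IdP mapping.
ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"
SESSION_NAME_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName"

# Constructed placeholder audience; the real value comes from Alibaba Cloud's SP metadata.
SAMPLE_AUDIENCE = "urn:example:alibaba-cloud-sp"

# Constructed sample response: two roles, one SAML provider, a ten-minute validity window.
SAMPLE_SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:10:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:example:alibaba-cloud-sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
        <saml:AttributeValue>acs:ram::1234567890123456:role/ReadOnly,acs:ram::1234567890123456:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>acs:ram::1234567890123456:role/Admin,acs:ram::1234567890123456:saml-provider/ADFS</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Assumed ARN shape for RAM roles and SAML providers: acs:ram::<account-id>:<type>/<name>
ARN_RE = re.compile(r"^acs:ram::(\d+):(role|saml-provider)/[\w.-]+$")


def _parse_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:10:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_role_claims(saml_response_xml, expected_audience, now=None):
    """Check the assertion's validity window and audience, then return
    (role_pairs, session_name, assertion_b64). Each pair is (role_arn, provider_arn)."""
    root = ET.fromstring(saml_response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no SAML assertion")
    current = _parse_time(now) if now else datetime.now(timezone.utc)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no usable Conditions element")
    not_before = cond.get("NotBefore")
    if (not_before and current < _parse_time(not_before)) or current >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion audience {audiences} does not include {expected_audience}")
    role_pairs, session_name = [], None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") == ROLE_ATTR:
            for value in values:
                parts = [p.strip() for p in value.split(",")]
                if len(parts) != 2:
                    raise ValueError(f"malformed role attribute value: {value}")
                role_m, prov_m = ARN_RE.match(parts[0]), ARN_RE.match(parts[1])
                if not (role_m and prov_m) or role_m.group(2) != "role" or prov_m.group(2) != "saml-provider":
                    raise ValueError(f"malformed role attribute value: {value}")
                if role_m.group(1) != prov_m.group(1):  # role and provider must sit in the same account
                    raise ValueError(f"role and SAML provider belong to different accounts: {value}")
                role_pairs.append((parts[0], parts[1]))
        elif attr.get("Name") == SESSION_NAME_ATTR and values:
            session_name = values[0]
    if not role_pairs:
        raise ValueError("assertion maps to no RAM role")
    # Base64-encode the assertion bytes exactly as received: re-serializing the XML would
    # break the IdP's signature, which STS verifies server-side.
    start = saml_response_xml.find("<saml:Assertion")
    end = saml_response_xml.find("</saml:Assertion>") + len("</saml:Assertion>")
    assertion_b64 = base64.b64encode(saml_response_xml[start:end].encode()).decode()
    return role_pairs, session_name, assertion_b64


def select_role(role_pairs, preferred=None):
    """Pick the role to assume; with several candidates the caller must choose explicitly."""
    if preferred is None:
        if len(role_pairs) == 1:
            return role_pairs[0]
        raise ValueError("assertion maps to several roles; choose one of: " + ", ".join(r for r, _ in role_pairs))
    for pair in role_pairs:
        if pair[0] == preferred:
            return pair
    raise ValueError(f"{preferred} is not among the roles the IdP asserted")


def build_assume_role_with_saml_params(role_arn, provider_arn, assertion_b64, duration_seconds=3600):
    """Query parameters for the STS AssumeRoleWithSAML operation (sent over HTTPS to the STS endpoint)."""
    return {
        "Action": "AssumeRoleWithSAML",
        "Version": "2015-04-01",
        "SAMLProviderArn": provider_arn,
        "RoleArn": role_arn,
        "SAMLAssertion": assertion_b64,
        "DurationSeconds": str(duration_seconds),
    }


if __name__ == "__main__":
    pairs, name, b64 = parse_role_claims(SAMPLE_SAML_RESPONSE, SAMPLE_AUDIENCE, now="2024-01-01T00:05:00Z")
    role, provider = select_role(pairs, preferred="acs:ram::1234567890123456:role/ReadOnly")
    print(name, build_assume_role_with_saml_params(role, provider, b64, 900))
```

Keep the requested DurationSeconds short for automation; the STS token returned by the call is what the program then passes to Alibaba Cloud API operations.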
Configure role-based SSO
Before you can implement role-based SSO, you must establish trust between Alibaba Cloud and your IdP.
Examples
The following list provides examples of how to implement role-based SSO to Alibaba Cloud from common enterprise IdPs, such as AD FS, Okta, Azure AD, and OneLogin: