Resource Access Management:Overview of user-based SSO

Last Updated:Mar 24, 2026

User-based single sign-on (SSO) with SAML 2.0 enables users from your corporate identity provider (IdP) to log on to the Alibaba Cloud Management Console. This is achieved by mapping an external identity from your IdP to a specific Resource Access Management (RAM) user in your Alibaba Cloud account. After logging on, the user has the permissions of the corresponding RAM user.

How user-based SSO works

The authentication process can be initiated by either the service provider (SP-initiated) or the identity provider (IdP-initiated). The following flow describes the SP-initiated process, which begins when a user tries to log on from the Alibaba Cloud Management Console.

[Figure: Basic user-based SSO flow]

  1. A user navigates to the Alibaba Cloud Management Console logon page and initiates SSO. Alibaba Cloud generates a SAML authentication request and redirects the user's browser to your corporate IdP with this request.

  2. The IdP authenticates the user. If the user is not already logged on, the IdP prompts them for their corporate credentials.

  3. After successful authentication, the IdP generates a SAML response containing an assertion with the user's identity information. It then posts this response back to the user's browser.

  4. The user's browser forwards the SAML response to the Alibaba Cloud SSO service endpoint.

  5. The SSO service verifies the signature on the SAML response using the certificate from the IdP's metadata.

  6. It then uses the NameID claim in the assertion to find the corresponding RAM user in your Alibaba Cloud account.

  7. Upon successful identity mapping, the user is logged on to the Alibaba Cloud Management Console.

    Note

    In an IdP-initiated flow, the user starts by logging on to your corporate application portal and clicking a link to access Alibaba Cloud. This action sends the SAML assertion directly to Alibaba Cloud without an initial request from Alibaba Cloud.

Configuration overview

Setting up user-based SSO requires configuration on both sides of the trust relationship: in Alibaba Cloud (the SP) and in your IdP.

  1. Configure SAML settings in Alibaba Cloud. You provide the metadata from your IdP to establish Alibaba Cloud's trust in your IdP. For more information, see Configure SAML on Alibaba Cloud (as SP).

  2. Configure SAML settings in your IdP. You configure Alibaba Cloud as a trusted SP in your IdP and define the SAML assertion attributes. For more information, see Configure Alibaba Cloud as the SP in your IdP.

  3. Create corresponding RAM users. For each user who needs to log on via SSO, you must create a RAM user in your Alibaba Cloud account. The name of the RAM user must exactly match the value of the NameID attribute that your IdP will send in the SAML assertion. For more information, see Create a RAM user.
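As an added example that is not part of this page or of Alibaba Cloud's own code, the following Python script shows what the SP-side checks in steps 5 to 7 of the flow above and the exact-match requirement in step 3 here amount to in practice. XML signature verification against the certificate from the IdP metadata (step 5) is assumed to have been performed already by a SAML library; the script takes a constructed, unsigned SAML response, checks its status, destination, issuer, audience, recipient, validity window and, for an SP-initiated flow, the InResponseTo request ID, and then resolves the NameID to a RAM user by exact, case-sensitive name match. All entity IDs, URLs, request IDs and user names are constructed placeholders.

```python
"""Added example (not Alibaba Cloud's own code): validate a SAML 2.0 response
after signature verification and map its NameID to an existing RAM user."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed trust settings (placeholders, not real values): the IdP entity ID
# would come from its metadata, the SP values from the SP configuration.
TRUSTED_IDP_ENTITY_ID = "https://idp.example.test/saml"
SP_ENTITY_ID = "https://sp.example.test/saml"
SP_ACS_URL = "https://sp.example.test/saml/acs"

# Constructed set of RAM user names that exist in the cloud account.
RAM_USERS = {"alice@example.test", "bob@example.test"}

# Constructed, unsigned SAML response as the browser would POST it to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.test/saml/acs" InResponseTo="_req-constructed-1">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"
          NotOnOrAfter="2026-03-24T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-03-24T09:55:00Z" NotOnOrAfter="2026-03-24T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str | None) -> datetime:
    """Parse a SAML UTC timestamp; a missing timestamp is a rejection, not a default."""
    if value is None:
        raise ValueError("required SAML timestamp is missing")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_and_map(response_xml: str, now: datetime,
                     expected_request_id: str | None = None) -> str:
    """Return the RAM user name the assertion maps to, or raise ValueError.

    Assumes the XML signature was already verified (step 5). expected_request_id
    is the ID of the request the SP issued in an SP-initiated flow; pass None
    for an IdP-initiated flow, where no such request exists.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report a successful authentication")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("response is not addressed to this ACS endpoint")
    if expected_request_id is not None and root.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer the request this SP issued")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != TRUSTED_IDP_ENTITY_ID:
        raise ValueError(f"assertion issuer {issuer!r} is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation is not for this endpoint or has expired")
    # Step 6: NameID must equal an existing RAM user name exactly (case-sensitive);
    # "Alice@example.test" does not map to the user "alice@example.test".
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id not in RAM_USERS:
        raise ValueError(f"no RAM user named exactly {name_id!r}")
    return name_id


def check(response_xml: str, now_iso: str = "2026-03-24T10:00:00Z",
          expected_request_id: str | None = "_req-constructed-1") -> str | None:
    """Convenience wrapper: the mapped RAM user name, or None when the logon is refused."""
    try:
        return validate_and_map(response_xml, _ts(now_iso), expected_request_id)
    except ValueError as exc:
        print("logon refused:", exc)
        return None


if __name__ == "__main__":
    print("mapped to RAM user:", check(SAMPLE_RESPONSE))
    check(SAMPLE_RESPONSE.replace("alice@", "Alice@"))              # NameID case mismatch
    check(SAMPLE_RESPONSE, now_iso="2026-03-24T11:00:00Z")          # expired assertion
    check(SAMPLE_RESPONSE.replace("idp.example", "other.example"))  # untrusted issuer
```

The four calls under `__main__` show the happy path and the three refusals a practitioner most often runs into when wiring up SSO: a NameID that differs from the RAM user name only in case, an assertion presented after its NotOnOrAfter time, and an assertion from an issuer other than the IdP whose metadata was configured. Passing `expected_request_id=None` models the IdP-initiated flow described in the note above, where no InResponseTo value exists to check.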

Configuration tutorials

The following topics provide detailed tutorials for configuring user-based SSO with common IdPs: