This topic describes the scenario, process, and configuration of user-based single sign-on (SSO).

Background information

In scenarios where Alibaba Cloud and the identity management system of an enterprise work together to implement user-based SSO, Alibaba Cloud is the service provider (SP) and the enterprise system is the identity provider (IdP). User-based SSO allows an employee in the enterprise to access Alibaba Cloud resources as a RAM user.



After an administrator configures user-based SSO, the employee (Alice) can log on to the Alibaba Cloud console. The process is described as follows:

  1. Alice uses a browser to log on to the Alibaba Cloud console. Then, Alibaba Cloud returns an SAML authentication request to the browser.
  2. The browser forwards the SAML authentication request to the IdP.
  3. Alice is prompted to log on to the IdP portal. After Alice has logged on to the IdP portal, the IdP returns an SAML response to the browser.
  4. The browser forwards the SAML response to the SSO service.
  5. Based on the SAML mutual trust configuration, the SSO service verifies the digital signature in the SAML response to check the authenticity of the SAML assertion. Then, the SSO service maps the value of the NameID element in the SAML assertion to the RAM user identity in Alibaba Cloud.
  6. The SSO service returns the URL of the Alibaba Cloud console to the browser.
  7. The browser redirects Alice to the Alibaba Cloud console.
    Note In Step 1, the employee does not need to initiate the logon from Alibaba Cloud. Instead, the employee can click the Alibaba Cloud logon URL in the IdP portal to send an SAML authentication request to the IdP.


Before you implement user-based SSO, you must configure the required settings to establish trust between Alibaba Cloud and your IdP.

  1. To make sure that your IdP is trusted by Alibaba Cloud, you must configure the IdP in the Alibaba Cloud console.
  2. To make sure that Alibaba Cloud is trusted by the IdP, you must configure Alibaba Cloud as a trusted SAML SP and configure SAML assertions in your IdP.
  3. After the IdP and Alibaba Cloud SAML settings are configured, you must create RAM users that correspond to the users in the IdP by using the software development kit (SDK), command line interface (CLI), or RAM console.

    For more information, see Create a RAM user.