
Resource Access Management:Overview of user-based SSO

Last Updated: May 27, 2026

User-based single sign-on (SSO) lets users from your corporate identity provider (IdP) log on to the Alibaba Cloud Management Console using their existing corporate credentials. Alibaba Cloud maps each external identity to a specific Resource Access Management (RAM) user in your account, and the logged-on user inherits that RAM user's permissions.

How user-based SSO works

SSO can be SP-initiated (started from the Alibaba Cloud Management Console) or IdP-initiated (started from your corporate application portal). The following diagram shows the SP-initiated flow.

[Figure: Basic user SSO flow]

  1. The user goes to the Alibaba Cloud Management Console and initiates SSO. Alibaba Cloud generates a SAML authentication request and redirects the browser to your corporate IdP.

  2. The IdP authenticates the user, prompting for corporate credentials if the user is not already logged on.

  3. After the user authenticates, the IdP generates a SAML response containing an assertion with the user's identity information and posts it to the browser.

  4. The browser forwards the SAML response to the Alibaba Cloud SSO service endpoint.

  5. The SSO service verifies the signature on the SAML response using the certificate from the IdP's metadata.

  6. The SSO service uses the NameID attribute in the assertion to find the matching RAM user in your Alibaba Cloud account.

  7. The user logs on to the Alibaba Cloud Management Console with the permissions of the matched RAM user.

    Note

    In an IdP-initiated flow, the user logs on to your corporate application portal and clicks a link to Alibaba Cloud. The IdP sends the SAML assertion directly to Alibaba Cloud without a prior authentication request.

Configuration overview

User-based SSO requires mutual trust between Alibaba Cloud and your IdP. Complete the following steps to establish that trust.

  1. Configure SAML settings in Alibaba Cloud. Upload your IdP's metadata to Alibaba Cloud to establish trust between Alibaba Cloud and your IdP. For more information, see Configure SAML on Alibaba Cloud for user SSO.

  2. Configure SAML settings in your IdP. Register Alibaba Cloud as a trusted SP in your IdP and define the SAML assertion attributes. For more information, see SAML configuration for user-based SSO.

  3. Create RAM users. For each user who needs SSO access, create a RAM user in your Alibaba Cloud account. The RAM user's name must exactly match the NameID attribute that your IdP sends in the SAML assertion. For more information, see Create a RAM user.
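The following Python example is added here to illustrate steps 6 and 7 of the flow above together with configuration step 3: after the SAML response has been received and its signature verified, the SP checks the assertion's validity window and audience, reads the NameID, and looks up a RAM user whose name matches that NameID exactly. It is not Alibaba Cloud's code; the SAML response, the RAM user directory, the audience URI `urn:example:alibaba-sp` and the policy names are constructed for the example, and signature verification (step 5) is assumed to have already passed, so the sample response carries no Signature element.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML response template (not captured from any real IdP).
# The Signature element is omitted: this example assumes step 5 (signature
# verification against the certificate in the IdP metadata) already passed.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2026-05-27T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-05-27T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-05-27T09:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction>
        <saml:Audience>urn:example:alibaba-sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed RAM user directory: user name -> attached policies (example values).
RAM_USERS = {
    "alice": ["AliyunECSReadOnlyAccess"],
    "Bob": ["AliyunOSSFullAccess"],
}

# Fixed "current time" so the validity-window checks are reproducible.
EXAMPLE_NOW = datetime(2026, 5, 27, 10, 1, 0, tzinfo=timezone.utc)


def build_response(name_id, not_on_or_after="2026-05-27T10:05:00Z"):
    """Render the constructed response with the given NameID and expiry."""
    return RESPONSE_TEMPLATE.format(name_id=name_id, not_on_or_after=not_on_or_after)


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def map_assertion_to_ram_user(response_xml, ram_users, expected_audience, now):
    """Validate the assertion and return the RAM user the NameID maps to.

    Raises ValueError for an assertion that must be rejected and LookupError
    when no RAM user has exactly the name carried in the NameID.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions")
    not_before = conditions.get("NotBefore")
    if not_before and now < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        raise ValueError("assertion expired")

    # Audience: the assertion must be addressed to this SP, not some other relying party.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this SP")

    # Step 6: the NameID is compared to RAM user names exactly, with no trimming
    # or case folding, so "Alice" does not match a RAM user named "alice".
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    name = name_id.text
    if name not in ram_users:
        raise LookupError(f"no RAM user named {name!r}")
    # Step 7: the session inherits the matched RAM user's permissions.
    return {"ram_user": name, "policies": ram_users[name]}


def login_outcome(name_id, not_on_or_after="2026-05-27T10:05:00Z", audience="urn:example:alibaba-sp"):
    """Convenience wrapper: ('ok', ram_user) or ('rejected', reason)."""
    try:
        result = map_assertion_to_ram_user(
            build_response(name_id, not_on_or_after), RAM_USERS, audience, EXAMPLE_NOW
        )
        return ("ok", result["ram_user"])
    except (ValueError, LookupError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for candidate in ("alice", "Alice", "bob"):
        print(candidate, "->", login_outcome(candidate))
```

The wrapper makes the practical consequence of step 3 visible: an IdP that emits `Alice` or `bob` where the RAM users are `alice` and `Bob` produces a rejected logon, so the NameID format configured in the IdP and the RAM user names must be aligned character for character.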

Configuration tutorials

The following topics provide step-by-step instructions for configuring user-based SSO with common IdPs: