Implement role-based SSO from AD FS - SSO Management| Alibaba Cloud Documentation Center

Background information

You can use AD FS to manage your users and configure enterprise applications such as Alibaba Cloud. After role-based SSO is configured, your AD administrators can manage user access to Alibaba Cloud. In this example, you have two Alibaba Cloud accounts (Account1 and Account2) and four AD user groups (Aliyun-<account-id>-ADFS-Admin and Aliyun-<account-id>-ADFS-Reader). An employee's AD user account named Alice belongs to these groups. You want to implement role-based SSO from AD FS to Account1 and Account2.

Note <account-id> in the name of each user group refers to the ID of Account1 or Account2.

SSO process

The following figure shows the process of role-based SSO.

After an AD administrator completes the configurations of role-based SSO, Alice can log on to the Alibaba Cloud console by following the process shown in the figure. For more information, see Overview of role-based SSO.

The SSO process shows that users can be authenticated without the need to provide Alibaba Cloud usernames and passwords during logon.

Configure AD FS as a trusted SAML IdP in Alibaba Cloud

Log on to the Alibaba Cloud RAM console by using Account1. Create an IdP named ADFS and upload a metadata file. You can obtain the metadata file of AD FS from the URL: https://<ADFS-server>/federationmetadata/2007-06/federationmetadata.xml.

Note <ADFS-server> in the URL is the domain name or IP address of your AD FS server.

For more information, see Configure the SAML settings of Alibaba Cloud for role-based SSO.
Create two RAM roles named ADFS-Admin and ADFS-Reader. When creating the roles, select IdP for the Trusted entity type parameter and select ADFS from the Select IdP drop-down list. Then, attach the AdministratorAccess policy to the ADFS-Admin role and attach the ReadOnlyAccess policy to the ADFS-Reader role.
For more information, see Create a RAM role for a trusted IdP.
Repeat the preceding steps to create an IdP and two RAM roles under Account2 and attach policies to the RAM roles.

Note After you complete the configurations, Account1 and Account2 will trust the user identity and role information that are included in Security Assertions Markup Language (SAML) requests sent from your AD FS server.

Configure Alibaba Cloud as a trusted SAML SP in AD FS

In AD FS, a SAML service provider (SP) is also known as a relying party. To configure Alibaba Cloud as a trusted SAML SP in AD FS, follow these steps:

On the Server Manager page, choose Tools > AD FS Management.
Select Add Relying Party Trust.
Set the SAML SP metadata of Alibaba Cloud for the relying party. The metadata URL is https://signin.alibabacloud.com/saml-role/sp-metadata.xml.
Complete the configurations as instructed.

Configure SAML assertion attributes for the Alibaba Cloud SP

The SAML assertion issued by AD FS must contain the attributes such as NameID, Role, and RoleSessionName. AD FS can provide these attributes by issuing transform rules.

NameID
Follow these steps to configure the NameID attribute in the SAML assertion to contain the Windows account name of AD:
1. Right-click the display name of the relying party and select Edit Claim Rules.
2. Click Issuance Transform Rules.
  
  Note Issuance transform rules indicate how to transform a known user attribute and issue it as an attribute in the SAML assertion. You need to issue the Windows account name of a user in AD as NameID. This means that a new rule is required.
3. Select Transform an Incoming Claim from the Claim rule template drop-down list.
4. Configure the claim rule as follows, and then click Finish.
  - Specify the Claim rule name parameter as NameID.
  - Select Windows account name for the Incoming claim type parameter.
  - Select Name ID for the Outgoing claim type parameter.
  - Select Persistent Identifier for the Outgoing name ID format parameter.
  - Select the Pass through all claim values option.
  After you complete the configurations, AD FS will send the required NameID attribute to Alibaba Cloud. The following is an example:
```
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    YourDomain\rolessouser
</NameID>
```
RoleSessionName
Follow these steps to configure the value of the RoleSessionName attribute in the SAML assertion to be the User Principal Name (UPN) of AD:
1. Click Add Transform Claim Rule.
2. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list.
3. Configure the claim rule as follows, and click Finish.
  - Specify the Claim rule name parameter as RoleSessionName.
  - Select Active Directory from the Attribute store drop-down list.
  - Select User-Principal-Name in the LDAP Attribute column. You can select other attributes, such as Email, as needed.
  - Select https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName in the Outgoing Claim Type column.
After you complete the configurations, AD FS will send the required RoleSessionName attribute to Alibaba Cloud. The following is an example:
```
<Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName">
    <AttributeValue>rolessouser@example.com<AttributeValue>
</Attribute>
```
Role
Follow these steps to configure a custom attribute whose value contains the name of the Alibaba Cloud RAM role that is associated with the AD group of the user:
1. Click Add Transform Claim Rule.
2. Select Send Claims Using a Custom Rule from the Claim rule template drop-down list and click Next.
3. Configure the claim rule as follows, and click Finish.
  - Specify the Claim rule name parameter as Get AD Groups.
  - Specify the Custom rule parameter as follows:
```
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccount
name", Issuer == "AD AUTHORITY"] => add(store = "Active Directory",
types = ("http://temp/variable"), query = ";tokenGroups;{0}", param =
c.Value);
```
  Note This rule is used to obtain the AD group to which the user belongs and save it to http://temp/variable.
4. Click Add Transform Claim Rule.
5. Repeat the preceding steps to create a custom rule, configure the rule as follows, and then click Finish.
  - Specify the Claim rule name parameter as Role.
  - Specify the Custom rule parameter as follows:
```
c:[Type == "http://temp/variable", Value =~ "(? i)^Aliyun-([\d]+)"]
 => issue(Type = "https://www.aliyun.com/SAML-Role/Attributes/Role",
Value = RegExReplace(c.Value, "Aliyun-([\d]+)-(.+)", "acs:ram::
$1:role/$2,acs:ram::$1:saml-provider/ADFS"));
```
  Note According to this rule, if the user belongs to the Aliyun-<account-id>-ADFS-Admin or Aliyun-<account-id>-ADFS-Reader group, a SAML attribute will be generated and sent to Alibaba Cloud to match the RAM role ADFS-Admin or ADFS-Reader.
After you complete the configurations, your IdP will return a required SAML assertion to Alibaba Cloud. The following is an example:
```
<Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
    <AttributeValue>acs:ram::<account-id>:role/ADFS-Admin,acs:ram::<account-id>:saml-provider/ADFS</AttributeValue>
</Attribute>
```

Test role-based SSO

Log on to the AD FS SSO portal (URL: https://<ADFS-server>/adfs/ls/IdpInitiatedSignOn.aspx). Select the Alibaba Cloud application, and enter the username and password.

Note <ADFS-server> in the URL is the domain name or IP address of your AD FS server. If the URL is unavailable, run the Set-AdfsProperties -EnableIdpInitiatedSignonPage $True command in PowerShell.
On the Role-based SSO page of Alibaba Cloud, select the target role and click Sign In.

Note If your user belongs to only one AD group, the user logs on without selecting a role.