This topic describes how to configure Alibaba Cloud as a trusted SAML service provider (SP) in your identity provider (IdP) during role-based single sign-on (SSO).

Procedure

  1. Find the SAML SP metadata URL of Alibaba Cloud in the RAM console: https://signin.alibabacloud.com/saml-role/sp-metadata.xml.
    1. Log on to the RAM console with an Alibaba Cloud account.
    2. In the left-side navigation pane, click SSO.
    3. On the Role-based SSO tab, find the SAML SP metadata URL.
  2. Create a SAML SP in your IdP and configure Alibaba Cloud as the relying party by using one of the following methods:
    • Copy and paste the SAML SP metadata URL of Alibaba Cloud into your IdP.
    • If your IdP does not support URL configuration, download the SAML metadata file from the URL. Then, upload the SAML metadata file when you create a SAML SP.
    • If the SAML metadata file cannot be uploaded to your IdP, configure the following parameters:
      • Entity ID: urn:alibaba:cloudcomputing:international.
      • ACS URL: https://signin.alibabacloud.com/saml-role/sso.
      • RelayState: Optional. If the RelayState parameter is available in your IdP, set this parameter to the URL that you want to visit. If this parameter is unspecified, you will be redirected to the homepage of the Alibaba Cloud console after SSO succeeds.
        Note: You can specify only a URL in the *.console.alibabacloud.com domain for the RelayState parameter.
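
The following Python check is an added example, not part of the Alibaba Cloud documentation. It compares a downloaded SP metadata file with the Entity ID and ACS URL listed above before the file is uploaded to the IdP, and tests a RelayState value against the *.console.alibabacloud.com restriction. The sample metadata is constructed, the function names are hypothetical, and requiring https and a subdomain label for RelayState is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Values taken from the parameter list on this page.
EXPECTED_ENTITY_ID = "urn:alibaba:cloudcomputing:international"
EXPECTED_ACS_URL = "https://signin.alibabacloud.com/saml-role/sso"
RELAYSTATE_SUFFIX = ".console.alibabacloud.com"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample of an SP metadata file (not the real download).
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:alibaba:cloudcomputing:international">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.alibabacloud.com/saml-role/sso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_bytes):
    """Return a list of mismatches between the metadata and the page's values."""
    if b"<!DOCTYPE" in xml_bytes:  # no DTD is needed here; refuse it
        return ["metadata contains a DOCTYPE declaration"]
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.tag != MD + "EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    if root.get("entityID") != EXPECTED_ENTITY_ID:
        problems.append(f"unexpected entityID: {root.get('entityID')!r}")
    acs = [e.get("Location") for e in root.iter(MD + "AssertionConsumerService")]
    if acs != [EXPECTED_ACS_URL]:
        problems.append(f"unexpected ACS endpoints: {acs}")
    return problems


def relaystate_allowed(url):
    """True if url points at a host under *.console.alibabacloud.com."""
    # Assumption: https only, and at least one label before the suffix.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname ignores userinfo and port
    return (parts.scheme == "https" and host.endswith(RELAYSTATE_SUFFIX)
            and len(host) > len(RELAYSTATE_SUFFIX))


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA))
    print(relaystate_allowed("https://ecs.console.alibabacloud.com/"))
```

Matching on the parsed hostname rather than on the raw string is what keeps look-alike values, such as the allowed domain placed in the query string or the userinfo part, from passing the RelayState check.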

What to do next

After you configure Alibaba Cloud as a trusted SAML SP, you must configure SAML assertions in your IdP. For more information, see SAML assertions for role-based SSO.