This topic describes how to configure the SAML settings of an identity provider (IdP) for role-based single sign-on (SSO). You configure Alibaba Cloud as a trusted SAML service provider (SP) in the IdP, and then configure the SAML assertions that the IdP issues.

Procedure

  1. Obtain the SAML SP metadata URL https://signin.alibabacloud.com/saml-role/sp-metadata.xml.
    1. Log on to the RAM console by using your Alibaba Cloud account.
    2. In the left-side navigation pane, click SSO.
    3. On the Role-based SSO tab, copy the SAML SP metadata URL.
  2. Create an SAML SP in your IdP and configure Alibaba Cloud as the relying party by using one of the following methods:
    • Copy and paste the SAML SP metadata URL of Alibaba Cloud into your IdP.
    • If your IdP does not support configuration by URL, click Copy next to SAML Service Provider Metadata URL to download an XML file. Then, upload the XML file when you create the SAML SP.
    • If you cannot upload an XML file to your IdP, configure the following parameters manually:
      • Entity ID: urn:alibaba:cloudcomputing:international
      • ACS URL: https://signin.alibabacloud.com/saml-role/sso
      • RelayState: Optional. If your IdP supports the RelayState parameter, you can set it to the URL to which the user is redirected after SSO succeeds. If this parameter is left unspecified, the user is redirected to the home page of the Alibaba Cloud console after SSO succeeds.
        Note: Only URLs in the *.console.aliyun.com or *.console.alibabacloud.com domains can be set for RelayState, so the parameter cannot redirect users to a site outside the console.
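The two checks that an administrator typically wants after completing these steps are (a) that the SP metadata the IdP received really carries the Entity ID and ACS URL listed above, and (b) that any RelayState value you intend to configure falls inside the permitted console domains. The following Python is an added example for this page, not Alibaba Cloud's own code. The SP metadata document it parses is a constructed minimal sample shaped like a SAML 2.0 SP metadata file and is not the real file served at the metadata URL; the function names are hypothetical, and the requirement that RelayState use `https` is this example's own assumption, since the page only restricts the domain.

```python
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace used by SAML 2.0 metadata documents.
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Values quoted in the procedure above; they are the expected SP settings.
EXPECTED_ENTITY_ID = "urn:alibaba:cloudcomputing:international"
EXPECTED_ACS_URL = "https://signin.alibabacloud.com/saml-role/sso"
ALLOWED_RELAYSTATE_DOMAINS = ("*.console.aliyun.com", "*.console.alibabacloud.com")

# Constructed sample: a minimal SP metadata document shaped like the one an
# IdP would download from the SP metadata URL. It is NOT the real file.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:alibaba:cloudcomputing:international">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.alibabacloud.com/saml-role/sso"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entity_id, [acs_locations]) from a SAML 2.0 SP metadata document."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs_urls = [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    ]
    return entity_id, acs_urls


def check_sp_metadata(xml_text):
    """Compare parsed metadata with the values given in the procedure.

    Returns a list of mismatch descriptions; an empty list means the
    Entity ID and ACS URL match what the IdP should be configured with.
    """
    entity_id, acs_urls = parse_sp_metadata(xml_text)
    problems = []
    if entity_id != EXPECTED_ENTITY_ID:
        problems.append(f"entityID is {entity_id!r}, expected {EXPECTED_ENTITY_ID!r}")
    if EXPECTED_ACS_URL not in acs_urls:
        problems.append(f"ACS URL {EXPECTED_ACS_URL!r} not found in {acs_urls!r}")
    return problems


def relaystate_allowed(relay_state):
    """True if RelayState is an https URL whose host is inside the allowed console domains.

    urlsplit().hostname strips any userinfo, so "https://ram.console.aliyun.com@other.example/"
    is judged by its real host ("other.example") and rejected.
    """
    parts = urlsplit(relay_state)
    if parts.scheme != "https" or not parts.hostname:  # https requirement is this example's assumption
        return False
    host = parts.hostname.lower()
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in ALLOWED_RELAYSTATE_DOMAINS)


if __name__ == "__main__":
    print("metadata problems:", check_sp_metadata(SAMPLE_SP_METADATA))
    for candidate in ("https://ram.console.aliyun.com/", "https://example.com/"):
        print(candidate, "->", relaystate_allowed(candidate))
```

Run the script against the metadata XML your IdP actually downloaded (pass its text to `check_sp_metadata`) before finishing step 2; an empty problem list confirms the Entity ID and ACS URL match the values in this procedure, and `relaystate_allowed` tells you in advance whether a planned RelayState value would be accepted.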

What to do next

After you configure Alibaba Cloud as a trusted SAML SP, you must configure SAML assertions in your IdP.

Alibaba Cloud parses the SAML assertion to determine which RAM role to assume. Therefore, the SAML assertions that your IdP generates must contain the required RAM role information.

For more information about SAML assertions, see SAML assertions for role-based SSO.