This topic describes the application scenarios of two SSO methods supported by Alibaba Cloud: role-based SSO and user-based SSO.

Role-based SSO

Application scenarios:
  • You do not want to create or manage users on Alibaba Cloud to avoid user synchronization and reduce costs.
  • You want to implement SSO to Alibaba Cloud but still manage some users directly on Alibaba Cloud. These locally managed users can be used to test new Alibaba Cloud features and to log on to Alibaba Cloud if your network or identity provider (IdP) is unavailable.
  • You want to manage operation permissions on Alibaba Cloud according to the user groups in your local IdP or a specific user attribute. You can then adjust a user's permissions by changing the user's group membership or attribute in your local IdP.
  • You have multiple Alibaba Cloud accounts and only one IdP. You want to implement SSO to multiple Alibaba Cloud accounts by configuring your IdP only once.
  • You have multiple IdPs and only one Alibaba Cloud account. You want to implement SSO from multiple IdPs to one Alibaba Cloud account by configuring IdPs in the Alibaba Cloud account.
  • You want to implement SSO by using the console or by calling APIs.

User-based SSO

Application scenarios:
  • You want to initiate logon from Alibaba Cloud, not from your IdP.
  • Some of the Alibaba Cloud services you use cannot be accessed by roles (that is, through STS). For more information about the Alibaba Cloud services that can be accessed by roles, see Alibaba Cloud services that work with RAM.
  • Your IdP does not support complex attribute configuration.
  • You want to simplify IdP configuration.