This topic provides an example of how to implement role-based Single Sign On (SSO) to Alibaba Cloud from Azure Active Directory (Azure AD), detailing the end-to-end identity SSO process from a cloud identity provider (IdP) to Alibaba Cloud. After implementing role-based SSO, you can better manage your Azure AD users who have access to Alibaba Cloud, enable your users to automatically log on to Alibaba Cloud with their Azure AD accounts, and manage your accounts in the Azure portal.

Scenario

You use Azure AD to manage your users and configure enterprise applications such as Alibaba Cloud. In this example, you have an Alibaba Cloud account (Account1) and a user named u2. You want u2 to implement SSO from Azure AD to Account1.

The following figure shows the basic SSO process.

Configurations

To implement role-based SSO, you must configure Azure AD and Alibaba Cloud by following these steps:
  • Add Alibaba Cloud role-based SSO from the Azure AD gallery:
    1. Log on to the Azure portal.
    2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.

    3. Click New application.

    4. On the displayed page, enter Alibaba Cloud Service (Role-based SSO) in the search box, press Enter, and select Alibaba Cloud Service (Role-based SSO).

    5. On the displayed page, click Add.

    6. On the Alibaba Cloud Service (Role-based SSO) page, click Properties in the left-side navigation pane, and copy and save the object ID for subsequent use.

  • Enable Azure AD SSO in Azure AD:
    1. In the Azure portal, choose Azure Active Directory > Enterprise applications > All applications.
    2. In the NAME column, click Alibaba Cloud Service (Role-based SSO).
    3. On the displayed page, select Single sign-on from the left-side navigation pane.

    4. In the Select a single sign-on method section, click SAML.

    5. On the Set up Single Sign-On with SAML page, follow these steps:
      1. In the upper-left corner, click Upload metadata file to integrate Azure AD with Alibaba Cloud role-based SSO, and click Save.

        Note You can obtain the metadata file from the URL https://signin.alibabacloud.com/saml-role/sp-metadata.xml.
      2. In the User Attributes & Claims section, click the Edit icon.

      3. Click Add new claim. In the Name field, enter Role. In the Namespace field, enter https://www.aliyun.com/SAML-Role/Attributes. Set Source to Attribute, select user.assignedroles from the Source attribute drop-down list, and click Save.

      4. Repeat the preceding step to add a new claim with Name set to RoleSessionName and Source attribute set to user.userprincipalname, and click Save.
        Note You can also enter https://www.aliyun.com/SAML-Role/Attributes in the Namespace field.
      5. In the SAML Signing Certificate section, click Download to download the federation metadata XML for subsequent use.

      6. In the Set up Alibaba Cloud Service (Role-based SSO) section, copy the URLs as needed.

  • Configure role-based SSO in Alibaba Cloud:
    1. Log on to the Alibaba Cloud RAM console by using Account1.
    2. In the left-side navigation pane, select SSO.
    3. On the Role-based SSO tab, click Create IdP.
    4. On the displayed page, enter AAD in the IdP Name field, enter a description in the Note field, click Upload to upload the federation metadata file you downloaded before, and click OK.
    5. After the IdP is successfully created, click Create RAM Role.
    6. In the RAM Role Name field, enter AADrole, select AAD from the Select IdP drop-down list, and click OK.
    Note You can grant permission to the role as needed. After creating the IdP and the corresponding role, we recommend that you save the ARNs of the IdP and the role for subsequent use. You can obtain the ARNs on the IdP information page and the role information page.
  • Associate the Alibaba Cloud RAM role (AADrole) with the Azure AD user (u2):
    To associate the RAM role with the Azure AD user, you must create a role in Azure AD by following these steps:
    1. Log on to the Azure AD Graph Explorer.
    2. Click modify permissions to obtain required permissions for creating a role.

    3. Select the following permissions from the list and click Modify Permissions, as shown in the following figure.

      Note After permissions are granted, log on to the Graph Explorer again.
    4. On the Graph Explorer page, select GET from the first drop-down list and beta from the second drop-down list. Then enter https://graph.microsoft.com/beta/servicePrincipals in the field next to the drop-down lists, and click Run Query.

      Note If you are using multiple directories, you can enter https://graph.microsoft.com/beta/contoso.com/servicePrincipals in the field of the query.
    5. In the Response Preview section, extract the appRoles property from the 'Service Principal' for subsequent use.

      Note You can locate the appRoles property by entering https://graph.microsoft.com/beta/servicePrincipals/<objectID> in the field of the query. Note that the objectID is the object ID you have copied from the Azure AD Properties page.
    6. Go back to the Graph Explorer, change the method from GET to PATCH, paste the following content into the Request Body section, and click Run Query:
      
      {
        "appRoles": [
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "41be2db8-48d9-4277-8e86-f6d22d35****",
            "isEnabled": true,
            "origin": "Application",
            "value": null
          },
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "Admin,AzureADProd",
            "displayName": "Admin,AzureADProd",
            "id": "68adae10-8b6b-47e6-9142-6476078cdbce",
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD"
          }
        ]
      }
      Note The value is the ARNs of the IdP and the role you created in the RAM console, in the form <role ARN>,<IdP ARN>. Here, you can add multiple roles as needed. Azure AD sends the value of these roles as the claim value in the SAML response. However, you can only add new roles after the msiam_access entry for the patch operation. To smooth the creation process, we recommend that you use an ID generator, such as GUID Generator, to generate a unique ID for each role.
    7. After the 'Service Principal' is patched with the required role, attach the role to the Azure AD user (u2) by following these steps:
      1. In the Azure portal, choose Azure Active Directory > Enterprise applications > All applications.
      2. In the NAME column, click Alibaba Cloud Service (Role-based SSO).
      3. On the displayed page, select Users and groups from the left-side navigation pane.
      4. In the upper-left corner, click Add user.

      5. On the Users and groups tab, select u2 from the user list, and click Select. Then, click Assign.

      6. View the assigned role and test role-based SSO.

    Note After you assign the user (u2), the created role is automatically attached to the user. If you have created multiple roles, you need to attach the appropriate role to the user as needed. If you want to implement role-based SSO from Azure AD to multiple Alibaba Cloud accounts, repeat the preceding steps.
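The following is an added example, not code from the original page or from Alibaba Cloud or Microsoft: it validates a Role claim value of the form <role ARN>,<IdP ARN> and assembles the appRoles list for the Graph PATCH body under the constraints described above (msiam_access stays first, each role gets a freshly generated GUID, both ARNs belong to the same account). The account ID, the msiam_access ID and the sample input are constructed placeholders.

```python
import json
import re
import uuid

# ARN shapes used by RAM role-based SSO (as on the page): role ARN first, IdP ARN second.
ROLE_ARN = re.compile(r"^acs:ram::(\d+):role/([A-Za-z0-9._-]+)$")
IDP_ARN = re.compile(r"^acs:ram::(\d+):saml-provider/([A-Za-z0-9._-]+)$")


def parse_role_claim(value):
    """Return (account_id, role_name, idp_name) for a '<role ARN>,<IdP ARN>' claim value.
    Raises ValueError when the value is malformed or the two ARNs span different accounts."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("Role claim must be exactly '<role ARN>,<IdP ARN>'")
    role_m, idp_m = ROLE_ARN.match(parts[0]), IDP_ARN.match(parts[1])
    if not role_m or not idp_m:
        raise ValueError("Role claim ARNs are malformed or in the wrong order")
    if role_m.group(1) != idp_m.group(1):
        raise ValueError("role ARN and IdP ARN belong to different Alibaba Cloud accounts")
    return role_m.group(1), role_m.group(2), idp_m.group(2)


def build_app_roles(existing, new_roles):
    """Build the appRoles list for the PATCH body: the msiam_access entry stays first,
    then one enabled role per (displayName, claim value) with a freshly generated GUID id."""
    kept = [r for r in existing if r.get("displayName") == "msiam_access"]
    if len(kept) != 1:
        raise ValueError("expected exactly one msiam_access entry in the existing appRoles")
    roles, seen = list(kept), set()
    for display_name, claim_value in new_roles:
        parse_role_claim(claim_value)  # reject bad ARN pairs before they reach Azure AD
        if claim_value in seen:
            raise ValueError("duplicate claim value: " + claim_value)
        seen.add(claim_value)
        roles.append({"allowedMemberTypes": ["User"], "description": display_name,
                      "displayName": display_name, "id": str(uuid.uuid4()),
                      "isEnabled": True, "origin": "ServicePrincipal", "value": claim_value})
    return roles


# Constructed sample input: the appRoles returned by GET .../servicePrincipals/<objectID>
# (the id is a placeholder, not a real Azure AD value) and a claim for a made-up account id.
EXISTING = [{"allowedMemberTypes": ["User"], "description": "msiam_access",
             "displayName": "msiam_access", "id": "00000000-0000-4000-8000-000000000000",
             "isEnabled": True, "origin": "Application", "value": None}]
SAMPLE_CLAIM = ("acs:ram::1234567890123456:role/AADrole,"
                "acs:ram::1234567890123456:saml-provider/AAD")

if __name__ == "__main__":
    body = {"appRoles": build_app_roles(EXISTING, [("Admin,AzureADProd", SAMPLE_CLAIM)])}
    print(json.dumps(body, indent=2))  # the JSON to paste into the PATCH Request Body
```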

Test role-based SSO

After the preceding configurations are completed, test role-based SSO by following these steps:
  1. In the Azure portal, go to the Alibaba Cloud Service (Role-based SSO) page, select Single sign-on, and click Test.

  2. Click Sign in as current user.

  3. On the account selection page, select u2.

The following page is displayed, indicating that role-based SSO is successful.