This topic provides an example of how to implement role-based single sign-on (SSO) to Alibaba Cloud from Azure Active Directory (Azure AD). It describes the end-to-end identity SSO process from an identity provider (IdP) to Alibaba Cloud.

Background information

In this example, you have an Alibaba Cloud account (Account1) and an Azure AD user (u2). You want to use Azure AD to manage your users and configure enterprise applications such as Alibaba Cloud services. After configuring role-based SSO, you can better manage your Azure AD users who have access to Alibaba Cloud and manage your accounts in the Azure portal. The AD users can log on to the Alibaba Cloud Management Console by using their Azure AD accounts.

Scenario

Add Alibaba Cloud role-based SSO from the Azure AD gallery

  1. Log on to the Azure portal as an administrator.
  2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
    Azure Active Directory
  3. Click New application.
    New application
  4. In the Add from the gallery section of the Add an application page, enter Alibaba Cloud Service (Role-based SSO) in the field and press Enter. Then, select Alibaba Cloud Service (Role-based SSO).
    Alibaba Cloud Service (Role-based SSO)
  5. On the page that appears, click Add.
    Add
  6. On the Alibaba Cloud Service (Role-based SSO) page, click Properties in the left-side navigation pane, and copy and save the object ID for subsequent use.
    Object ID

Configure SSO in Azure AD

  1. Log on to the Azure portal as an administrator.
  2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  3. In the NAME column, click Alibaba Cloud Service (Role-based SSO).
  4. In the left-side navigation pane of the page that appears, click Single sign-on.
    Single sign-on
  5. In the Select a single sign-on method section, click SAML.
    SAML
  6. On the Set up Single Sign-On with SAML page, perform the following steps:
    1. In the upper-left corner, click Upload metadata file, select a file, and then click Add.
      Upload a metadata file
      Note You can obtain the metadata file from the URL: https://signin.alibabacloud.com/saml-role/sp-metadata.xml.
    2. In the User Attributes & Claims section, click the edit icon.
      User Attributes & Claims
    3. Click Add new claim, set the parameters as follows, and then click Save.
      • Enter Role in the Name field.
      • Enter https://www.aliyun.com/SAML-Role/Attributes in the Namespace field.
      • Select Attribute from the Source drop-down list.
      • Select user.assignedroles from the Source attribute drop-down list.
      Manage user claims
    4. Repeat the preceding step to add another claim and specify the parameters as follows.
      • Enter RoleSessionName in the Name field.
      • Enter https://www.aliyun.com/SAML-Role/Attributes in the Namespace field.
      • Select Attribute from the Source drop-down list.
      • Select user.userprincipalname from the Source attribute drop-down list.
    5. In the upper-right corner of the User Attributes & Claims page, click the close icon. In the SAML Signing Certificate section of the page that appears, click Download next to Federation Metadata XML to download the federation metadata XML file for subsequent use.
      Download the federation metadata XML file
    6. In the Set up Alibaba Cloud Service (Role-based SSO) section, copy and save the Login URL, Azure AD Identifier, and Logout URL for subsequent use.
      Set up Alibaba Cloud Service (Role-based SSO)
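The two claims configured above are what Alibaba Cloud reads from the SAML response: a Role attribute whose value is the RAM role ARN and the IdP ARN separated by a comma, and a RoleSessionName attribute carrying the user principal name. The following Python script is an added example, not part of this topic or of either vendor's tooling; it parses a decoded assertion and checks that both attributes have the shape Alibaba Cloud expects. It assumes that Azure AD names each SAML attribute by joining the claim Namespace and Name with a slash; the account ID, role name and user principal name in the embedded sample assertion are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as assumed to appear in the assertion: the claim Namespace
# joined with the claim Name by a slash. Confirm against a real response
# captured with the browser's developer tools before relying on this.
ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"
SESSION_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName"

# Alibaba Cloud RAM ARN shapes; group 1 captures the account ID.
ROLE_ARN = re.compile(r"^acs:ram::(\d+):role/[A-Za-z0-9._-]+$")
PROVIDER_ARN = re.compile(r"^acs:ram::(\d+):saml-provider/[A-Za-z0-9._-]+$")

# Constructed sample assertion (account ID, role name and UPN are placeholders).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
      <saml:AttributeValue>acs:ram::1000000000000000:role/AADrole,acs:ram::1000000000000000:saml-provider/AAD</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName">
      <saml:AttributeValue>u2@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Same assertion with the two ARNs in the wrong order: a common misconfiguration.
BAD_ASSERTION = SAMPLE_ASSERTION.replace(
    ":role/AADrole,acs:ram::1000000000000000:saml-provider/AAD",
    ":saml-provider/AAD,acs:ram::1000000000000000:role/AADrole",
)


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_role_claims(assertion_xml: str) -> list:
    """Return a list of problems; an empty list means both claims are well-formed."""
    attrs = extract_attributes(assertion_xml)
    problems = []
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append("Role attribute missing")
    for value in roles:
        parts = value.split(",")
        if len(parts) != 2:
            problems.append(f"Role value must be 'roleARN,providerARN': {value}")
            continue
        role_match = ROLE_ARN.match(parts[0])
        provider_match = PROVIDER_ARN.match(parts[1])
        if not role_match or not provider_match:
            problems.append(f"Role value has malformed ARNs: {value}")
            continue
        # Both ARNs must name the same Alibaba Cloud account.
        if role_match.group(1) != provider_match.group(1):
            problems.append(f"Role and IdP belong to different accounts: {value}")
    session = attrs.get(SESSION_ATTR, [])
    if len(session) != 1 or not session[0]:
        problems.append("RoleSessionName must carry exactly one non-empty value")
    return problems


if __name__ == "__main__":
    print("sample:", check_role_claims(SAMPLE_ASSERTION) or "ok")
    print("swapped ARNs:", check_role_claims(BAD_ASSERTION))
```

Run it against the AttributeStatement of a real response (decoded from the SAMLResponse form field) when a logon fails with a role or session-name error. It inspects attribute values only; signature validation against the uploaded federation metadata is performed by Alibaba Cloud and is not replaced by this check.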

Configure role-based SSO in Alibaba Cloud

  1. Log on to the Alibaba Cloud RAM console by using Account1.
  2. In the left-side navigation pane, click SSO.
  3. On the Role-based SSO page, click Create IdP.
  4. On the page that appears, set the IdP Name parameter to AAD, and set the Note parameter.
  5. Click Upload below Metadata File to upload the federation metadata file that you downloaded earlier.
    Note You must upload the federation metadata file that you downloaded from the SAML Signing Certificate section in substep 5 of step 6 of "Configure SSO in Azure AD".
  6. Click OK.
  7. After the IdP is created, click Create RAM Role.
  8. Set the RAM Role Name parameter to AADrole, and set the Note parameter.
  9. Select AAD from the Select IdP drop-down list, and click OK.
    Note
    • You can grant permissions to the role based on your business needs. For more information, see Grant permissions to a RAM role.
    • After you create the IdP and the corresponding role, we recommend that you save the ARNs of the IdP and the RAM role for subsequent use. For more information about how to obtain the ARN of the RAM role, see View the basic information of a RAM role.

Associate the Alibaba Cloud RAM role with the Azure AD user

  1. Before you associate the RAM role (AADrole) with the Azure AD user (u2), perform the following steps to create a role in Azure AD:
    1. Log on to Azure AD Graph Explorer by using u2.
    2. Click modify permissions to obtain the required permissions.
      Azure AD Graph Explorer
    3. Select the following permissions from the list, and click Modify Permissions.
      Modify permissions
      Note After the permissions are granted, log on to Graph Explorer again.
    4. On the Graph Explorer page, select GET from the first drop-down list, and select beta from the second drop-down list. Then, enter https://graph.microsoft.com/beta/servicePrincipals in the field next to the drop-down lists, and click Run Query.
      Run Query
      Note If you are using multiple directories, enter https://graph.microsoft.com/beta/contoso.com/servicePrincipals in the field next to the drop-down lists.
    5. On the Response Preview tab, extract the appRoles property from the Service Principal object for subsequent use.
       "appRoles": [
         {
           "allowedMemberTypes": [
             "User"
           ],
           "description": "msiam_access",
           "displayName": "msiam_access",
           "id": "7dfd756e-8c27-4472-b2b7-38c17fc5****",
           "isEnabled": true,
           "origin": "Application",
           "value": null
         }
       ],
      Note You can find the appRoles property by entering https://graph.microsoft.com/beta/servicePrincipals/<objectID> in the field next to the drop-down lists. Note that the value of the objectID parameter is the object ID that you have copied from the Azure AD Properties page.
    6. Go back to Graph Explorer, select PATCH from the first drop-down list, and select beta from the second drop-down list. Enter https://graph.microsoft.com/beta/servicePrincipals/<objectID> in the field next to the drop-down lists. Copy and paste the following sample request body into the Request Body section, edit it based on your business needs, and then click Run Query.
      {
        "appRoles": [
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "41be2db8-48d9-4277-8e86-f6d22d35****",
            "isEnabled": true,
            "origin": "Application",
            "value": null
          },
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "Admin,AzureADProd",
            "displayName": "Admin,AzureADProd",
            "id": "68adae10-8b6b-47e6-9142-6476078c****",
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD"
          }
        ]
      }
      The request body must be valid JSON, so the values are described here rather than in inline comments:
      • The id of the first entry (msiam_access) is the UUID of the existing role that you extracted in the preceding step. Keep this entry unchanged.
      • The id of the second entry is a new GUID that you generate yourself, for example with a GUID generator.
      • The value of the second entry is the ARN of the RAM role, a comma, and the ARN of the IdP, both copied from the RAM console.
      Note You can add multiple roles based on your business needs. Azure AD sends the ARNs of these roles and their corresponding IdPs as the claim value in a SAML response. New roles must be appended after the msiam_access entry in the patch body.
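Hand-editing the appRoles array is easy to get wrong: dropping the msiam_access entry, reusing an id, or putting the two ARNs in value in the wrong order. The following Python function is an added example, not code from this topic or from Microsoft; it builds the PATCH body from the appRoles array returned by the GET request, validates both ARNs, and appends the new role after the existing entries. The existing role, account ID and role name it uses are constructed placeholders.

```python
import json
import re
import uuid

# Alibaba Cloud RAM ARN shapes; group 1 captures the account ID.
ROLE_ARN = re.compile(r"^acs:ram::(\d+):role/[A-Za-z0-9._-]+$")
PROVIDER_ARN = re.compile(r"^acs:ram::(\d+):saml-provider/[A-Za-z0-9._-]+$")

# Constructed stand-in for the appRoles array returned by
# GET https://graph.microsoft.com/beta/servicePrincipals/<objectID>.
EXISTING_APP_ROLES = [
    {
        "allowedMemberTypes": ["User"],
        "description": "msiam_access",
        "displayName": "msiam_access",
        "id": "7dfd756e-8c27-4472-b2b7-38c17fc50000",  # placeholder UUID
        "isEnabled": True,
        "origin": "Application",
        "value": None,
    }
]


def build_app_roles_patch(existing_roles, display_name, role_arn, provider_arn, role_id=None):
    """Return the PATCH body that keeps every existing app role and appends one
    role whose value is '<RAM role ARN>,<IdP ARN>'. Raises ValueError on bad input."""
    role_match = ROLE_ARN.match(role_arn)
    provider_match = PROVIDER_ARN.match(provider_arn)
    if not role_match:
        raise ValueError(f"not a RAM role ARN: {role_arn}")
    if not provider_match:
        raise ValueError(f"not a SAML provider ARN: {provider_arn}")
    if role_match.group(1) != provider_match.group(1):
        raise ValueError("role and IdP must belong to the same Alibaba Cloud account")
    # The default msiam_access role must stay in the array; new roles go after it.
    if not any(r.get("displayName") == "msiam_access" for r in existing_roles):
        raise ValueError("msiam_access entry missing; start from the GET response")
    new_value = f"{role_arn},{provider_arn}"
    if any(r.get("value") == new_value for r in existing_roles):
        raise ValueError("a role with this value is already present")
    role_id = role_id or str(uuid.uuid4())
    uuid.UUID(role_id)  # raises ValueError if a supplied id is not a valid UUID
    if any(r.get("id") == role_id for r in existing_roles):
        raise ValueError("role id collides with an existing app role")
    new_role = {
        "allowedMemberTypes": ["User"],
        "description": display_name,
        "displayName": display_name,
        "id": role_id,
        "isEnabled": True,
        "origin": "ServicePrincipal",
        "value": new_value,
    }
    # Copy the existing entries so the caller's list is left untouched.
    return {"appRoles": [dict(r) for r in existing_roles] + [new_role]}


if __name__ == "__main__":
    body = build_app_roles_patch(
        EXISTING_APP_ROLES,
        "Admin,AzureADProd",
        "acs:ram::1000000000000000:role/AADrole",
        "acs:ram::1000000000000000:saml-provider/AAD",
    )
    # Valid JSON, ready to paste into the Request Body field.
    print(json.dumps(body, indent=2))
```

Paste the printed JSON into the Request Body field unchanged; because the function starts from the array the GET request returned, every role already assigned to users survives the PATCH.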
  2. Perform the following steps to associate the RAM role with the Azure AD user (u2):
    1. Log on to the Azure portal as an administrator.
    2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
    3. In the NAME column, click Alibaba Cloud Service (Role-based SSO).
    4. In the left-side navigation pane, click Users and groups.
    5. In the upper-left corner, click Add user.
      Add a user
    6. On the page that appears, click Users, select u2 from the user list, and then click Select.
      Select a user
    7. Click Assign.
    8. View the assigned role.
      View the assigned role
      Note After you assign the role to the user (u2), the RAM role is automatically attached to the user. If you have created multiple RAM roles, you need to attach an appropriate role to the user. If you want to implement role-based SSO from Azure AD to multiple Alibaba Cloud accounts, repeat the preceding steps.

Test role-based SSO

  1. Log on to the Azure portal as an administrator.
  2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  3. In the NAME column, click Alibaba Cloud Service (Role-based SSO).
  4. In the left-side navigation pane of the page that appears, click Single sign-on.
  5. In the Validate single sign-on with Alibaba Cloud Service (Role-based SSO) section of the page that appears, click Validate.
    Validate
    Note Before you use u2 to test role-based SSO, make sure that u2 has been added to a group in Azure AD.
  6. Click Sign in as current user.
    Sign in as the current user
  7. On the page for selecting a logon account, select u2.
    Select an account

Result

If the following page appears, it indicates that role-based SSO is successful.

Successful role-based SSO