This topic provides an example on how to implement role-based single sign-on (SSO) from Azure Active Directory (Azure AD) to Alibaba Cloud. The example includes the steps that are required to configure role-based SSO on both an identity provider (IdP) and Alibaba Cloud.

Background information

Before you start, you must create an Alibaba Cloud account (Account 1) and an Azure AD tenant. An administrator and an organization user (u2) are added to the Azure AD tenant. The administrator is assigned the global administrative rights. You want to configure the required settings to enable the u2 user to access the resources of Account 1 by using role-based SSO.

To complete the configurations in Azure AD, you must log on to the Azure portal as an administrator that is assigned the global administrative rights. For more information about how to create and authorize users in Azure AD, see Azure AD documentation.

Step 1: Create an application in Azure AD

  1. Log on to the Azure portal as the administrator.
  2. In the upper-left corner of the homepage, click the portal menu icon.
  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  4. On the page that appears, click New application.
  5. Enter Alibaba Cloud Service (Role-based SSO) in the search box and click Alibaba Cloud Service (Role-based SSO) in the search results.
  6. In the panel that appears, enter a name for the application and click Create.
    In this example, use the default application name Alibaba Cloud Service (Role-based SSO). You can also enter a custom name for the application.
  7. In the left-side navigation pane of the Alibaba Cloud Service (Role-based SSO) page, click Properties. Then, copy and save the value of Object ID for subsequent use.

Step 2: Configure SSO in Azure AD

  1. In the left-side navigation pane of the Alibaba Cloud Service (Role-based SSO) page, click Single sign-on.
  2. In the Select a single sign-on method section, click SAML.
  3. In the Set up Single Sign-On with SAML section, configure SSO information.
    1. In the upper-left corner, click Upload metadata file, select a file, and then click Add.
      Note You can obtain the metadata file from the following URL: https://signin.alibabacloud.com/saml-role/sp-metadata.xml.
    2. In the Basic SAML Configuration panel, configure the following parameters and click Save.
      • Identifier (Entity ID): Set this parameter to the value of entityID that is read from the preceding metadata file.
      • Reply URL (Assertion Consumer Service URL): Set this parameter to the value of Location that is read from the preceding metadata file.
      • Relay State: Set this parameter to the URL of the page that is displayed after a user logs on to the Alibaba Cloud Management Console by using role-based SSO.
        Note For security purposes, you must enter a URL that points to an Alibaba website for Relay State. For example, the domain name in the URL can be *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If you enter a URL that does not point to an Alibaba website, the configuration is invalid. If you leave this parameter empty, you are redirected to the homepage of the Alibaba Cloud Management Console.
    3. In the User Attributes & Claims section, click the Edit icon.
    4. Click Add new claim, configure the following parameters, and then click Save.
      • Name: Enter Role.
      • Namespace: Enter https://www.aliyun.com/SAML-Role/Attributes.
      • Source: Select Attribute.
      • Source attribute: Select user.assignedroles from the drop-down list.
    5. Repeat the previous step to add another claim.
      • Name: Enter RoleSessionName.
      • Namespace: Enter https://www.aliyun.com/SAML-Role/Attributes.
      • Source: Select Attribute.
      • Source attribute: Select user.userprincipalname from the drop-down list.
    6. In the SAML Signing Certificate section, click Download next to Federation Metadata XML to obtain the required XML file.

Step 3: Create an IdP in Alibaba Cloud

  1. Log on to the RAM console by using Account 1.
  2. In the left-side navigation pane, click SSO.
  3. On the Role-based SSO tab, click Create IdP.
  4. In the panel that appears, set IdP Name to AAD and set Note.
  5. In the Metadata File section, click Upload.
    Note You must upload the federation metadata XML file that is downloaded in Step 2: Configure SSO in Azure AD.
  6. Click OK.

Step 4: Create a RAM role in Alibaba Cloud

  1. After the IdP is created, click Create RAM Role.
  2. On the page that appears, click Create Role.
  3. In the panel that appears, select IdP as the type of trusted entity and click Next.
  4. Set RAM Role Name to AADrole and set Note.
  5. Select AAD from the Select IdP drop-down list and click OK.
    Note
    • You can grant permissions to the RAM role based on your business requirements. For more information, see Grant permissions to a RAM role.
    • After you create the IdP and the RAM role, save the Alibaba Cloud Resource Names (ARNs) of the IdP and the RAM role for subsequent use. For more information about how to obtain the ARN of a RAM role, see View the basic information about a RAM role.
  6. Click Close.

Step 5: Associate the RAM role with the Azure AD user

  1. Create a role in Azure AD.
    1. Log on to the Graph Explorer of Azure AD as the administrator.
    2. Click the settings icon next to your account.
    3. Click Select permissions.
    4. In the Permissions panel, select the required permissions and click Consent.
      Note After the permissions are granted, you are redirected to Graph Explorer.
    5. In Graph Explorer, select GET from the first drop-down list and beta from the second drop-down list. Enter https://graph.microsoft.com/beta/servicePrincipals/<objectID> in the search box. objectID indicates the value of Object ID that is saved on the Properties page. Then, click Run query.
      Note If you have multiple directories, enter https://graph.microsoft.com/beta/contoso.com/servicePrincipals in the search box.
    6. On the Response preview tab, copy and save the value of the appRoles property for subsequent use.
       "appRoles": [
         {
           "allowedMemberTypes": [
             "User"
           ],
           "description": "msiam_access",
           "displayName": "msiam_access",
           "id": "7dfd756e-8c27-4472-b2b7-38c17fc5****",
           "isEnabled": true,
           "origin": "Application",
           "value": null
         }
       ],
    7. Go to Graph Explorer. Select PATCH from the first drop-down list and beta from the second drop-down list. Enter https://graph.microsoft.com/beta/servicePrincipals/<objectID> in the search box. objectID indicates the value of Object ID that is saved on the Properties page. Copy and paste the following sample script into the Request body section and click Run query.
      {
        "appRoles": [
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "7dfd756e-8c27-4472-b2b7-38c17fc5****",
            "isEnabled": true,
            "origin": "Application",
            "value": null
          },
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "Admin,AzureADProd",
            "displayName": "Admin,AzureADProd",
            "id": "68adae10-8b6b-47e6-9142-6476078c****", //The custom ID.
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD" //The ARNs of the IdP and the RAM role.
          }
        ]
      }
      Note You can create multiple roles based on your business requirements. Azure AD sends the ARNs of the assigned roles as the value of the Role claim in the SAML response. New roles must be appended after the msiam_access entry, which remains the first element of appRoles.
  2. Assign roles to the Azure AD user u2.
    1. Log on to the Azure portal as the administrator.
    2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
    3. In the Name column, click Alibaba Cloud Service (Role-based SSO).
    4. In the left-side navigation pane of the page that appears, click Users and groups.
    5. In the upper-left corner of the page that appears, click Add user/group.
    6. On the page that appears, click Users. In the Users panel, select u2 and click Select.
    7. Click Assign.
    8. View the roles that are assigned to u2.
      Note After you select u2, the created role is assigned to u2. If multiple roles are created, you must assign the roles to the Azure AD user based on your business requirements.

Verify the configuration results

  1. Obtain the user access URL.
    1. Log on to the Azure portal as the administrator.
    2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
    3. In the Name column, click Alibaba Cloud Service (Role-based SSO).
    4. In the left-side navigation pane of the page that appears, click Properties and obtain the value of User access URL.
  2. Enter the obtained URL in the address bar of your browser and log on with the username and password of u2.

    You are redirected to the page that is specified by Relay State. If Relay State is invalid or not specified, you are redirected to the homepage of the Alibaba Cloud Management Console.


(Optional) Configure the role-based SSO between Azure AD and multiple Alibaba Cloud accounts

Assume that you have two Alibaba Cloud accounts, Account 1 and Account 2. If you want the Azure AD user u2 to access the resources of both Account 1 and Account 2 by using role-based SSO after u2 logs on to Azure AD, perform the following operations:

  1. Create an application in Azure AD.
    For more information, see Step 1: Create an application in Azure AD.
  2. Configure SSO in Azure AD.
    For more information, see Step 2: Configure SSO in Azure AD.
  3. Create IdPs in Alibaba Cloud.
    You must create the AAD IdP for both Account 1 and Account 2. For more information, see Step 3: Create an IdP in Alibaba Cloud.
  4. Create RAM roles in Alibaba Cloud.
    You must create RAM roles for both Account 1 and Account 2. In this example, create two RAM roles for Account 1 and one RAM role for Account 2.
    • Create the adminaad and readaad RAM roles for Account 1.
    • Create the financeaad RAM role for Account 2.

    For more information, see Step 4: Create a RAM role in Alibaba Cloud.

  5. Associate the RAM roles with the Azure AD user (u2).
    In addition to the operations in Step 5: Associate the RAM role with the Azure AD user, the following operations are required:
    1. Create a role in Azure AD.
      In Graph Explorer of Azure AD, configure the following information:
      {
        "appRoles": [
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "7dfd756e-8c27-4472-b2b7-38c17fc5****",
            "isEnabled": true,
            "origin": "Application",
            "value": null
          },
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "Accout1Admin,AzureADProd",
            "displayName": "Accout1Admin,AzureADProd",
            "id": "68adae10-8b6b-47e6-9142-6476078c****", //The custom ID.
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "acs:ram::187125022711****:role/adminaad,acs:ram::187125022711****:saml-provider/AAD" //The ARNs of the IdP and one RAM role for Account 1.
          },
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "Accout1Read,AzureADProd",
            "displayName": "Accout1Read,AzureADProd",
            "id": "68adae10-8b6b-47e6-9142-6476077c****", //The custom ID.
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "acs:ram::187125022711****:role/readaad,acs:ram::187125022711****:saml-provider/AAD" //The ARNs of the IdP and the other RAM role for Account 1.
          },
          {
            "allowedMemberTypes": [
              "User"
            ],
            "description": "Accout2Finance,AzureADProd",
            "displayName": "Accout2Finance,AzureADProd",
            "id": "68adae10-8b6b-47e6-9142-6476046c****", //The custom ID.
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "acs:ram::177125022722****:role/financeaad,acs:ram::177125022722****:saml-provider/AAD" //The ARNs of the IdP and the RAM role for Account 2.
          }
        ]
      }
    2. Assign the following roles to the Azure AD user u2:
      You must assign the Accout1Admin,AzureADProd, Accout1Read,AzureADProd, and Accout2Finance,AzureADProd roles to u2.
  6. Use u2 to access Alibaba Cloud by using role-based SSO.
    When prompted, select the Alibaba Cloud account whose resources you want to access and the RAM role to assume in that account.
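Before you run the PATCH in Step 5, or its multi-account variant above, it is worth checking the appRoles body for the mistakes that silently break role-based SSO: the msiam_access entry moved out of first place, duplicate role IDs, or a role value whose role ARN and saml-provider ARN point at different accounts. The following Python script is an added example, not code from the Alibaba Cloud documentation or from either vendor's tooling; the account IDs, GUIDs and role names in its sample body are constructed, and the ARN shapes it enforces are the `acs:ram::<account-id>:role/<name>` and `acs:ram::<account-id>:saml-provider/<name>` forms used in the procedure.

```python
import json
import re

# Alibaba Cloud account IDs are 16 digits; a role's value must pair a role ARN and a saml-provider ARN from one account.
ROLE_ARN = re.compile(r"^acs:ram::(\d{16}):role/[\w.-]+$")
IDP_ARN = re.compile(r"^acs:ram::(\d{16}):saml-provider/[\w.-]+$")

# Constructed PATCH body in the shape the procedure uses (account IDs and GUIDs are made up).
SAMPLE_BODY = """{
  "appRoles": [
    {"allowedMemberTypes": ["User"], "description": "msiam_access",
     "displayName": "msiam_access", "id": "7dfd756e-8c27-4472-b2b7-38c17fc50001",
     "isEnabled": true, "origin": "Application", "value": null},
    {"allowedMemberTypes": ["User"], "description": "Admin,AzureADProd",
     "displayName": "Admin,AzureADProd", "id": "68adae10-8b6b-47e6-9142-6476078c0002", // custom ID
     "isEnabled": true, "origin": "ServicePrincipal",
     "value": "acs:ram::1234567890123456:role/adminaad,acs:ram::1234567890123456:saml-provider/AAD"},
    {"allowedMemberTypes": ["User"], "description": "Finance,AzureADProd",
     "displayName": "Finance,AzureADProd", "id": "68adae10-8b6b-47e6-9142-6476046c0003",
     "isEnabled": true, "origin": "ServicePrincipal",
     "value": "acs:ram::6543210987654321:role/financeaad,acs:ram::6543210987654321:saml-provider/AAD"}
  ]
}"""


def strip_line_comments(text: str) -> str:
    """Drop // comments like those in the page's samples (Graph Explorer rejects them) without touching string contents."""
    return re.sub(r'"(?:\\.|[^"\\])*"|//[^\n]*',
                  lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def check_app_roles(body: str) -> list[str]:
    """Return the problems found; an empty list means the body is consistent with the procedure."""
    roles = json.loads(strip_line_comments(body))["appRoles"]
    problems = []
    if not roles or roles[0]["displayName"] != "msiam_access":
        problems.append("msiam_access must remain the first appRole")
    ids = [r["id"] for r in roles]
    if len(ids) != len(set(ids)):
        problems.append("appRole ids must be unique")
    for r in roles[1:]:
        parts = (r.get("value") or "").split(",")
        role = ROLE_ARN.match(parts[0]) if len(parts) == 2 else None
        idp = IDP_ARN.match(parts[1]) if len(parts) == 2 else None
        if not (role and idp):
            problems.append(f"{r['displayName']}: value must be '<role ARN>,<saml-provider ARN>'")
        elif role.group(1) != idp.group(1):
            problems.append(f"{r['displayName']}: role and IdP ARNs are in different accounts")
    return problems
```

Paste the body you intend to PATCH in place of `SAMPLE_BODY`; an empty result means the entry order, IDs and ARN pairing match what the procedure expects.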