All Products
Search
Document Center

Resource Access Management:Create a RAM role for a trusted IdP

Last Updated:Feb 22, 2024

A Resource Access Management (RAM) role whose trusted entity is an identity provider (IdP) is used to implement role-based single sign-on (SSO) between Alibaba Cloud and a trusted IdP. Users of a trusted IdP can assume this type of RAM role.

Prerequisites

An IdP is created.

Create a RAM role for a SAML IdP

To implement SAML 2.0-based SSO, you must create a RAM role for a SAML IdP.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select IdP in the Select Trusted Entity section and click Next.

  5. Specify the RAM Role Name and Note parameters.

  6. Select SAML for the IdP Type parameter.

  7. Select a trusted IdP and read the conditions.

    Note

    Only the saml:recipient condition key is supported. This condition key is required and cannot be changed.

  8. Click OK.

  9. Click Close.

Create a RAM role for an OIDC IdP

To implement OIDC-based SSO, you must create a RAM role for an OIDC IdP.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select IdP in the Select Trusted Entity section and click Next.

  5. Specify the RAM Role Name and Note parameters.

  6. Select OIDC for the IdP Type parameter.

  7. Select a trusted IdP and specify the conditions.

    The following table describes the supported conditions.

    Condition key

    Description

    Required

    Examples

    oidc:iss

    The issuer. You can assume the RAM role only if the iss field of the OIDC token that you want to use to assume the RAM role meets this condition.

    The conditional operator must be StringEquals. The value must be the URL of the issuer that you specify for the selected OIDC IdP. You can specify this condition to ensure that you can use the OIDC token to assume the RAM role only if the OIDC token is issued by a trusted IdP.

    Yes

    https://dev-xxxxxx.okta.com

    oidc:aud

    The audience. You can assume the RAM role only if the aud field of the OIDC token that you want to use to assume the RAM role meets this condition.

    The conditional operator must be StringEquals. The value can be one or more client IDs that you specify for the selected OIDC IdP. You can specify this condition to ensure that you can use the OIDC token to assume the RAM role only if the OIDC token is generated by using the client ID that you specify.

    Yes

    0oa294vi1vJoClev****

    oidc:sub

    The subject. You can assume the RAM role only if the sub field of the OIDC token that you want to use to assume the RAM role meets this condition.

    The conditional operator can be a string of all types. The value can be up to 10 subjects. You can specify this condition to further limit the identity that you can use to assume the RAM role. You can also leave this condition unspecified.

    No

    00u294e3mzNXt4Hi****

  8. Click OK.

  9. Click Close.

What to do next

After a RAM role is created, the RAM role has no permissions. You can grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.