This topic describes how to create a Resource Access Management (RAM) role for a trusted identity provider (IdP). This type of RAM role is used to implement single sign-on (SSO) between Alibaba Cloud and a trusted IdP.


Prerequisite: An IdP is created. For more information, see Create an IdP.


  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Create Role panel, select IdP for Select Trusted Entity and click Next.
  5. Specify the RAM Role Name and Note parameters.
  6. Select a trusted IdP, read the conditions, and then click OK.
     Note: Only the saml:recipient condition key is supported. This condition key is required and cannot be changed.
  7. Click Close.
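
The role created by the steps above trusts the selected IdP under the saml:recipient condition. The following Python check is an added example, not Alibaba Cloud code: it audits an exported role trust policy for a federated-only principal and the required condition. The JSON layout, the recipient URL, the account ID and the IdP name are assumptions or constructed placeholders.

```python
import json

# Assumption: saml:recipient value for the international site; it is not stated
# on this page, so compare against the condition the console displays.
EXPECTED_RECIPIENT = "https://signin.alibabacloud.com/saml-role/sso"

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_trust_policy(policy_json, expected_recipient=EXPECTED_RECIPIENT):
    """Return findings for a role trust policy; an empty list means it passes."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("policy has no Allow statement")
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append(f"statement {i}: principal is not a federated IdP only")
        else:
            arns = as_list(principal["Federated"])
            if not arns or any(":saml-provider/" not in a or "*" in a for a in arns):
                findings.append(f"statement {i}: unexpected federated principal {arns}")
        cond = (stmt.get("Condition") or {}).get("StringEquals") or {}
        recipients = as_list(cond.get("saml:recipient"))
        if not recipients:
            findings.append(f"statement {i}: saml:recipient condition missing")
        elif recipients != [expected_recipient]:
            findings.append(f"statement {i}: saml:recipient is {recipients}")
    return findings

# Constructed sample policies (account ID and IdP name are placeholders).
IDP = "acs:ram::1234567890123456:saml-provider/example-idp"
GOOD = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Federated": [IDP]},
    "Condition": {"StringEquals": {"saml:recipient": EXPECTED_RECIPIENT}}}]})
NO_CONDITION = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Federated": [IDP]}}]})
ACCOUNT_TRUST = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"RAM": ["acs:ram::1234567890123456:root"]}}]})

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("NO_CONDITION", NO_CONDITION),
                      ("ACCOUNT_TRUST", ACCOUNT_TRUST)]:
        print(name, audit_trust_policy(doc) or "ok")
```

An empty result means the policy trusts only a SAML IdP and carries the expected saml:recipient value; any finding is worth reviewing before permissions are granted to the role.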

What to do next

After the RAM role is created, the RAM role has no permissions. You can grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.