You can implement user-based single sign-on (SSO) or role-based SSO to log on to the Alibaba Cloud Management Console from the identity provider (IdP) of your enterprise. SSO is also known as identity federation.

Background information

Alibaba Cloud supports Security Assertion Markup Language (SAML) 2.0-based SSO. To help you better understand SSO, the following table explains the terms that are related to SAML and SSO.

Term: identity provider (IdP)
Description: A RAM entity that provides identity management services. IdPs are classified into the following types:
  • IdPs that use the on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth
  • IdPs that use the cloud-based architecture, such as Azure AD, Google G Suite, Okta, and OneLogin

Term: service provider (SP)
Description: An application that uses the identity management feature of an IdP to provide users with specific services. An SP consumes the user information that is provided by an IdP. In identity management systems that do not follow the SAML protocol (such as OpenID Connect), the SP is known as the relying party of an IdP.

Term: Security Assertion Markup Language 2.0 (SAML 2.0)
Description: A protocol that is designed for enterprise-level user identity authentication. SAML 2.0 is used for communication between an SP and an IdP, and is the standard that enterprises use to implement enterprise-level SSO.

Term: SAML assertion
Description: A core element that is defined in the SAML protocol. This element describes the authentication request and response. For example, the SAML assertion in an authentication response can carry user attributes.

Term: trust
Description: A mutual trust relationship between an SP and an IdP. In most cases, the trust relationship is established by using public and private keys. The SP obtains the SAML metadata of a trusted IdP; this metadata includes a public key, which the SP uses to verify the integrity of each SAML assertion that the IdP issues.

SSO methods

You can implement SSO between your enterprise services and Alibaba Cloud by using SAML 2.0-based IdPs, such as AD FS. Alibaba Cloud provides the following two SAML 2.0-based SSO methods:

  • User-based SSO: The RAM user that you can use to log on to the Alibaba Cloud Management Console is determined based on a SAML assertion. This SAML assertion is issued by an IdP. After you log on to the Alibaba Cloud Management Console, you can access Alibaba Cloud resources as a RAM user.
  • Role-based SSO: The RAM role that you can use to log on to the Alibaba Cloud Management Console is determined based on a SAML assertion. This SAML assertion is issued by an IdP. After you log on to the Alibaba Cloud Management Console, you can use the RAM role that is specified in the SAML assertion to access Alibaba Cloud resources.

For more information about the differences between these two SSO methods, see Scenarios of SSO.
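The trust relationship described in the table above and the two SSO methods both come down to what the SP does with an assertion: it must accept only assertions signed with a key taken from the pinned IdP metadata, check the audience and validity window, and only then read the NameID (user-based SSO) or the role attribute (role-based SSO). The following is an added example, not code from the Alibaba Cloud documentation or from any Alibaba Cloud SDK, that performs those SP-side checks with the Python standard library. The metadata, assertion, certificate strings, entity IDs and the role attribute name `https://sp.example.com/SAML-Role/Attributes/Role` are all constructed placeholders; the cryptographic XML-DSig verification itself still requires a dedicated library and is not performed here.

```python
"""Added example: SP-side checks on a SAML 2.0 assertion (stdlib only).
All identifiers, certificates and attribute names are constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed IdP metadata. The SP obtains it out of band and pins the
# signing certificate it contains (placeholder text, not a real certificate).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/adfs">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-IDP-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion as an IdP might issue it: NameID for user-based SSO,
# a role attribute (assumed attribute name) for role-based SSO.
ROLE_ATTR = "https://sp.example.com/SAML-Role/Attributes/Role"  # assumed name
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIC...PLACEHOLDER-IDP-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.example-sp.com/saml/SSO</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://sp.example.com/SAML-Role/Attributes/Role">
      <saml:AttributeValue>role/DmsUsers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion, but carrying a certificate that is not in the IdP metadata.
TAMPERED_ASSERTION = ASSERTION.replace("PLACEHOLDER-IDP-CERT", "PLACEHOLDER-OTHER-CERT")

EXPECTED_ISSUER = "https://idp.example.com/adfs"
EXPECTED_AUDIENCE = "https://signin.example-sp.com/saml/SSO"
VALID_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
LATE_TIME = datetime(2024, 1, 1, 12, 30, 0, tzinfo=timezone.utc)


def signing_certs_from_metadata(metadata_xml):
    """Return the set of signing certificates pinned in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.add("".join(cert.text.split()))
    return certs


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml, trusted_certs, now):
    """Run the SP-side checks and extract identity data only if they pass."""
    root = ET.fromstring(assertion_xml)
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    # Key pinning: the key named in the assertion must come from the trusted
    # metadata; an SP must never trust whatever KeyInfo the message carries.
    sig = root.find("ds:Signature", NS)
    cert = sig.find(".//ds:X509Certificate", NS) if sig is not None else None
    if cert is None or "".join(cert.text.split()) not in trusted_certs:
        problems.append("signing certificate not in IdP metadata")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
        if EXPECTED_AUDIENCE not in audiences:
            problems.append("audience mismatch")
    if problems:
        return {"ok": False, "problems": problems, "name_id": None, "roles": []}
    roles = [v.text for a in root.findall(".//saml:Attribute", NS)
             if a.get("Name") == ROLE_ATTR
             for v in a.findall("saml:AttributeValue", NS)]
    return {"ok": True, "problems": [],
            "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "roles": roles}


def evaluate(now, assertion_xml=ASSERTION):
    """Convenience wrapper over the constructed metadata and assertion."""
    return validate_assertion(assertion_xml, signing_certs_from_metadata(IDP_METADATA), now)


if __name__ == "__main__":
    print(evaluate(VALID_TIME))
    print(evaluate(LATE_TIME))
    print(evaluate(VALID_TIME, TAMPERED_ASSERTION))
```

The order of the checks matters: identity data (NameID, roles) is released only after issuer, key pinning, validity window and audience all pass, so an expired or wrongly addressed assertion can never be turned into a RAM user or RAM role session by later code.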

Implement user-based or role-based SSO

Add RAM users

After SSO is configured, a DMS administrator can add all other RAM users who need to use DMS to the DMS console in a single batch. To add the RAM users, perform the following steps: Log on to the DMS console. In the top navigation bar, choose System > User. On the User tab, click Synchronize RAM User. For more information, see Add a user.
Note: RAM users that have the AdministratorAccess permission are automatically initialized as DMS administrators. All other RAM users are initialized as regular users. For more information about DMS system roles, see System roles.

Example

The following example shows you how to implement SSO between your enterprise services and Alibaba Cloud by using AD FS.

  1. Enter the logon URL of a RAM user in the address bar of your browser.
  2. Click Login with Enterprise Account.
    You are navigated to the logon page of AD FS.
  3. Enter the username and password, and click Login.
    Note: The username and password are provided and maintained by AD FS.
  4. On the Product And Service tab of the Alibaba Cloud Management Console, click Data Management.
    You are connected to the DMS console.