
Resource Access Management:SAML response for user-based SSO

Last Updated: Mar 18, 2024

This topic describes the syntax of a Security Assertion Markup Language (SAML) response for user-based single sign-on (SSO). This topic also describes the elements of a SAML assertion in a SAML response.

Background information

During SAML 2.0-based SSO, after the identity provider (IdP) verifies the identity of a user, it generates an authentication response and delivers it to Alibaba Cloud through the user's browser or a program. The response carries a SAML assertion and is delivered according to the HTTP POST binding of SAML 2.0. Alibaba Cloud evaluates the SAML assertion to decide whether the user is logged on and which RAM user the assertion identifies. Therefore, the SAML assertion must contain the elements that Alibaba Cloud requires, with the values that Alibaba Cloud expects. If a required element is missing or has an unexpected value, SSO fails.

SAML response

Make sure that every SAML response that your IdP sends to Alibaba Cloud contains the following elements. Otherwise, SSO fails. Note that the Signature element sits inside the Assertion element: it is the assertion that must be signed.

<saml2p:Response>
    <saml2:Issuer>...</saml2:Issuer>
    <saml2p:Status>
        ...
    </saml2p:Status>
    <saml2:Assertion>
        <saml2:Issuer>...</saml2:Issuer>
        <ds:Signature>
            ...
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID>${NameID}</saml2:NameID>
            <saml2:SubjectConfirmation>
                ...
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions>
            <saml2:AudienceRestriction>
                <saml2:Audience>${Audience}</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement>
            ...
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

Elements in a SAML assertion

  • Common elements in SAML 2.0

    For more information about SAML 2.0, see SAML 2.0.

    Issuer

    The value of the Issuer element must match EntityID in the metadata file that you upload for the IdP in the Alibaba Cloud Management Console.

    Signature

    The SAML assertion must be signed. The Signature element is a child of the Assertion element and contains information such as the signature value and the signature algorithm. Alibaba Cloud verifies the signature with the signing certificate from the IdP metadata file that you upload. A valid signature confirms that the assertion was issued by your IdP and has not been modified since it was signed; an assertion whose signature is missing or fails verification is rejected.

    Subject

    The Subject element must contain the following sub-elements:

    • Exactly one NameID sub-element. The sub-element identifies a RAM user within your Alibaba Cloud account. For more information, see the description and example of NameID in this topic.

    • Exactly one SubjectConfirmation sub-element that contains a SubjectConfirmationData sub-element. The SubjectConfirmationData sub-element must contain the following attributes:

      • NotOnOrAfter: the UTC time at or after which the SAML assertion is no longer accepted. Alibaba Cloud rejects an assertion that has passed this time, so keep the validity window short and keep the IdP clock synchronized.

      • Recipient: the recipient of the SAML assertion. Alibaba Cloud compares the value of this attribute with its own SSO endpoint and rejects the assertion on a mismatch. Therefore, you must set this attribute to https://signin-intl.aliyun.com/saml/SSO.

      The following script provides an example of the Subject element:

      <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Alice@example.onaliyun.com</NameID>        
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">   
          <SubjectConfirmationData NotOnOrAfter="2019-01-01T00:01:00.000Z" Recipient="https://signin-intl.aliyun.com/saml/SSO"/>    
        </SubjectConfirmation>
      </Subject>

    Conditions

    The Conditions element must contain an AudienceRestriction sub-element. The AudienceRestriction sub-element can contain one or more Audience sub-elements, and one of them must have the value https://signin-intl.aliyun.com/${accountId}/saml/SSO, where ${accountId} is the ID of the Alibaba Cloud account to which the RAM user belongs. This check binds the assertion to your account: an assertion whose audience names a different account ID is not accepted.

    The following script provides an example of the Conditions element:

    <Conditions>
      <AudienceRestriction>
        <Audience>https://signin-intl.aliyun.com/${accountId}/saml/SSO</Audience>
      </AudienceRestriction>
    </Conditions>           
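    The checks described for the common elements above, collected into an added example (illustrative code written for this page, not Alibaba Cloud's implementation). It parses a constructed response that follows the skeleton and verifies the Issuer, the presence of the Signature, a single NameID, the Recipient and NotOnOrAfter attributes of SubjectConfirmationData, the Audience for the account, and the AuthnStatement. The IdP EntityID, the account ID and the timestamps are made up; only the presence of ds:Signature is checked, not its cryptographic validity:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used in the response skeleton above.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RECIPIENT = "https://signin-intl.aliyun.com/saml/SSO"  # fixed value required by Alibaba Cloud

# Constructed values for the example (not real identifiers).
IDP_ENTITY_ID = "https://idp.example.com/metadata"
ACCOUNT_ID = "1234567890123456"


def expected_audience(account_id):
    """Audience value that Alibaba Cloud expects for the given account ID."""
    return f"https://signin-intl.aliyun.com/{account_id}/saml/SSO"


def parse_utc(ts):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported timestamp: {ts!r}")


def check_assertion(response_xml, idp_entity_id, account_id, now_utc):
    """Run the structural checks from the table above; return a list of problems.

    An empty list means every required element is present with the expected value.
    Only the presence of ds:Signature is checked; verifying it against the IdP
    certificate needs an XML-DSig library and is outside this example.
    """
    problems = []
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]

    issuer = a.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} does not match IdP EntityID {idp_entity_id!r}")
    if a.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")

    subject = a.find("saml2:Subject", NS)
    if subject is None:
        problems.append("Subject is missing")
    else:
        name_ids = subject.findall("saml2:NameID", NS)
        if len(name_ids) != 1 or not (name_ids[0].text or "").strip():
            problems.append("Subject must contain exactly one non-empty NameID")
        scds = subject.findall("saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
        if len(scds) != 1:
            problems.append("Subject must contain exactly one SubjectConfirmationData")
        else:
            scd = scds[0]
            if scd.get("Recipient") != RECIPIENT:
                problems.append(f"Recipient {scd.get('Recipient')!r} is not {RECIPIENT!r}")
            not_on_or_after = scd.get("NotOnOrAfter")
            if not_on_or_after is None:
                problems.append("SubjectConfirmationData lacks NotOnOrAfter")
            elif parse_utc(now_utc) >= parse_utc(not_on_or_after):  # invalid at or after
                problems.append(f"assertion expired at {not_on_or_after}")

    audiences = [(e.text or "").strip() for e in
                 a.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience(account_id) not in audiences:
        problems.append(f"Audience {audiences!r} does not include {expected_audience(account_id)!r}")
    if a.find("saml2:AuthnStatement", NS) is None:
        problems.append("AuthnStatement is missing")
    return problems


# Constructed response following the skeleton; the signature is a placeholder.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion>
    <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Alice@example.onaliyun.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2019-01-01T00:01:00.000Z" Recipient="https://signin-intl.aliyun.com/saml/SSO"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions><saml2:AudienceRestriction>
      <saml2:Audience>https://signin-intl.aliyun.com/1234567890123456/saml/SSO</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2019-01-01T00:00:00.000Z"/>
  </saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE, IDP_ENTITY_ID, ACCOUNT_ID, "2019-01-01T00:00:30Z"))
```

    Run as a script, the sample passes every check and prints an empty list; changing the account ID, moving the clock to the NotOnOrAfter instant, or removing the Signature element each produces a specific problem, which is the behaviour you should expect from Alibaba Cloud when debugging a failed SSO.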
  • NameID element

    Alibaba Cloud locates a RAM user by its User Principal Name (UPN). Therefore, the SAML assertion that your IdP generates must carry the UPN of the RAM user. To implement user-based SSO, Alibaba Cloud parses the NameID element of the SAML assertion and maps its value to the UPN of the corresponding RAM user.

    When you configure the SAML assertion that your IdP issues, you must therefore map the UPN of the RAM user to the NameID element in the SAML assertion.

    The value of the NameID element must include one of the following suffixes:

    • The domain alias of your Alibaba Cloud account: <username>@<domain_alias>. <username> specifies the username of a RAM user. <domain_alias> specifies the domain alias. For more information about how to configure a domain alias, see Create and verify a domain alias.

    • The auxiliary domain name: <username>@<auxiliary_domain>. <username> specifies the username of the RAM user. <auxiliary_domain> specifies the auxiliary domain name. For information about how to configure an auxiliary domain name, see Configure the SAML settings of Alibaba Cloud for role-based SSO.

      Note

      If you configure both a domain alias and an auxiliary domain name, the domain alias takes precedence: the value of the NameID element must be suffixed with the domain alias (or the default domain name), and the auxiliary domain name is not accepted as a suffix.

    • The default domain name of your Alibaba Cloud account: <username>@<default_domain>. <username> specifies the username of a RAM user. <default_domain> specifies the default domain name. For more information about how to configure the default domain name, see View and modify the default domain name.

      Note

      You can use the default domain name of your Alibaba Cloud account as the suffix of the NameID element even if you have configured a domain alias or an auxiliary domain name.

  • NameID example

    In this example, a RAM user that is named Alice is created for your Alibaba Cloud account and the default domain name of your Alibaba Cloud account is example.onaliyun.com.

    • If you set the domain alias of your Alibaba Cloud account to example.com, the value of the NameID element in a SAML assertion is Alice@example.onaliyun.com or Alice@example.com.

    • If you have set the auxiliary domain name to example.net and no domain aliases are configured, the value of the NameID element in a SAML assertion is Alice@example.onaliyun.com or Alice@example.net.

    • If you set the domain alias of your Alibaba Cloud account to example.com and the auxiliary domain name to example.net, the value of the NameID element in a SAML assertion is Alice@example.onaliyun.com or Alice@example.com. The auxiliary domain name cannot be used in this case, so Alice@example.net is not mapped to the RAM user.
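    The NameID suffix rules above, including the precedence of the domain alias over the auxiliary domain name, as an added example (illustrative code written for this page, not Alibaba Cloud's implementation). The three scenarios are the ones in the NameID example; the assumption that domain suffixes are compared case-insensitively is the author's, not stated on this page:

```python
def accepted_suffixes(default_domain, domain_alias=None, auxiliary_domain=None):
    """Domain suffixes accepted in NameID for the given account configuration.

    The default domain is always accepted. A domain alias is accepted when one is
    configured and takes precedence: the auxiliary domain is accepted only when no
    domain alias exists. Domains are lower-cased for comparison (assumption).
    """
    suffixes = {default_domain.lower()}
    if domain_alias:
        suffixes.add(domain_alias.lower())
    elif auxiliary_domain:
        suffixes.add(auxiliary_domain.lower())
    return suffixes


def resolve_ram_user(name_id, default_domain, domain_alias=None, auxiliary_domain=None):
    """Map a NameID value to a RAM username; return None if the suffix is not accepted."""
    username, sep, suffix = name_id.rpartition("@")
    if not sep or not username:
        return None  # no '@' or empty username: not a UPN
    if suffix.lower() not in accepted_suffixes(default_domain, domain_alias, auxiliary_domain):
        return None
    return username


# Constructed scenarios mirroring the NameID example above.
DEFAULT = "example.onaliyun.com"
SCENARIOS = [
    ("alias only", dict(domain_alias="example.com")),
    ("auxiliary only", dict(auxiliary_domain="example.net")),
    ("alias and auxiliary", dict(domain_alias="example.com", auxiliary_domain="example.net")),
]

if __name__ == "__main__":
    for label, kwargs in SCENARIOS:
        for name_id in ("Alice@example.onaliyun.com", "Alice@example.com", "Alice@example.net"):
            print(f"{label:20} {name_id:28} -> {resolve_ram_user(name_id, DEFAULT, **kwargs)}")
```

    In the third scenario the script shows Alice@example.net resolving to None while Alice@example.com and Alice@example.onaliyun.com both resolve to Alice, which is the behaviour the note above describes.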

References

How do I view a SAML response in Google Chrome?