This topic describes how to configure the NameID element in a SAML assertion that is issued by your identity provider (IdP) for user-based SSO.

Background information

Alibaba Cloud uses a User Principal Name (UPN) to locate a RAM user. Therefore, the SAML response generated by your IdP must contain the UPN of the RAM user. To implement user-based SSO, Alibaba Cloud resolves the NameID element in the SAML assertion and maps this element to the UPN of the corresponding RAM user.

When you configure the SAML assertion issued by your IdP, you must map the UPN of the target RAM user to the NameID element in the SAML assertion.

Configure the NameID element

The NameID element must contain one of the following suffixes:

  • The domain alias of your Alibaba Cloud account: <username>@<domain_alias>. <username> is the username of the RAM user, and <domain_alias> is the domain alias. For information about how to specify a domain alias, see Create a domain alias.
  • The auxiliary domain name: <username>@<auxiliary_domain>. <username> is the username of the RAM user, and <auxiliary_domain> is the auxiliary domain name. For information about how to specify an auxiliary domain name, see Configure the SAML settings of Alibaba Cloud for user-based SSO.
    Note: If you specify both a domain alias and an auxiliary domain name, only the domain alias is accepted as the suffix of the NameID element.
  • The default domain name of your Alibaba Cloud account: <username>@<default_domain>. <username> is the username of the RAM user, and <default_domain> is the default domain name. For information about how to specify a default domain name, see Manage the default domain name.
    Note: The default domain name of your Alibaba Cloud account is always accepted as the suffix of the NameID element, even when you have specified a domain alias or an auxiliary domain name.

Example

This topic uses an example to explain how to configure the NameID element. In this example, a RAM user named Alice exists in your Alibaba Cloud account, and the default domain name of your Alibaba Cloud account is example.onaliyun.com.
  • If you specify example.com as the domain alias of your Alibaba Cloud account, the value of the NameID element in the SAML assertion is either Alice@example.onaliyun.com or Alice@example.com.
  • If you do not specify a domain alias but specify example2.com as the auxiliary domain name, the value of the NameID element in the SAML assertion is either Alice@example.onaliyun.com or Alice@example2.com.
  • If you specify example.com as the domain alias of your Alibaba Cloud account and example2.com as the auxiliary domain name, the value of the NameID element in the SAML assertion is either Alice@example.onaliyun.com or Alice@example.com (Alice@example2.com is not accepted).
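The following Python script is an added example, not code from Alibaba Cloud, that models the suffix rules from the "Configure the NameID element" section and checks them against the three cases above. It pulls the NameID out of a constructed SAML 2.0 assertion (the standard urn:oasis:names:tc:SAML:2.0:assertion namespace), then resolves it to a RAM username only if the suffix is the default domain, the domain alias, or, when no alias is set, the auxiliary domain name. The assertion text, the Issuer URL and the account domain values are constructed placeholders, and the case-insensitive comparison of domain suffixes is this example's assumption, not something the page states. It is useful for validating an IdP's NameID mapping offline before enabling SSO.

```python
"""Check that a SAML NameID maps to a RAM user under the documented suffix rules.

Added example, not Alibaba Cloud's code. Rules modelled:
  - the default domain name is always accepted;
  - a domain alias, if set, is accepted and takes precedence over the auxiliary domain;
  - otherwise the auxiliary domain name is accepted.
All domain values and the sample assertion below are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Standard SAML 2.0 assertion namespace used by the Subject/NameID lookup.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass(frozen=True)
class AccountDomains:
    """Domain settings of one Alibaba Cloud account (constructed values)."""
    default_domain: str                   # e.g. example.onaliyun.com, always accepted
    domain_alias: Optional[str] = None    # wins over auxiliary_domain when both are set
    auxiliary_domain: Optional[str] = None

    def accepted_suffixes(self) -> frozenset[str]:
        """Suffixes a NameID may carry for this account (lower-cased, an assumption)."""
        suffixes = {self.default_domain.lower()}
        if self.domain_alias:
            suffixes.add(self.domain_alias.lower())
        elif self.auxiliary_domain:
            suffixes.add(self.auxiliary_domain.lower())
        return frozenset(suffixes)


def extract_name_id(assertion_xml: str) -> str:
    """Return the text of Subject/NameID from a SAML 2.0 Assertion element."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID value")
    return node.text.strip()


def resolve_ram_user(name_id: str, domains: AccountDomains) -> str:
    """Map <username>@<suffix> to the RAM username, or raise ValueError."""
    username, sep, suffix = name_id.rpartition("@")
    if not sep or not username or not suffix or "@" in username:
        raise ValueError(f"NameID {name_id!r} is not of the form <username>@<domain>")
    # Domain suffixes are compared case-insensitively; the username is passed through unchanged.
    if suffix.lower() not in domains.accepted_suffixes():
        raise ValueError(f"suffix {suffix!r} is not an accepted domain for this account")
    return username


def is_accepted(name_id: str, domains: AccountDomains) -> bool:
    """True if the NameID would be mapped to a RAM user under the account's domains."""
    try:
        resolve_ram_user(name_id, domains)
        return True
    except ValueError:
        return False


# Constructed assertion: only the elements needed for NameID resolution are present;
# the Issuer URL is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/placeholder</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    # Third case from the text: alias example.com and auxiliary domain example2.com both set.
    account = AccountDomains("example.onaliyun.com",
                             domain_alias="example.com",
                             auxiliary_domain="example2.com")
    name_id = extract_name_id(SAMPLE_ASSERTION)
    print(name_id, "->", resolve_ram_user(name_id, account))
    for candidate in ("Alice@example.onaliyun.com", "Alice@example.com", "Alice@example2.com"):
        print(candidate, "accepted" if is_accepted(candidate, account) else "rejected")
```

Run it as a script to see the three candidate NameIDs classified for the alias-plus-auxiliary case; `is_accepted` is the function to call from a test harness when you want a yes/no answer without exception handling. The precedence rule lives in one place, `accepted_suffixes`, so a change in how the account is configured (alias added or removed) changes the result without touching the parser.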