This topic describes how to let a RAM user log on to the RAM console through single sign-on (SSO) for a better user experience.

Background

Some employees who need to access the RAM console have multiple Alibaba Cloud accounts. Frequent account switching is time-consuming and degrades the user experience.

Solution

IDaaS allows RAM users to log on to the RAM console through single sign-on. If a user has multiple Alibaba Cloud accounts, add one Alibaba Cloud console application per account on IDaaS, each with a different name. This implements single sign-on for the different Alibaba Cloud accounts.

Procedure

Step 1: Prepare a RAM user

  1. Log on to Alibaba Cloud with your Alibaba Cloud account.
  2. Choose Products > Monitor and Management > Resource Access Management.
  3. Configure domain name settings.

    In the left-side navigation pane, click SSO. You can see the tenantID on the User-based SSO tab.

Step 2: Add the application on IDaaS

  1. Find RAM - User-based SSO from the application list and click Add Application in the Actions column.
  2. Add a SigningKey (certificate).
  3. Configure SAML.

    Find the SigningKey in the list and click Select in the Actions column to configure SAML. Set the parameters such as RAM User Domain, IDaaS IdentityId, and SP Entity ID. You can use the default values for most parameters. The IDaaS IdentityId must be the user ID, and NameIDFormat must be urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

    The following figure shows an example based on the RAM account information.

    Set RAM User Domain to a value such as 1694154688671682.onaliyun.com, replacing the number part with the tenantID shown on the User-based SSO tab in Step 1.

  4. Save your settings. Go to the Application List page and view Application Details. Export the SAML metadata to the Metadata.xml file.
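The following Python script is added here as an illustration and is not part of the IDaaS or RAM documentation. It checks an exported IdP Metadata.xml for the settings this procedure depends on (a signing certificate, the persistent NameIDFormat, an SSO endpoint) before the file is uploaded in Step 3, and builds the NameID value expected for a RAM user from the user name and tenantID. The sample metadata, its entityID and the certificate placeholder are constructed; the NameID form <user>@<tenantID>.onaliyun.com is assumed from the RAM User Domain setting above.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample of an exported IdP Metadata.xml (placeholder values, not a real tenant).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idaas.example.com/saml/EXAMPLE-IDP">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idaas.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Return a list of problems found; an empty list means the metadata looks usable for RAM SSO."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not root.get("entityID"):
        problems.append("root must be md:EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    # The SigningKey added in Step 2 must show up as an X509Certificate in a KeyDescriptor.
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no signing certificate (SigningKey) in KeyDescriptor")
    # RAM user-based SSO requires the persistent NameID format.
    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    if PERSISTENT not in formats:
        problems.append("NameIDFormat is not %s" % PERSISTENT)
    if idp.find("md:SingleSignOnService", NS) is None:
        problems.append("no SingleSignOnService endpoint")
    return problems


def expected_name_id(ram_user, tenant_id):
    """NameID assumed for a RAM user: <user>@<tenantID>.onaliyun.com (the RAM User Domain)."""
    user = ram_user.split("@", 1)[0]  # the domain part may be omitted when binding the account
    return "%s@%s.onaliyun.com" % (user, tenant_id)
```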

Step 3: Configure SSO in the RAM console

  1. Log on to the RAM console and upload the Metadata.xml file: in the left-side navigation pane, click SSO. On the User-based SSO tab, click Modify, set SSO Status to Enabled, and upload the metadata file.

Step 4: Log on to the RAM console from IDaaS in a single sign-on manner

  1. Enable the application.
  2. Create an account in the IDaaS console.
  3. Authorize the application on the Application Authorization page.
  4. Bind the application account to the user account in the IDaaS console. The application account is the RAM user created in the RAM console. The domain name part of the RAM user can be omitted when you enter the RAM user in the IDaaS console.

  5. Log on to the IDaaS console as a common user and copy the following links.
    Note: View the following links in the IDaaS console.
  6. Log on to IDaaS with the account created in IDaaS. After a successful logon, click the RAM - User-based SSO icon on the My Applications page to perform single sign-on.

If all the preceding operations succeed, the RAM user is logged on to the RAM console through single sign-on.

FAQ

  1. If the following error is displayed, check whether the metadata file has been uploaded in the RAM console.
  2. If the following error is displayed, check whether the IDaaS IdentityId and SP Entity ID are correct.