This topic describes how to use a RAM role to log on to the RAM console in a single sign-on manner for better user experience.


Some employees who want to access the RAM console have multiple accounts and each account has different permissions and roles. The traditional logon method requires frequent account switching, and as a result is time-consuming and not user-friendly.


IDaaS allow RAM roles to log on to the RAM console in a single sign-on manner. If an employee already has many RAM roles with different permissions, you only need to add the RAM - Role-based SSO application and then add RAM roles to application accounts. Thus single sign-on for multiple RAM roles is implemented.


Step 1: Prepare a RAM account

  1. Create a user.

    In the left-side navigation pane, choose Identities > Users. Create a new user or click the name of an existing user to go to the details page.

  2. Obtain the AccessKey ID and AccessKey secret, which are required to create an application in IDaaS console and query the RAM role list.
  3. Grant the user AliyunRAMFullAccess permissions.

Step 2: Add the application on IDaaS

  1. Find RAM - Role-based SSO from the application list and click Add Application in the Actions column.
  2. Add a SigningKey (certificate).

  3. Configure SAML.

    Find a SigningKey in the list and click Select in the Actions column to configure SAML. Set the parameters such as IDaaS IdentityId, SP Entity ID, and SP ACS URL (SSO Location). You can use the default values for most parameters. The IDaaS IdentityId must be the user ID and NameIdFomat must be urm:oasis:names:tc:SAML:2.0:nameid-format:persistent.

    The following figure shows an example based on the RAM account information. The AccessKeyID and AccessKeySecret parameters are required and provided by the owner of the RAM account.

    SP Entity ID:urn:alibaba:cloudcomputing:international

    SP ACS URL (SSO Location):
  4. Save your settings. Go to the Application List page and view Application Details. Export the SAML metadata to the Metadata.xml file, which must be uploaded when a new SP is created.

Step 3: Create a role in the RAM console

  1. Log on to Alibaba Cloud with the Alibaba Cloud account.
  2. Access RAM.

    Choose Products > Monitor and Management > Resource Access Management.

  3. Create an identity provider.

    In the left-side navigation pane, click SSO. Click Create IdP on the Role-based SSO tab. Set IdP Name and upload the metadata file provided by IDaaS.

  4. Create a RAM role.

    After the identity provider is created, click Create RAM Role. Set RAM Role Name and select an existing identity provider in the Select IdP field.

    After the role is created, you must authorize the role. Click Add Permissions to RAM Role and grant the role the AliyunRAMReadOnlyAccess permissions at least. If no access permissions are granted, the "You are not authorized" message is displayed.

Step 4: Configure an application account on IDaaS

  1. Find the target application in the application list and click Details in the Actions column. In the Account Information - Application Accounts section, click View Application Accounts. Click Link Accounts. The RAM Role drop-down list shows the RAM roles created in the RAM console. You must select the identity provider for the RAM role that uploads the metadata file.

Step 5: Log on to the RAM console from IDaaS in a single sign-on manner

  1. Enable the application.
  2. Create an account in the IDaaS console.
  3. Authorize the application on the Application Authorization page.
  4. Log on to the IDaaS console as a common user and copy the following links.
    Note View the following links in the IDaaS console.
  5. Enter the account created in IDaaS to log on to IDaaS. After successful logon, click the RAM - Role-based SSO icon on the My Applications page to perform single sign-on.

If all preceding operations are successful, the RAM role will log on to the RAM console in a single sign-on manner.