This topic describes how to provision accounts from IDaaS to RAM to synchronize account information between the two consoles.


More and more enterprise managers are troubled by data synchronization challenges. Different application systems become information islands if their accounts are not synchronized.


The SCIM protocol of IDaaS can be used to synchronize the shared data within an enterprise to RAM.


Step 1: Prepare a RAM account

  1. Log on to Alibaba Cloud with your Alibaba Cloud account.
  2. Access RAM.

    Choose Products > Monitor and Management > Resource Access Management.

  3. Configure domain name settings.

    In the left-side navigation pane, click SSO. You can see the tenantID on the User-based SSO tab.

  4. Create a user.

    In the left-side navigation pane, choose Identities > Users. Create a new user or click the name of an existing user to go to the details page.

  5. Obtain the AccessKey ID and AccessKey secret, which are required to create an application in IDaaS console and query the RAM role list.
  6. Grant the user AliyunRAMFullAccess permissions.

Step 2: Add the application on IDaaS

  1. Find RAM - User-based SSO from the application list and click Add Application in the Actions column.
  2. Add a SigningKey (certificate).
  3. Find a SigningKey in the list and click Select in the Actions column to configure SAML.

    Go to the Select SigningKey page to configure SAML. Set the parameters such as RAM User Domain, IDaaS IdentityId, and SP Entity ID. The following figure shows an example based on the RAM account information.

    • RAM User Domain: Obtain the domain name as specified in step 1, in this example.
    • IDaaS IdentityId: Obtain the identity ID, in this example.
    • SP Entity ID: consistent with IDaaS IdentityId.
    • SP ACS URL(SSO Location): The default value is
    • AccessKeyID and AccessKeySecret: Obtain the values that you saved locally in step 1.
    • NameIdFormat: The default value is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
    • Binding: The default value is POST.
    • SP Logon Type: The default value is Custom Application Logon Page.
    • Account Linking Type: Select Account Linking.
  4. Save your settings. Go to the Application List page and view Application Details. Save the account provisioning URL of the application locally.

  5. Obtain the API Key and API secret used to authenticate the account provisioning URL.

    Choose Application List > Details, turn on the API switch, and save the API Key and API secret locally.

Step 3: Provision accounts on IDaaS

  1. In the left-side navigation pane, choose Applications> Application List. Find the new application and enable the application.
  2. Click Configure SCIM to go to the Configure SCIM page.
    SCIM Service URL: the current IDaaS endpoint + the account provisioning URL obtained in step 2.
    Notice There cannot be any spaces in the middle of the SCIM Service URL. If the API starts with openapi/2020-x-x, remove this part.

    Enable: Turn on this switch.

    Protocol Type: Select OAuth2.

    Oauth url: the current IDaaS endpoint + /oauth/token.

    client_id and client_secret: the API Key and API secret obtained in step 2.
    Note You can obtain the IDaaS endpoint from the IDaaS console.
  3. Create a user in the IDaaS console.
  4. Authorize the new application on the Application Authorization page.
  5. Provision the account to RAM.

    In the left-side navigation pane, choose Users > Organizations and Groups. Find the new account and click Provision Account in the Actions column.

    Click Provision to provision the account.

    Click View Provisioning Records to check the result.

  6. View the provisioned account in the RAM console.

    Log on to the RAM console and choose Identities > Users. You can see the provisioned account in the user list.

    Note: The preceding steps contain key information that must be saved locally. You may need to delete some of the key information accordingly.