This topic provides an example of how to implement user-based single sign-on (SSO) to Alibaba Cloud from Azure Active Directory (Azure AD). It describes the end-to-end identity SSO process from an identity provider (IdP) to Alibaba Cloud.

Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
  • An Azure AD account is created.

Download the metadata file of Alibaba Cloud

  1. Log on to the RAM console by using the Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. On the User-based SSO tab, click Copy next to the SAML Service Provider Metadata URL.
  4. On a new page, paste the URL in the address bar to download the metadata file in the XML format.
    Note The XML file contains the information that is required to configure Alibaba Cloud as a SAML service provider. Save the entityID and the Location of the AssertionConsumerService for subsequent use.
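The two values that this note asks you to save are attributes of the SP metadata document: entityID on the EntityDescriptor element and Location on the AssertionConsumerService element. The following added example (not Alibaba Cloud's or Microsoft's code) parses a constructed metadata sample with the same structure, pulls those values out, and lays them out as the fields that the Azure AD Basic SAML Configuration pane expects. The entityID and Location values in the sample are placeholders; use the ones from the file you actually downloaded.

```python
"""Extract the SAML SP values (entityID, ACS Location) from SP metadata XML.

Added example; the XML below is a constructed sample that mimics the layout
of SP metadata, not the real file from the RAM console.
"""
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RELAY_STATE = "https://ram.console.aliyun.com"  # value the procedure uses

# Constructed sample; EXAMPLE-ACCOUNT-ID is a placeholder.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin.aliyun.com/EXAMPLE-ACCOUNT-ID/saml/SSO">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aliyun.com/saml/SSO" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_values(xml_text: str) -> dict:
    """Return entityID, the HTTP-POST ACS Location and a few sanity flags."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute is missing")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    # Azure AD posts the assertion, so only HTTP-POST endpoints are usable.
    post_acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
                if e.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    chosen = next((e for e in post_acs if e.get("isDefault") == "true"), post_acs[0])
    location = chosen.get("Location", "")
    if not location.startswith("https://"):
        raise ValueError("ACS Location must be an https URL")

    return {
        "entity_id": entity_id,
        "acs_location": location,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [e.text for e in sp.findall("md:NameIDFormat", NS)],
    }


def azure_basic_saml_config(values: dict) -> dict:
    """Map the extracted values onto the Azure AD Basic SAML Configuration fields."""
    return {
        "Identifier (Entity ID)": values["entity_id"],
        "Reply URL (Assertion Consumer Service URL)": values["acs_location"],
        "Relay State": RELAY_STATE,
    }


if __name__ == "__main__":
    for field, value in azure_basic_saml_config(
            extract_sp_values(SAMPLE_SP_METADATA)).items():
        print(f"{field}: {value}")
```

The function refuses metadata without an HTTPS HTTP-POST endpoint, which is the one binding the Azure AD assertion post can use; `want_assertions_signed` is reported so you can see that the SP expects signed assertions, which is what makes the signing certificate uploaded later matter.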

Create an application in Azure AD

  1. Log on to the Azure portal as an administrator.
  2. In the upper-left corner, click the menu icon.
  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  4. On the page that appears, click New application.
  5. On the Add an application page, click Non-gallery application.
  6. On the Add your own application page, enter an application name, and click Add.
    Note In this example, the application name is AliyunSSODemo.

Configure SAML in AAD

  1. Click AliyunSSODemo.
  2. On the Overview page, click Single sign-on. On the page that appears, click SAML.
  3. On the Set up Single Sign-On with SAML page, perform the following steps:
    1. In the upper-left corner, click Upload metadata file, select a file, and then click Add.
      Note In this example, upload the XML file that you downloaded in the Download the metadata file of Alibaba Cloud section.
    2. In the Basic SAML Configuration section, click the Edit icon in the upper-right corner.
    3. In the Basic SAML Configuration pane, enter the value of entityID in the Identifier (Entity ID) field and the value of Location in the Reply URL (Assertion Consumer Service URL) field. Both values come from the metadata file of Alibaba Cloud. Enter https://ram.console.aliyun.com in the Relay State field, and then click Save.
    4. In the SAML Signing Certificate section, click Download to the right of Federation Metadata XML.

Create a RAM user in Alibaba Cloud

  1. Log on to the RAM console by using the Alibaba Cloud account.
  2. Create a RAM user named username@{id}.onaliyun.com.
    Note
    • The username must be the same as the prefix of the Azure AD username. In this example, the username is u2.
    • For information about how to create a RAM user, see Create a RAM user.

Enable user-based SSO in Alibaba Cloud

  1. Log on to the RAM console by using the Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. Click the User-based SSO tab.
  4. Click Modify next to SSO Settings.
  5. In the SSO Settings pane, select Enabled under SSO Status.
    Note User-based SSO is a global feature. If you select Enabled under SSO Status, user-based SSO is enabled for all RAM users, so every RAM user can log on to the Alibaba Cloud Management Console only through SSO. If you are performing this procedure as a RAM user, select Disabled under SSO Status in this step: the SSO settings for that RAM user must be complete before user-based SSO is enabled, otherwise logon as the RAM user will fail. To avoid this issue, use the Alibaba Cloud account to configure user-based SSO.
  6. Click Upload under Metadata File. In the dialog box that appears, select the metadata file that you downloaded in Configure SAML in AAD, and click Open.
  7. Turn on the Auxiliary Domain switch. In the field that appears, enter u2.onmicrosoft.com.
  8. Click OK.
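Steps 5 and 7 together decide who can log on once SSO is enabled: the NameID that Azure AD sends (the user's Azure AD username, here u2@u2.onmicrosoft.com) is matched to the RAM user u2@{id}.onaliyun.com, and the auxiliary domain is what lets the u2.onmicrosoft.com suffix map onto the account's default domain. The following added example models that mapping rule as a small resolver so that the interaction of the prefix requirement, the auxiliary domain and the global SSO switch can be checked offline. It is an illustration written for this page, not Alibaba Cloud's implementation; the account ID and user names are constructed placeholders, and treating domain names as case-insensitive is an assumption.

```python
"""Model of the Azure AD username -> RAM user mapping used by user-based SSO.

Added illustration, not Alibaba Cloud's code.  EXAMPLE-ACCOUNT-ID and the
user names are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class SsoSettings:
    account_id: str                   # Alibaba Cloud account ID ({id} in the docs)
    auxiliary_domain: Optional[str]   # e.g. "u2.onmicrosoft.com"; None if switch is off
    enabled: bool                     # SSO Status: Enabled / Disabled


def default_domain(settings: SsoSettings) -> str:
    """The domain every RAM user logon name of this account ends with."""
    return f"{settings.account_id}.onaliyun.com"


def resolve_ram_logon_name(name_id: str, settings: SsoSettings) -> str:
    """Map the SAML NameID to a RAM user logon name, or raise if it cannot map.

    The user prefix is taken as-is (it must equal the RAM user name); the
    domain must be either the account's default domain or the configured
    auxiliary domain (case-insensitive by assumption).
    """
    if not settings.enabled:
        raise PermissionError("user-based SSO is disabled for this account")
    if name_id.count("@") != 1:
        raise ValueError("NameID must have the form user@domain")
    user, domain = name_id.split("@")
    if not user:
        raise ValueError("NameID has an empty user prefix")

    accepted = {default_domain(settings).lower()}
    if settings.auxiliary_domain:
        accepted.add(settings.auxiliary_domain.lower())
    if domain.lower() not in accepted:
        raise ValueError(f"domain {domain!r} is neither the default domain "
                         f"nor the auxiliary domain")
    return f"{user}@{default_domain(settings)}"


def can_log_on(name_id: str, settings: SsoSettings, ram_users: Set[str]) -> bool:
    """True only if the NameID maps to a RAM user that actually exists."""
    try:
        logon_name = resolve_ram_logon_name(name_id, settings)
    except (ValueError, PermissionError):
        return False
    return logon_name in ram_users


def password_logon_allowed(settings: SsoSettings) -> bool:
    """Models the note above: once SSO is enabled, RAM users can only use SSO."""
    return not settings.enabled


if __name__ == "__main__":
    cfg = SsoSettings("EXAMPLE-ACCOUNT-ID", "u2.onmicrosoft.com", enabled=True)
    users = {"u2@EXAMPLE-ACCOUNT-ID.onaliyun.com"}
    for name_id in ("u2@u2.onmicrosoft.com", "u3@u2.onmicrosoft.com",
                    "u2@other.example"):
        print(name_id, "->", can_log_on(name_id, cfg, users))
```

Running the block shows why the RAM user must be created before the switch is flipped (a NameID whose prefix has no matching RAM user is rejected) and why the auxiliary domain is needed (without it, only NameIDs ending in {id}.onaliyun.com resolve).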

Create and assign a user in Azure AD

  1. Log on to the Azure portal as an administrator.
  2. In the upper-left corner, click the menu icon.
  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  4. In the Name column, click AliyunSSODemo.
  5. In the left-side navigation pane, click Users and groups.
  6. In the upper-left corner, click Add user.
  7. On the Add Assignment page, click Users. In the Users pane, click u2 and click Select.
  8. Click Assign.

Test user-based SSO

  1. Log on to the Azure portal as an administrator.
  2. In the upper-left corner, click the menu icon.
  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  4. In the Name column, click AliyunSSODemo.
  5. On the Overview page, click Single sign-on.
  6. On the Set up Single Sign-On with SAML page, click Test.
  7. In the Test single sign-on with AliyunSSODemo pane, click Sign in as current user.

If you are redirected to the Alibaba Cloud console at the Relay State URL (https://ram.console.aliyun.com) and signed in as the RAM user u2 without being prompted for a RAM user password, user-based SSO is working.