This topic provides an example of how to use identity-based single sign-on (SSO) to access Alibaba Cloud from Azure Active Directory (Azure AD). The example includes the steps required to configure SSO on both the identity provider (IdP) side and the Alibaba Cloud side.
Background information
Before you start, you must create an Alibaba Cloud account and an Azure AD tenant. An administrator and an organization user (u2) are added to the Azure AD tenant. The administrator is assigned the global administrator permissions. You want the organization user (u2) to access Alibaba Cloud as a Resource Access Management (RAM) user.
To complete the configuration in Azure AD, you must log on to the Azure portal as the administrator that is granted the global administrator permissions. For more information about how to create and authorize users in Azure AD, see Azure AD documentation.
Step 1: Download the SAML SP metadata file from Alibaba Cloud
Step 2: Create an application in Azure AD
- Log on to the Azure portal as the administrator.
- In the upper-left corner of the homepage, click the icon.
- In the left-side navigation pane, choose .
- On the page that appears, click New application.
- On the Browse Azure AD Gallery (Preview) page, click Create your own application.
- In the Create your own application pane, enter a name for your application. AliyunSSODemo is entered in this example. Then, select Integrate any other application you don't find in the gallery and click Create.
Step 3: Configure SAML in Azure AD
- On the AliyunSSODemo page, click Single sign-on in the left-side navigation pane.
- On the Select a single sign-on method page, click SAML.
- On the Set up Single Sign-On with SAML page, perform the following steps:
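The SAML settings entered in Azure AD (the Identifier and the Reply URL) come from the SP metadata file downloaded from Alibaba Cloud in Step 1. The following is an added example, not code from the Alibaba Cloud documentation, that parses such a SAML 2.0 SP metadata file and maps it to those two fields; the metadata document, its entity ID and its URLs are constructed placeholders, not real Alibaba Cloud values.

```python
# Parse a SAML 2.0 SP metadata file and extract the values an Azure AD
# administrator needs for "Basic SAML Configuration". Constructed sample;
# a real file comes from the RAM console (Step 1).
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin.example-placeholder.com/1234567890/saml/SSO">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.example-placeholder.com/saml/SSO"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the entity ID, ACS endpoints and NameID formats of an SP."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata describes no SP role")
    acs = []
    for e in sp.findall("md:AssertionConsumerService", NS):
        loc = e.get("Location", "")
        # Assertions carry the user's identity: refuse a plaintext endpoint.
        if urlparse(loc).scheme != "https":
            raise ValueError("ACS endpoint is not HTTPS: %s" % loc)
        acs.append({"binding": e.get("Binding"), "location": loc,
                    "default": e.get("isDefault") == "true"})
    return {"entity_id": root.get("entityID"),
            "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
            "nameid_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
            "acs": acs}


def azure_basic_saml_config(meta):
    """Map parsed metadata to the Azure AD Identifier and Reply URL fields."""
    default = next((a for a in meta["acs"] if a["default"]), meta["acs"][0])
    return {"Identifier (Entity ID)": meta["entity_id"],
            "Reply URL (Assertion Consumer Service URL)": default["location"]}
```

Uploading the metadata file directly in Azure AD fills the same fields; parsing it yourself lets you check beforehand that the endpoints are HTTPS and that signed assertions are requested.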
Step 4: Assign a user to the application in Azure AD
Step 5: Create a RAM user in the Alibaba Cloud Management Console
Step 6: Enable identity-based SSO in the Alibaba Cloud Management Console
Verify the identity-based SSO configurations
- Log on from the Alibaba Cloud Management Console
- Log on to the RAM console with the Alibaba Cloud account. On the Overview page, copy the logon URL that is assigned to RAM users.
- Move the pointer over the profile picture in the upper-right corner, click Log Out, and then enter the copied logon URL in the address bar. You can also open the URL in a new page.
- On the page that appears, click Login with Organization Account. The system redirects you to the logon page of Azure AD.
- Log on with the Azure AD user (u2).
You are redirected to the page specified by Relay State. If the Relay State value is not specified or is invalid, you are redirected to the homepage of the Alibaba Cloud Management Console after you log on to Azure AD.
- Log on from Azure AD
- Obtain the user access URL.
- Log on to the Azure portal as the administrator.
- In the upper-left corner of the page, click the icon.
- In the left-side navigation pane, choose .
- Click AliyunSSODemo.
- In the left-side navigation pane, click Properties and find the user access URL.
You can enter the user access URL in your browser to access the AliyunSSODemo application.
- After you obtain the user access URL, enter it in your browser and log on with account u2.
You are redirected to the page specified by Relay State. If the Relay State value is not specified or is invalid, you are redirected to the homepage of the Alibaba Cloud Management Console after you log on.