This topic provides an example on how to implement user-based single sign-on (SSO) between Azure Active Directory (Azure AD) and Alibaba Cloud. The example describes the end-to-end SSO process between a cloud identity provider (IdP) and Alibaba Cloud.

Background information

Before you start, you must create an Alibaba Cloud account and an Azure AD tenant. An administrator and an organization user u2 are added to the Azure AD tenant. The administrator is assigned the global administrative rights. You want the organization user u2 to access Alibaba Cloud as a Resource Access Management (RAM) user.

To complete the configurations in Azure AD, you must log on to the Azure portal as an administrator that is assigned the global administrative rights. For more information about how to create and authorize users in Azure AD, see Azure AD documentation.

Step 1: Download the SAML SP metadata file of Alibaba Cloud

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. On the SSO page, click the User-based SSO tab.
  4. In the SSO Settings section, copy the value of SAML Service Provider Metadata URL.
  5. Open a new tab in your browser and paste the URL in the address bar. On the page that appears, right-click the page and click Save As to download the SAML service provider (SP) metadata file in the XML format to your computer.
    Note The XML file contains the information that is required to configure Alibaba Cloud as a SAML SP. Record the values of the entityID and Location parameters for subsequent use.

Step 2: Create an application in Azure AD

  1. Log on to the Azure portal as the administrator.
  2. In the upper-left corner of the homepage, click the SSO_AAD_icon icon.
  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  4. On the page that appears, click New application.
  5. On the Browse Azure AD Gallery page, click Create your own application.
  6. In the Create your own application panel, enter a name for your application. For example, you can enter AliyunSSODemo. Then, select Integrate any other application you don't find in the gallery and click Create.

Step 3: Configure SAML in Azure AD

  1. On the AliyunSSODemo page, click Single sign-on in the left-side navigation pane.
  2. In the Select a single sign-on method section, click SAML.
  3. On the Set up Single Sign-On with SAML page, perform the following steps:
    1. In the upper-left corner of the page, click Upload metadata file, select your metadata file, and then click Add.
      Note In this example, the XML file that you downloaded in Step 1: Download the SAML SP metadata file of Alibaba Cloud is uploaded.
    2. In the Basic SAML Configuration panel, configure the following parameters and click Save.
      • Identifier (Entity ID): By default, this parameter is set to the value of the entityID parameter that is read from the preceding metadata file.
      • Reply URL (Assertion Consumer Service URL): By default, this parameter is set to the value of the Location parameter that is read from the preceding metadata file.
      • Relay State: Enter the URL of the Alibaba Cloud service page to which an Azure AD user is redirected after the user logs on to Azure AD by using SSO.
        Note For security purposes, you must enter a URL that points to an Alibaba website for the Relay State parameter. For example, the domain name in the URL can be *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If this parameter is empty, you are redirected to the homepage of the Alibaba Cloud Management Console after logon.
    3. In the SAML Signing Certificate section, click Download in the Federation Metadata XML field to download the related XML file.

Step 4: Assign a user to the application in Azure AD

  1. In the upper-left corner of the AAD homepage, click the SSO_AAD_icon icon.
  2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  3. In the Name column, click AliyunSSODemo.
  4. In the left-side navigation pane, click Users and groups.
  5. On the page that appears, click Add user/group.
  6. On the Add Assignment page, click Users. In the Users panel, select u2 and click Select.
  7. Click Assign.

Step 5: Create a RAM user in the Alibaba Cloud Management Console

  1. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, click Create User.
  3. On the Create User page, specify Logon Name and Display Name in the User Account Information section.
    The logon name and Azure AD username must have the same prefix. In this example, the prefix of the logon name must be u2.
  4. In the Access Mode section, select Console Access or API Call-based Access.
  5. Click OK.

Step 6: Enable user-based SSO in the Alibaba Cloud Management Console

  1. In the left-side navigation pane, click SSO.
  2. On the SSO page, click the User-based SSO tab.
  3. Click Modify to the right of SSO Settings.
  4. In the SSO Status section of the SSO Settings panel, click Enabled.
    Note User-based SSO takes effect on all RAM users in your Alibaba Cloud account. If you enable this feature, all RAM users in your Alibaba Cloud account must log on to the Alibaba Cloud Management Console by using SSO. If you use a RAM user, set the SSO Status parameter to Disabled in this step. Before you enable user-based SSO, you must complete the SSO settings for the RAM user. Otherwise, you cannot log on as the RAM user. To avoid this issue, you can also use the Alibaba Cloud account to configure user-based SSO.
  5. In the Metadata File section, click Upload to upload the IdP metadata file obtained in Step 3: Configure SAML in Azure AD.
  6. Select Enabled for Auxiliary Domain. In the field that appears, enter the domain name of the email address that you use as the Azure AD username.

    In this example, the domain name is test.onmicrosoft.com because the username of the Azure AD user u2 is u2@test.onmicrosoft.com.

  7. Click OK.

Verify the user-based SSO configurations

After you configure SSO, you can initiate SSO logon from both Alibaba Cloud and Azure AD.

  • Logon from Alibaba Cloud
    1. Log on to the RAM console by using your Alibaba Cloud account. On the Overview page, copy the logon URL of a RAM user.
    2. Move the pointer over the profile picture in the upper-right corner of the page, and click Log Out. Then, paste the logon URL into the address bar of your browser and press Enter. You can also access the URL on a new tab.
    3. On the page that appears, click Logon with Organization Account. You are redirected to the logon page of Azure AD. Log on by using an organization account
    4. Log on by using the Azure AD user u2.

      After the logon succeeds, you are redirected to the page that is specified by Relay State. If Relay State is invalid or not specified, you are redirected to the homepage of the Alibaba Cloud Management Console.

      Verify the user-based SSO configurations
  • Logon from Azure AD
    1. Obtain the user access URL.
      1. Log on to the Azure portal as the administrator.
      2. In the upper-left corner of the homepage, click the SSO_AAD_icon icon.
      3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
      4. Click AliyunSSODemo.
      5. In the left-side navigation pane, click Properties and obtain the user access URL.

        You can enter the user access URL in the address bar of your browser to access the application.

        User access URL
    2. Enter the user access URL in the address bar of your browser and enter the username and password of u2 for the logon. You can obtain the URL from the administrator.

      After the logon succeeds, you are redirected to the page that is specified by the Relay State parameter. If Relay State is invalid or not specified, you are redirected to the homepage of the Alibaba Cloud Management Console.

      Verify the user-based SSO configurations