This topic provides an example of how to implement user-based single sign-on (SSO) to Alibaba Cloud from Okta. It describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud.

Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
  • An Okta account is created.
    Note A 30-day free trial is available for each Okta account.

Download the metadata file of Alibaba Cloud

  1. Log on to the RAM console by using the Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. On the User-based SSO tab, click Copy next to the SAML Service Provider Metadata URL.
  4. On a new page, paste the URL in the address bar to download the metadata file in the XML format.
    Note The XML file contains the information that is required to configure Alibaba Cloud as a SAML service provider. Save the entityID in the EntityDescriptor element and the Location in the AssertionConsumerService element for subsequent use.
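    The note above asks you to pull two values out of the downloaded metadata by hand. As an added example that is not part of the original topic or of Alibaba Cloud's tooling, the following Python script extracts them programmatically from a constructed sample metadata document (the account ID in it is a placeholder, not a real account) and refuses an AssertionConsumerService Location that is not served over HTTPS, since that is the endpoint the IdP posts signed assertions to.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace used by SAML 2.0 metadata documents.
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of an SP metadata file. EXAMPLE-ACCOUNT-ID is a
# placeholder; a real file carries the account's own ID in both URLs.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin.aliyun.com/EXAMPLE-ACCOUNT-ID/saml/SSO">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aliyun.com/EXAMPLE-ACCOUNT-ID/saml/SSO"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the entityID and the default AssertionConsumerService details.

    The metadata is fetched from the RAM console over HTTPS, so the standard
    library parser is used here; parse untrusted XML with defusedxml instead.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")

    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor carries no entityID")

    acs_nodes = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if not acs_nodes:
        raise ValueError("no AssertionConsumerService endpoint in metadata")
    # Prefer the endpoint flagged isDefault="true"; otherwise take the first one.
    acs = next((n for n in acs_nodes if n.get("isDefault") == "true"), acs_nodes[0])

    location = acs.get("Location") or ""
    if urlsplit(location).scheme != "https":
        # Assertions are posted to this URL; an http:// endpoint would expose them.
        raise ValueError(f"AssertionConsumerService Location is not HTTPS: {location!r}")

    nameid_formats = [
        n.text.strip()
        for n in root.findall("md:SPSSODescriptor/md:NameIDFormat", MD_NS)
        if n.text
    ]
    return {
        "entityID": entity_id,
        "acs_location": location,
        "acs_binding": acs.get("Binding"),
        "nameid_formats": nameid_formats,
    }


if __name__ == "__main__":
    for key, value in extract_sp_settings(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real file by reading the XML you downloaded into `extract_sp_settings` instead of the constructed sample; the two printed URLs are the values the Okta steps below ask for.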

Create an application in Okta

  1. Log on to the Okta portal.
    Note A dynamic 6-digit verification code is required for the logon. The verification code is provided by the Okta Verify app. Therefore, you must install the Okta Verify app on your phone before the logon.
  2. In the upper-right corner, click Admin.
    [Figure: SSO_Okta_admin]
  3. In the top navigation bar, click Applications.
    [Figure: SSO_Okta_Applications]
  4. On the Applications page, click Add Application.
  5. On the Add Application page, click Create New App.
    [Figure: Create_New_App]
  6. In the Create a New Application Integration dialog box, select Web from the Platform drop-down list, select SAML 2.0 from the Sign on method drop-down list, and then click Create.
    [Figure: SSO_Okta_SAML]
  7. In the General Settings step, enter AliyunSSODemo in the App name field, and click Next.
    [Figure: SSO_Okta_name]
  8. In the Configure SAML step, set the parameters as follows, and click Next.
    [Figure: SSO_Okta_SAML settings]
    • In the Single sign on URL field, enter the value of entityID that you obtained in Download the metadata file of Alibaba Cloud.
    • In the Audience URI field, enter the value of Location that you obtained in Download the metadata file of Alibaba Cloud.
    • In the Default Relay State field, enter a URL. A user is redirected to the URL after logon.
      Note For security reasons, you must specify an Alibaba Cloud website URL, for example, the homepage URL of the Alibaba Cloud Management Console. Otherwise, the setting is invalid. If this field is left empty, a user is redirected to the homepage of the Alibaba Cloud Management Console by default after logon.
    • Select Persistent from the Name ID format drop-down list.
    • Use the default values of the Application username and Update application username on parameters.
  9. Select an application type based on your business requirements, and click Finish.
    [Figure: SSO_Okta_Finish]
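    The Default Relay State note in step 8 restricts the post-logon redirect to Alibaba Cloud URLs and falls back to the console homepage otherwise; that is the standard defence against a RelayState being abused as an open redirect. As an added illustration that is not part of this topic and not Alibaba Cloud's own implementation, the Python function below applies the same policy with an assumed host allow-list and an assumed default URL (both are examples, not the service's real list), and accepts only HTTPS URLs whose host is on the list.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Assumed allow-list of destination hosts; substitute the console hosts your
# organisation actually uses. These are examples, not the service's own list.
ALLOWED_RELAY_HOSTS = frozenset({"home.console.aliyun.com", "ram.console.aliyun.com"})

# Assumed fallback landing page (the console homepage in the note above).
DEFAULT_CONSOLE_HOME = "https://home.console.aliyun.com/"


def resolve_relay_state(
    relay_state: Optional[str],
    allowed_hosts: Iterable[str] = ALLOWED_RELAY_HOSTS,
    default: str = DEFAULT_CONSOLE_HOME,
) -> str:
    """Return the URL to redirect to after logon.

    Mirrors the documented rule: an empty or invalid RelayState yields the
    console homepage; only an absolute HTTPS URL on an allowed host is honoured.
    """
    if relay_state is None or not relay_state.strip():
        return default
    candidate = relay_state.strip()
    parts = urlsplit(candidate)

    # Scheme-relative ("//evil.example"), http://, javascript: etc. are all rejected.
    if parts.scheme != "https":
        return default
    # Credentials in the authority ("https://good.host@evil.example") are rejected
    # outright; urlsplit().hostname already resolves to the real host, but an
    # explicit check makes the intent obvious in review.
    if parts.username is not None or parts.password is not None:
        return default
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or host not in {h.lower() for h in allowed_hosts}:
        return default
    return candidate


if __name__ == "__main__":
    # Constructed inputs showing each branch of the policy.
    for value in (None, "", "https://ram.console.aliyun.com/users",
                  "https://evil.example/", "http://home.console.aliyun.com/",
                  "https://home.console.aliyun.com@evil.example/", "//evil.example/"):
        print(f"{value!r:55} -> {resolve_relay_state(value)}")
```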

Download the metadata file of Okta

  1. Log on to the Okta portal.
  2. In the top navigation bar, click Applications.
  3. Click the application name (AliyunSSODemo).
  4. On the Sign On tab, click Identity Provider metadata to download the metadata file.
    [Figure: SSO_Okta_Sign On]

Enable user-based SSO in Alibaba Cloud

  1. Log on to the RAM console by using the Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. Click the User-based SSO tab.
  4. Click Modify next to SSO Settings.
  5. In the SSO Settings pane, select Enabled under SSO Status.
    Note User-based SSO is a global feature. If you select Enabled under SSO Status, user-based SSO is enabled for all RAM users. This means that all RAM users can log on to the Alibaba Cloud Management Console only through SSO. If you are using a RAM user, select Disabled under SSO Status in this step. You must complete the SSO settings for the RAM user before you enable user-based SSO. Otherwise, logon based on the RAM user will fail. To avoid this issue, you can use the Alibaba Cloud account to configure user-based SSO.
  6. Click Upload under Metadata File. In the dialog box that appears, select the metadata file that you downloaded in Download the metadata file of Okta, and click Open.
  7. Turn on the Auxiliary Domain switch. In the field that appears, enter the domain name of the email address that you use as the Okta username.
    Note If usernames under your Okta account are suffixed with different domain names, only the users whose usernames are suffixed with the specified domain name can log on to the Alibaba Cloud Management Console.
  8. Click OK.

Add a user and assign the application to the user in Okta

  1. Log on to the Okta portal.
  2. In the top navigation bar, choose Directory > People.
    [Figure: OSS_Okta_poeple]
  3. On the People page, click Add Person. In the Add Person dialog box, enter test@example.com in the Primary email field, and set other parameters.
  4. Select Send user activation email now from the Password drop-down list, and click Save.
    Note Activate the Okta user as prompted.
    [Figure: OSS_Okta_New poeple]
  5. In the top navigation bar, click Applications.
  6. Click the application name (AliyunSSODemo). On the Assignments tab, choose Assign > Assign to People.
    [Figure: SSO_Okta_Assign to people]
  7. In the dialog box that appears, click Assign to the right of the test@example.com user.
    [Figure: SSO_Okta_done]
  8. Click Save and Go Back.
  9. Click Done.

Create a RAM user in Alibaba Cloud

  1. Log on to the RAM console by using the Alibaba Cloud account.
  2. Create a RAM user named test@{id}.onaliyun.com.
    Note
    • The username must be the same as the prefix of the Okta username.
    • For information about how to create a RAM user, see Create a RAM user.
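    Two rules from this topic decide which RAM user an Okta logon lands on: the Auxiliary Domain note in Enable user-based SSO in Alibaba Cloud (only usernames whose domain suffix matches the configured domain may log on) and the note above (the RAM username must equal the prefix of the Okta username, in the form test@{id}.onaliyun.com). As an added example that is not part of the original topic and not Alibaba Cloud's own logic, the Python code below models that mapping so an administrator can check, before enabling SSO, which of the Okta users will resolve to an existing RAM user. The account ID, the domain and the user list are constructed placeholders; domain comparison is case-insensitive (DNS names are), while the local part is compared exactly, which is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class SsoSettings:
    auxiliary_domain: str  # domain suffix of Okta usernames admitted by SSO
    account_id: str        # Alibaba Cloud account ID (placeholder in this example)


def split_username(name_id: str) -> Tuple[str, str]:
    """Split an email-style Okta username into (prefix, domain)."""
    prefix, sep, domain = name_id.rpartition("@")
    if not sep or not prefix or not domain:
        raise ValueError(f"not an email-style username: {name_id!r}")
    return prefix, domain


def resolve_ram_user(name_id: str, settings: SsoSettings,
                     existing_ram_users: Iterable[str]) -> str:
    """Map an Okta username to the RAM user it logs on as, or raise.

    PermissionError: domain suffix differs from the auxiliary domain.
    LookupError:     no RAM user with that prefix exists under the account.
    """
    prefix, domain = split_username(name_id)
    if domain.lower() != settings.auxiliary_domain.lower():
        raise PermissionError(
            f"{name_id!r}: domain {domain!r} is not the auxiliary domain "
            f"{settings.auxiliary_domain!r}")
    candidate = f"{prefix}@{settings.account_id}.onaliyun.com"
    if candidate not in set(existing_ram_users):
        raise LookupError(f"{name_id!r}: RAM user {candidate!r} does not exist")
    return candidate


def preflight(okta_users: Iterable[str], settings: SsoSettings,
              existing_ram_users: Iterable[str]) -> Dict[str, str]:
    """Report, per Okta user, the RAM user it maps to or the reason it cannot log on."""
    ram_users = set(existing_ram_users)
    report = {}
    for user in okta_users:
        try:
            report[user] = resolve_ram_user(user, settings, ram_users)
        except (ValueError, PermissionError, LookupError) as exc:
            report[user] = f"BLOCKED: {exc}"
    return report


if __name__ == "__main__":
    # Constructed data: one matching user, one with a foreign domain, one with no RAM user.
    cfg = SsoSettings(auxiliary_domain="example.com", account_id="EXAMPLE-ACCOUNT-ID")
    ram = {"test@EXAMPLE-ACCOUNT-ID.onaliyun.com"}
    for user, outcome in preflight(
            ["test@example.com", "test@other.example", "alice@example.com"], cfg, ram).items():
        print(f"{user:22} -> {outcome}")
```

Running the preflight over the full Okta user list before switching SSO Status to Enabled shows exactly which users would be locked out, which is the failure the note in step 5 of Enable user-based SSO in Alibaba Cloud warns about.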

Test user-based SSO

  • Logon from Alibaba Cloud
    1. Log on to the RAM console by using the Alibaba Cloud account. On the Overview page, copy the logon URL of RAM users.
    2. Move the pointer over the profile picture in the upper-right corner, and select Sign out from the shortcut menu. Paste the copied logon URL in the address bar. Alternatively, paste the URL in the address bar of another browser.
    3. On the page that appears, click Logon with Organization Account. You are redirected to the logon page of Okta.
    4. On the logon page of Okta, enter the username (test@example.com) and password, and then click Sign In.

    You are redirected to the page that is specified by the Default Relay State parameter. If the Default Relay State parameter is invalid or left empty, you are redirected to the homepage of the Alibaba Cloud Management Console. If the page shown in the following figure appears, it indicates that user-based SSO is successful.

    [Figure: SSO_test]
  • Logon from Okta

    Log on to the Okta portal as an Okta user. On the page that appears, click the AliyunSSODemo application.

    [Figure: SSO_Okta_success]

    After the logon to the Alibaba Cloud Management Console is successful, you are redirected to the page that is specified by the Default Relay State parameter. If the Default Relay State parameter is invalid or left empty, you are redirected to the homepage of the Alibaba Cloud Management Console. If the page shown in the following figure appears, it indicates that user-based SSO is successful.

    [Figure: SSO_test]