This topic provides an example of how to implement user-based single sign-on (SSO) from Okta to Alibaba Cloud. It describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud.

Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account creation page.
  • An Okta account is created.
    Note A 30-day free trial is available for each Okta account.

Step 1: Download the SAML SP metadata file of Alibaba Cloud

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. On the User-based SSO tab, click Copy next to SAML Service Provider Metadata URL.
  4. In a new browser tab, paste the URL in the address bar and download the SAML service provider (SP) metadata file in the XML format.
    Note The XML file contains the information that you use to configure Alibaba Cloud as a SAML SP. Record the value of entityID in the EntityDescriptor element and the value of Location in the AssertionConsumerService element for subsequent use.

Step 2: Create an application in Okta

  1. Log on to the Okta portal.
    Note A dynamic 6-digit verification code is required for the logon. The verification code is provided by the Okta Verify app. Therefore, you must install the Okta Verify app on your smartphone before the logon.
  2. In the upper-right corner of the Okta portal, click the account name and select Your Org from the drop-down menu.
  3. In the upper-right corner, click Admin.
  4. In the top navigation bar, click Applications.
  5. On the page that appears, click Add Application.
  6. On the page that appears, click Create New App.
  7. In the dialog box that appears, select Web for the Platform parameter, select SAML 2.0 for the Sign on method parameter, and then click Create.
  8. Enter AliyunSSODemo in the App name field and click Next.
  9. Configure the parameters and click Next.
    Configure SAML
    • In the Single sign on URL field, enter the value of Location that you obtained in Step 1: Download the SAML SP metadata file of Alibaba Cloud.
    • In the Audience URI field, enter the value of entityID that you obtained in Step 1: Download the SAML SP metadata file of Alibaba Cloud.
    • In the Default RelayState field, enter a URL. Then, the system redirects you to the URL after logon.
      Note For security purposes, you must enter a URL that points to an Alibaba website in the Default RelayState field. For example, the domain name in the URL can be *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If this field is left empty, you are redirected to the homepage of the Alibaba Cloud Management Console after logon.
    • Select Persistent for Name ID format.
    • Select Email for Application username.
  10. Select an application type based on your business requirements and click Finish.
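    The following script is an added example, not part of the Alibaba Cloud or Okta documentation: it pulls the two values that Step 1 asks you to record out of a constructed SP metadata file (the URLs are placeholders, not Alibaba Cloud's real endpoints) and checks an Okta application configuration, modelled as a dictionary with assumed keys, against the Step 2 settings, including the Default RelayState domain restriction.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Domain suffixes the page allows for Default RelayState (*.aliyun.com etc.).
ALLOWED_RELAY_SUFFIXES = (".aliyun.com", ".hichina.com", ".yunos.com", ".taobao.com",
                          ".tmall.com", ".alibabacloud.com", ".alipay.com")

# Constructed SP metadata in the shape of the file downloaded in Step 1; the
# values are placeholders, not Alibaba Cloud's real endpoints.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin.example-sp.invalid">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.example-sp.invalid/saml/SSO" index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Return (entityID, ACS Location), the two values Step 1 says to record."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", MD)
    if not entity_id or acs is None or not acs.get("Location"):
        raise ValueError("SP metadata lacks entityID or AssertionConsumerService Location")
    return entity_id, acs.get("Location")

def check_okta_app(app, entity_id, acs_location):
    """Return the list of Step 2 settings that are wrong (empty when all match)."""
    problems = []
    if app.get("sso_url") != acs_location:
        problems.append("Single sign on URL must equal the ACS Location")
    if app.get("audience_uri") != entity_id:
        problems.append("Audience URI must equal the SP entityID")
    if app.get("name_id_format") != "Persistent":
        problems.append("Name ID format must be Persistent")
    if app.get("application_username") != "Email":
        problems.append("Application username must be Email")
    relay = app.get("default_relay_state") or ""
    # An empty RelayState is allowed (console homepage); a non-empty one must be
    # an Alibaba domain, otherwise the IdP would redirect users to a foreign site.
    if relay:
        host = (urlparse(relay).hostname or "").lower()
        if not host.endswith(ALLOWED_RELAY_SUFFIXES):
            problems.append("Default RelayState must point to an Alibaba domain")
    return problems
```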

Step 3: Download the SAML IdP metadata file of Okta

  1. In the top navigation bar, click Applications.
  2. Click the application name, AliyunSSODemo.
  3. On the Sign On tab, click Identity Provider metadata to download the metadata file.

Step 4: Enable user-based SSO in Alibaba Cloud

  1. In the left-side navigation pane of the RAM console, click SSO.
  2. On the page that appears, click the User-based SSO tab.
  3. Click Modify next to SSO Settings.
  4. In the SSO Settings panel, select Enabled under SSO Status.
    Note User-based SSO is a global setting. If you select Enabled for SSO Status, user-based SSO is enabled for all RAM users, which means that RAM users can log on to the Alibaba Cloud Management Console only by using SSO. If you are performing this step as a RAM user, select Disabled for SSO Status here: before you enable user-based SSO, you must complete the SSO settings for that RAM user, or you may no longer be able to log on to the console as the RAM user. To avoid this issue, configure user-based SSO by using the Alibaba Cloud account.
  5. Click Upload under Metadata File to upload the SAML IdP metadata file that you downloaded in Step 3: Download the SAML IdP metadata file of Okta.
  6. Turn on Auxiliary Domain. In the field that appears, enter the domain name of the email address that you use as the Okta username.
    Note If usernames under your Okta account are suffixed with different domain names, only the users whose usernames are suffixed with the specified domain name can log on to the Alibaba Cloud Management Console.
  7. Click OK.

Step 5: Create a user and assign the application to the user in Okta

  1. In the top navigation bar, choose Directory > People.
  2. On the page that appears, click Add Person. In the Add Person dialog box, enter test@example.com in the Primary email field and configure other parameters.
  3. Select Send user activation email now for Password, and click Save.
    Note Activate the Okta user as instructed.
  4. In the top navigation bar, click Applications.
  5. Click the application name (AliyunSSODemo). On the Assignments tab, choose Assign > Assign to People.
  6. In the dialog box that appears, click Assign to the right of the test@example.com user.
  7. Click Save and Go Back.
  8. Click Done.

Step 6: Create a RAM user in the Alibaba Cloud Management Console

  1. In the left-side navigation pane of the RAM console, choose Identities > Users.
  2. On the page that appears, click Create User.
  3. On the page that appears, specify the Logon Name and Display Name parameters.
    Note The logon name and Okta username must have the same prefix.
  4. In the Access Mode section, select Console Password Logon and configure the parameters.
  5. Click OK.
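  The following is an added example, not code from Alibaba Cloud or Okta, and Alibaba Cloud's real matching logic is not shown on this page: it models only the rules the page states (Audience equals the entityID from Step 2, Name ID format Persistent, username domain equals the Auxiliary Domain from Step 4, logon name prefix equal to the Okta username prefix from Step 6) against a constructed, unsigned assertion fragment with placeholder values.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed assertion body for the Okta user created in Step 5. The XML
# signature is omitted: the SP must verify it before any of these checks run.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">test@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.example-sp.invalid</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def resolve_ram_user(assertion_xml, expected_audience, auxiliary_domain, ram_prefixes):
    """Return the RAM logon-name prefix the assertion maps to, or raise ValueError."""
    root = ET.fromstring(assertion_xml)
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             namespaces=SAML)
    if audience != expected_audience:
        raise ValueError("Audience does not match the entityID configured in Step 2")
    name_id = root.find("saml:Subject/saml:NameID", SAML)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("NameID missing or not in Persistent format")
    username = (name_id.text or "").strip()
    prefix, at, domain = username.rpartition("@")
    if not at or domain.lower() != auxiliary_domain.lower():
        raise ValueError("username domain is not the Auxiliary Domain set in Step 4")
    # Step 6: the RAM logon name and the Okta username must share the same prefix.
    if prefix not in ram_prefixes:
        raise ValueError("no RAM user whose logon name prefix is %r" % prefix)
    return prefix

def mapping_problem(*args):
    """Convenience wrapper: the error message for a rejected assertion, else None."""
    try:
        resolve_ram_user(*args)
    except ValueError as exc:
        return str(exc)
    return None
```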

Test user-based SSO

  • Logon from Alibaba Cloud
    1. Log on to the RAM console by using the Alibaba Cloud account. On the Overview page, copy the logon URL of a RAM user.
    2. Move the pointer over the profile picture in the upper-right corner, and click Log out. Paste the copied logon URL in the address bar. Alternatively, paste the URL in the address bar of a new page.
    3. On the page that appears, click Logon with Organization Account. The system redirects you to the logon page of Okta.
    4. On the logon page of Okta, enter the username (test@example.com) and password, and click Login.

    You are redirected to the page that is specified by Default RelayState. If Default RelayState is empty or invalid, you are redirected to the homepage of the Alibaba Cloud Management Console. If the page shown in the following figure appears, the user-based SSO configuration succeeds.

    (Figure: SSO_Okta configuration verification)
  • Logon from Okta

    Log on to the Okta portal as an Okta user. On the page that appears, click the AliyunSSODemo application.

    After the logon succeeds, you are redirected to the page that is specified by Default RelayState. If Default RelayState is empty or invalid, you are redirected to the homepage of the Alibaba Cloud Management Console. If the page shown in the following figure appears, the user-based SSO configuration succeeds.

    (Figure: SSO_Okta configuration verification)