This topic provides an example on how to implement user-based single sign-on (SSO) between Okta and Alibaba Cloud. The example describes the end-to-end SSO process between a cloud identity provider (IdP) and Alibaba Cloud.

Step 1: Download the SAML SP metadata file of Alibaba Cloud

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. On the SSO page, click the User-based SSO tab.
  4. In the SSO Settings section, copy the value of SAML Service Provider Metadata URL.
  5. Open a new tab in your browser and paste the URL in the address bar. On the page that appears, right-click the page and select Save As to download the SAML service provider (SP) metadata file in the XML format to your computer.
    Note The XML file contains the information that is required to configure Alibaba Cloud as a SAML SP. Record the value of entityID in the EntityDescriptor element and the value of Location in the AssertionConsumerService element for subsequent use.

Step 2: Create an application that supports SAML 2.0-based SSO in Okta

  1. Log on to the Okta portal.
  2. In the upper-right corner of the Okta portal, click the account name and select Your Org from the drop-down list.
  3. In the left-side navigation pane, choose Applications > Applications.
  4. On the Applications page, click Create App Integration.
  5. In the Create a new app integration dialog box, select SAML 2.0 and click Next.
  6. In the General Settings step of the page that appears, enter AliyunSSODemo in the App name field and click Next.
  7. In the Configure SAML step, configure the parameters and click Next.
    Configure SAML
    • In the Single sign on URL field, enter the value of Location that you obtained in Step 1: Download the SAML SP metadata file of Alibaba Cloud.
    • In the Audience URI field, enter the value of entityID that you obtained in Step 1: Download the SAML SP metadata file of Alibaba Cloud.
    • In the Default RelayState field, enter a URL. Then, the system redirects you to the URL after logon.
      Note For security purposes, you must enter a URL that points to an Alibaba website in the Default RelayState field. For example, you can enter a URL that contains the following domain names: *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If this field is empty, you are redirected to the homepage of the Alibaba Cloud Management Console after logon.
    • Select Persistent for Name ID format.
    • Select Email for Application username.
  8. In the Feedback step, select an application type based on your business requirements and click Finish.

Step 3: Download the SAML IdP metadata file of Okta

  1. On the Applications page, click AliyunSSODemo. On the page that appears, click the Sign On tab.
  2. In the Settings section of the Sign On tab, click Identity Provider metadata. On the page that appears, right-click the page and click Save As to download the metadata file to your computer.

Step 4: Enable user-based SSO in the Alibaba Cloud Management Console

  1. In the left-side navigation pane of the RAM console, click SSO.
  2. On the SSO page, click the User-based SSO tab.
  3. Click Modify to the right of SSO Settings.
  4. In the SSO Status section of the SSO Settings panel, click Enabled.
    Note User-based SSO takes effect on all RAM users in your Alibaba Cloud account. If you enable this feature, all RAM users in your Alibaba Cloud account must log on to the Alibaba Cloud Management Console by using SSO. If you use a RAM user, set the SSO Status parameter to Disabled in this step. Before you enable user-based SSO, you must complete the SSO settings for the RAM user. Otherwise, you cannot log on as the RAM user. To avoid this issue, you can also use your Alibaba Cloud account to configure user-based SSO.
  5. In the Metadata File section, click Upload to upload the IdP metadata file obtained in Step 3: Download the SAML IdP metadata file of Okta.
  6. Select Enabled for Auxiliary Domain. In the field that appears, enter the domain name of the email address that you use as the Okta username.
    Note If the usernames that belong to your Okta account are suffixed with different domain names, only the users whose usernames are suffixed with the specified domain name can log on to the Alibaba Cloud Management Console.
  7. Click OK.

Step 5: Create a user and assign the application to the user in Okta

  1. In the left-side navigation pane, choose Directory > People.
  2. On the page that appears, click Add Person.
  3. In the Add Person dialog box, enter u2@examplecompany.com in the Primary email field, configure other parameters, and then click Save.
  4. In the user list, find u2@examplecompany.com and click Activate in the Status column. In the dialog box that appears, activate the u2@examplecompany.com user as prompted.
  5. In the left-side navigation pane, choose Applications > Applications.
  6. Click the application name AliyunSSODemo. On the Assignments tab, choose Assign > Assign to People.
  7. In the dialog box that appears, click Assign to the right of the u2@examplecompany.com user.
  8. In the dialog box that appears, click Save and Go Back.
  9. Click Done.

Step 6: Create a RAM user in the Alibaba Cloud Management Console

  1. In the left-side navigation pane of the RAM console, choose Identities > Users.
  2. On the Users page, click Create User.
  3. On the Create User page, configure the Logon Name and Display Name parameters.
    Note The logon name and Okta username must have the same prefix. In this example, the prefix of the logon name must be u2.
  4. In the Access Mode section, select Console Access and configure the parameters.
  5. Click OK.

Verify the user-based SSO configurations

After you configure SSO, you can initiate SSO logon from both Alibaba Cloud and Okta.

  • Logon from Alibaba Cloud
    1. Log on to the RAM console by using your Alibaba Cloud account. On the Overview page, copy the logon URL of a RAM user.
    2. Move the pointer over the profile picture in the upper-right corner of the page and click Log Out. Then, paste the logon URL into the address bar of your browser and press Enter. You can also access the URL on a new tab.
    3. On the page that appears, click Logon with Organization Account. The system redirects you to the logon page of Okta. Log on by using an organization account
    4. On the logon page of Okta, enter the username u2@examplecompany.com and password, and click Login.

    After the logon succeeds, you are redirected to the page that is specified by DefaultRelayState. If DefaultRelayState is invalid or not specified, you are redirected to the homepage of the Alibaba Cloud Management Console. If the page shown in the following figure appears, the user-based SSO configurations are successful.

    SSO_Okta configuration verification
  • Logon from Okta

    Log on to the Okta portal as an Okta user. On the page that appears, click the AliyunSSODemo application.

    After the logon succeeds, you are redirected to the page that is specified by DefaultRelayState. If DefaultRelayState is invalid or not specified, you are redirected to the homepage of the Alibaba Cloud Management Console. If the page shown in the following figure appears, the user-based SSO configurations are successful.

    SSO_Okta configuration verification