This topic describes how to implement role-based single sign-on (SSO) from Okta to Alibaba Cloud. It walks through the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud using a worked configuration.

Procedure

In this example, an attribute named approle is added to the profile of an Okta application. The approle attribute is used to specify a Resource Access Management (RAM) role. The following figure shows the procedure to implement role-based SSO in Alibaba Cloud and Okta.

(Figure: flowchart of the role-based SSO procedure in Alibaba Cloud and Okta)

Step 1: Create an application that supports SAML 2.0-based SSO in Okta

  1. Log on to the Okta portal.
  2. In the upper-right corner of the Okta portal, click the account name and select Your Org from the drop-down list.
  3. In the left-side navigation pane, choose Applications > Applications.
  4. On the Applications page, click Create App Integration.
  5. In the Create a new app integration dialog box, select SAML 2.0 and click Next.
  6. In the General Settings step, enter role-sso-test in the App name field and click Next.
  7. In the Configure SAML step, configure the parameters and click Next.
    SAML General
    • In the Single sign on URL field, enter https://signin.alibabacloud.com/saml-role/sso.
    • In the Audience URI field, enter urn:alibaba:cloudcomputing:international.
    • In the Default RelayState field, enter a URL. A user is redirected to the URL after logon.
      Note For security purposes, you must enter a URL that points to an Alibaba website in the Default RelayState field. For example, the domain name in the URL can be *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If this field is empty, you are redirected to the homepage of the Alibaba Cloud Management Console after logon.
    • Select EmailAddress from the Name ID format drop-down list.
    • Select Email from the Application username drop-down list.
  8. In the Feedback step, select an application type based on your business requirements and click Finish.

Step 2: Download the SAML IdP metadata file of Okta

  1. On the Applications page, click role-sso-test. On the page that appears, click the Sign On tab.
  2. In the Settings section of the Sign On tab, click Identity Provider metadata. On the page that appears, right-click the page and click Save As to download the metadata file.

Step 3: Create an IdP in the Alibaba Cloud Management Console

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. On the Role-based SSO tab, click Create IdP.
  4. In the Create IdP panel, enter okta-provider in the IdP Name field and enter a description of the IdP in the Note field.
  5. Click Upload under Metadata File to upload the SAML IdP metadata file that you downloaded in Step 2: Download the SAML IdP metadata file of Okta.
  6. Click OK.

Step 4: Create a RAM role in the Alibaba Cloud Management Console

  1. In the left-side navigation pane of the RAM console, click Roles.
  2. On the page that appears, click Create Role.
  3. In the Create Role panel, set Select Trusted Entity to IdP and click Next.
  4. Enter admin in the RAM Role Name field and enter the description of the RAM role in the Note field.
  5. Select the IdP that you created in Step 3: Create an IdP in the Alibaba Cloud Management Console, read the conditions, and then click OK.
  6. Click Close.

Step 5: Configure the profile of the application in Okta

  1. Add an attribute to the profile of the application.
    1. In the left-side navigation pane, choose Directory > Profile Editor.
    2. Find the user profile of the role-sso-test application and click the edit profile icon next to it.
    3. Click Add Attribute. In the Add Attribute dialog box, configure the attribute parameters.
      • Select string from the Data type drop-down list.
      • In the Display name field, enter approle. The name is displayed in the portal to represent the attribute.
      • In the Variable name field, enter approle. The variable is used to specify the Alibaba Cloud RAM role. You must record the value of Variable name for subsequent use.
      • In the Description field, enter a description for the attribute. This parameter is optional.
      • Select Define enumerated list of values next to Enum.
        Note If you select Define enumerated list of values, only enumeration values of the attribute are valid. You can clear Enum to increase flexibility.
      • In the Attribute members section, specify an enumeration value for the attribute. Each enumeration value must be the same as the name of a RAM role that you created in Alibaba Cloud. In this example, the values are admin and reader.
      • In this example, you do not need to set Attribute Length because an enumeration value is configured for the attribute. If no enumeration values are configured for an attribute, set the attribute length.
      • Select Yes next to Attribute required.
      • Clear User personal next to Scope.
    4. Click Save.
  2. Configure the attribute.
    1. In the left-side navigation pane, choose Applications > Applications.
    2. On the Applications page, click the application name role-sso-test.
    3. On the General tab, click Edit in the SAML Settings section.
    4. In the Attribute Statements (optional) section of the Configure SAML page, configure the two statements described below, as shown in the following figure.
      (Figure: editing the attribute statements)
      • Attribute statement 1
        • Enter https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName in the Name column.
        • Select user.email from the Value drop-down list.
      • Attribute statement 2
        • Enter https://www.aliyun.com/SAML-Role/Attributes/Role in the Name column.
        • In the Value column, enter the expression String.replace("acs:ram::<account_id>:role/$approle,acs:ram::<account_id>:saml-provider/okta-provider", "$approle", appuser.approle). Replace <account_id> with the ID of your Alibaba Cloud account. okta-provider is the name of the IdP that you created in Step 3: Create an IdP in the Alibaba Cloud Management Console, and appuser.approle is the attribute that you added to the application profile in the previous substep. Do not edit $approle: when Okta issues the SAML assertion, it evaluates the expression and substitutes the user's approle value (admin or reader in this example) for the $approle placeholder, so the Role attribute resolves to a pair of the form acs:ram::<account_id>:role/<role_name>,acs:ram::<account_id>:saml-provider/okta-provider. The role name must match a RAM role that trusts this IdP, and the account IDs in both ARNs must be the same. Example: String.replace("acs:ram::177242285274****:role/$approle,acs:ram::177242285274****:saml-provider/okta-provider", "$approle", appuser.approle).

Step 6: Create a user and assign the application to the user in Okta

  1. Create a user.
    1. In the left-side navigation pane, choose Directory > People.
    2. On the page that appears, click Add Person.
    3. In the Add Person dialog box, enter the email address of the user in the Primary email field, configure other parameters, and then click Save. In this example, the email address is test@example.com.
    4. In the user list, find test@example.com and click Activate in the Status column. In the dialog box that appears, activate test@example.com as prompted.
  2. Assign the application to the user.

    You can use one of the following methods to assign the application.

    • Assign the application to the user
      1. In the left-side navigation pane, choose Applications > Applications.
      2. Click the application name role-sso-test. On the Assignments tab, choose Assign > Assign to People.
      3. In the dialog box that appears, click Assign next to the test@example.com user.
      4. Select admin from the approle drop-down list.
      5. Click Save and Go Back.
      6. Click Done.
    • Add the user to a group and assign the application to the group
      1. In the left-side navigation pane, choose Directory > Groups. On the page that appears, click Add Group to create a group.
      2. Click the name of the group. On the page that appears, click Manage People to add the user to the group.
      3. In the left-side navigation pane, choose Applications > Applications.
      4. Click the application name role-sso-test. On the Assignments tab, choose Assign > Assign to Groups.
      5. Click Assign next to the group.
      6. Select admin from the approle drop-down list.
      7. Click Save and Go Back.
      8. Click Done.
      Note If the user belongs to multiple groups, only one value of the approle attribute is used. The used attribute value is the value that is specified for the group to which the user is first added. If the user is added to or removed from groups, the value of the approle attribute changes. For more information, see Okta Documentation.

Verify the role-based SSO configurations

  1. In the left-side navigation pane, choose Applications > Applications.
  2. On the Applications page, click the application name role-sso-test.
  3. In the App Embed Link section of the General tab, copy the logon URL.
  4. Open a new browser window, paste the logon URL in the address bar, and then press Enter. On the logon page, use test@example.com to log on.
    The logon is successful if the following page appears: the page to which the URL specified by the Default RelayState field points, or the homepage of the Alibaba Cloud Management Console.

(Optional) Assign multiple roles to a user in Okta

If you want to assign multiple roles to a user in Okta, create one group per role, name each group in the format that Alibaba Cloud expects for a Role attribute value, and replace the single Role attribute statement with a group attribute statement. To assign multiple roles to a user in Okta, perform the following steps:

  1. Create multiple groups. Each group name must follow the same format as a value of the Role attribute in the SAML assertion. For example, you can set the name of a group to acs:ram::177242285274****:role/admin,acs:ram::177242285274****:saml-provider/okta-provider.
     (Figure: adding a group)
  2. Add the test@example.com user to the groups.
  3. In the SAML Settings section of the application, delete the attribute statement for RAM roles (the statement named https://www.aliyun.com/SAML-Role/Attributes/Role) and keep the RoleSessionName statement. Then create a group attribute statement with the same name, https://www.aliyun.com/SAML-Role/Attributes/Role, and a filter that matches all of the group names you created. For example, set the filter to Starts with acs:ram. Each matching group name becomes one value of the Role attribute in the assertion.
     (Figure: group attribute statement)
  4. After the configurations are complete, log on to the Alibaba Cloud Management Console as the test@example.com user. You are prompted to select a role to assume.
     (Figure: role selection at sign-in)
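Both the single-role attribute statement in Step 5 and the group-based variant above end up placing values of the form acs:ram::<account_id>:role/<role_name>,acs:ram::<account_id>:saml-provider/<idp_name> in the assertion's Role attribute. The following Python script is an added example, not code from the Alibaba Cloud or Okta documentation. It reproduces on the producer side what the Okta String.replace expression does, models the Starts with acs:ram group filter, and on the consumer side applies the checks a relying party should make before trusting such values: well-formed pair, both ARNs in the same (expected) account, the expected saml-provider name, and exactly one RoleSessionName. The account ID 1234567890123456, the assertion body, and the group names are constructed for the example; the function names are this example's own.

```python
"""Build and check the SAML attributes used by Alibaba Cloud role-based SSO.

Added example, not part of the Alibaba Cloud or Okta documentation.
The account ID, assertion and group names below are constructed.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"
SESSION_NAME_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# A Role attribute value is "<RAM role ARN>,<SAML provider ARN>".
# "$" is not allowed in a name, so an unreplaced "$approle" placeholder
# (user without an approle value) fails to match and is rejected.
ROLE_PAIR_RE = re.compile(
    r"^acs:ram::(?P<role_acct>\d+):role/(?P<role>[\w.-]+),"
    r"acs:ram::(?P<idp_acct>\d+):saml-provider/(?P<idp>[\w.-]+)$"
)


def build_role_value(account_id: str, idp_name: str, approle: str) -> str:
    """Do what the Okta expression in Step 5 does at sign-on: fill the
    $approle placeholder in the template with the user's approle value."""
    template = (f"acs:ram::{account_id}:role/$approle,"
                f"acs:ram::{account_id}:saml-provider/{idp_name}")
    return template.replace("$approle", approle)


def role_values_from_groups(group_names):
    """Model the group attribute statement of the optional section: the
    filter 'Starts with acs:ram' selects the group names that are role pairs."""
    return [g for g in group_names if g.startswith("acs:ram")]


def role_value_error(value: str, expected_idp: str, expected_account: str):
    """Return None if the Role value is acceptable, otherwise a reason string."""
    m = ROLE_PAIR_RE.match(value.strip())
    if not m:
        return "malformed Role value"
    if m["role_acct"] != m["idp_acct"]:
        return "role ARN and saml-provider ARN are in different accounts"
    if m["role_acct"] != expected_account:
        return "ARNs are not in the expected account"
    if m["idp"] != expected_idp:
        return "saml-provider does not match the IdP the role trusts"
    return None


def roles_from_assertion(xml_text: str, expected_idp: str, expected_account: str):
    """Extract (RoleSessionName, [role names]) from an assertion body.

    The XML signature must already have been verified against the IdP
    metadata uploaded in Step 3; this function only checks attribute content.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    session = attrs.get(SESSION_NAME_ATTR, [])
    if len(session) != 1 or not session[0]:
        raise ValueError("exactly one non-empty RoleSessionName is required")
    roles = []
    for value in attrs.get(ROLE_ATTR, []):
        err = role_value_error(value, expected_idp, expected_account)
        if err:
            raise ValueError(f"{err}: {value!r}")
        roles.append(ROLE_PAIR_RE.match(value.strip())["role"])
    if not roles:
        raise ValueError("no Role attribute value present")
    return session[0], roles


# Constructed sample: a user assigned both roles via the group-based variant.
ACCOUNT_ID = "1234567890123456"
ADMIN_VALUE = build_role_value(ACCOUNT_ID, "okta-provider", "admin")
READER_VALUE = build_role_value(ACCOUNT_ID, "okta-provider", "reader")
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{SESSION_NAME_ATTR}">
      <saml:AttributeValue>test@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>{ADMIN_VALUE}</saml:AttributeValue>
      <saml:AttributeValue>{READER_VALUE}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(roles_from_assertion(SAMPLE_ASSERTION, "okta-provider", ACCOUNT_ID))
```

Running the script prints the session name test@example.com and the role list ['admin', 'reader'], which is the choice the user is offered at sign-in. A value naming a different saml-provider, or one whose two ARNs sit in different accounts, is rejected before any role is considered, which is the check that stops an assertion from one tenant's IdP from being replayed against a role that trusts another.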

For more information about how to use Okta, see Okta Documentation.