All Products
Search
Document Center

Resource Access Management:Implement role-based SSO from Okta

Last Updated:Jul 17, 2023

This topic provides an example on how to implement role-based single sign-on (SSO) from Okta to Alibaba Cloud. The example describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud.

Procedure

In this example, an attribute named approle is added to the profile of an Okta application. The approle attribute is used to specify a Resource Access Management (RAM) role. The following figure shows the procedure to implement role-based SSO in Alibaba Cloud and Okta.

Flowchart

Step 1: Create an application that supports SAML 2.0-based SSO in Okta

  1. Log on to the Okta portal.

  2. In the upper-right corner of the Okta portal, click the account name and select Your Org from the drop-down list.

  3. In the left-side navigation pane, choose Applications > Applications.

  4. On the Applications page, click Create App Integration.

  5. In the Create a new app integration dialog box, select SAML 2.0 and click Next.

  6. In the General Settings step, enter role-sso-test in the App name field and click Next.

  7. In the Configure SAML step, configure the parameters and click Next.

    • In the Single sign-on URL field, enter https://signin.alibabacloud.com/saml-role/sso.

    • In the Audience URI (SP Entity ID) field, enter urn:alibaba:cloudcomputing:international.

    • In the Default RelayState field, enter a URL. A user is redirected to the URL after logon.

      Note

      For security purposes, you must enter a URL that points to an Alibaba website in the Default RelayState field. For example, you can enter a URL that contains one of the following domain names: *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, and *.alipay.com. If you enter a URL that does not point to an Alibaba website, the configuration is invalid. If you leave this parameter empty, a user is redirected to the homepage of the Alibaba Cloud Management Console by default.

    • Select EmailAddress from the Name ID format drop-down list.

    • Select Email from the Application username drop-down list.

    • Retain the default value for the Update application username on parameter.

  8. On the Feedback page, select a type for the application and click Finish.

Step 2: Download the SAML IdP metadata file of Okta

  1. On the Applications page, click role-sso-test. On the page that appears, click the Sign On tab.

  2. In the SAML 2.0 section, copy the metadata URL and download the metadata file to your on-premises machine.

Step 3: Create a SAML IdP in Alibaba Cloud

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the SAML tab and click Create IdP.

  4. On the Create IdP page, set IdP Name to okta-provider and configure Remarks.

  5. In the Metadata File field, click Upload to upload the IdP metadata file obtained in Step 2: Download the SAML IdP metadata file of Okta.

  6. Click OK.

Step 4: Create a RAM role in Alibaba Cloud

  1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.

  2. On the Roles page, click Create Role.

  3. In the Create Role panel, select IdP for Select Trusted Entity and click Next.

  4. Set RAM Role Name to admin and enter the description of the RAM role in the Note field.

  5. Select SAML for the IdP Type parameter.

  6. Select the IdP that you created in Step 3: Create a SAML IdP in Alibaba Cloud, read the conditions, and then click OK.

  7. Click Close.

Step 5: Configure the profile of the application in Okta

  1. Add an attribute to the profile of the application.

    1. In the left-side navigation pane, choose Directory > Profile Editor.

    2. Search for role-sso-test and click its name.

    3. In the Attributes section of the Profile Editor page, click Add Attribute.

    4. In the Add Attribute dialog box, configure the parameters for the attribute.

      • Select string from the Data type drop-down list.

      • In the Display name field, enter approle. The name is displayed in the portal to represent the attribute.

      • In the Variable name field, enter approle. The variable is used to specify the Alibaba Cloud RAM role. You must record the value of Variable name for subsequent use.

      • In the Description field, enter a description for the attribute. This parameter is optional.

      • Select Define enumerated list of values next to Enum.

        Note

        If you select Define enumerated list of values, only enumeration values of the attribute are valid. You can clear Enum to increase flexibility.

      • In the Attribute members section, specify an enumeration value for the attribute. Each enumeration value must be the same as the name of a RAM role that you created in Alibaba Cloud. In this example, the values are admin and reader.

      • In this example, you do not need to set Attribute Length because an enumeration value is configured for the attribute. If no enumeration values are specified for an attribute, configure the Attribute Length parameter.

      • Select Yes next to Attribute required.

      • Clear User personal next to Scope.

    5. Click Save.

  2. Configure the attribute.

    1. In the left-side navigation pane, choose Applications > Applications.

    2. On the Applications page, click the application name role-sso-test.

    3. In the SAML Settings section of the General tab, click Edit.

    4. In the Attribute Statements (optional) section of the Configure SAML page, configure two statements, as shown in the following figure.Edit an attribute

      • Attribute statement 1

        • Enter https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName in the Name field.

        • Select user.email from the Value drop-down list.

      • Attribute statement 2

        • Enter https://www.aliyun.com/SAML-Role/Attributes/Role in the Name field.

        • Select String.replace("acs:ram::<account_id>:role/$approle,acs:ram::<account_id>:saml-provider/okta-provider", "$approle", appuser.approle) from the Value drop-down list. Replace $approle with an enumeration value of approle. approle is the attribute that you added to the profile. okta-provider is the name of the IdP that you created in Step 3: Create a SAML IdP in Alibaba Cloud. Replace <account_id> with the ID of your Alibaba Cloud account. Example: String.replace("acs:ram::177242285274****:role/$approle,acs:ram::177242285274****:saml-provider/okta-provider", "$approle", appuser.approle).

Step 6: Create a user and assign the application to the user in Okta

  1. Create a user.

    1. In the left-side navigation pane, choose Directory > People.

    2. On the page that appears, click Add Person.

    3. In the Add Person dialog box, enter the email address of the user in the Primary email field, configure other parameters, and then click Save. In this example, the email address is username@example.com.

    4. In the user list, find username@example.com and click Activate in the Status column. In the dialog box that appears, activate username@example.com as prompted.

  2. Assign the application to the user.

    You can use one of the following methods to assign the application.

    • Assign the application to the user

      1. In the left-side navigation pane, choose Applications > Applications.

      2. Click the application name role-sso-test. On the Assignments tab, choose Assign > Assign to People.

      3. In the dialog box that appears, click Assign next to the username@example.com user.

      4. Select admin from the approle drop-down list.

      5. In the dialog box that appears, click Save and Go Back.

      6. Click Done.

    • Add the user to a group and assign the application to the group

      1. In the left-side navigation pane, choose Directory > Groups. On the page that appears, click Add Group to create a group.

      2. Click the name of the group. On the page that appears, click Manage People to add the user to the group.

      3. In the left-side navigation pane, choose Applications > Applications.

      4. Click the application name role-sso-test. On the Assignments tab, choose Assign > Assign to Groups.

      5. Click Assign next to the group.

      6. Select admin from the approle drop-down list.

      7. In the dialog box that appears, click Save and Go Back.

      8. Click Done.

      Note

      If the user belongs to multiple groups, only one value of the approle attribute can be used. The used attribute value is the value that is specified for the group to which the user is first added. If the user is added to or removed from groups, the value of the approle attribute changes. For more information, see Okta Documentation.

Verify the user-based SSO configurations

  1. In the left-side navigation pane, choose Applications > Applications.

  2. On the Applications page, click the application name role-sso-test.

  3. In the App Embed Link section of the General tab, copy the logon URL.

  4. Open a new browser window, paste the logon URL in the address bar, and then press Enter. On the logon page, use username@example.com for logon.

    If the page to which the URL specified by the Default RelayState field points or the homepage of the Alibaba Cloud Management Console appears, the logon is successful.Successful result

(Optional) Assign multiple roles to a user in Okta

If you want to assign multiple roles to a user in Okta, you must create multiple user groups in the required format and create a group attribute statement. To assign multiple roles to a user in Okta, perform the following steps:

  1. Create multiple groups. Each group name must follow the same format as a value of the role attribute in the SAML assertion. For example, you can set the name of a group to acs:ram::177242285274****:role/admin,acs:ram::177242285274****:saml-provider/okta-provider.Create user groups

  2. Add username@example.com to the groups.

  3. Delete the attribute statements of RAM roles from the SAML Settings section of the application. Then, create a group attribute statement. Make sure that Name is set to https://www.aliyun.com/SAML-Role/Attributes/Role and the filter condition can be used to filter all group names. For example, you can set the filter to Start with acs:ram.Group attribute statements

  4. After the configurations are complete, log on to the Alibaba Cloud Management Console as the username@example.com user. You are prompted to select a role that you want to assume.User-based logon

For more information about how to use Okta, see Okta Documentation.