This topic provides an example of how to implement role-based single sign-on (SSO) from Okta to Alibaba Cloud. The example describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud.

Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
  • An Okta account is created.
    Note A 30-day free trial is available for each Okta account.

Implementation

This topic uses an example to describe how to implement role-based SSO from Okta. In this example, an attribute named approle is added to the profile of an Okta application. The approle attribute is used to specify a Resource Access Management (RAM) role. The following figure shows the procedure to implement role-based SSO in Alibaba Cloud and Okta.


Step 1: Create an application in Okta

  1. Log on to the Okta portal.
    Note A 6-digit one-time verification code generated by the Okta Verify app is required for the logon. Install the Okta Verify app on your smartphone before you log on.
  2. In the upper-right corner of the Okta portal, click the account name, and select Your Org from the drop-down menu.
  3. In the upper-right corner of the page that appears, click Admin.
  4. In the top navigation bar, click Applications.
  5. On the Applications page, click Add Application.
  6. On the Add Application page, click Create New App.
  7. In the Create a New Application Integration dialog box, select Web from the Platform drop-down list, select SAML 2.0 as Sign on method, and then click Create.
  8. In the General Settings step, enter role-sso-test in the App name field and click Next.
  9. In the Configure SAML step, set the parameters and click Next.
    • Enter https://signin.alibabacloud.com/saml-role/sso in the Single sign on URL field.
    • Enter urn:alibaba:cloudcomputing:international in the Audience URI field.
    • Enter a URL in the Default RelayState field. A user is redirected to the URL after logon.
      Note For security purposes, you must specify a URL that points to an Alibaba website. For example, the domain name in the URL can be *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If the URL that you specify does not point to an Alibaba website, the setting is invalid. If this field is left empty, a user is redirected to the homepage of the Alibaba Cloud Management Console by default after logon.
    • Select EmailAddress from the Name ID format drop-down list.
    • Select Email from the Application username drop-down list.
  10. Select an application type based on your business requirements and click Finish.

Step 2: Download the SAML IdP metadata file of Okta

  1. In the top navigation bar of the Okta portal, click Applications.
  2. Click the application name (role-sso-test).
  3. On the Sign On tab, click Identity Provider metadata to download the SAML IdP metadata file of Okta.

Step 3: Create an IdP in Alibaba Cloud

  1. Log on to the RAM console with the Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. On the Role-based SSO tab, click Create IdP.
  4. Enter okta-provider in the IdP Name field and enter a description of the IdP in the Note field.
  5. Click Upload under Metadata File to upload the SAML IdP metadata file that you downloaded in Step 2: Download the SAML IdP metadata file of Okta.
  6. Click OK.

Step 4: Create a RAM role in Alibaba Cloud

  1. In the left-side navigation pane of the RAM console, click RAM Roles.
  2. On the RAM Roles page, click Create RAM Role.
  3. In the Create RAM Role pane, select IdP under Trusted Entity Type and click Next.
  4. Enter admin in the RAM Role Name field and enter a description of the RAM role in the Note field.
  5. Select the IdP that you created in Step 3: Create an IdP in Alibaba Cloud, view the conditions, and then click OK.
  6. Click Close.

Step 5: Configure the profile of the application in Okta

  1. Add an attribute to the profile of the application.
    1. In the top navigation bar of the Okta portal, choose Directory > Profile Editor.
    2. Find the profile, and click the edit profile button in the Actions column.
    3. Click Add Attribute. In the Add Attribute dialog box, set the attribute parameters.
      • Select string from the Data type drop-down list.
      • Enter approle in the Display name field. The display name is displayed in the Okta portal to represent the attribute.
      • Enter approle in the Variable name field. The variable is used to specify the Alibaba Cloud RAM role. You must record the variable name for subsequent use.
      • Select the Define enumerated list of values check box next to Enum.
        Note If you select the Define enumerated list of values check box, only the enumeration values of the attribute are accepted. You can clear the check box to increase flexibility, but then any string can be assigned: a mistyped value produces a role ARN that does not exist in RAM, and the error surfaces only when the user tries to log on to Alibaba Cloud.
      • Specify an enumeration for the attribute in the Attribute members section. Each enumeration value must be the same as the name of a RAM role that you created in Alibaba Cloud. In this example, the values are admin and reader.
      • Optional. Enter a description of the attribute in the Description field.
      • In this example, you do not need to set Attribute Length, because an enumeration is configured for the attribute. If no enumeration is configured for an attribute, set the attribute length.
      • Select the Yes check box next to Attribute required.
      • Clear the User personal check box next to Scope.
    4. Click Save.
  2. Configure the attribute.
    1. In the top navigation bar, choose Applications > Applications.
    2. Click the application name (role-sso-test).
    3. In the SAML Settings section of the General tab, click Edit.
    4. In the ATTRIBUTE STATEMENTS (OPTIONAL) section of the Configure SAML page, specify the following two attribute statements:
      • Attribute statement 1
        • Enter https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName in the Name column.
        • Enter user.email in the Value column.
      • Attribute statement 2
        • Enter https://www.aliyun.com/SAML-Role/Attributes/Role in the Name column.
        • Enter String.replace("acs:ram::<account_id>:role/$approle,acs:ram::<account_id>:saml-provider/okta-provider", "$approle", appuser.approle) in the Value column. Replace <account_id> with the ID of your Alibaba Cloud account, and keep $approle as it is: Okta evaluates the expression at logon and replaces the $approle placeholder with the value of the approle attribute of the user (appuser.approle), which must be the name of a RAM role, such as admin or reader. approle is the attribute that you added to the profile. okta-provider is the name of the IdP that you created in Step 3: Create an IdP in Alibaba Cloud. Example: String.replace("acs:ram::177242285274****:role/$approle,acs:ram::177242285274****:saml-provider/okta-provider", "$approle", appuser.approle). For a user whose approle value is admin, the resulting attribute value in the SAML assertion is acs:ram::177242285274****:role/admin,acs:ram::177242285274****:saml-provider/okta-provider, which is the "role ARN,provider ARN" pair that RAM requires.

Step 6: Add a user and assign the application to the user in Okta

  1. Add a user.
    1. In the top navigation bar of the Okta portal, choose Directory > People.
    2. On the People page, click Add Person. In the Add Person dialog box, enter the email address of the user in the Primary email field and set other parameters. In this example, the email address is test@example.com.
    3. Select the Send user activation email now check box under the Password field and click Save.
      Note Activate the Okta user as prompted.
  2. Assign the application to the user.

    You can use one of the following methods to complete the assignment:

    • Assign the application to the user.
      1. In the top navigation bar, click Applications.
      2. Click the application name (role-sso-test). On the Assignments tab, choose Assign > Assign to People.
      3. In the dialog box that appears, click Assign next to the test@example.com user.
      4. Select admin from the approle drop-down list.
      5. Click Save and Go Back.
      6. Click Done.
    • Add the user to a group and assign the application to the group.
      1. In the top navigation bar, choose Directory > Groups. On the page that appears, click Add Group to create a group.
      2. Click the name of the group. On the page that appears, click Manage People to add the user to the group.
      3. In the top navigation bar, click Applications.
      4. Click the application name (role-sso-test). On the Assignments tab, choose Assign > Assign to Groups.
      5. Click Assign next to the group.
      6. Select admin from the approle drop-down list.
      7. Click Save and Go Back.
      8. Click Done.
      Note If the user belongs to multiple groups, only one value of the approle attribute is valid. The valid attribute value is the value that is specified for the group to which the user is first added. The value of the approle attribute changes if the user is added to or removed from groups. For more information, see Okta Product Documentation.

Test role-based SSO

  1. In the top navigation bar of the Okta portal, choose Applications > Applications.
  2. Click the application name (role-sso-test).
  3. In the App Embed Link section of the General tab, copy the logon URL.
  4. Open a new browser window, paste the logon URL in the address bar, and then press Enter. On the logon page, use test@example.com to log on.
    The logon is successful if the page to which the URL specified by the Default RelayState field points, or the homepage of the Alibaba Cloud Management Console, appears.

(Optional) Assign multiple roles to a user in Okta

If you want to assign multiple roles to a user in Okta, you must create multiple groups whose names follow the required format and create a group attribute statement. To assign multiple roles to a user in Okta, perform the following steps:

  1. Create multiple groups. Each group name must follow the same format as a value of the role attribute in the SAML assertion. For example, you can set the name of a group to acs:ram::177242285274****:role/admin,acs:ram::177242285274****:saml-provider/okta-provider.
  2. Add the test@example.com user to the groups.
  3. Delete the Role attribute statement (https://www.aliyun.com/SAML-Role/Attributes/Role) from the SAML Settings section of the application, and keep the RoleSessionName attribute statement. Create a group attribute statement with the same name, https://www.aliyun.com/SAML-Role/Attributes/Role, and make sure that the filter matches all of the group names. For example, you can set the filter to Starts with acs:ram. Every matching group name is then sent as a value of the Role attribute, so a group whose name does not follow the format is ignored rather than mapped to a role.
  4. After the configurations are complete, log on to the Alibaba Cloud Management Console as the test@example.com user. You are prompted to select a role to assume.
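To see what the attribute statements from Step 5 and the group attribute statement above actually produce, and what RAM checks when it receives them, the following script is an added example (not code from Alibaba Cloud or Okta, and not a replacement for the XML signature validation that RAM performs). It reproduces the String.replace expression from Step 5, builds a constructed assertion carrying one or more Role values, and validates the audience, the NameID format, the RoleSessionName and every Role value in the "role ARN,provider ARN" shape; several Role values correspond to the multi-role case, where the user is prompted to select a role. The account ID 1234567890123456 is a placeholder; test@example.com, okta-provider and the role names admin and reader come from this topic.

```python
"""Check the attributes Okta sends to Alibaba Cloud in the SAML assertion.

Added example for this topic; not code from Alibaba Cloud or Okta. The assertion
is constructed; the account ID 1234567890123456 is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "urn:alibaba:cloudcomputing:international"
ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"
SESSION_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SAMPLE_ACCOUNT = "1234567890123456"  # constructed placeholder account ID

# "role_arn,provider_arn": the only shape RAM accepts for a Role value.
ROLE_PAIR = re.compile(
    r"^acs:ram::(\d+):role/([A-Za-z0-9._-]+),acs:ram::(\d+):saml-provider/([A-Za-z0-9._-]+)$"
)


def okta_role_value(account_id: str, idp_name: str, approle: str) -> str:
    """Same result as the Step 5 expression String.replace(..., "$approle", appuser.approle)."""
    template = f"acs:ram::{account_id}:role/$approle,acs:ram::{account_id}:saml-provider/{idp_name}"
    return template.replace("$approle", approle)


def parse_role_pair(value: str) -> tuple:
    """Split a Role value into (role name, IdP name); reject malformed or cross-account pairs."""
    m = ROLE_PAIR.match(value.strip())
    if not m:
        raise ValueError(f"malformed Role value: {value!r}")
    role_account, role, provider_account, provider = m.groups()
    if role_account != provider_account:
        raise ValueError("role ARN and saml-provider ARN name different accounts")
    return role, provider


def build_sample_assertion(role_values, audience: str = AUDIENCE) -> str:
    """Constructed assertion carrying the two Alibaba Cloud attribute statements."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in role_values)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_NAMEID}">test@example.com</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue>test@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ROLE_ATTR}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str, expected_idp: str, allowed_roles) -> dict:
    """Validate audience, NameID format and the two Alibaba Cloud attributes."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != AUDIENCE:
        raise ValueError(f"audience {audience!r} is not the Alibaba Cloud audience URI")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        raise ValueError("NameID must use the EmailAddress format selected in Step 1")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    sessions = attrs.get(SESSION_ATTR, [])
    if len(sessions) != 1 or not sessions[0]:
        raise ValueError("exactly one non-empty RoleSessionName is required")
    roles = []
    for value in attrs.get(ROLE_ATTR, []):
        role, provider = parse_role_pair(value)
        if provider != expected_idp:
            raise ValueError(f"Role value names IdP {provider!r}, expected {expected_idp!r}")
        if role not in allowed_roles:
            raise ValueError(f"role {role!r} is not a RAM role created for this IdP")
        if role not in roles:
            roles.append(role)
    if not roles:
        raise ValueError("no Role value: RAM has no role to assume")
    # Several distinct roles is the multi-role case: the user is prompted to pick one.
    return {"subject": name_id.text, "session_name": sessions[0],
            "roles": roles, "prompt_for_role": len(roles) > 1}


def rejects(xml_text: str, expected_idp: str, allowed_roles) -> bool:
    """True when check_assertion refuses the assertion."""
    try:
        check_assertion(xml_text, expected_idp, allowed_roles)
    except ValueError:
        return True
    return False
```

With one Role value built by okta_role_value(SAMPLE_ACCOUNT, "okta-provider", "admin"), check_assertion returns roles ["admin"] and prompt_for_role False; with admin and reader it returns both roles and prompt_for_role True. A role name outside the enumeration, a provider ARN naming a different IdP or account, a wrong audience, or a Role attribute with no values is rejected, which is the behaviour you want to confirm before trusting an IdP with production roles.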

For more information about how to use Okta, see Okta Product Documentation.