CloudSSO supports single sign-on (SSO) logon based on Security Assertion Markup Language (SAML) 2.0. Alibaba Cloud acts as the service provider (SP), and the identity management system of your enterprise acts as the identity provider (IdP). SSO logon allows enterprise employees to access CloudSSO by using their user identities in the IdP. With CloudSSO, you configure the settings only once to implement SSO logon from an IdP to Alibaba Cloud.

Procedure

  1. Specify Alibaba Cloud as a trusted SAML SP in an IdP and configure SAML assertions. For example, configure the NameID attribute in the assertions.

    The operations vary based on the IdP. For more information, see the documentation of your IdP.

  2. Specify the IdP as a trusted SAML IdP in the CloudSSO console.

    You must upload the metadata file of the IdP and enable SSO logon. For more information, see Enable SSO logon.

  3. Use System for Cross-domain Identity Management (SCIM) to synchronize users, or create users that have the same usernames as the IdP users in the CloudSSO console.

    If the IdP supports SCIM and contains a large number of users, you can directly synchronize the users in the IdP to CloudSSO. For more information about how to use SCIM synchronization, see Synchronize users or groups in Azure AD by using SCIM.

    If the IdP contains a small number of users, you can create users that have the same usernames as the IdP users in the CloudSSO console. When you create a user, set the name of the user to the value of the NameID attribute in the SAML assertions. For more information, see Create a user.

  4. Log on to the Alibaba Cloud Management Console as an IdP user by using the SSO logon method.
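The steps above depend on the NameID that the IdP emits (step 1) matching a username that exists in CloudSSO (step 3). The following added example, which is not Alibaba Cloud's code, is a pre-flight check that parses a test SAML response exported from an IdP, extracts the NameID, and verifies that it matches a provisioned username. The sample response and the set of usernames are constructed; the check does not validate the assertion signature and is meant only for confirming the mapping before SSO logon is enabled.

```python
# Added example (not Alibaba Cloud's code): pre-flight check that the NameID
# an IdP emits in its SAML assertion matches a username provisioned in CloudSSO
# (step 3 above). It does NOT validate the assertion signature; run it only on
# test assertions exported from your IdP. All sample values are constructed.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response, shaped like what an IdP sends to CloudSSO.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed set of usernames already created (or SCIM-synced) in CloudSSO.
CLOUDSSO_USERS = {"alice", "bob"}


def extract_name_id(response_xml):
    """Return (NameID value, NameID Format) from the first assertion."""
    root = ET.fromstring(response_xml)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID; configure it in the IdP (step 1)")
    return name_id.text.strip(), name_id.get("Format", "")


def check_user_mapping(response_xml, provisioned):
    """True when the asserted NameID matches a provisioned CloudSSO username.

    The comparison is an exact string match, so a case or domain-suffix
    difference (e.g. Alice@example.com vs alice) is reported as a miss and
    should be fixed in the IdP attribute mapping or the CloudSSO username.
    """
    value, _fmt = extract_name_id(response_xml)
    return value in provisioned


if __name__ == "__main__":
    print(check_user_mapping(SAMPLE_RESPONSE, CLOUDSSO_USERS))  # True
```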

References