This topic introduces the basic concepts related to CloudSSO.
|directory||The directory is the CloudSSO instance. Before you can use CloudSSO, you must create the CloudSSO directory. The directory is used to manage all CloudSSO resources. To create the CloudSSO directory, you must select a region. Alibaba Cloud stores all data in the directory only in the selected region to prevent security compliance risks. An Alibaba Cloud account can create only one directory.|
|user||A user is a type of CloudSSO identity. CloudSSO allows you to manage users. You can create and manage users who need to access Alibaba Cloud resources in the CloudSSO console. You can also assign access permissions on the accounts in a resource directory to users.|
|group||A group is a type of CloudSSO identity. You can add users to groups and assign permissions to users by group. This helps you centrally manage permissions.|
|MFA||Multi-factor authentication (MFA) is an easy-to-use and effective authentication method. In addition to username and password authentication, MFA provides an extra layer of protection. If a user logs on to the CloudSSO user portal by using the username-password logon method, MFA is enabled by default. CloudSSO allows you to use MFA devices for authentication. For more information, see Manage MFA.|
|identity synchronization||CloudSSO supports user and group synchronization based on System for Cross-domain Identity Management (SCIM). SCIM is also known as identity provisioning or identity push. If you enable identity synchronization, you need only to manage identities in your identity provider (IdP). You do not need to manually manage users and groups, or add users to or remove users from groups in the CloudSSO console. This improves management efficiency and security.|
|access configuration||An access configuration is a configuration template that is used by CloudSSO users to access the accounts in a resource directory. The template contains permission configurations. You can use this template to assign access permissions on the accounts in your resource directory to CloudSSO users. For more information, see Overview.|
|Resource Directory||Resource Directory provided by Alibaba Cloud allows you to manage the relationships among multiple levels of enterprise resources or accounts. For more information, see Resource Directory overview.|
|account in a resource directory|| The following list describes two types of accounts in a resource directory:
|multi-account authorization||You can specify the users or groups that are allowed to access the accounts in your resource directory based on the structure of the resource directory. You can also assign access permissions and configurations to users or groups. You can assign access permissions on the enterprise management account or member accounts in your resource directory. For more information, see Overview.|
|access configuration provisioning||When you assign access permissions on an account in your resource directory to a user, the configuration template in the specified access configuration is provisioned for the account. Then, the access configuration serves as the RAM role, RAM policy, and IdP for single sign-on (SSO) of the account. You can de-provision access configurations from an account in your resource directory. If an access configuration has been provisioned for an account in your resource directory but you modify the access configuration, you must manually re-provision the access configuration for the modification to take effect. The modification cannot be automatically applied to the account. For more information, see Overview.|
|asynchronous task||When you provision or de-provision an access configuration, CloudSSO automatically creates an asynchronous task. The following list describes the scenarios in which an asynchronous task is created:
|CloudSSO user portal||The CloudSSO user portal is an independent portal for CloudSSO users to access Alibaba Cloud resources. After a user logs on to the user portal, the user can view all accounts that the user can access in a resource directory. Then, the user can select an account to go to the Alibaba Cloud Management Console and access Alibaba Cloud resources based on the permissions configured in an access configuration. You can log on to the CloudSSO console and go to the Overview page to view the URL that is used to log on to the user portal dedicated to your CloudSSO directory. For more information, see Log on to the CloudSSO user portal.|
|CloudSSO administrator||A CloudSSO administrator can be the enterprise management account that is used to enable a resource directory. A RAM user that is created by the enterprise management account and is assigned the management permissions on CloudSSO can also serve as an administrator.|
CloudSSO supports SSO based on Security Assertion Markup Language (SAML) 2.0. Alibaba Cloud is a service provider (SP). The identity management system of an enterprise is an IdP. Enterprise employees can use identities in the IdP to log on to the CloudSSO user portal by using the SSO logon method.
For more information, see Overview.