This topic introduces the basic concepts related to CloudSSO.

directory

The directory is the CloudSSO instance. Before you can use CloudSSO, you must create a CloudSSO directory, which is used to manage all CloudSSO resources. When you create the directory, you must select a region. Alibaba Cloud stores all data in the directory only in the selected region, which avoids data residency compliance risks. An Alibaba Cloud account can create only one directory.

user

A user is a type of CloudSSO identity. In the CloudSSO console, you can create and manage the users who need to access Alibaba Cloud resources, and assign them access permissions on the accounts in a resource directory.

group

A group is a type of CloudSSO identity. You can add users to groups and assign permissions by group, which lets you manage permissions centrally.

MFA

Multi-factor authentication (MFA) is an easy-to-use and effective authentication method that adds a layer of protection on top of username and password authentication. If a user logs on to the CloudSSO user portal by using the username-password logon method, MFA is enabled by default. CloudSSO allows you to use MFA devices for authentication. For more information, see Manage MFA.

identity synchronization

CloudSSO supports user and group synchronization based on System for Cross-domain Identity Management (SCIM). This is also known as identity provisioning or identity push. If you enable identity synchronization, you need to manage identities only in your identity provider (IdP); you do not need to manually create users and groups, or change group memberships, in the CloudSSO console. This improves management efficiency and security.

access configuration

An access configuration is a configuration template that CloudSSO users use to access the accounts in a resource directory. The template contains permission configurations. You use this template to assign access permissions on the accounts in your resource directory to CloudSSO users. For more information, see Overview.

Resource Directory

Resource Directory is an Alibaba Cloud service that allows you to manage the relationships among multiple levels of enterprise resources or accounts. For more information, see Resource Directory overview.

account in a resource directory

A resource directory contains two types of accounts:

  • Enterprise management account: the account that is used to enable a resource directory and acts as its super administrator. It has full permissions on the resource directory and on the member accounts in it. Only an Alibaba Cloud account that has passed enterprise real-name verification can be used to enable a resource directory. Each resource directory has exactly one enterprise management account.
  • Member account: a container that groups resources in a resource directory. A member account typically represents a project or an application. The resources of different member accounts are physically isolated.

multi-account authorization

You can specify which users or groups are allowed to access the accounts in your resource directory, based on the structure of the resource directory, and assign access permissions and access configurations to those users or groups. You can assign access permissions on the enterprise management account or on member accounts in your resource directory. For more information, see Overview.

access configuration provisioning

When you assign access permissions on an account in your resource directory to a user, the template in the specified access configuration is provisioned for that account: the access configuration is materialized as the RAM role, RAM policy, and single sign-on (SSO) IdP in that account. You can also de-provision access configurations from an account in your resource directory. If you modify an access configuration that has already been provisioned for an account, the change is not applied to the account automatically; you must manually re-provision the access configuration for the modification to take effect. For more information, see Overview.

asynchronous task

When you provision or de-provision an access configuration, CloudSSO automatically creates an asynchronous task. An asynchronous task is created in the following scenarios:

  • Assign access permissions on an account in your resource directory to a user.
  • Remove access permissions on an account in your resource directory from a user.
  • Provision an access configuration for an account in your resource directory.
  • De-provision an access configuration from an account in your resource directory.

You can log on to the CloudSSO console and go to the Historical Tasks page to view the asynchronous tasks created in the last seven days.

CloudSSO user portal

The CloudSSO user portal is an independent portal through which CloudSSO users access Alibaba Cloud resources. After logging on to the user portal, a user can view all accounts in the resource directory that the user is allowed to access, select one, and go to the Alibaba Cloud Management Console to access resources according to the permissions configured in the access configuration. You can log on to the CloudSSO console and go to the Overview page to view the logon URL of the user portal dedicated to your CloudSSO directory. For more information, see Log on to the CloudSSO user portal.

CloudSSO administrator

A CloudSSO administrator is either the enterprise management account that is used to enable a resource directory, or a RAM user that is created by that account and granted management permissions on CloudSSO.

SSO

CloudSSO supports SSO based on Security Assertion Markup Language (SAML) 2.0. Alibaba Cloud is a service provider (SP). The identity management system of an enterprise is an IdP. Enterprise employees can use identities in the IdP to log on to the CloudSSO user portal by using the SSO logon method.

  • An IdP provides identity management services. The most common IdPs include Active Directory Federation Service (AD FS), Azure Active Directory (Azure AD), Okta, and Keycloak.
  • An SP is an application that relies on the identity management feature of an IdP to provide users with specific services, and consumes the user information that the IdP provides. In identity systems that do not use SAML, such as OpenID Connect, the SP is called the relying party (RP) of the IdP.

For more information, see Overview.