
CloudSSO: Terms

Last Updated: Dec 22, 2023

This topic introduces the basic concepts related to CloudSSO.

Term

Description

directory

The CloudSSO directory is the CloudSSO instance. Before you can use CloudSSO, you must create the CloudSSO directory, which is the container for all CloudSSO resources (users, groups, access configurations, and SSO settings). When you create the directory, you must select a region. Alibaba Cloud stores all data in the directory only in that region, so that data residency and compliance requirements can be met. An Alibaba Cloud account can create only one directory.

user

A user is a type of CloudSSO identity. You create and manage the users who need to access Alibaba Cloud resources in the CloudSSO console, and you assign them access permissions on the accounts in a resource directory.

group

A group is a type of CloudSSO identity. You can add users to groups and assign permissions to users by group. This helps you centrally manage permissions.

MFA

Multi-factor authentication (MFA) is a security enhancement that adds a second factor on top of the username and password. MFA is enabled by default for users who log on to the CloudSSO user portal with a username and password, and users authenticate with MFA devices that are bound to their accounts. For more information, see Manage MFA.

identity synchronization

CloudSSO supports user and group synchronization based on System for Cross-domain Identity Management (SCIM). SCIM-based synchronization is also called identity provisioning or identity push. If you enable identity synchronization, you manage identities only in your identity provider (IdP): the IdP pushes user and group changes to CloudSSO, so you do not need to manually create or delete users and groups, or add users to or remove users from groups, in the CloudSSO console. A single source of truth for identities improves management efficiency and security, because offboarding in the IdP propagates to CloudSSO instead of relying on a manual cleanup.
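To make the push model concrete, the following is an added example of a minimal SCIM 2.0 service provider (the role CloudSSO plays towards the IdP), written for this page and not taken from CloudSSO or from Alibaba Cloud's code. It is an in-memory implementation of a subset of RFC 7643/7644: POST /Users, POST /Groups, and PATCH with add, remove (by the `members[value eq "..."]` filter) and replace operations. The helper `run_sync_scenario` replays a constructed sequence of IdP pushes, including offboarding a user by removing the group membership and setting `active` to false; the users, groups and identifiers in it are invented for the example.

```python
"""Minimal in-memory SCIM 2.0 service provider (RFC 7643/7644 subset).

Added example for this page; not CloudSSO's implementation and no Alibaba
Cloud API is used. It shows how an IdP that is the single source of truth
pushes users and groups to a target directory.
"""
import re
import uuid
from typing import Any, Optional

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Only the PATCH path form members[value eq "<id>"] is accepted for removals;
# a bare "members" remove (clear all) is deliberately rejected below.
_MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def _error(status: int, detail: str, scim_type: Optional[str] = None) -> tuple[int, dict]:
    body: dict[str, Any] = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimDirectory:
    """Users and groups keyed by the server-assigned id."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}
        self.groups: dict[str, dict] = {}

    def create_user(self, payload: dict) -> tuple[int, dict]:  # POST /Users
        if USER_SCHEMA not in payload.get("schemas", []):
            return _error(400, "missing User schema", "invalidValue")
        user_name = payload.get("userName")
        if not user_name:
            return _error(400, "userName is required", "invalidValue")
        # userName is unique (case-insensitive); a second push is a 409 uniqueness error.
        if any(u["userName"].lower() == user_name.lower() for u in self.users.values()):
            return _error(409, "userName already exists", "uniqueness")
        uid = str(uuid.uuid4())
        self.users[uid] = {"schemas": [USER_SCHEMA], "id": uid, "externalId": payload.get("externalId"),
                           "userName": user_name, "active": bool(payload.get("active", True)),
                           "emails": payload.get("emails", []), "meta": {"resourceType": "User"}}
        return 201, self.users[uid]

    def create_group(self, payload: dict) -> tuple[int, dict]:  # POST /Groups
        if GROUP_SCHEMA not in payload.get("schemas", []) or not payload.get("displayName"):
            return _error(400, "displayName and Group schema are required", "invalidValue")
        gid = str(uuid.uuid4())
        self.groups[gid] = {"schemas": [GROUP_SCHEMA], "id": gid, "displayName": payload["displayName"],
                            "members": [], "meta": {"resourceType": "Group"}}
        return 201, self.groups[gid]

    def patch_group(self, gid: str, payload: dict) -> tuple[int, dict]:  # PATCH /Groups/{id}
        group = self.groups.get(gid)
        if group is None:
            return _error(404, "group not found")
        if PATCH_SCHEMA not in payload.get("schemas", []):
            return _error(400, "missing PatchOp schema", "invalidValue")
        for op in payload.get("Operations", []):
            kind, path = op.get("op", "").lower(), op.get("path")
            if kind == "add" and path == "members":
                for m in op.get("value", []):
                    if m["value"] not in self.users:  # membership must reference a pushed user
                        return _error(400, f"unknown member {m['value']}", "invalidValue")
                    if all(x["value"] != m["value"] for x in group["members"]):
                        group["members"].append({"value": m["value"]})
            elif kind == "remove" and path and (match := _MEMBER_FILTER.match(path)):
                group["members"] = [x for x in group["members"] if x["value"] != match.group(1)]
            elif kind == "replace" and path == "displayName":
                group["displayName"] = op["value"]
            else:
                return _error(400, f"unsupported operation {kind} on {path}", "invalidPath")
        return 200, group

    def patch_user(self, uid: str, payload: dict) -> tuple[int, dict]:  # PATCH /Users/{id}
        # IdPs usually deprovision by replacing active=false rather than DELETE,
        # so access is revoked while the record stays available for audit.
        user = self.users.get(uid)
        if user is None:
            return _error(404, "user not found")
        for op in payload.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                user["active"] = bool(op["value"])
            else:
                return _error(400, "unsupported operation", "invalidPath")
        return 200, user

    def active_members(self, gid: str) -> list[str]:
        """userNames of the group's members whose accounts are still active."""
        return sorted(self.users[m["value"]]["userName"]
                      for m in self.groups[gid]["members"] if self.users[m["value"]]["active"])


def run_sync_scenario() -> ScimDirectory:
    """Constructed IdP push sequence: two users, one group, then offboard the second user."""
    d = ScimDirectory()
    _, alice = d.create_user({"schemas": [USER_SCHEMA], "userName": "alice@example.com", "externalId": "idp-1"})
    _, bob = d.create_user({"schemas": [USER_SCHEMA], "userName": "bob@example.com", "externalId": "idp-2"})
    _, admins = d.create_group({"schemas": [GROUP_SCHEMA], "displayName": "cloud-admins"})
    d.patch_group(admins["id"], {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "add", "path": "members", "value": [{"value": alice["id"]}, {"value": bob["id"]}]}]})
    d.patch_group(admins["id"], {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "remove", "path": f'members[value eq "{bob["id"]}"]'}]})
    d.patch_user(bob["id"], {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "replace", "path": "active", "value": False}]})
    return d
```

The point of the scenario is the offboarding path: after the IdP's two PATCH requests, `active_members` on the group no longer lists bob, and any later attempt by the IdP to push a duplicate `userName` is rejected with a 409 `uniqueness` error rather than silently creating a second identity.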

access configuration

An access configuration is a configuration template that is used by CloudSSO users to access the accounts in a resource directory. The template contains permission configurations. You can use this template to assign access permissions on the accounts in your resource directory to CloudSSO users. For more information, see Overview.

Resource Directory

Resource Directory is a service that is provided by Alibaba Cloud. Resource Directory allows you to manage the relationships among multiple levels of enterprise resources or accounts. For more information, see Resource Directory overview.

account in a resource directory

The following list describes two types of accounts in a resource directory:

  • Management account: an Alibaba Cloud account that has passed enterprise real-name verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account.

  • Member: an account that belongs to the resource directory other than the management account. A member is used to isolate the resources of a project or application on Alibaba Cloud from other resources. There are two kinds of members: resource accounts, which are created directly in the resource directory, and cloud accounts, which are existing Alibaba Cloud accounts that you invite and that join the resource directory after their owners accept the invitation.

multi-account authorization

You can specify the users or groups that are allowed to access the accounts in your resource directory based on the structure of the resource directory. You can also assign access permissions and configurations to users or groups. You can assign access permissions on the enterprise management account or member accounts in your resource directory. For more information, see Overview.

access configuration provisioning

When you assign access permissions on an account in your resource directory to a user, the template in the specified access configuration is provisioned for that account: the corresponding Resource Access Management (RAM) role, the RAM policies attached to it, and the identity provider (IdP) entry used for single sign-on (SSO) are created in the account. You can also de-provision an access configuration from an account. Note that if you modify an access configuration that has already been provisioned for an account, the change is not applied automatically; you must re-provision the access configuration for the account for the modification to take effect. For more information, see Overview.

asynchronous task

When you provision or de-provision an access configuration, CloudSSO automatically creates an asynchronous task. The following list describes the scenarios in which an asynchronous task is created:

  • Assign access permissions on the accounts in your resource directory to the CloudSSO user.

  • Remove access permissions on an account in your resource directory from a user.

  • Provision an access configuration for an account in your resource directory.

  • De-provision an access configuration from an account in your resource directory.

You can log on to the CloudSSO console and go to the Historical Tasks page to view the asynchronous tasks that are created in the last seven days.

CloudSSO user portal

The CloudSSO user portal is an independent portal for CloudSSO users to access Alibaba Cloud resources. After a user logs on to the user portal, the user can view all accounts that the user can access in a resource directory. Then, the user can select an account to go to the Alibaba Cloud Management Console and access Alibaba Cloud resources based on the permissions configured in an access configuration. You can log on to the CloudSSO console and go to the Overview page to view the URL that is used to log on to the user portal dedicated to your CloudSSO directory. For more information, see Log on to the CloudSSO user portal and access Alibaba Cloud resources.

CloudSSO administrator

A CloudSSO administrator can be the enterprise management account that is used to enable a resource directory. A RAM user that is created by the enterprise management account and to whom the AliyunCloudSSOFullAccess policy is attached can also serve as an administrator. Because the management account is the super administrator of the whole resource directory, day-to-day CloudSSO administration is better done from such a RAM user than from the management account itself.

SSO

CloudSSO supports SSO based on Security Assertion Markup Language (SAML) 2.0. Alibaba Cloud is the service provider (SP), and the identity management system of an enterprise is the IdP. SSO allows enterprise employees to log on to the CloudSSO user portal with their user identities in the IdP, so that authentication takes place in the IdP rather than in CloudSSO.

  • An IdP provides identity management services. Common IdPs include Active Directory Federation Services (AD FS), Azure Active Directory (Azure AD), Okta, and Keycloak.

  • An SP is an application that relies on the identity management feature of an IdP to provide users with specific services; it trusts the user information asserted by the IdP. In identity systems that do not use SAML, such as OpenID Connect (OIDC), the SP role is called the relying party (RP) of the IdP.

For more information, see Overview.