This topic describes how to configure single sign-on (SSO) logon from Azure Active Directory (Azure AD) to CloudSSO. In this topic, Azure AD is abbreviated as AAD.

Background information

Assume that an enterprise uses AAD as its identity provider (IdP), that AAD contains a large number of users, and that the enterprise has built a multi-account structure in a resource directory. The enterprise wants to implement SSO logon so that users in AAD can directly access specific resources within the specified members of the resource directory.

All configuration operations in AAD must be performed by an administrator who is assigned the Global Administrator role. For more information about how to create a user and assign the Global Administrator role to the user in AAD, see the AAD documentation.

Preparations

Before you configure SSO logon, perform the following operations:

  1. Synchronize users from AAD to CloudSSO, or create users that have the same usernames as the users in AAD in the CloudSSO console.
    • Synchronize users from AAD to CloudSSO: This method is suitable for scenarios in which a large number of users exist in AAD. We recommend that you use this method. For more information, see Synchronize users or groups in Azure AD by using SCIM.
    • Create users that have the same usernames as the users in AAD in the CloudSSO console: This method is suitable for scenarios in which a small number of users exist in AAD. For more information, see Create a user.
      Note Usernames are used for logon. The username of a CloudSSO user must exactly match the value of the AAD attribute that is sent as the NameID during SSO logon. For more information, see Step 3: Configure SAML in AAD.
  2. Create access configurations and specify policies in the CloudSSO console.
    For more information, see Create an access configuration.
  3. Assign access permissions on the accounts in your resource directory to users.

Step 1: Obtain the SP metadata file in the CloudSSO console

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the SSO Logon section of the page that appears, download the service provider (SP) metadata file.

Step 2: (Optional) Create an application in AAD

Note If you have configured System for Cross-domain Identity Management (SCIM) synchronization, skip this step and use the application that is used for SCIM synchronization.
  1. Log on to the Azure portal as an administrator.
  2. In the upper-left corner of the AAD homepage, click the portal menu icon.
  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  4. On the page that appears, click New application.
  5. On the Browse Azure AD Gallery page, click Create your own application.
  6. In the Create your own application panel, enter a name for your application. In this example, CloudSSODemo is used. Then, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

Step 3: Configure SAML in AAD

  1. In the left-side navigation pane of the CloudSSODemo page, click Single sign-on.
  2. In the Select a single sign-on method section of the page that appears, click SAML.
  3. In the Set up Single Sign-On with SAML section of the page that appears, perform the following steps:
    1. In the upper-left corner, click Upload metadata file. Then, select the SP metadata file that is obtained in Step 1 and click Add.
    2. In the Basic SAML Configuration panel, configure the following parameters and click Save.
      • Identifier (Entity ID): required. After the SP metadata file is imported, the value of this parameter is automatically displayed.
        Note If the value is not automatically displayed, go to the Settings page of the CloudSSO console and copy the value of Entity ID in the SSO Logon section.
      • Reply URL (Assertion Consumer Service URL): required. After the SP metadata file is imported, the value of this parameter is automatically displayed.
        Note If the value is not automatically displayed, go to the Settings page of the CloudSSO console and copy the value of ACS URL in the SSO Logon section.
      • Relay State: optional. This parameter specifies the URL of the page to which a user is redirected after logging on to the Alibaba Cloud Management Console by using SSO. If you do not configure this parameter, the user is redirected to the CloudSSO user portal by default.
        Note For security reasons, only a URL whose host is a subdomain of alibabacloudsso.com (*.alibabacloudsso.com) is accepted. This restriction prevents the RelayState parameter from being used as an open redirect to a site outside CloudSSO. If you enter a URL on any other domain, the configuration is invalid.
    3. In the User Attributes & Claims section, click Edit. In the Required claim section of the page that appears, set Unique User Identifier (Name ID) to user.userprincipalname or another attribute that uniquely identifies the user.
      Note
      • The NameID attribute in SAML assertions must uniquely identify the user. In most cases, you can set it to user.userprincipalname or user.mail. CloudSSO requires that the value of the NameID attribute be identical to the username of a user created in the CloudSSO console. Therefore, create each CloudSSO user with a username equal to the NameID value that AAD will send; otherwise SSO logon fails for that user.
      • If SCIM synchronization is configured, the SCIM userName attribute must be mapped to the same source attribute as NameID. For example, set both userName and NameID to user.userprincipalname.
    4. In the SAML Signing Certificate section, click Download on the right of Federation Metadata XML to download the related XML file.

Step 4: (Optional) Assign users in AAD

Note If SCIM synchronization is configured, skip this step.
  1. In the upper-left corner of the AAD homepage, click the portal menu icon.
  2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  3. In the application list of the page that appears, click CloudSSODemo in the Name column.
  4. In the left-side navigation pane, click Users and groups.
  5. In the upper-left corner of the page that appears, click Add user/group.
  6. Select users.
  7. Click Assign.

Step 5: Enable SSO logon in the CloudSSO console

  1. In the left-side navigation pane of the CloudSSO console, click Settings.
  2. In the SSO Logon section, click Upload to upload the Federation Metadata XML file (the IdP metadata file) that you downloaded in Step 3.
  3. Turn on the switch for SSO logon to enable SSO logon.
    Note After SSO logon is enabled, username-password logon is automatically disabled and SSO logon takes effect for all users. Before you turn on the switch, make sure that every user who needs access has a CloudSSO username that matches the NameID value that AAD sends; otherwise, those users can no longer log on.
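Because turning on the switch disables password logon for everyone at once, the mapping between the NameID claim chosen in Step 3 and the CloudSSO usernames is worth checking in bulk first. The following script is an added example (not part of the original page or of CloudSSO itself). The user records and usernames are constructed; the third AAD entry uses the userPrincipalName shape AAD gives B2B guest users, which shows why user.mail can be the better NameID source for them. Whether CloudSSO compares usernames case-insensitively is not stated on this page, so case-only differences are reported separately as an assumption to verify rather than treated as matches.

```python
# Constructed sample data; none of these are real accounts.
AAD_USERS = [
    {"userprincipalname": "alice@corp.example", "mail": "alice@corp.example"},
    {"userprincipalname": "bob@corp.example", "mail": "Bob@corp.example"},
    {"userprincipalname": "carol_contoso.com#EXT#@corp.onmicrosoft.com", "mail": "carol@contoso.com"},
    {"userprincipalname": "dave@corp.example", "mail": None},
]
CLOUDSSO_USERNAMES = {"alice@corp.example", "bob@corp.example", "carol@contoso.com"}


def preflight(aad_users, cloudsso_usernames, source="userprincipalname"):
    """Simulate the NameID AAD will send for each user (the claim source from Step 3)
    and compare it with the CloudSSO usernames. Buckets in the returned report:
      ok        - NameID equals a CloudSSO username; SSO logon will work
      missing   - no CloudSSO user with that exact name; locked out once the switch is on
      case_only - a CloudSSO username differs only in letter case (assumption: not
                  documented as a match, so verify before relying on it)
      unused_cloudsso_users - CloudSSO users no AAD user maps to; nobody can log on as them
    """
    by_lower = {u.lower(): u for u in cloudsso_usernames}
    report = {"ok": [], "missing": [], "case_only": [], "unused_cloudsso_users": []}
    for user in aad_users:
        name_id = user.get(source)
        if not name_id:
            report["missing"].append((user["userprincipalname"], "AAD attribute %s is empty" % source))
        elif name_id in cloudsso_usernames:
            report["ok"].append(name_id)
        elif name_id.lower() in by_lower:
            report["case_only"].append((name_id, by_lower[name_id.lower()]))
        else:
            report["missing"].append((name_id, "no CloudSSO user with this username"))
    report["unused_cloudsso_users"] = sorted(cloudsso_usernames - set(report["ok"]))
    return report


def safe_to_enable(report):
    """True only when every AAD user maps cleanly; fix names before Step 5, not after."""
    return not report["missing"] and not report["case_only"]


if __name__ == "__main__":
    for source in ("userprincipalname", "mail"):
        r = preflight(AAD_USERS, CLOUDSSO_USERNAMES, source)
        print("NameID source = %s: safe to enable SSO? %s" % (source, safe_to_enable(r)))
        for name, reason in r["missing"]:
            print("  LOCKOUT  %s (%s)" % (name, reason))
        for sent, existing in r["case_only"]:
            print("  CHECK    AAD sends %s, CloudSSO has %s" % (sent, existing))
        for name in r["unused_cloudsso_users"]:
            print("  UNUSED   %s" % name)
```

With SCIM synchronization in place the same check applies to the userName attribute mapping, since that is what creates the CloudSSO usernames the NameID must match.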

Verify the configuration results

After you configure SSO, you can initiate SSO logon from either Alibaba Cloud (SP-initiated) or AAD (IdP-initiated).

  • Initiate SSO logon from Alibaba Cloud
    1. Log on to the CloudSSO console. Go to the Overview page and copy the URL used to log on to the user portal.
    2. Open a browser, paste the copied URL, and then press Enter.
    3. Click Redirect. You are redirected to the logon page of AAD.
    4. On the page that appears, enter the username and password of the required AAD user.

      After the logon succeeds, you are redirected to the page that is specified by the Relay State parameter. If you did not configure the Relay State parameter or set the parameter to an invalid value, you are redirected to the user portal.

    5. Find the required account in your resource directory and click Show Details in the Permission column.
    6. In the panel that appears, find the required access configuration and click Log On in the Actions column.
    7. Access the Alibaba Cloud resources on which the account has permissions.
  • Initiate SSO logon from AAD
    1. Obtain the user access URL.
      1. Log on to the Azure portal as an administrator.
      2. In the upper-left corner of the AAD homepage, click the portal menu icon.
      3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
      4. In the application list of the page that appears, click CloudSSODemo.
      5. In the left-side navigation pane, click Properties and copy the value of User access URL.

        You can paste the copied user access URL in the address bar of your browser to access the application.

    2. As a user, after you obtain the user access URL from the administrator, open the URL in a browser and log on with your AAD username and password.

      After the logon succeeds, you are redirected to the page that is specified by the Relay State parameter. If you did not configure the Relay State parameter or set the parameter to an invalid value, you are redirected to the user portal.

    3. Find the required account in your resource directory and click Show Details in the Permission column.
    4. In the panel that appears, find the required access configuration and click Log On in the Actions column.
    5. Access the Alibaba Cloud resources on which the account has permissions.
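If a test logon in either flow fails, the quickest diagnosis is to look at the SAMLResponse that AAD posts to the ACS URL (copy the form field from the browser's developer tools) and compare its fields with the values on the CloudSSO Settings page. The following script is an added example (not part of the original page or of CloudSSO); it decodes a response and lists the field-level mismatches that map to the steps above. It does not verify the XML signature, which needs the IdP certificate from Step 3. The response body, the entity IDs, the ACS URL and the usernames are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholders for the values shown on the CloudSSO Settings page.
EXPECTED = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sp_entity_id": "https://signin.alibabacloudsso.com/sp-placeholder",
    "acs_url": "https://signin.alibabacloudsso.com/saml/acs-placeholder",
}

# Constructed SAMLResponse (signature omitted) in the shape AAD posts to the ACS URL.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://signin.alibabacloudsso.com/saml/acs-placeholder"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@corp.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
            Recipient="https://signin.alibabacloudsso.com/saml/acs-placeholder"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://signin.alibabacloudsso.com/sp-placeholder</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_ts(s):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(b64, expected, now, cloudsso_usernames):
    """Decode a SAMLResponse form field and return the NameID plus the reasons the SP
    would reject it. Each problem names the configuration step it points back to."""
    root = ET.fromstring(base64.b64decode(b64))
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        problems.append("IdP returned status %s (user not assigned in Step 4?)" % status)
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination %r != Reply URL from Step 3" % root.get("Destination"))
    a = root.find("saml:Assertion", NS)
    if a is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return {"name_id": None, "problems": problems}
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected["idp_entity_id"]:
        problems.append("Issuer %r != entity ID of the metadata uploaded in Step 5" % issuer)
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != expected["sp_entity_id"]:
        problems.append("Audience %r != Identifier (Entity ID) from Step 3" % aud)
    cond = a.find("saml:Conditions", NS)
    if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion outside its validity window (clock skew?)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != expected["acs_url"]:
        problems.append("Recipient %r != Reply URL from Step 3" % scd.get("Recipient"))
    if now >= parse_ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation expired (response replayed or delayed)")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in cloudsso_usernames:
        problems.append("NameID %r matches no CloudSSO username (Step 3 claim vs. Preparations)" % name_id)
    return {"name_id": name_id, "problems": problems}


if __name__ == "__main__":
    now = parse_ts("2024-01-01T12:00:30Z")           # fixed clock so the sample validates
    for users in ({"alice@corp.example"}, {"alice.smith@corp.example"}):
        result = check_saml_response(SAMPLE_SAML_RESPONSE_B64, EXPECTED, now, users)
        print(result["name_id"], result["problems"] or "OK")
```

Paste the real SAMLResponse value in place of SAMPLE_SAML_RESPONSE_B64 and use datetime.now(timezone.utc) for the clock; a NameID problem means the username side (Preparations and Step 3), while Audience, Destination or Issuer problems mean the wrong metadata was exchanged in Step 1, Step 3 or Step 5.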