CloudSSO: Example: SSO from Microsoft Entra ID to CloudSSO

Last Updated: Jun 21, 2026

This topic shows how to configure SAML-based single sign-on (SSO logon) from Microsoft Entra ID (formerly Azure AD) to CloudSSO.

Use cases

Suppose your company uses a multi-account structure in Alibaba Cloud Resource Directory (RD). You want to configure single sign-on to allow Microsoft Entra ID users to access specific resources in designated member accounts within your resource directory.

Note

The Microsoft Entra ID configurations described in this topic are for reference only. They help you understand the end-to-end process of configuring single sign-on. Alibaba Cloud does not provide consulting services for Microsoft Entra ID configurations.

Prerequisites

  • A Global Administrator in Microsoft Entra ID must perform all configuration operations.

    For information about how to create a user and grant administrative permissions in Microsoft Entra ID, see the Microsoft Entra ID documentation.

  • Synchronize users from Microsoft Entra ID to CloudSSO, or create users in CloudSSO with matching usernames.

    • (Recommended) Synchronize users from Microsoft Entra ID to CloudSSO: This method is suitable for managing many users in Microsoft Entra ID. For more information, see Example: Synchronizing users or user groups from Microsoft Entra ID by using SCIM.

    • Create users in CloudSSO with matching usernames: This method is suitable for managing a few users in Microsoft Entra ID. For more information, see Create a user.

      Note

      Usernames are used for user logon. When you use single sign-on, the CloudSSO username must match the value of the single sign-on field in Microsoft Entra ID. For more information, see Step 3: Configure SAML.

  • Create an access configuration in CloudSSO and grant permissions on member accounts to define what CloudSSO users can access.

    For more information, see Create an access configuration and Grant access to a member account.

Step 1: Obtain service provider metadata

  1. Log on to the CloudSSO console.

  2. In the left-side navigation pane, click Settings.

  3. In the SSO Logon section, download the service provider (SP) metadata document.

(Optional) Step 2: Create an application

Note

If you have already configured SCIM synchronization, skip this step and use the application that you configured for SCIM.

  1. Log on to the Azure portal as the global administrator of Microsoft Entra ID.

  2. In the upper-left corner of the homepage, click the portal menu icon.

  3. In the left-side navigation pane, choose Microsoft Entra ID > Manage > Enterprise applications > All applications.

  4. Click New application.

  5. On the Browse Microsoft Entra App Gallery page, click Create your own application.

  6. In the Create your own application panel, enter a name for your application. In this example, enter CloudSSODemo. Then, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

Step 3: Configure SAML

  1. On the CloudSSODemo page, in the left-side navigation pane, select Manage > Single sign-on.

  2. On the Select a single sign-on method page, click SAML.

  3. On the Set up Single Sign-On with SAML page, configure the following settings.

    1. In the upper-left corner of the page, click Upload metadata file, select the SP metadata document from Step 1, and then click Add.

    2. In the Basic SAML Configuration section, configure the following parameters and click Save.

      • Identifier (Entity ID): Required. The value populates automatically when you import the SP metadata document.

        Note

        If the value is not automatically populated, copy the value of Entity ID from the SSO Logon section on the Settings page of the CloudSSO console.

      • Reply URL (Assertion Consumer Service URL): Required. The value populates automatically when you import the SP metadata document.

        Note

        If the value is not automatically populated, copy the value of ACS URL from the SSO Logon section on the Settings page of the CloudSSO console.

      • Relay State: Optional. It specifies the Alibaba Cloud page where users are redirected after a successful SSO logon. If you do not configure this parameter, users are redirected to the CloudSSO user portal by default.

        Note

        For security reasons, only a URL under the *.alibabacloudsso.com domain is accepted. A Relay State that points anywhere else makes the configuration invalid.

    3. In the Attributes & Claims section, click Edit. Set Unique User Identifier (NameID) to user.userprincipalname or another unique user identifier.

      Note

      • You can set the NameID in the SAML assertion to any field that uniquely identifies the user, such as user.userprincipalname or user.mail. CloudSSO requires that the incoming NameID value match the CloudSSO username, so you must create users in CloudSSO based on this field value for SSO logon to succeed.

      • If you also configured SCIM synchronization, you must use the same field, such as user.userprincipalname, for the userName attribute in the SCIM configuration.

    4. In the SAML Certificates section, click Download to obtain the Federation Metadata XML file.

(Optional) Step 4: Assign users

Note

If you have already configured SCIM synchronization, skip this step.

  1. On the CloudSSODemo page, in the left-side navigation pane, select Manage > Users and groups.

  2. In the upper-left corner, click Add user/group.

  3. Select the users that you want to assign.

  4. Click Assign.

Step 5: Enable SSO logon

  1. In the left-side navigation pane of the CloudSSO console, click Settings.

  2. In the SSO Logon section, click Configure Identity Provider.

  3. In the Configure Identity Provider dialog box, select Upload Metadata Document.

  4. Click Upload File to upload the identity provider metadata document from Step 3.

  5. Turn on the SSO logon switch to enable SSO logon.

    Note

    After you enable SSO logon, username and password logon is disabled. This means CloudSSO users can no longer sign in with their platform credentials. Once enabled, all users must sign in through your identity provider.
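The configuration above is an exchange of two metadata documents (the SP metadata from Step 1 and the Federation Metadata XML from Step 3) plus two rules that are easy to get wrong: the Relay State must stay under *.alibabacloudsso.com, and the NameID must equal a CloudSSO username. The following added example (not CloudSSO's or Microsoft's own code) parses both documents and runs those checks before the SSO logon switch is turned on; the metadata samples, URLs and tenant values are constructed placeholders, and requiring HTTPS for the Relay State is an added assumption rather than a rule stated in this topic.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata in the shape of the document exported in Step 1 (placeholder URLs).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://signin-example.alibabacloudsso.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://signin-example.alibabacloudsso.com/saml/acs" index="0"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed IdP metadata in the shape of the Federation Metadata XML from Step 3 (placeholders).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/TENANT-PLACEHOLDER/">
  <IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2"/></IDPSSODescriptor>
</EntityDescriptor>"""

def sp_settings(xml_text):
    """Values that must appear in Entra ID's Basic SAML Configuration (Identifier and Reply URL)."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location")}

def idp_settings(xml_text):
    """Signing certificate and SSO endpoint that CloudSSO takes from the uploaded IdP metadata."""
    root = ET.fromstring(xml_text)
    cert = root.find(".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = root.find(".//md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "has_signing_cert": cert is not None and bool((cert.text or "").strip())}

def relay_state_allowed(url):
    """Relay State rule from this topic: host under *.alibabacloudsso.com (HTTPS is an added assumption)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()  # hostname strips any user@ prefix, so look-alike netlocs fail
    return p.scheme == "https" and host.endswith(".alibabacloudsso.com")

def preflight(sp_xml, idp_xml, relay_state, nameid, cloudsso_usernames):
    """Checks worth running before turning on the SSO logon switch, which disables password logon."""
    sp, idp = sp_settings(sp_xml), idp_settings(idp_xml)
    return {"acs_is_https": urlparse(sp["acs_url"]).scheme == "https",
            "idp_signing_cert": idp["has_signing_cert"],
            "relay_state_ok": relay_state is None or relay_state_allowed(relay_state),
            "nameid_matches_user": nameid in cloudsso_usernames}  # NameID must equal a username
```

Run preflight with the real SP metadata, the downloaded Federation Metadata XML, your intended Relay State and the NameID value of a test user; any False entry is a reason not to enable the switch yet.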

Verify the results

After completing the single sign-on configuration, you can initiate single sign-on from Alibaba Cloud or Microsoft Entra ID.

Initiate SSO from Alibaba Cloud

  1. On the Overview page of the CloudSSO console, copy the user logon URL.

  2. Open the copied user logon URL in a new browser window.

  3. On the SSO Sign-in page, confirm the Corporate Account Sign-in URL, and then click Go. The system redirects you to the Microsoft Entra ID sign-in page.

  4. Log on with your Microsoft Entra ID username and password.

    The system logs you on and redirects you to the page specified by the Relay State parameter. If Relay State is not specified or points outside the allowed domain, you are redirected to the CloudSSO user portal.

  5. On the Log on as RAM Role tab, find the target member account and click Show Details in the Permissions column.

  6. In the permissions panel, find the target permission and click Log On in the Action column.

  7. Access your permitted resources in the member account.

Initiate SSO from Microsoft Entra ID

  1. Obtain the user access URL.

    1. Log on to the Azure portal as an administrator.

    2. On the home page, click the portal menu icon.

    3. In the left-side navigation pane, go to Microsoft Entra ID > Manage > Enterprise applications > All applications.

    4. Click the CloudSSODemo application.

    5. In the left-side navigation pane, click Properties and copy the User access URL.

      The User access URL is the link that users can use to directly access this application from their browsers.

  2. Obtain the User access URL from your administrator, enter the URL in a browser, and then sign in with your Microsoft Entra ID credentials.

    The system logs you on and redirects you to the page specified by the Relay State parameter. If Relay State is not specified or points outside the allowed domain, you are redirected to the CloudSSO user portal.

  3. On the Log on as RAM Role tab, find the target member account and click Show Details in the Permissions column.

  4. In the permissions panel, find the target permission and click Log On in the Action column.

  5. Access your permitted resources in the member account.
