This topic describes the prerequisites and procedure to use CloudSSO and provides links to configuration examples.

Prerequisites

  • A resource directory is enabled, and the multi-account organizational structure is built.

    For more information, see Resource Directory overview.

  • Only the management account that is used to enable a resource directory can be used to enable CloudSSO.
    • Management account

      A management account is the account that is used to enable a resource directory and is the super administrator of the resource directory. The management account has full permissions on the resource directory and the members in the resource directory. You must use an enterprise account to enable a resource directory. Each resource directory has only one management account. For more information, see Enterprise account.

    • RAM users

      You must attach the AliyunCloudSSOFullAccess system policy to the Resource Access Management (RAM) users of the management account. For more information, see Grant permissions to a RAM user.

Procedure

  1. Enable CloudSSO and create the CloudSSO directory.

    For more information, see Enable CloudSSO and Create the CloudSSO directory.

  2. Manage users and groups.

    You can use one of the following methods:

    • Synchronize users or groups from an identity provider (IdP). We recommend that you use this method.
      1. Enable System for Cross-domain Identity Management (SCIM) synchronization and create SCIM credentials in the CloudSSO console.

        For more information, see Enable SCIM synchronization and Create SCIM credentials.

      2. Configure user and group synchronization in the IdP.

        For more information, see Configuration examples.

        Note: You can configure SCIM synchronization only when the IdP supports SCIM.
    • Create users or groups in the CloudSSO console.

      For more information, see Create a user, Create a group, and Add a user to a group.

  3. Specify a logon method.

    You can enable one of the following logon methods. If you enable a logon method, the other logon method is automatically disabled.

  4. Create an access configuration.

    An access configuration is a configuration template for CloudSSO users to access the accounts in resource directories. The template includes information such as the access permissions, session duration, and relay state. For more information, see Overview and Create an access configuration.

  5. Assign access permissions on the accounts in your resource directory to users or groups.

    You can specify the users or groups that are allowed to access the accounts in your resource directory based on the structure of the resource directory. You can also assign access permissions or configurations to users or groups. You can assign access permissions on the enterprise management account and member accounts in your resource directory. For more information, see Assign access permissions on the accounts in a resource directory.

  6. Access Alibaba Cloud resources.
    1. Log on to the CloudSSO user portal by using the logon method that you specified.
    2. View all the accounts that you can access in your resource directory.
    3. Select the required account to access the Alibaba Cloud resources on which the account has permissions.

    For more information, see Log on to the CloudSSO user portal.

Configuration examples

Enterprise IdP | SCIM synchronization                                  | SSO logon
Azure AD       | Synchronize users or groups in Azure AD by using SCIM | Configure SSO logon from Azure AD
Okta           | Synchronize users or groups in Okta by using SCIM     | Configure SSO logon from Okta
AD FS          | None                                                  | Configure SSO logon from AD FS