This topic describes how to configure single sign-on (SSO) logon from Okta to CloudSSO.

Background information

Assume that an enterprise uses Okta as a local identity provider (IdP) that contains a large number of users and the enterprise has built a multi-account structure in a resource directory. The enterprise wants to configure settings to implement SSO logon. This way, the users in Okta can directly access specific resources within the specified members in the resource directory.

Step 1: Obtain the SP metadata file in the CloudSSO console

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the SSO Logon section, copy the values of ACS URL and Entity ID for the service provider (SP).

Step 2: Create an application in Okta

  1. Log on to the Okta portal.
  2. In the upper-right corner of the Okta portal, click the account name and select Your Org from the drop-down list.
  3. In the left-side navigation pane, choose Applications > Applications.
  4. On the Applications page, click Create App Integration.
  5. In the Create a new app integration dialog box, select SAML 2.0 and click Next.
  6. Configure the application.
    1. In the General Settings step, set App name to CloudSSODemo and click Next.
    2. In the Configure SAML step, configure Security Assertion Markup Language (SAML) settings and click Next.
      • Single sign on URL: Set this parameter to the value of ACS URL obtained in Step 1: Obtain the SP metadata file in the CloudSSO console.
      • Audience URI (SP Entity ID): Set this parameter to the value of Entity ID obtained in Step 1: Obtain the SP metadata file in the CloudSSO console.
      • Default RelayState: Set this parameter to the URL of the page that is displayed after a user logs on to the Alibaba Cloud Management Console by using the SSO logon method. If you do not configure this parameter, the user is redirected to the CloudSSO user portal by default.
        Note To ensure security, you are allowed to enter only a URL that contains *.alibabacloudsso.com. If you enter a URL that does not contain this domain name, the configuration is invalid.
      • Name ID format: Select EmailAddress.
      • Application username: Select Okta username.
        Note You can set the NameID attribute in SAML assertions to a value that uniquely identifies the user, for example, a username or an email address. CloudSSO requires that the value of the NameID attribute be the same as the username of the user created in the CloudSSO console. Therefore, use the same value for the NameID attribute whether you configure SSO logon, configure synchronization by using System for Cross-domain Identity Management (SCIM), or create a user manually. If the values differ, SSO logon fails.
    3. On the Feedback page, select a type for the application and click Finish.
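The two settings above that most often break SSO logon are the Default RelayState domain restriction and the NameID value that must equal a CloudSSO username. The following added example (not part of this procedure or of any Alibaba Cloud or Okta code) checks both against a constructed sample assertion; the SP Entity ID and username list are placeholders, and the RelayState check deliberately reads the "*.alibabacloudsso.com" rule strictly as "the URL's host must be under alibabacloudsso.com over HTTPS", which is an assumption, not CloudSSO's documented implementation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def relaystate_allowed(url: str) -> bool:
    """Strict reading of the console rule (assumption): parse the URL and require
    an HTTPS host under alibabacloudsso.com, rather than a plain substring match,
    so a URL that merely mentions the domain in its path or query is rejected."""
    p = urlparse(url)
    return (p.scheme == "https" and p.hostname is not None
            and p.hostname.endswith(".alibabacloudsso.com"))


def check_assertion(xml_text: str, sp_entity_id: str, cloudsso_usernames: set) -> list:
    """Return the mismatches between an IdP assertion and the CloudSSO-side settings:
    Audience must equal the SP Entity ID, NameID must use the EmailAddress format,
    and the NameID value must equal an existing CloudSSO username."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text for a in root.findall(".//saml:Audience", SAML_NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not match SP Entity ID {sp_entity_id}")
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        problems.append("assertion has no NameID")
        return problems
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID format is {name_id.get('Format')}, expected EmailAddress")
    if name_id.text not in cloudsso_usernames:
        problems.append(f"NameID {name_id.text!r} matches no CloudSSO username; SSO logon will fail")
    return problems


# Constructed sample assertion; the Audience value is a placeholder, not a real Entity ID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:example:cloudsso-sp-entity-id-placeholder</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Run `check_assertion` against an assertion captured from a browser SAML tracer during a failed logon to see which of the three settings disagrees with the CloudSSO side.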

Step 3: Obtain the IdP metadata file in Okta

  1. On the CloudSSODemo details page, click the Sign On tab.
  2. In the Settings section, click Identity Provider metadata to download the IdP metadata file to your computer.

Step 4: Assign users to the application in Okta

Note If no users are created in Okta, you must first create users. For more information, see Create an Okta user.
  1. On the CloudSSODemo details page, click the Assignments tab.
  2. Click Assign and select an assignment method.
    • Assign to People: Assign a user. In this example, select this method.
    • Assign to Groups: Assign a group.
  3. In the Assign CloudSSODemo to People dialog box, click Assign on the right of the required user.
  4. Check or modify the value of User Name. Then, click Save and Go Back.
  5. Repeat Step 3 and Step 4 to assign other users to the application in sequence.
  6. Click Done.

Step 5: Enable SSO logon in the CloudSSO console

  1. In the left-side navigation pane of the CloudSSO console, click Settings.
  2. In the SSO Logon section, click Upload to upload the IdP metadata file that is obtained in Step 3: Obtain the IdP metadata file in Okta.
  3. Turn on the switch for SSO logon to enable SSO logon.
    Note After SSO logon is enabled, username-password logon is automatically disabled. This setting applies to all users: from then on, every user must log on by using the SSO logon method.

Step 6: Synchronize or create users

You can synchronize users from Okta to CloudSSO or create the users that have the same usernames as the users in Okta in the CloudSSO console.

  • Synchronize users from Okta to CloudSSO: This method is suitable for scenarios in which a large number of users exist in Okta. We recommend that you use this method. For more information, see Synchronize users or groups in Okta by using SCIM.
  • Create users that have the same usernames as the users in Okta in the CloudSSO console: This method is suitable for scenarios in which a small number of users exist in Okta. For more information, see Create a user.
    Note Usernames are used for user logons. When you configure SSO logon, the username of a CloudSSO user must be the same as the value of the field that is used for SSO logon in Okta. For more information, see Step 2: Create an application in Okta.

Step 7: (Optional) Assign access permissions to users

If you want a CloudSSO user to access specific resources within the specified members in a resource directory after the user logs on to the user portal by using the SSO logon method, you must create access configurations that define access permissions. Then, you must assign the access permissions on the members to the user.

  1. Create access configurations and specify policies in the CloudSSO console.
    For more information, see Create an access configuration.
  2. Assign access permissions on the accounts in your resource directory to users.

Verify the configuration results

After you complete the preceding configurations, you can initiate SSO logon from Alibaba Cloud or Okta.

  • Initiate SSO logon from Alibaba Cloud
    1. Log on to the CloudSSO console. Go to the Overview page and copy the URL used to log on to the user portal.
    2. Open a browser, paste the copied URL, and then press Enter.
    3. Click Redirect. You are redirected to the logon page of Okta.
    4. On the page that appears, enter the username and password of the required Okta user.

      After the logon succeeds, you are redirected to the page that is specified by Default RelayState. In this example, Default RelayState is not configured, and you are redirected to the user portal shown in the following figure.

      (Figure: User portal)
    5. Find the required account in your resource directory and click Show Details in the Permission column.
    6. In the panel that appears, find the required access configuration and click Log On in the Actions column.
    7. Access the Alibaba Cloud resources on which the account has permissions.
  • Initiate SSO logon from Okta
    1. Log on to the Okta portal as an Okta user.
    2. Click the CloudSSODemo application.

      After the logon succeeds, you are redirected to the page that is specified by Default RelayState. In this example, Default RelayState is not configured, and you are redirected to the user portal shown in the following figure.

      (Figure: User portal)
    3. Find the required account in your resource directory and click Show Details in the Permission column.
    4. In the panel that appears, find the required access configuration and click Log On in the Actions column.
    5. Access the Alibaba Cloud resources on which the account has permissions.