This topic describes how to configure the metadata for user-based single sign-on (SSO) based on SAML 2.0, build trust between Alibaba Cloud and the enterprise, and implement identity provider (IdP)-initiated SSO to Alibaba Cloud.

Background information

You can specify the default domain name, a domain alias, or an auxiliary domain name to simplify the configuration of SAML-based SSO. For more information about how to specify the default domain name or domain alias for an Alibaba Cloud account, see View and modify the default domain name and Create and verify a domain alias.

Procedure

  1. Log on to the Resource Access Management (RAM) console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Integrations > SSO.
  3. On the page that appears, click the User-based SSO tab. Then, view the current configuration in the Setup SSO section.
  4. Click Edit. In the SSO Settings dialog box, modify the configuration.
    • SSO Status: Select Enabled or Disabled.
      Note The configuration of SSO Status applies only to RAM users of your Alibaba Cloud account and does not affect the logon of your Alibaba Cloud account.
      • The Disabled option is selected for SSO Status by default. If the default configuration is retained, SSO settings do not take effect and RAM users can use their passwords to log on to the system.
      • If you select the Enabled option for SSO Status, RAM users cannot use their passwords to log on to the system. Instead, RAM users must log on to the IdP service for identity authentication. If you select the Disabled option for SSO Status again, password-based logon is automatically restored.
    • Metadata File: Click Upload to upload the metadata file that is provided by your IdP.
      Note In most cases, the metadata file is provided in the XML format. The file contains the logon URL and the X.509 public key certificate that is used to verify the validity of the SAML assertions that the IdP issues.
    • Auxiliary Domain Name: Optional. If you select the Enabled option, you can enter an auxiliary domain name.
      • After you enter an auxiliary domain name, you can use the auxiliary domain name as the suffix of the NameID element in SAML assertions.
      • If you select the Disabled option, you can use only the default domain name or domain alias of your Alibaba Cloud account as the suffix of the NameID element in SAML assertions.

      For more information about the values of the NameID element, see SAML response for user-based SSO.

      Note If you configure both a domain alias and an auxiliary domain name, only the domain alias or the default domain name can be used as the suffix of the NameID element.
  5. Click OK.

What to do next

You can create RAM users that correspond to the users of your IdP by using one of the following methods:

  • Log on to the RAM console, and create RAM users in the console. For more information, see Create a RAM user.
  • Use a RAM SDK to write a program or use the Alibaba Cloud command line interface (CLI) to create RAM users. For more information, see CreateUser.