This topic describes how to configure metadata for user-based single sign-on (SSO) based on SAML 2.0, and establish trust between an identity provider (IdP) and Alibaba Cloud (service provider).

Background information

You can specify the default domain name, a domain alias, or an auxiliary domain name to simplify the configuration of SAML-based SSO. For more information about how to specify the default domain name or domain alias for an Alibaba Cloud account, see Manage the default domain name and Create a domain alias.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click SSO.
  3. On the SSO page, click the User-based SSO tab. In the SSO Settings section, you can view the basic information of user-based SSO.
  4. Click Modify. In the SSO Settings pane, set the following parameters:
    • SSO Status: Select Enabled to enable SSO or Disabled to disable SSO.
      Note This setting applies only to RAM users of your Alibaba Cloud account and does not affect the Alibaba Cloud account.
      • The Disabled option is selected by default. If SSO is disabled, SSO settings do not take effect and RAM users can use their passwords to log on to the console.
      • If you select the Enabled option, RAM users cannot use passwords to log on to the console. Instead, the RAM users must log on to an IdP service for identity authentication. If SSO is disabled at a later time, password-based logon is automatically re-enabled.
    • Metadata File: Click Upload to upload the metadata file that is provided by your IdP.
      Note In most cases, the metadata file is provided in the XML format. The file contains the logon URL and X.509 public key certificate that is used to verify the validity of the SAML assertions issued by the IdP.
    • Auxiliary Domain: Optional. Turn on or off this switch based on your business requirements.
      • If you turn on this switch, you can specify an auxiliary domain name and use it as the suffix of the NameID element in SAML assertions.
      • If you turn off this switch, you can use only the default domain name or domain alias of your Alibaba Cloud account as the suffix of the NameID element in SAML assertions.

      For more information about the values of the NameID element, see SAML assertions for user-based SSO.

      Note If you specify both a domain alias and an auxiliary domain name, only the domain alias or the default domain name can be used as the suffix of the NameID element.
  5. Click OK.

What to do next

You can create RAM users that correspond to the users of your IdP by using one of the following methods:

  • Log on to the RAM console, and create RAM users in the console. For more information, see Create a RAM user.
  • Use a RAM SDK to write a program or use the Alibaba Cloud command line interface (CLI) to create RAM users. For more information, see CreateUser.