This topic provides an example of how to implement user-based single sign-on (SSO) to Alibaba Cloud from Active Directory Federation Services (AD FS). It describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud.

Prerequisites

Microsoft AD is properly configured and the following server roles are configured on Windows Server 2012 R2:

  • DNS server: resolves the AD FS service name so that identity authentication requests reach the correct Federation Service.
  • Active Directory Domain Service (AD DS): creates, queries, and modifies objects such as domain users and domain devices.
  • Active Directory Federation Service (AD FS): configures the identity federation relying party and performs SSO authentication for the configured relying party.

Notes

This topic uses Windows Server 2012 R2 as an example to describe how to implement user-based SSO from AD FS to Alibaba Cloud.

Notice The configurations of Microsoft AD described in this document are for reference only. Alibaba Cloud does not provide consultation services for configurations of Microsoft AD.

Example configuration

The configurations used in the example are as follows:

  • The default domain name of the Alibaba Cloud account: secloud.onaliyun.com.
  • The RAM user under the Alibaba Cloud account: alice. The User Principal Name (UPN) of the RAM user: alice@secloud.onaliyun.com.
  • The AD FS service name that has been registered in Microsoft AD: adfs.secloud.club.
  • The domain name of the on-premises Microsoft AD: secloud.club. The NetBIOS name: secloud.
  • The UPN of the RAM user alice in Microsoft AD: alice@secloud.club. The RAM user can also use secloud\alice for intra-domain logon.

Configure AD FS as a trusted SAML IdP in RAM

  1. Enter the following URL in the address bar of your browser: https://adfs.secloud.club/FederationMetadata/2007-06/FederationMetadata.xml.
  2. Download the metadata file in the XML format.
  3. In the RAM console, use the metadata file for SSO configuration.
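The following PowerShell is an added example and is not part of the Alibaba Cloud documentation. It downloads the federation metadata from the URL in step 1 and prints the entityID, the SAML SSO endpoints and the token-signing certificates it contains, so you can confirm which AD FS signing certificate (and its expiry date) RAM will trust before you upload the file. The output file path is a choice made for this example.

```powershell
# Added example: inspect the AD FS federation metadata before uploading it to RAM.
# The metadata URL is the one from step 1; $outFile is an arbitrary local path.
$metadataUrl = "https://adfs.secloud.club/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile     = Join-Path $env:TEMP "FederationMetadata.xml"

Invoke-WebRequest -Uri $metadataUrl -OutFile $outFile -UseBasicParsing
[xml]$md = Get-Content -Path $outFile -Raw

# Namespaces used by SAML 2.0 metadata and XML signatures.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# The entityID is the IdP identifier RAM will store for this trusted SAML IdP.
"entityID: {0}" -f $md.EntityDescriptor.entityID

# SSO endpoints the SP (Alibaba Cloud) will redirect or POST authentication requests to.
$ssoNodes = $md.SelectNodes("//md:IDPSSODescriptor/md:SingleSignOnService", $ns)
foreach ($sso in $ssoNodes) {
    "SSO endpoint: {0}  binding={1}" -f $sso.Location, $sso.Binding
}

# Each signing KeyDescriptor carries a base64 DER certificate; decode it and
# show subject, thumbprint and expiry so the right certificate is being trusted.
$certNodes = $md.SelectNodes(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
foreach ($node in $certNodes) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    "signing cert: subject={0} thumbprint={1} notAfter={2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Signing certificate $($cert.Thumbprint) has expired; RAM will reject assertions signed with it."
    }
}
```

The thumbprint printed here should match the token-signing certificate shown under AD FS Management > Service > Certificates; if AD FS has rolled over its signing certificate since the metadata file was uploaded, the file must be downloaded and uploaded to RAM again.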

Configure Alibaba Cloud as a trusted SAML SP in AD FS

In AD FS, SAML SP is called the relying party. To configure Alibaba Cloud as a trusted SP, follow these steps:

  1. On the Server Manager page, choose Tools > AD FS Management.
    Server Manager
  2. Right-click Relying Parties and select Add Relying Party Trust.
    Add Relying Party Trust
  3. Set the SAML metadata of Alibaba Cloud for the relying party.

    To view the SAML metadata URL, log on to the RAM console, click SSO in the left-side navigation pane, and click User-based SSO. You can view the URL in the SSO Settings section. You can enter the metadata URL when configuring the AD FS relying party.

    Add Relying Party Trust Wizard

After the relying party is configured, Alibaba Cloud sends authentication requests to AD FS (adfs.secloud.club) for RAM users under the Alibaba Cloud account whose default domain name is secloud.onaliyun.com. AD FS receives the request from Alibaba Cloud, authenticates the user, and sends a SAML response back to Alibaba Cloud.

Configure the SAML assertion attributes for the Alibaba Cloud SP

We recommend that you set the value of the NameID field in the SAML assertion to the UPN of the RAM user, so that Alibaba Cloud can locate the correct RAM user based on the SAML response.

You must map the UPN in Microsoft AD to the NameID in the SAML assertion. The procedure is as follows:

  1. Right-click the display name of the relying party and select Edit Claim Rules.
    Edit Claim Rules
  2. Click Issuance Transform Rules to add a rule.
    Note Issuance transform rules indicate how to transform a known user attribute and issue it as an attribute in the SAML assertion. You must issue the UPN of a user in Microsoft AD as a NameID. This means that a new rule is required.
    Issuance Transform Rules
  3. From the Claim rule template drop-down list, select Transform an Incoming Claim.
    Transform an Incoming Claim
  4. Select Edit Rule.
    Note In this example, the domain name of the UPN in the Alibaba Cloud account is secloud.onaliyun.com, and the domain name of the UPN in Microsoft AD is secloud.club. If you map the UPN in Microsoft AD directly to the NameID, the domain names do not match and Alibaba Cloud cannot identify the user.

    To solve this problem, use one of the following methods:

    1. Method 1: Set the domain name of Microsoft AD to the domain alias of your Alibaba Cloud account.

      If the domain name secloud.club of Microsoft AD is registered in a DNS on the Internet, you can set secloud.club to the domain alias of RAM. For information about how to set a domain alias, see Create a domain alias.

      After the settings are complete, map the UPN to the NameID on the Edit Rule page.

      Method 1
    2. Method 2: Transform the domain name in AD FS.

      If the domain name secloud.club is an intranet domain name of an enterprise, the domain ownership of the enterprise cannot be verified by Alibaba Cloud. RAM can only use the default domain name secloud.onaliyun.com.

      In this case, you must replace the domain name suffix secloud.club of the UPN with secloud.onaliyun.com in the SAML assertion issued by AD FS to Alibaba Cloud.

      Method 2
    3. Method 3: Set the domain name of AD as the auxiliary domain name for user-based SSO.

      If the domain name secloud.club is an intranet domain name of an enterprise, the domain ownership of the enterprise cannot be verified by Alibaba Cloud. In this case, you can configure secloud.onaliyun.com as the auxiliary domain name without the need to transform the domain name. For information about how to specify an auxiliary domain name, see Configure the SAML settings of Alibaba Cloud for user-based SSO.

      After the settings are complete, map the UPN to the NameID on the Edit Rule page.

      Method 3
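The following PowerShell is an added example and is not part of the Alibaba Cloud documentation. It performs the relying-party and claim-rule configuration from the sections "Configure Alibaba Cloud as a trusted SAML SP in AD FS" and "Configure the SAML assertion attributes for the Alibaba Cloud SP" with the AD FS module instead of the wizard, and shows both NameID rules in AD FS claim rule language: the direct UPN-to-NameID mapping used by Method 1 and Method 3, and the suffix rewrite of Method 2. The relying party name "Alibaba Cloud" is chosen for this example, and the SP metadata URL is a placeholder for the one shown in the RAM console.

```powershell
# Added example: configure the Alibaba Cloud relying party and its NameID claim rules
# with the AD FS PowerShell module (Windows Server 2012 R2).
Import-Module ADFS

$rpName        = "Alibaba Cloud"                               # name chosen for this example
$spMetadataUrl = "https://<SP-METADATA-URL-FROM-RAM-CONSOLE>"  # placeholder, copy from RAM console

# Register Alibaba Cloud as a relying party from its SAML SP metadata (wizard step 3).
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $spMetadataUrl
}

# Methods 1 and 3: issue the AD UPN unchanged as the SAML NameID.
# Use this when secloud.club is a RAM domain alias (Method 1) or an auxiliary domain (Method 3).
$directNameIdRule = @'
@RuleName = "UPN to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Method 2: rewrite the UPN suffix secloud.club to secloud.onaliyun.com before issuing the NameID.
# The pattern is anchored so only a UPN ending in exactly "@secloud.club" is rewritten;
# a UPN with any other suffix produces no NameID and the logon fails visibly instead of
# mapping to an unintended RAM user.
$rewriteNameIdRule = @'
@RuleName = "UPN suffix secloud.club to secloud.onaliyun.com as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = RegExReplace(c.Value, "^(?<user>[^@]+)@secloud\.club$", "${user}@secloud.onaliyun.com"), Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Apply the rule that matches your situation; Method 2 is applied here.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rewriteNameIdRule

# AD FS issues no token to a relying party without an issuance authorization rule.
# This permits every authenticated AD user; restrict it to a group claim in production.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules @'
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Show the rules AD FS now applies when building assertions for Alibaba Cloud.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

With the Method 2 rule in place, alice@secloud.club authenticates in AD and the assertion sent to Alibaba Cloud carries NameID alice@secloud.onaliyun.com, which is the UPN of the RAM user from the example configuration.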