This topic provides an example on how to implement user-based single sign-on (SSO) from Active Directory Federation Services (AD FS) to Alibaba Cloud. The example describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud. This topic uses AD FS deployed on an Elastic Compute Service (ECS) instance that runs Windows Server 2012 R2 as an example.

Preparations

Before you configure SSO, perform the following operations:

  1. Deploy the following servers on the ECS instance that runs Windows Server 2012 R2:
    • DNS server: resolves and sends identity authentication requests to the correct Federation Service.
    • Active Directory Domain Service (AD DS): creates, queries, and modifies objects such as domain users and domain devices.
    • AD FS: configures the relying party for SSO and performs SSO authentication for the configured relying party.
      Notice The configuration of Microsoft Active Directory (AD) described in this topic is for reference only and helps you understand the configuration procedure of SSO logon to Alibaba Cloud. Alibaba Cloud does not provide consultation services for the configuration of Microsoft AD.
  2. Prepare the following data:
    • The default domain name of the Alibaba Cloud account: secloud.onaliyun.com.
    • The username of the RAM user that belongs to the Alibaba Cloud account: alice. The User Principal Name (UPN) of the RAM user is alice@secloud.onaliyun.com.
    • The name of the AD FS service that has been registered in Microsoft AD: adfs.secloud.club.
    • The domain name of Microsoft AD: secloud.club. The NetBIOS name is secloud.
    • The UPN of the RAM user alice in Microsoft AD: alice@secloud.club. The RAM user can also use secloud\alice to log on from the Microsoft AD domain.

Step 1: Configure AD FS as a trusted SAML IdP in RAM

  1. Enter the following URL in the address bar of your browser: https://adfs.secloud.club/FederationMetadata/2007-06/FederationMetadata.xml.
  2. Download the metadata file in the XML format to your computer.
  3. Log on to the RAM console and use the metadata file for SSO configuration.

Step 2: Configure Alibaba Cloud as a trusted SAML SP in AD FS

In AD FS, the SAML service provider (SP) is called the relying party. To configure Alibaba Cloud as a trusted SP, perform the following steps:

  1. In the top navigation bar of Server Manager, choose Tools > AD FS Management.
    Server Manager
  2. Right-click Relying Parties and select Add Relying Party Trust.
    Add Relying Party Trust
  3. Configure the SAML metadata of Alibaba Cloud for the relying party.

    To view the URL of the SAML metadata, log on to the RAM console. In the left-side navigation pane, click SSO. On the page that appears, click User-based SSO. You can view the URL in the SSO Settings section. You can directly enter the metadata URL when you configure the relying party in AD FS.

    Add Relying Party Trust Wizard

After the relying party is configured, Alibaba Cloud sends a request to the AD FS service whose name is adfs.secloud.club. The request is sent to authenticate RAM users that belong to the Alibaba Cloud account whose default domain name is secloud.onaliyun.com. After AD FS receives the request, it authenticates the RAM users and sends a response to Alibaba Cloud.

Step 3: Configure SAML assertion attributes for the Alibaba Cloud SP

We recommend that you set the value of the NameID field in the SAML assertion to the UPN of the RAM user. This way, Alibaba Cloud can locate the correct RAM user based on the SAML response.

You must set the UPN in Microsoft AD to the value of NameID in the SAML assertion.

  1. Right-click the display name of the relying party and select Edit Claim Rules.
    Edit Claim Rules
  2. Click Issuance Transform Rules to add a rule.
    Note Issuance transform rules indicate how to transform a known user attribute and issue it as an attribute in the SAML assertion. You must issue the UPN of a user in Microsoft AD as a NameID. In this case, a new rule is required.
    Issuance Transform Rules
  3. From the Claim rule template drop-down list, select Transform an Incoming Claim.
    Transform an Incoming Claim
  4. Select Edit Rule.
    Note In this example, the default domain name of the Alibaba Cloud account is secloud.onaliyun.com and the domain name of Microsoft AD is secloud.club. If you map the UPN of the RAM user in Microsoft AD to the NameID, the user cannot be identified by Alibaba Cloud.

    To resolve this issue, use one of the following methods:

    1. Method 1: Set the domain name of Microsoft AD to the domain alias that is configured in RAM.

      If the domain name secloud.club of Microsoft AD is registered in a DNS on the Internet, you can change secloud.club to the domain alias that is configured in RAM. For information about how to configure a domain alias, see Create and verify a domain alias.

      After the settings are complete, map the UPN to the NameID in the Edit Rule dialog box.

      Method 1
    2. Method 2: Transform the domain name in AD FS.

      If the domain name secloud.club is an internal domain name of an enterprise, the domain ownership of the enterprise cannot be verified by Alibaba Cloud. RAM can use only the default domain name secloud.onaliyun.com.

      In this case, you must change the domain name suffix secloud.club of the UPN to secloud.onaliyun.com in the SAML assertion that is issued by AD FS to Alibaba Cloud. Method 2
    3. Method 3: Specify the domain name of Microsoft AD as the auxiliary domain name for user-based SSO.

      If the domain name secloud.club is an internal domain name of an enterprise, the domain ownership of the enterprise cannot be verified by Alibaba Cloud. In this case, you can specify secloud.club as the auxiliary domain name without the need to transform the domain name. For information about how to specify an auxiliary domain name, see Configure the SAML settings of Alibaba Cloud for user-based SSO.

      After the settings are complete, map the UPN to the NameID in the Edit Rule dialog box.

      Method 3