Resource Access Management: SAML configuration for user-based SSO

Last Updated: Jun 02, 2026

Configure Alibaba Cloud as a trusted SAML service provider (SP) in your enterprise identity provider (IdP) to enable user-based SSO.

Procedure

  1. Obtain the SAML service provider metadata URL from Alibaba Cloud.

    1. Log on to the RAM console as a RAM administrator.

    2. In the left-side navigation pane, choose Integrations > SSO.

    3. Click the User-based SSO tab. In the SAML Service Provider Metadata URL section, copy your account's metadata URL.

  2. In your enterprise IdP, create a SAML SP and configure Alibaba Cloud as a trusted SP using one of the following methods.

    • Use the metadata URL from Step 1.

    • If your IdP does not support URL import, download the metadata document from Step 1 and upload it.

    • If your IdP does not support metadata document upload, manually configure the following parameters:

      • Entity ID: The entityID attribute value in the md:EntityDescriptor element of the metadata XML.

      • ACS URL: The Location attribute value of the md:AssertionConsumerService element in the metadata XML.

      • RelayState (Optional): If your IdP supports RelayState, set it to the URL to redirect to after SSO login. If unset, you are redirected to the Alibaba Cloud Management Console homepage.

        Note

        For security reasons, RelayState only accepts URLs from Alibaba-owned domains, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com.
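For the manual-configuration path above, the following added example (not Alibaba Cloud code) reads the Entity ID and ACS URL out of a downloaded metadata document and pre-checks a RelayState URL against the domains listed in the Note. The sample metadata is constructed, the function names are hypothetical, and the check assumes `*.domain` means subdomains only; Alibaba Cloud's own validation may differ.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Suffixes from the Note above; the page says "such as", so the list may be incomplete.
RELAYSTATE_SUFFIXES = ("aliyun.com", "hichina.com", "yunos.com", "taobao.com",
                       "tmall.com", "alibabacloud.com", "alipay.com")

# Constructed sample metadata; entityID and Location are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/entity">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_parameters(metadata_xml):
    """Return (entity_id, acs_url) for manual SP configuration in the IdP."""
    # SAML metadata never needs a DTD; refuse one instead of expanding entities.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD found in metadata")
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    acs = [e.get("Location") for e in root.iter(f"{{{MD}}}AssertionConsumerService")]
    # More than one endpoint means a human must choose; do not guess.
    if not entity_id or len(acs) != 1 or not acs[0]:
        raise ValueError("expected entityID and exactly one ACS Location")
    # Assumption: an ACS endpoint carrying assertions should be HTTPS.
    if urlsplit(acs[0]).scheme != "https":
        raise ValueError("ACS URL is not https")
    return entity_id, acs[0]


def relaystate_allowed(url):
    """Pre-check a RelayState URL against the suffixes listed in the Note."""
    if "\\" in url:  # browsers and urlsplit disagree on backslashes
        return False
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and any(
        host.endswith("." + s) for s in RELAYSTATE_SUFFIXES)
```

Matching on the parsed hostname rather than the raw string is what keeps look-alike hosts and userinfo tricks from passing the pre-check.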

Next steps

After you configure Alibaba Cloud as a trusted SAML SP in your IdP, you must configure the SAML assertion attributes as described in SAML response for user-based SSO.