This topic describes how to configure Alibaba Cloud as a trusted SAML service provider (SP) in your identity provider (IdP) for user-based single sign-on (SSO).

Procedure

  1. Find the SAML SP metadata URL from the Alibaba Cloud RAM console.
    1. Log on to the RAM console with an Alibaba Cloud account.
    2. In the left-side navigation pane, click SSO.
    3. Click the User-based SSO tab.
    4. In the SSO Settings section, find the value of the SAML Service Provider Metadata URL parameter.
  2. Create a SAML SP in your IdP and configure Alibaba Cloud as the relying party by using one of the following methods:
    • Copy and paste the SAML SP metadata URL of Alibaba Cloud into your IdP.
    • If your IdP does not support URL configuration, download the SAML metadata file from the URL. Then, upload the SAML metadata file when you create the SAML SP.
    • If the SAML metadata file cannot be uploaded to your IdP, configure the following parameters manually:
      • Entity ID: the value of the entityID attribute of the md:EntityDescriptor element in the metadata XML file.
      • ACS URL: the value of the Location attribute of the md:AssertionConsumerService element in the metadata XML file.
      • RelayState: Optional. If your IdP supports the RelayState parameter, set it to the URL of the console page that you want to land on after SSO. If this parameter is unspecified, you are redirected to the homepage of the Alibaba Cloud console after SSO succeeds.
        Note: You can only specify a URL in the *.console.aliyun.com or *.console.alibabacloud.com domain for the RelayState parameter.
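The following script is an added example and not part of the original topic or of any Alibaba Cloud tooling. It shows the manual-configuration branch above: it reads the Entity ID and ACS URL out of a SAML SP metadata document exactly where the page says they live (the entityID attribute of md:EntityDescriptor and the Location attribute of md:AssertionConsumerService), and it checks a proposed RelayState value against the two allowed domain patterns so that a misconfigured IdP cannot hand users off to an arbitrary site after SSO. The metadata XML embedded below is constructed for illustration; its entityID and Location values are placeholders, not Alibaba Cloud's real endpoints, and the requirement that both the ACS URL and the RelayState use https is this example's own choice.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample SP metadata for illustration only. The entityID and
# Location values are placeholders, not Alibaba Cloud's real SAML endpoints.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Domain patterns the page allows for RelayState; the leading dot enforces
# the "*." wildcard, i.e. a host under the domain rather than the apex.
ALLOWED_RELAYSTATE_SUFFIXES = (".console.aliyun.com", ".console.alibabacloud.com")


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the Entity ID and ACS URL needed for manual IdP configuration.

    Raises ValueError when the document is not SP metadata or lacks the
    attributes the IdP needs, so a truncated or wrong download is caught
    before anything is typed into the IdP.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")

    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("md:EntityDescriptor has no entityID attribute")

    acs_nodes = root.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if not acs_nodes:
        raise ValueError("no md:AssertionConsumerService element found")

    # Prefer the endpoint the SP marks as default; otherwise take the first one.
    preferred = [n for n in acs_nodes if n.get("isDefault") == "true"]
    acs = (preferred or acs_nodes)[0]

    location = acs.get("Location")
    if not location or urlparse(location).scheme != "https":
        raise ValueError("ACS Location is missing or is not an https URL")

    return {
        "entity_id": entity_id,
        "acs_url": location,
        "acs_binding": acs.get("Binding"),
    }


def relay_state_allowed(url: str) -> bool:
    """Check a RelayState URL against the allowed console domains.

    Matching on the parsed hostname (not a substring of the whole URL) is what
    stops values such as https://evil.example/?x=console.aliyun.com or
    https://console.aliyun.com.evil.example/ from passing the check.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    return any(
        host.endswith(suffix) and len(host) > len(suffix)
        for suffix in ALLOWED_RELAYSTATE_SUFFIXES
    )


if __name__ == "__main__":
    settings = extract_sp_settings(SAMPLE_SP_METADATA)
    print("Entity ID :", settings["entity_id"])
    print("ACS URL   :", settings["acs_url"], f"({settings['acs_binding']})")
    for candidate in (
        "https://ram.console.aliyun.com/overview",
        "https://console.aliyun.com.evil.example/",
        "http://ram.console.aliyun.com/",
    ):
        print(f"RelayState {candidate!r} allowed: {relay_state_allowed(candidate)}")
```

The metadata parser fails closed: a document that is not an md:EntityDescriptor, or that lacks the two attributes the IdP form asks for, raises instead of returning partial values. If you run this over metadata fetched from a network source rather than an embedded string, use a hardened XML parser such as defusedxml in place of xml.etree.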

What to do next

After you configure Alibaba Cloud as a trusted SAML SP, you must configure SAML assertions in your IdP. For more information, see SAML assertions for user-based SSO.