Configure Alibaba Cloud as a trusted SAML service provider (SP) in your enterprise identity provider (IdP) to enable user-based SSO.
Procedure

1. Obtain the SAML service provider metadata URL from Alibaba Cloud.
   - Log on to the RAM console as a RAM administrator.
   - In the left-side navigation pane, choose .
   - Click the User-based SSO tab. In the SAML Service Provider Metadata URL section, copy your account's metadata URL.

2. In your enterprise IdP, create a SAML SP and configure Alibaba Cloud as a trusted SP using one of the following methods.
   - Use the metadata URL from Step 1.
   - If your IdP does not support URL import, download the metadata document from Step 1 and upload it.
   - If your IdP does not support metadata document upload, manually configure the following parameters:
     - Entity ID: The entityID attribute value in the md:EntityDescriptor element of the metadata XML.
     - ACS URL: The Location attribute value of the md:AssertionConsumerService element in the metadata XML.
     - RelayState (Optional): If your IdP supports RelayState, set it to the URL to redirect to after SSO login. If unset, you are redirected to the Alibaba Cloud Management Console homepage.
       Note: For security reasons, RelayState only accepts URLs from Alibaba-owned domains, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com.
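The manual-configuration branch of Step 2 asks you to read two values out of the SP metadata XML and to choose a RelayState that Alibaba Cloud will accept. The following Python script is an added example written for this page, not code from Alibaba Cloud or the RAM console: it pulls the entityID and the default AssertionConsumerService Location out of a metadata document, and it checks a candidate RelayState URL against the Alibaba-owned domain list quoted above before you paste it into the IdP. The embedded metadata document is a constructed sample with placeholder hostname and account ID, not a real account's metadata; the requirement that RelayState use https is an assumption of the example, as is the strict reading of the wildcard patterns (subdomains only, apex domains rejected).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata in the shape the RAM console serves.
# The hostname and ACCOUNT_ID below are placeholders, not real values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin.example-placeholder.com/ACCOUNT_ID/saml/SSO">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.example-placeholder.com/ACCOUNT_ID/saml/SSO"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_parameters(metadata_xml: str) -> dict:
    """Return the Entity ID and ACS URL that the manual IdP configuration needs."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document is not a SAML md:EntityDescriptor")

    entity_id = root.attrib.get("entityID")
    if not entity_id:
        raise ValueError("md:EntityDescriptor has no entityID attribute")

    acs_elems = root.findall(f".//{{{MD_NS}}}AssertionConsumerService")
    if not acs_elems:
        raise ValueError("no md:AssertionConsumerService element found")
    # Prefer the ACS endpoint flagged isDefault="true"; otherwise take the first one.
    default = [e for e in acs_elems if e.attrib.get("isDefault") == "true"]
    acs = (default or acs_elems)[0]
    location = acs.attrib.get("Location")
    if not location:
        raise ValueError("md:AssertionConsumerService has no Location attribute")

    return {
        "entity_id": entity_id,
        "acs_url": location,
        "acs_binding": acs.attrib.get("Binding"),
    }


# Domain suffixes listed on this page as accepted for RelayState (wildcard form *.suffix).
ALLOWED_RELAYSTATE_SUFFIXES = (
    "aliyun.com",
    "hichina.com",
    "yunos.com",
    "taobao.com",
    "tmall.com",
    "alibabacloud.com",
    "alipay.com",
)


def relaystate_is_allowed(url: str) -> bool:
    """Check a candidate RelayState against the Alibaba-owned domain allowlist.

    Assumptions of this example: https is required, and the *.suffix patterns
    are matched on the parsed hostname as proper subdomains only. Matching on the
    parsed hostname (not a substring search) is what keeps look-alike hosts such
    as aliyun.com.attacker.example and query-string decoys out.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host.endswith("." + suffix) for suffix in ALLOWED_RELAYSTATE_SUFFIXES)


if __name__ == "__main__":
    params = extract_sp_parameters(SAMPLE_SP_METADATA)
    print("Entity ID :", params["entity_id"])
    print("ACS URL   :", params["acs_url"])
    for candidate in (
        "https://home.console.aliyun.com/",
        "https://aliyun.com.attacker.example/",
        "https://attacker.example/?next=https://console.aliyun.com",
    ):
        print(f"RelayState {candidate!r} allowed: {relaystate_is_allowed(candidate)}")
```

Run it against the metadata document you downloaded in Step 1 by replacing SAMPLE_SP_METADATA with the file's contents; the two printed values are exactly what the Entity ID and ACS URL fields in the IdP expect. A RelayState that fails relaystate_is_allowed will not be honoured by Alibaba Cloud, so checking it here saves a round of failed sign-ins.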
Next steps
After you configure Alibaba Cloud as a trusted SAML SP in your IdP, you must configure the SAML assertion attributes as described in SAML response for user-based SSO.