Resource Access Management: Configure Alibaba Cloud as the SP in your IdP

Last Updated: Mar 23, 2026

To enable user-based single sign-on (SSO), you must configure your external identity provider (IdP) to recognize and trust Alibaba Cloud as a service provider (SP). This process involves providing your IdP with Alibaba Cloud's SAML metadata.

Procedure

  1. Get the Alibaba Cloud SP metadata URL

    This URL points to an XML document containing Alibaba Cloud's SAML configuration, which your IdP needs to establish trust.

    1. Log on to the RAM console as a RAM administrator.

    2. In the left-side navigation pane, choose Integrations > SSO.

    3. Select the User-based SSO tab.

    4. In the SAML Service Provider Metadata URL section, copy the URL.

  2. Add Alibaba Cloud as a trusted SP in your IdP

    In your IdP's administration console, create a new SAML integration for Alibaba Cloud. Most IdPs provide one of the following methods to configure a new SP:

    Method 1: Import from URL (Recommended)

    Provide the metadata URL you copied in Step 1. Your IdP will automatically parse the file and configure the necessary settings, such as the entity ID and Assertion Consumer Service (ACS) URL.

    Method 2: Upload metadata file

    If your IdP does not support importing from a URL, open the metadata URL in a browser, save the content as an XML file (such as metadata.xml), and then upload this file to your IdP.

    Method 3: Manual configuration

    If your IdP requires manual configuration, you must provide the following values, which you can find in the metadata XML file:

    • Entity ID: The unique identifier for Alibaba Cloud as the SP. Find this value in the entityID attribute of the md:EntityDescriptor element.

    • ACS URL: The endpoint where your IdP will send SAML assertions. Find this value in the Location attribute of the md:AssertionConsumerService element.

    • RelayState (Optional): Specifies the URL where users are redirected after a successful logon. If not set, users land on the Alibaba Cloud Management Console homepage.

      Important

      For security reasons, the URL for RelayState must belong to an Alibaba-owned domain name, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If you specify a URL from an unauthorized domain name, the RelayState will be ignored.
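The following is an added example, not Alibaba Cloud's own code or tooling. It shows the two checks a practitioner would script while doing Method 3 by hand: pulling the Entity ID and ACS URL out of an SP metadata document from exactly the elements named above, and applying the RelayState domain rule from the Important note. The metadata is a constructed sample with placeholder values (the real Entity ID and ACS URL come from the metadata URL copied in Step 1). The example also requires RelayState URLs to use https and accepts the apex domain alongside its subdomains; both are assumptions, not rules stated on this page.

```python
"""Parse SAML SP metadata and validate a RelayState URL.

Added example, not Alibaba Cloud code. SAMPLE_METADATA is a constructed
SAML 2.0 SP metadata document with placeholder values.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: placeholder entityID and ACS Location, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/placeholder-entity-id">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs-placeholder"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Domain suffixes the page lists as permitted for RelayState.
ALLOWED_RELAYSTATE_SUFFIXES = (
    "aliyun.com", "hichina.com", "yunos.com", "taobao.com",
    "tmall.com", "alibabacloud.com", "alipay.com",
)


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the Entity ID and ACS endpoint(s) from SP metadata.

    Values are read from where the manual-configuration step says they live:
    the entityID attribute of md:EntityDescriptor and the Location attribute
    of md:AssertionConsumerService.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not an EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")

    acs = []
    for node in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        acs.append({
            "binding": node.get("Binding"),
            "location": node.get("Location"),
            "index": int(node.get("index", "0")),
            "default": node.get("isDefault", "false").lower() == "true",
        })
    if not acs:
        raise ValueError("no AssertionConsumerService element found")
    # Prefer the endpoint flagged isDefault, then the lowest index.
    acs.sort(key=lambda a: (not a["default"], a["index"]))
    return {"entity_id": entity_id, "acs": acs, "acs_url": acs[0]["location"]}


def relaystate_allowed(url: str, suffixes=ALLOWED_RELAYSTATE_SUFFIXES) -> bool:
    """Apply the RelayState rule: the host must be on an allowed domain.

    Assumptions beyond the page: the scheme must be https, and the apex
    domain is accepted as well as its subdomains. Matching is on the host
    component only and on a dot boundary, so a host that merely ends with
    the same characters (for example notaliyun.com) does not match.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return any(host == s or host.endswith("." + s) for s in suffixes)


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_METADATA)
    print("Entity ID:", info["entity_id"])
    print("ACS URL:  ", info["acs_url"])
    for candidate in ("https://home.console.aliyun.com/", "https://notaliyun.com/"):
        print(candidate, "->", "allowed" if relaystate_allowed(candidate) else "ignored")
```

When the real metadata is used, fetch it from the URL copied in the RAM console and pass the response body to `parse_sp_metadata`; the Entity ID and ACS URL it returns are the two values to type into the IdP.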

What to do next

After establishing trust, you must configure the SAML assertion attributes in your IdP. These attributes, particularly the NameID, are used to map the federated identity to a specific RAM user in your Alibaba Cloud account. For more information, see SAML assertion attributes for user-based SSO.