
ActionTrail:Implement role-based SSO

Last Updated: Sep 05, 2023

You can call the AssumeRoleWithSAML operation to obtain a temporary identity to assume a RAM role during role-based single sign-on (SSO). This topic provides the log of a sample event in which a user of an enterprise assumed a RAM role during role-based SSO. This topic also describes the key fields involved in the event log.

Example

In the following example, a user named Alice@example.com assumed the testrole RAM role within the Alibaba Cloud account whose ID is 159498693826**** at 14:05:20 on August 2, 2021, UTC+8.

{
  "apiVersion": "2015-04-01",
  "requestId": "3462D6AF-4434-4690-8CAD-E54A",
  "eventType": "ApiCall",
  "userIdentity": {
    "accountId": "159498693826****",
    "type": "saml-user",
    "userName": "Alice@example.com"
  },
  "acsRegion": "cn-shanghai",
  "eventName": "AssumeRoleWithSAML",
  "requestParameters": {
    "AcsHost": "sts.aliyuncs.com",
    "SAMLAssertion": "****",
    "AcsProduct": "Sts",
    "RequestId": "3462D6AF-4434-4690-8CAD-E54A",
    "DurationSeconds": 3600,
    "HostId": "sts.aliyuncs.com",
    "SAMLProviderArn": "acs:ram::159498693826****:saml-provider/test",
    "RoleArn": "acs:ram::159498693826****:role/testrole"
  },
  "eventSource": "sts.aliyuncs.com",
  "serviceName": "Sts",
  "eventTime": "2021-08-02T06:05:20Z",
  "referencedResources": {
    "ACS::RAM::AccessKey": [
      "STS.NUQNP4PiGyckMsNiGELCs****"
    ]
  },
  "userAgent": "Jakarta Commons-HttpClient/3.1",
  "eventId": "3462D6AF-4434-4690-8CAD-****",
  "additionalEventData": {
    "Scheme": "https"
  },
  "responseElements": {
    "RequestId": "3462D6AF-4434-4690-8CAD-E54A",
    "SAMLAssertionInfo": {
      "SubjectType": "persis****",
      "Issuer": "https://sts.windows.net/d1ee1acd9a83906adg****/",
      "Recipient": "https://signin.aliyun.com/saml-role/sso",
      "Subject": "Alice@example.com"
    },
    "AssumedRoleUser": {
      "Arn": "acs:ram::159498693826****:role/testrole/Alice",
      "AssumedRoleId": "179432153826****:Alice"
    },
    "Credentials": {
      "AccessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
      "AccessKeySecret": "Ss7sq2j0ZoJujZnmVgXcu6QT9e****",
      "Expiration": "2021-08-02T07:05:20Z"
    }
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}

The sample event log contains the following key fields:

  • userIdentity.accountId: the ID of the Alibaba Cloud account to which the RAM role belongs. The value in this example is 159498693826****.

  • userIdentity.type: the identity type of the requester. The value in this example is saml-user, which indicates a user of an enterprise.

  • userIdentity.userName: the username of the requester. The value in this example is Alice@example.com, which indicates the username of the requester that assumed the RAM role.

  • eventName: the name of the event. The value in this example is AssumeRoleWithSAML, which indicates the operation to obtain a temporary identity to assume the RAM role.

  • SAMLProviderArn: the Alibaba Cloud Resource Name (ARN) of the identity provider (IdP) configured in the RAM console. The value is in the format of acs:ram::<account_ID>:saml-provider/<saml_provider_ID>. account_ID indicates the ID of the Alibaba Cloud account. saml_provider_ID indicates the name of the IdP. The value in this example is acs:ram::159498693826****:saml-provider/test. 159498693826**** indicates the ID of the Alibaba Cloud account. test indicates the name of the IdP.

  • RoleArn: the ARN of the RAM role assumed by the requester. The value is in the format of acs:ram::<account_ID>:role/<roleName>. account_ID indicates the ID of the Alibaba Cloud account. roleName indicates the name of the RAM role assumed by the requester. The value in this example is acs:ram::159498693826****:role/testrole. 159498693826**** indicates the ID of the Alibaba Cloud account. testrole indicates the name of the RAM role assumed by the requester.

  • AssumedRoleUser: the temporary identity used by the requester to assume the RAM role. The value in this example is {"Arn": "acs:ram::159498693826****:role/testrole/Alice","AssumedRoleId": "179432153826****:Alice"}. acs:ram::159498693826****:role/testrole/Alice indicates the ARN of the temporary identity. 179432153826****:Alice indicates the ID of the temporary identity.

  • Credentials: the access credential used by the requester to log on to the Alibaba Cloud Management Console. The value in this example is {"AccessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****","AccessKeySecret": "Ss7sq2j0ZoJujZnmVgXcu6QT9e****","Expiration": "2021-08-02T07:05:20Z"}. STS.NUQNP4PiGyckMsNiGELCs**** indicates the AccessKey ID. Ss7sq2j0ZoJujZnmVgXcu6QT9e**** indicates the AccessKey secret. 2021-08-02T07:05:20Z indicates the point in time when the access credential expired.

  • referencedResources: the resource that is required to assume the RAM role. The value in this example is { "ACS::RAM::AccessKey": [ "STS.NUQNP4PiGyckMsNiGELCs****"]}, which indicates the temporary AccessKey secret obtained by the requester.

  • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-02T06:05:20Z, which indicates that the event occurred at 14:05:20 on August 2, 2021, UTC+8.
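The following script is an added example, not part of this topic or of any Alibaba Cloud SDK. It shows how the key fields described above can be pulled out of an ActionTrail AssumeRoleWithSAML event and cross-checked against each other: the account IDs in userIdentity.accountId, SAMLProviderArn and RoleArn should agree, AssumedRoleUser.Arn should be RoleArn followed by the session name, and Credentials.Expiration minus eventTime should equal the requested DurationSeconds. The sample event is reconstructed from the log on this page with its masked (****) values left as printed; the function names and the list of consistency findings are this example's own design, not an ActionTrail API.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the AssumeRoleWithSAML event shown in this topic, trimmed
# to the fields the checks below use; masked (****) values kept as the page prints them.
SAMPLE_EVENT = {
    "userIdentity": {"accountId": "159498693826****", "type": "saml-user",
                     "userName": "Alice@example.com"},
    "eventName": "AssumeRoleWithSAML",
    "requestParameters": {
        "DurationSeconds": 3600,
        "SAMLProviderArn": "acs:ram::159498693826****:saml-provider/test",
        "RoleArn": "acs:ram::159498693826****:role/testrole",
    },
    "eventTime": "2021-08-02T06:05:20Z",
    "responseElements": {
        "AssumedRoleUser": {"Arn": "acs:ram::159498693826****:role/testrole/Alice",
                            "AssumedRoleId": "179432153826****:Alice"},
        "Credentials": {"AccessKeyId": "STS.NUQNP4PiGyckMsNiGELCs****",
                        "AccessKeySecret": "Ss7sq2j0ZoJujZnmVgXcu6QT9e****",
                        "Expiration": "2021-08-02T07:05:20Z"},
    },
    "errorCode": "",
    "sourceIpAddress": "192.168.XX.XX",
}

UTC8 = timezone(timedelta(hours=8))


def parse_ram_arn(arn):
    """Split acs:ram::<account_ID>:<type>/<name> into (account_ID, type, name)."""
    parts = arn.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "ram"]:
        raise ValueError("not a RAM ARN: %s" % arn)
    resource_type, _, name = parts[4].partition("/")
    return parts[3], resource_type, name


def parse_event_time(value):
    """ActionTrail timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_saml_role_assumption(event):
    """Return the key fields of an AssumeRoleWithSAML event plus a list of
    consistency findings, or None for any other event. Accepts a dict or JSON text."""
    if isinstance(event, str):
        event = json.loads(event)
    if event.get("eventName") != "AssumeRoleWithSAML":
        return None

    params = event["requestParameters"]
    identity = event["userIdentity"]
    role_account, _, role_name = parse_ram_arn(params["RoleArn"])
    idp_account, _, idp_name = parse_ram_arn(params["SAMLProviderArn"])
    event_time = parse_event_time(event["eventTime"])

    findings = []
    if event.get("errorCode"):
        findings.append("request failed: %s" % event["errorCode"])
    if role_account != identity["accountId"]:
        findings.append("RoleArn account differs from userIdentity.accountId")
    if idp_account != role_account:
        findings.append("SAMLProviderArn and RoleArn belong to different accounts")

    response = event.get("responseElements") or {}
    session_name = lifetime = None
    if response.get("Credentials") and response.get("AssumedRoleUser"):
        assumed_arn = response["AssumedRoleUser"]["Arn"]
        # The temporary identity's ARN is the role ARN followed by /<session name>.
        if assumed_arn.startswith(params["RoleArn"] + "/"):
            session_name = assumed_arn[len(params["RoleArn"]) + 1:]
        else:
            findings.append("AssumedRoleUser.Arn does not derive from RoleArn")
        expiration = parse_event_time(response["Credentials"]["Expiration"])
        lifetime = int((expiration - event_time).total_seconds())
        # Expiration - eventTime should equal the DurationSeconds that was requested.
        if lifetime != params.get("DurationSeconds"):
            findings.append("credential lifetime %ds != DurationSeconds %s"
                            % (lifetime, params.get("DurationSeconds")))

    return {
        "subject": identity["userName"],
        "identity_type": identity["type"],
        "account_id": identity["accountId"],
        "idp_name": idp_name,
        "role_name": role_name,
        "session_name": session_name,
        "event_time_utc8": event_time.astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S UTC+8"),
        "lifetime_seconds": lifetime,
        "source_ip": event.get("sourceIpAddress"),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_saml_role_assumption(SAMPLE_EVENT), indent=2))
```

Run against the sample, the summary reports role testrole, IdP test, session name Alice, a 3600-second credential lifetime, the event time rendered as 14:05:20 UTC+8, and an empty findings list; a non-empty errorCode or an Expiration that does not match DurationSeconds shows up as a finding, which is the kind of deviation worth routing to review when processing these events in bulk.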