Alibaba Cloud Service Mesh:Integrate Alibaba Cloud IDaaS with ASM for single sign-on

Last Updated: Mar 11, 2026

Set up single sign-on (SSO) for applications in Service Mesh (ASM) using Alibaba Cloud Identity as a Service (IDaaS) as the identity provider (IdP). After this setup, users authenticate once through IDaaS and access all applications behind the ASM ingress gateway -- with zero code changes to your applications.

Although this guide uses IDaaS as the IdP, the same approach works with any OpenID Connect (OIDC)-compatible provider.

How it works

ASM delegates authentication to an external IdP through a custom authorization service based on oauth2-proxy. The following describes the request flow:

  1. A user visits an application URL exposed through the ASM ingress gateway.

  2. The ingress gateway forwards the request to oauth2-proxy, which checks for a valid session cookie.

  3. If no valid session exists, oauth2-proxy redirects the user to the IDaaS login page.

  4. After the user authenticates, IDaaS redirects back to oauth2-proxy with an authorization code.

  5. oauth2-proxy exchanges the code for tokens, sets a session cookie, and forwards the original request -- along with user identity in a JSON Web Token (JWT) -- to the backend application.

Your applications never handle authentication logic. ASM and oauth2-proxy manage the entire OIDC flow at the infrastructure layer.

Concept | Description
IdP (identity provider) | A service that stores and verifies user identities. In this guide, Alibaba Cloud IDaaS serves as the IdP.
OIDC (OpenID Connect) | A standard authentication protocol built on OAuth 2.0. For details, see the OpenID Connect specification.
Scope | An OIDC parameter that controls which types of user information (such as email or profile) an application can request from the IdP.

Prerequisites

Step 1: Create an IDaaS instance and a test account

Create an IDaaS instance to serve as the identity store, and add a test user account for SSO verification.

  1. Log on to the IDaaS console and create an IDaaS instance. Each IDaaS instance acts as an independent account system.

  2. On the IDaaS tab of the EIAM page, click the ID of the IDaaS instance.

  3. In the left-side navigation pane, choose Accounts > Accounts and Organizations.

  4. On the Accounts tab, click Create User.

  5. In the Create User panel, configure the required fields and click Confirm.

Step 2: Register an OIDC application in IDaaS

Register an OIDC application in IDaaS to expose the IdP interface that oauth2-proxy uses to authenticate users.

  1. In the left-side navigation pane on the IDaaS instance details page, click Applications.

  2. On the Applications page, click Add Application.

  3. Click the Standard Protocols tab, then click Add Application in the OIDC card.

  4. In the Add Application - OIDC dialog box, enter an application name and click Add.

  5. On the OIDC application details page, click Sign-in, then click the SSO tab.

  6. On the SSO tab, set Redirect URIs to the following value, replacing <ingress-gateway-clb-ip> with the IP address of the Classic Load Balancer (CLB) instance bound to the ingress gateway. Click Show Advanced Settings to select additional scopes, then click Save.

       http://<ingress-gateway-clb-ip>/oauth2/callback

  7. Click Sign-in, then click the Grant Application Permissions tab. Click Authorize.

  8. In the Authorize dialog box, select the test account created in Step 1 and click Confirm.

Record the OIDC application credentials

After you configure the OIDC application, record the following values. You need them to configure SSO in the ASM console.

Value | Where to find it
Issuer | SSO tab > Application Settings section
client_id | General tab on the OIDC application details page
client_secret | General tab on the OIDC application details page

Step 3: Deploy a test application and expose it through the ingress gateway

Deploy the httpbin sample application to verify that SSO correctly injects authenticated user identity into request headers.

Deploy httpbin

Create a YAML file with the following content and apply it to the default namespace of the ACK cluster:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000          # Port the Service exposes inside the cluster (used by the virtual service)
    targetPort: 80      # Port the httpbin container listens on
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin   # Sample app that echoes request headers back
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

Create an Istio gateway

Create a YAML file with the following content and apply it to the ASM instance. For details, see Manage Istio gateways.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway      # Selects the default ingress gateway pod
  servers:
    - hosts:
        - '*'                      # Accepts traffic for all hostnames
      port:
        name: http
        number: 80
        protocol: HTTP

Create a virtual service

Create a YAML file with the following content and apply it to the ASM instance. This virtual service routes all inbound traffic to the httpbin application. For details, see Manage virtual services.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ingressgateway-vs
  namespace: istio-system
spec:
  gateways:
    - ingressgateway
  hosts:
    - '*'
  http:
    - name: default
      route:
        - destination:
            host: httpbin.default.svc.cluster.local   # Fully qualified service name
            port:
              number: 8000

Verify the deployment

Run the following command to confirm that httpbin is accessible through the ingress gateway:

curl -I http://<ingress-gateway-ip>:80

A successful response returns HTTP status 200.

Step 4: Register the OIDC authorization service in ASM

Register an OIDC-based custom authorization service in ASM to handle authentication for all ingress traffic.

Create the authorization service

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Mesh Security Center > Custom Authorization Service.

  3. Click Define Custom Authorization Service.

  4. Click the OIDC Authz and Authn Service tab and configure the following fields with the values from Step 2:

    Field | Value
    Issuer | The Issuer URL from the OIDC application
    Client ID | The client_id from the OIDC application
    Client Secret | The client_secret from the OIDC application
    Redirect URL | http://<ingress-gateway-clb-ip>/oauth2/callback
    Cookie Secret | A randomly generated secret. See Generating a Cookie Secret.

  5. Click Create.

Get the authorization service domain name

Connect to the ACK cluster using its kubeconfig file and run:

kubectl get svc -n istio-system | grep oauth2proxy | awk '{print $1}'

Record the output, which is the name of the oauth2-proxy Service in the istio-system namespace. You need it for the next step.

Route authentication requests to the authorization service

Create a virtual service that routes OAuth 2.0 callback traffic from the ingress gateway to the oauth2-proxy service:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: oauth2-vs
  namespace: istio-system
spec:
  gateways:
    - ingressgateway
  hosts:
    - '*'
  http:
    - match:
        - uri:
            prefix: /oauth2              # Matches all OAuth 2.0 callback paths
      name: oauth2
      route:
        - destination:
            host: <oauth2proxy-svc-name>  # Replace with the domain name from the previous step
            port:
              number: 4180               # Default oauth2-proxy listening port

Important

Do not use the /oauth2 prefix in routing rules defined by other virtual services. Duplicate prefixes cause routing conflicts.

Step 5: Create an authorization policy

Create an AuthorizationPolicy that applies the custom OIDC authorization service to all requests entering the ingress gateway.

  1. On the ASM instance details page, choose Mesh Security Center > AuthorizationPolicy in the left-side navigation pane. Click Create from YAML.

  2. Select the istio-system namespace and paste the following YAML:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oidc
  namespace: istio-system
spec:
  action: CUSTOM                              # Delegates authorization to an external service
  provider:
    name: httpextauth-oidc                    # Must match the authorization service name from Step 4
  rules:
    - {}                                      # Matches all requests (no conditions)
  selector:
    matchLabels:
      istio: ingressgateway                   # Targets the ingress gateway pods

Note

This policy intercepts all requests to the ingress gateway. Every request must pass OIDC authentication before reaching backend applications.

Step 6: Verify SSO

  1. Open http://<ingress-gateway-ip>:80 in a browser. The oauth2-proxy sign-in page appears, which confirms the authorization policy is active.

  2. Click Sign in with OpenID Connect. The browser redirects to the Alibaba Cloud IDaaS login page.

  3. Enter the test account credentials created in Step 1 and click Log On. After successful authentication, the browser redirects back to the httpbin application.

  4. In the httpbin UI, click Request inspection, then choose /headers > Try it out > Execute. The response headers include an Authorization header containing a Bearer token (JWT).

  5. Copy the JWT value (the string after Bearer) and decode it at JWT Debugger. The decoded payload contains user information stored in IDaaS, such as email and username. This confirms that ASM verified the token and forwarded the authenticated identity to the backend application.
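As an added example (not part of the original page or of ASM's own tooling), the following Python script does what step 5 does by hand: it pulls the Bearer token out of the httpbin /headers response, decodes the JWT payload the way JWT Debugger does, and lists the claim problems a backend should refuse on (issuer, audience, expiry). The issuer, client ID, token and httpbin response body are constructed sample values.

```python
import base64
import json
import time

# Constructed sample values (not from the page); use the Issuer and client_id recorded in Step 2.
EXPECTED_ISSUER = "https://idaas.example/oidc"
EXPECTED_CLIENT_ID = "example-client-id"

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str) -> tuple[dict, dict]:
    """Split a compact JWT into (header, payload). Like JWT Debugger this only
    decodes; signature verification already happened upstream in ASM."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def bearer_token(httpbin_response: dict) -> str:
    """Pull the Bearer token out of the httpbin /headers JSON body."""
    scheme, _, token = httpbin_response["headers"].get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("no Bearer token in Authorization header")
    return token

def check_claims(payload: dict, issuer: str, client_id: str, now=None) -> list[str]:
    """List the claim problems a backend should refuse on; an empty list means OK."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include client_id")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        problems.append("token expired or missing exp")
    return problems

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed token with a dummy signature, standing in for the value httpbin shows in Step 6.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url({"iss": EXPECTED_ISSUER, "aud": EXPECTED_CLIENT_ID, "sub": "user-001",
                                  "email": "test.user@example.com", "exp": 4102444800}), "c2lnbmF0dXJl"])
SAMPLE_HTTPBIN_RESPONSE = {"headers": {"Host": "203.0.113.10", "Authorization": "Bearer " + SAMPLE_TOKEN}}
```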

What's next

  • Add more applications to SSO: Deploy applications in the mesh and expose them through the same ingress gateway. The AuthorizationPolicy applies to all ingress traffic automatically.

  • Restrict SSO to specific paths or services: Modify the rules field in the AuthorizationPolicy to target specific paths or services instead of all ingress traffic.

  • Switch to a different OIDC provider: Register a new custom authorization service in the ASM console with the provider's Issuer URL, client ID, and client secret.