Checks whether the single sign-on (SSO) feature is enabled for each RAM user. If so, the evaluation result is Compliant.
Scenarios
User-based SSO applies to the following scenarios:
- You want to initiate logon from Alibaba Cloud, not from your IdP.
- Some Alibaba Cloud services cannot be accessed by RAM roles (that is, with STS temporary credentials), so a RAM user identity is required. For more information, see Services that work with STS.
- Your IdP does not support complex attribute configuration.
- You want to simplify IdP configuration.
Risk level
Default risk level: medium.
When you configure this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If the SSO feature is enabled for each RAM user, the evaluation result is Compliant.
- If the SSO feature is disabled for a RAM user, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
Item | Description |
---|---|
Rule name | ram-user-sso-enabled |
Rule identifier | ram-user-sso-enabled |
Tag | SSO, RAM, and User |
Automatic remediation | Not supported |
Trigger type | Periodic execution |
Evaluation frequency | Interval of 24 hours |
Supported resource type | All resources |
Input parameter | None |
Incompliance remediation
Enable the SSO feature for a RAM user. For more information, see Overview of user-based SSO.
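The following script is an added example, not code from the Alibaba Cloud page or from the Cloud Config service. It reproduces the evaluation logic above outside Cloud Config and shows the remediation as a CLI step. It assumes (these are assumptions, not stated on the page) that the Alibaba Cloud CLI (`aliyun`) is installed and configured, that user-based SSO is an account-level setting read with the IMS action `GetUserSsoSettings` (whose response carries a `UserSsoSettings.SsoEnabled` boolean) and written with `SetUserSsoSettings` (parameters `SsoEnabled` and a base64-encoded `MetadataDocument`), and that one account-level check therefore yields the same result for every RAM user. The two JSON responses embedded in the script are constructed samples so the evaluator can be run offline.

```shell
#!/bin/sh
# Added example: evaluate and remediate the user-based SSO setting that the
# ram-user-sso-enabled rule checks. Not the rule's own implementation.
# Assumed (not from the page): aliyun CLI is installed and configured;
# IMS GetUserSsoSettings returns {"UserSsoSettings":{"SsoEnabled":true|false,...}};
# IMS SetUserSsoSettings accepts --SsoEnabled and a base64 --MetadataDocument.
set -eu

# Map a GetUserSsoSettings JSON response to the rule's evaluation result.
# Kept free of network calls so it can be exercised on a constructed response.
# Anything that is not an explicit "SsoEnabled": true is treated as Incompliant
# (missing field, malformed JSON, SsoEnabled=false).
evaluate_sso_response() {
    response="$1"
    if printf '%s' "$response" | grep -Eq '"SsoEnabled"[[:space:]]*:[[:space:]]*true'; then
        echo "Compliant"
    else
        echo "Incompliant"
    fi
}

# Live check against the account (needs credentials and network access).
check_sso() {
    evaluate_sso_response "$(aliyun ims GetUserSsoSettings)"
}

# Remediation: enable user-based SSO with the IdP's SAML metadata file.
# MetadataDocument is assumed to be the base64-encoded metadata XML.
enable_sso() {
    metadata_file="$1"
    metadata_b64=$(base64 < "$metadata_file" | tr -d '\n')
    aliyun ims SetUserSsoSettings --SsoEnabled true --MetadataDocument "$metadata_b64"
}

# Constructed sample responses (not captured from a real account).
SAMPLE_ENABLED='{"RequestId":"00000000-0000-0000-0000-000000000000","UserSsoSettings":{"SsoEnabled":true,"MetadataDocument":"ZXhhbXBsZQ==","AuxiliaryDomain":""}}'
SAMPLE_DISABLED='{"RequestId":"00000000-0000-0000-0000-000000000000","UserSsoSettings":{"SsoEnabled":false,"MetadataDocument":"","AuxiliaryDomain":""}}'

main() {
    case "${1:-demo}" in
        demo)
            echo "sample enabled  -> $(evaluate_sso_response "$SAMPLE_ENABLED")"
            echo "sample disabled -> $(evaluate_sso_response "$SAMPLE_DISABLED")"
            ;;
        check)  check_sso ;;
        enable) enable_sso "${2:?usage: $0 enable <idp-metadata.xml>}" ;;
        *)      echo "usage: $0 [demo|check|enable <idp-metadata.xml>]" >&2; exit 2 ;;
    esac
}

main "$@"
```

Run `sh script.sh` to see the evaluator on the two constructed samples, `sh script.sh check` to evaluate the real account, and `sh script.sh enable idp-metadata.xml` to apply the remediation. Because the rule has no automatic remediation and runs only every 24 hours, re-run `check` right after enabling SSO rather than waiting for the next periodic evaluation to confirm the fix.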