
CloudSSO: Getting started with CloudSSO

Last Updated: Dec 04, 2023

This topic describes the prerequisites and procedure to use CloudSSO and provides links to configuration examples.

Prerequisites

  • A resource directory is enabled, and the multi-account organizational structure is built.

    For more information, see Resource Directory overview.

  • Only the management account of a resource directory or a RAM user that has administrative rights within the management account can be used to enable CloudSSO.

    • Management account

      A management account is the account that is used to enable a resource directory and is the super administrator of the resource directory. The management account has full permissions on the resource directory and the members in the resource directory. You must use an Alibaba Cloud account that has passed enterprise real-name verification to enable a resource directory. Each resource directory has only one management account.

    • RAM users

      You must attach the AliyunCloudSSOFullAccess system policy to the RAM users of the management account. For more information, see Grant permissions to RAM users.

Procedure

  1. Enable CloudSSO and create the CloudSSO directory.

    For more information, see Enable CloudSSO and Create the CloudSSO directory.

  2. Manage users and groups.

    You can use one of the following methods:

    • Synchronize users or groups from an identity provider (IdP). We recommend that you use this method.

      1. Enable System for Cross-domain Identity Management (SCIM) synchronization and create SCIM credentials in the CloudSSO console.

        For more information, see Enable SCIM synchronization and Create SCIM credentials.

      2. Configure user and group synchronization in the IdP.

        For more information, see Configuration examples.

        Note

        You can configure SCIM synchronization only when the IdP supports SCIM.

    • Create users or groups in the CloudSSO console.

      For more information, see Create a user, Create a group, and Add a user to a group.

  3. Specify a logon method.

    You can enable one of the following logon methods. If you enable a logon method, the other logon method is automatically disabled.

  4. Create an access configuration.

    An access configuration is a configuration template for CloudSSO users to access the accounts in resource directories. The template includes information such as the access permissions, session duration, and relay state. For more information, see Overview and Create an access configuration.

  5. Assign access permissions on the accounts in your resource directory to users or groups.

    Based on the structure of the resource directory, you specify which users or groups are allowed to access which accounts, and which access permissions or access configurations they receive. Access permissions can be assigned on the enterprise management account and on the member accounts in your resource directory. For more information, see Assign access permissions on the accounts in a resource directory.

  6. Access Alibaba Cloud resources.

    1. Log on to the CloudSSO user portal by using the logon method that you specified.

    2. View all the accounts that you can access in your resource directory.

    3. Select an account to access the Alibaba Cloud resources on which the account has permissions.

    For more information, see Log on to the CloudSSO user portal and access Alibaba Cloud resources.
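The SCIM synchronization in step 2 is the part of this procedure that an IdP drives over the network, so it helps to see the actual messages. The following is an added example, not Alibaba Cloud's or CloudSSO's code: a small SCIM 2.0 client that builds the User and Group resources (RFC 7643) and the PatchOp messages (RFC 7644) an IdP sends to create a user, create a group, add the user to the group, and later deactivate the user, together with an in-memory fake service provider so the exchange runs offline. BASE_URL and TOKEN are placeholders; in a real deployment the endpoint and bearer token are the SCIM credentials created in the CloudSSO console and are stored in the IdP's secret store, never in source.

```python
"""Added example (not Alibaba Cloud's code): the SCIM 2.0 exchange an IdP
performs to push users and groups, run offline against an in-memory fake.
BASE_URL and TOKEN are placeholders, not CloudSSO values."""
from typing import Callable, Dict, Tuple

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

BASE_URL = "https://scim.example.invalid/v2"  # placeholder endpoint
TOKEN = "PLACEHOLDER_SCIM_BEARER_TOKEN"       # placeholder credential


class ScimClient:
    """Builds SCIM resources and PatchOp messages; HTTP is delegated to a
    transport(method, url, headers, body) -> (status, json) callable."""

    def __init__(self, base_url: str, token: str, transport: Callable):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport

    def _call(self, method: str, path: str, body: dict) -> dict:
        headers = {"Authorization": "Bearer " + self.token,
                   "Content-Type": "application/scim+json"}
        status, resp = self.transport(method, self.base_url + path, headers, body)
        if status >= 400:  # surface provisioning failures instead of skipping them
            raise RuntimeError(f"{method} {path} -> {status}: {resp.get('detail')}")
        return resp

    def create_user(self, user_name: str, given: str, family: str, email: str) -> str:
        body = {"schemas": [SCIM_USER], "userName": user_name, "active": True,
                "name": {"givenName": given, "familyName": family},
                "emails": [{"value": email, "primary": True}]}
        return self._call("POST", "/Users", body)["id"]

    def create_group(self, display_name: str) -> str:
        body = {"schemas": [SCIM_GROUP], "displayName": display_name, "members": []}
        return self._call("POST", "/Groups", body)["id"]

    def add_member(self, group_id: str, user_id: str) -> dict:
        body = {"schemas": [SCIM_PATCH], "Operations": [
            {"op": "add", "path": "members", "value": [{"value": user_id}]}]}
        return self._call("PATCH", "/Groups/" + group_id, body)

    def deactivate_user(self, user_id: str) -> dict:
        # Leavers are deactivated rather than deleted so the identity stays auditable.
        body = {"schemas": [SCIM_PATCH], "Operations": [
            {"op": "replace", "path": "active", "value": False}]}
        return self._call("PATCH", "/Users/" + user_id, body)


class FakeScimServer:
    """Constructed in-memory service provider: bearer check, unique userName,
    and the two PatchOp shapes the client above sends."""

    def __init__(self, base_url: str, expected_token: str):
        self.base_url, self.expected_token = base_url.rstrip("/"), expected_token
        self.users: Dict[str, dict] = {}
        self.groups: Dict[str, dict] = {}
        self._seq = 0

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        if headers.get("Authorization") != "Bearer " + self.expected_token:
            return 401, {"detail": "invalid bearer token"}
        path = url[len(self.base_url):]
        if method == "POST" and path == "/Users":
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"detail": "userName already exists"}
            self._seq += 1
            uid = f"id-{self._seq}"
            self.users[uid] = dict(body, id=uid)
            return 201, self.users[uid]
        if method == "POST" and path == "/Groups":
            self._seq += 1
            gid = f"id-{self._seq}"
            self.groups[gid] = dict(body, id=gid)
            return 201, self.groups[gid]
        if method == "PATCH":
            kind, rid = path.strip("/").split("/")
            store = self.users if kind == "Users" else self.groups
            for op in body["Operations"]:
                if op["op"] == "add" and op["path"] == "members":
                    store[rid]["members"].extend(op["value"])
                elif op["op"] == "replace":
                    store[rid][op["path"]] = op["value"]
            return 200, store[rid]
        return 400, {"detail": "unsupported request"}


def provision_demo() -> FakeScimServer:
    """Push one constructed user and group, link them, then deactivate the user."""
    server = FakeScimServer(BASE_URL, TOKEN)
    client = ScimClient(BASE_URL, TOKEN, server)
    alice = client.create_user("alice@example.com", "Alice", "Liddell", "alice@example.com")
    admins = client.create_group("cloud-admins")
    client.add_member(admins, alice)
    client.deactivate_user(alice)
    return server
```

Two points the fake makes visible: a request with the wrong bearer token is rejected with 401 before any state changes, which is why the SCIM credential must be protected like any other secret, and a duplicate userName is rejected with 409, so the IdP's sync job has to treat such errors as failures to investigate rather than silently continue. Swapping the fake for a real HTTPS transport is the only change needed to talk to an actual SCIM endpoint.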

Configuration examples

Enterprise IdP   SCIM synchronization                                    SSO logon
Azure AD         Synchronize users or groups in Azure AD by using SCIM   Configure SSO from Azure AD to CloudSSO
Okta             Synchronize users or groups in Okta by using SCIM       Configure SSO from Okta to CloudSSO
AD FS            None                                                    Configure SSO from AD FS to CloudSSO
Shibboleth       None                                                    Configure SSO from Shibboleth to CloudSSO