This topic describes the prerequisites and procedure to use CloudSSO and provides links to configuration examples.
Prerequisites
- A resource directory is enabled, and the multi-account organizational structure is built.
  For more information, see Resource Directory overview.
- Only the management account that is used to enable a resource directory can be used to enable CloudSSO.
  - Management account
    A management account is the account that is used to enable a resource directory and is the super administrator of the resource directory. The management account has full permissions on the resource directory and the members in the resource directory. You must use an enterprise account to enable a resource directory. Each resource directory has only one management account.
  - RAM users
    You must attach the AliyunCloudSSOFullAccess system policy to the RAM users of the management account. For more information, see Grant permissions to a RAM user.
Procedure
- Enable CloudSSO and create the CloudSSO directory.
  For more information, see Enable CloudSSO and Create the CloudSSO directory.
- Manage users and user groups.
  You can use one of the following methods:
  - Synchronize users or groups from an identity provider (IdP). We recommend that you use this method.
    - Enable System for Cross-domain Identity Management (SCIM) synchronization and create SCIM credentials in the CloudSSO console.
      For more information, see Enable SCIM synchronization and Create SCIM credentials.
    - Configure user and group synchronization in the IdP.
      For more information, see Configuration examples.
    Note: You can configure SCIM synchronization only when the IdP supports SCIM.
  - Create users or groups in the CloudSSO console.
    For more information, see Create a user, Create a group, and Add a user to a group.
- Specify a logon method.
  You can enable one of the following logon methods. If you enable one logon method, the other logon method is automatically disabled.
  - SSO logon
    For more information, see Enable SSO logon and Configuration examples.
  - Username-password logon
    For more information, see Enable username-password logon.
- Create an access configuration.
  An access configuration is a configuration template for CloudSSO users to access the accounts in resource directories. The template includes information such as the access permissions, session duration, and relay state. For more information, see Overview and Create an access configuration.
- Assign access permissions on the accounts in your resource directory to users or groups.
  You can specify the users or groups that are allowed to access the accounts in your resource directory based on the structure of the resource directory. You can also assign access permissions or configurations to users or groups. You can assign access permissions on the enterprise management account and members in your resource directory. For more information, see Assign access permissions on the accounts in a resource directory.
- Access Alibaba Cloud resources.
  - Log on to the CloudSSO user portal by using the logon method that you specified.
  - View all the accounts that you can access in your resource directory.
  - Select an account to access the Alibaba Cloud resources on which the account has permissions.
  For more information, see Log on to the CloudSSO user portal and access Alibaba Cloud resources.
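The last three steps tie together access configurations, assignments, and what a user sees in the portal. As an added example that is not part of the Alibaba Cloud documentation or the CloudSSO API, the following Python model works over constructed sample data (every user, group, policy name and account ID is made up): it resolves which accounts a user can see and with which access configurations, counting both direct and group assignments, and lists every user who can reach the management account, which is the first thing to review after assigning permissions.

```python
from dataclasses import dataclass

# Constructed sample directory modelled on the concepts above; every ID, user,
# group and policy name here is made up for the example, not real account data.
@dataclass(frozen=True)
class AccessConfiguration:       # the template: permissions, session duration, relay state
    name: str
    policies: tuple
    session_duration_s: int
    relay_state: str = ""

@dataclass(frozen=True)
class Assignment:                # principal + access configuration + target account
    principal_type: str          # "user" or "group"
    principal_id: str
    access_configuration: str
    target_account: str

MANAGEMENT_ACCOUNT = "1000000000000001"
GROUPS = {"ops": {"alice", "bob"}, "finance": {"carol"}}
ACCESS_CONFIGS = {
    "ReadOnly": AccessConfiguration("ReadOnly", ("ReadOnlyAccess",), 3600),
    "OpsAdmin": AccessConfiguration("OpsAdmin", ("AdministratorAccess",), 1800),
}
ASSIGNMENTS = [
    Assignment("group", "ops", "ReadOnly", "1000000000000002"),
    Assignment("user", "alice", "OpsAdmin", "1000000000000002"),
    Assignment("user", "bob", "ReadOnly", MANAGEMENT_ACCOUNT),
    Assignment("group", "finance", "ReadOnly", "1000000000000003"),
]

def accessible_accounts(user: str) -> dict:
    """Accounts the user sees in the portal, mapped to the access configurations
    (and therefore permissions) usable on each, via direct and group assignments."""
    principals = {("user", user)} | {("group", g) for g, m in GROUPS.items() if user in m}
    result = {}
    for a in ASSIGNMENTS:
        if (a.principal_type, a.principal_id) in principals:
            result.setdefault(a.target_account, set()).add(a.access_configuration)
    return result

def management_account_users() -> set:
    """Every user who can reach the management account, directly or through a group."""
    users = set()
    for a in ASSIGNMENTS:
        if a.target_account == MANAGEMENT_ACCOUNT:
            users |= {a.principal_id} if a.principal_type == "user" else GROUPS.get(a.principal_id, set())
    return users
```

Run against a real directory, the two functions answer "what does this user see after logon" and "who can act on the management account" without clicking through each account in the console.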
Configuration examples
| Enterprise IdP | SCIM synchronization | SSO logon |
|---|---|---|
| Azure AD | Synchronize users or groups in Azure AD by using SCIM | Configure SSO logon from Azure AD |
| Okta | Synchronize users or groups in Okta by using SCIM | Configure SSO logon from Okta |
| AD FS | None | Configure SSO logon from AD FS |