
CloudSSO: Getting started with CloudSSO

Last Updated: Jun 04, 2026

Learn the prerequisites and procedure to use CloudSSO, including IdP configuration examples.

Prerequisites

  • A resource directory is enabled and a multi-account organization is set up.

    For more information, see Resource Directory overview.

  • Only the management account or a RAM user with administrative rights in the management account can enable CloudSSO.

    • Management account

      The management account enables and fully administers the resource directory, including all members. It must be an Alibaba Cloud account that has passed enterprise identity verification. Each resource directory has one management account.

    • RAM users

      Attach the AliyunCloudSSOFullAccess system policy to RAM users of the management account. For more information, see Grant permissions to RAM users.

Procedure

  1. Enable CloudSSO and create the CloudSSO directory.

    For more information, see Enable CloudSSO and create the CloudSSO directory.

  2. Manage users and groups.

    Use one of the following methods:

  3. Specify a logon method.

    Enable one of the following logon methods. Enabling one automatically disables the other.

  4. Create an access configuration.

    An access configuration is a template that defines the access permissions, session duration, and relay state for CloudSSO users to access accounts in resource directories. For more information, see Overview and Create an access configuration.

  5. Assign access permissions on accounts in your resource directory to users or groups.

    Specify which users or groups can access accounts in your resource directory, and assign access permissions or configurations to them. Permissions can be assigned on the enterprise management account and members in your resource directory. For more information, see Assign access permissions on the accounts in a resource directory.

  6. Access Alibaba Cloud resources.

    1. Log on to the CloudSSO user portal with your configured logon method.

    2. View the accounts you can access in your resource directory.

    3. Select an account to access its Alibaba Cloud resources.

    For more information, see Log on to the CloudSSO user portal and access Alibaba Cloud resources.

Configuration examples

| Enterprise IdP | SCIM synchronization | SSO logon |
|---|---|---|
| Azure AD | Synchronize users or groups in Azure AD by using SCIM | Configure SSO from Azure AD to CloudSSO |
| Okta | Synchronize users or groups in Okta by using SCIM | Configure SSO from Okta to CloudSSO |
| AD FS | None | Configure SSO from AD FS to CloudSSO |
| Shibboleth | None | Configure SSO from Shibboleth to CloudSSO |