All Products
Search

This Product

    CloudSSO:Access resources through the CloudSSO user portal

    Document Center

    CloudSSO:Access resources through the CloudSSO user portal

    Last Updated:Jun 21, 2026

    After signing in to the user portal, a CloudSSO user can view the resource directory (RD) member accounts they are authorized to access. They can access these accounts' cloud resources as a RAM role or a RAM user. An administrator can also create a direct access link that lets users sign in to a specific account with a single click, without manually selecting an account in the portal.

    Get the user portal URL

    A CloudSSO administrator can get the user portal login URL from the console and share it with CloudSSO users.

    1. Sign in to the CloudSSO console.

    2. In the left-side navigation pane, click Overview.

    3. On the Overview tab, view or copy the Login URL.

    Note

    If you enabled the acceleration feature, CloudSSO users can use the acceleration URL to reduce latency when signing in from outside the Chinese mainland. For more information, see Accelerate access to CloudSSO from outside the Chinese mainland.

    Create a direct access link (Optional)

    If users frequently access a fixed set of accounts, or if the number of member accounts in your resource directory (RD) is small, an administrator can create direct access links. A direct access link includes information about a specific account and access configuration. Users can click the link to sign in directly to the console of the specified account without having to manually select an account and permissions in the user portal.

    RAM role link

    A direct access link for a RAM role uses the following format:

    https://<Login URL>/login?quickLogin=true&accountId=<accountId>&accessConfigurationName=<accessConfigurationName>&landingPage=<landingPage>

    Parameters:

    • Login URL (Required): The login URL from the Overview page. The format is signin-<region>.alibabacloudsso.com/<DirectoryName>, where DirectoryName is the name of your CloudSSO directory.

    • quickLogin (Required): A fixed value of true, which indicates that direct access is enabled.

    • accountId (Required): The ID of the target member account.

    • accessConfigurationName (Required): The name of the access configuration to use. The user signs in to the target account with the permissions that are associated with this access configuration.

    • landingPage (Optional): The destination URL after a successful sign-in. The URL must be on an Alibaba Cloud domain (aliyun.com or alibabacloud.com) and must be URL-encoded. For example, https%3A%2F%2Fram.console.alibabacloud.com. If you omit this parameter, the user is redirected to the initial landing page configured in the access configuration.

    Example:

    https://signin-cn-hangzhou.alibabacloudsso.com/cloudsso-test/login?quickLogin=true&accountId=199386846043****&accessConfigurationName=vpc-admin&landingPage=https%3A%2F%2Fram.console.alibabacloud.com

    RAM user link

    A direct access link for a RAM user uses the following format:

    https://<Login URL>/login?quickLogin=true&provisionUser=true&accountId=<accountId>&landingPage=<landingPage>

    Parameters:

    • Login URL (Required): The login URL from the Overview page. The format is the same as described above.

    • quickLogin (Required): A fixed value of true, which indicates that direct access is enabled.

    • provisionUser (Required): A fixed value of true, which indicates that the user signs in as a RAM user.

    • accountId (Required): The ID of the target member account.

    • landingPage (Optional): The destination URL after a successful sign-in. The URL must be on an Alibaba Cloud domain (aliyun.com or alibabacloud.com) and must be URL-encoded. If you omit this parameter, the user is redirected to the default landing page set in the RAM user provisioning configuration.

    Example:

    https://signin-cn-hangzhou.alibabacloudsso.com/cloudsso-test/login?quickLogin=true&provisionUser=true&accountId=199386846043****&landingPage=https%3A%2F%2Fram.console.alibabacloud.com
    Note

    The key difference is that a RAM role link uses the accessConfigurationName parameter to sign a user in as a RAM role, while a RAM user link uses provisionUser=true to allow the user to sign in as the RAM user provisioned in the target account.

    Access Alibaba Cloud from the user portal

    From the CloudSSO user portal, you can select an account and permission set to access Alibaba Cloud resources.

    1. In a web browser, open the user portal Login URL provided by your administrator.

    2. Authenticate using the configured sign-in method.

      • SSO login: Click Redirect. You are redirected to your enterprise identity provider's (IdP) sign-in page. Sign in with your enterprise IdP username and password.

      • Username and password login: Enter your CloudSSO username and password, and then click Log On.

    3. (Optional) If your administrator has enabled multi-factor authentication (MFA), complete MFA verification.

      • When you sign in to the user portal for the first time, you must add an MFA device. For more information, see Add your first MFA device.

      • If you have already bound an MFA device, enter the verification code from your mobile device and click Verify.

    4. After you sign in to the user portal, choose a sign-in method based on the type of resource you want to access.

      Sign in as RAM role

      This method applies to most cloud services, as they support RAM roles. Prerequisite: Your administrator must have granted you access permissions for the target account by using an access configuration. For more information about how to grant permissions, see Grant permissions on a member account.

      1. On the Sign in as RAM role tab, find the target member account, and then click Show Details in the Access Assignments column.

        If you have access permissions for multiple member accounts, you can select the account that you want to access on this page.

        The page displays a table of accessible Alibaba Cloud accounts with the Account Name, Account ID, and Permissions columns. In the Permissions column, click Show Details to view the permission information for the account.

        Note

        If the list is empty, you do not have access permissions for any member accounts. Contact your administrator to assign an access configuration to you.

      2. Find the target permission and click Log On in the Actions column.

        The expanded permission list shows the names of the access configurations for the account. The Actions column contains the Sign In and Direct Access Link buttons.

        If you have multiple access configurations (permissions) for the same account, you can select the one you want to use.

        The dialog box displays the Alibaba Cloud Account ID and Access Configuration Name (read-only). You can optionally specify a Callback URL. If you do not specify this URL, you are redirected to the initial landing page configured in the access configuration.

        Note

        If the permission list is empty, you do not have permissions to access any resources in the current account.

      3. You are now signed in to the target account's console as a RAM role.

        You can hover over the profile icon in the upper-right corner of the console to view your current identity.

        The information includes your Current Identity (the RAM role name), Enterprise Alias, management account, and Management Account ID. The RAM role tag confirms that you are signed in as a RAM role.

      Sign in as RAM user

      This method is for cloud services that do not support RAM roles. Prerequisite: Your administrator has configured RAM user provisioning in CloudSSO. For more information, see Configure RAM user provisioning.

      1. On the Sign in as RAM user tab, find the target member account, and then click Log On in the Actions column.

        If you have access permissions for multiple member accounts, you can select the account that you want to access on this page.

        Note

        If the list is empty, you do not have access permissions for any member accounts.

        You can also click Direct Access Link in the Actions column. In the dialog box that appears, click Generate Link and copy the link for later use. For more information, see Access Alibaba Cloud by using a direct access link.

        The dialog box includes the Alibaba Cloud Account ID (read-only) and an optional Callback URL. It does not include an Access Configuration Name field.

      2. You are now signed in to the target account's console as a RAM user.

        You can hover over the profile icon in the upper-right corner of the console to view your current identity.

        The information includes your Current Identity (the RAM user name), Enterprise Alias, management account, and Management Account ID. The RAM user tag next to the username confirms that you are signed in as a RAM user.

    Note

    • The default session duration after signing in to a member account is 6 hours. You can change this duration. For more information, see Set the session duration.

    • The default initial landing page after sign-in is the Alibaba Cloud console homepage. You can change this page. For more information, see Set the initial landing page.

    Access Alibaba Cloud using a direct link

    You can use a direct access link from an administrator to sign in to a specific member account with a single click.

    1. In a web browser, open the direct access link provided by your administrator.

    2. Authenticate using the configured sign-in method.

      For more information about how to set the sign-in method, see Set the sign-in method.

      • SSO login: Click Redirect. You are redirected to your enterprise IdP sign-in page. Sign in with your enterprise IdP username and password.

      • Username and password login: Enter your CloudSSO username and password, and then click Log On.

    3. (Optional) If your administrator has enabled multi-factor authentication (MFA), complete MFA verification.

      • When you sign in to the user portal for the first time, you must add an MFA device. For more information, see Add your first MFA device.

      • If you have already bound an MFA device, enter the verification code from your mobile device and click Verify.

    4. The system automatically signs you in to the member account specified in the link and redirects you to the specified console page.

    Note

    • The default session duration after signing in to a member account is 6 hours. You can change this duration. For more information, see Set the session duration.

    • The default initial landing page after sign-in is the Alibaba Cloud console homepage. You can change this page. For more information, see Set the initial landing page.

    FAQ

    Insufficient access error with direct links

    This error occurs if the accessConfigurationName in the direct access link does not exist in the specified account, or if you do not have permission for that access configuration. The system displays an Insufficient Access message and a list of access configurations that are available to you for that account. You can select the correct access configuration from the list to continue signing in, and then update the link with the correct access configuration name.

    No accounts in user portal

    If the account list is empty after you sign in to the user portal, it usually means your administrator has not granted you access to any member accounts. Contact your CloudSSO administrator to request permissions.

    Switching member accounts

    To switch to another account, return to the user portal and select a different account and permission set.