CloudSSO supports single sign-on (SSO) logon based on Security Assertion Markup Language (SAML) 2.0. Alibaba Cloud acts as the service provider (SP), and the identity management system of an enterprise acts as the identity provider (IdP). SSO logon allows enterprise employees to access CloudSSO by using their identities in the IdP. With CloudSSO, you configure the settings only once to implement SSO logon from an IdP to Alibaba Cloud.
- Specify Alibaba Cloud as a trusted SAML SP in the IdP and configure SAML assertions.
For example, configure the NameID attribute in the assertions.
The operations vary based on the IdP. For more information, see the documentation of your IdP.
- Specify the IdP as a trusted SAML IdP in the CloudSSO console.
To configure an IdP, you can select Manual Configuration or Upload Metadata File. If you select Manual Configuration, you can configure only the following parameters that are required for SSO logon to take effect: Entity ID, Logon URL, and Certificate. If you need to configure more parameters, first generate the IdP metadata file by using the IdP client and select Upload Metadata File. After you configure the IdP, enable SSO logon. For more information, see Configure SSO logon.
- Use System for Cross-domain Identity Management (SCIM) to synchronize users, or create users that have the same usernames as the IdP users in the CloudSSO console.
If the IdP supports SCIM and contains a large number of users, you can directly synchronize the users in the IdP to CloudSSO. For more information about how to use SCIM synchronization, see Synchronize users or groups in Azure AD by using SCIM and Synchronize users or groups in Okta by using SCIM.
If the IdP contains a small number of users, you can create users that have the same usernames as the IdP users in the CloudSSO console. When you create a user, set the name of the user to the value of the NameID attribute in the SAML assertions. For more information, see Create a user.
- Log on to the Alibaba Cloud Management Console as an IdP user by using the SSO logon method.