
CloudSSO: Supported regions of the CloudSSO directory

Last Updated: Jan 12, 2024

This topic describes the regions supported by the CloudSSO directory and the cross-region data transmission issues that may occur.

Region for the CloudSSO directory

To create the CloudSSO directory, you must select a region for it. Alibaba Cloud stores CloudSSO-related data in the directory in the region that you select, including the identities, permissions, and authorization data that you manage by using CloudSSO. You can still deploy Alibaba Cloud resources, such as Elastic Compute Service (ECS) instances and ApsaraDB RDS instances, in other regions, and you can use your cloud account to log on and access the Alibaba Cloud resources in those regions.

You can select a region to create the CloudSSO directory based on your business requirements and the geographic location of intended users. If you do not have specific requirements, we recommend that you select a region that is geographically closest to your intended users. This way, access to cloud resources is accelerated.

You can create the CloudSSO directory in the China (Shanghai), China (Hong Kong), US (Silicon Valley), or Germany (Frankfurt) region.

Relationship between data and the region in which the CloudSSO directory resides

Alibaba Cloud stores CloudSSO-related data in the region that you select when you create the CloudSSO directory. CloudSSO-related data includes all data that you create and modify in CloudSSO, such as user information, group information, multi-account authorization data, Resource Access Management (RAM) user synchronization tasks, and global configurations.

Data may be transmitted across regions in the following scenarios, whenever the operation originates outside the region in which the CloudSSO directory resides:

  • Management calls: when you access CloudSSO, or create or update CloudSSO user information or other configurations from another region, a cross-region API call is initiated, and the user information that you pass in is transmitted to the region in which the directory resides.

  • Logons: when a CloudSSO user initiates a logon request, the username, password, and virtual multi-factor authentication (MFA) verification code that the user passes in are transmitted to the region in which the directory resides for authentication. The authentication result is then returned to the region from which the user initiated the logon request, and the session information is saved in the region in which the directory resides to keep the logon valid.

  • MFA device binding and password changes: when a CloudSSO user binds an MFA device or changes the logon password, the verification code that is generated on the MFA device, the verification code that is sent to the configured two-factor authentication method, and the new logon password are transmitted to the region in which the directory resides for authentication.

  • SCIM synchronization: if you configured and enabled System for Cross-domain Identity Management (SCIM) synchronization, the username, UID, and group name are transmitted from the location of your enterprise identity provider (IdP) to the region in which the directory resides.

You can create the CloudSSO directory in only one region. If you want to change the region, you must disable the directory and then create another directory in the required region. The data that is stored in the previous directory cannot be migrated to the new region, and the logon URL for CloudSSO users changes.

Accelerated URL

Note

The accelerated URL feature is in invitational preview. Contact your account manager to apply for a trial.

CloudSSO-related data is stored in the region that you select when you create the CloudSSO directory. If your directory resides in the China (Shanghai) region, CloudSSO provides the accelerated URL feature free of charge to ensure access stability for CloudSSO users outside the Chinese mainland. You can use the feature in the following scenarios:

  • CloudSSO users access CloudSSO outside the Chinese mainland. The information must be transmitted to the China (Shanghai) region in which the directory resides for authentication.

  • CloudSSO users manage MFA devices and logon passwords on the logon page. The information must be transmitted to the China (Shanghai) region in which the directory resides for update and storage.

  • You configured SCIM synchronization and your IdP resides outside the Chinese mainland. The user information must be transmitted to the China (Shanghai) region in which the directory resides.

You can enable the accelerated URL feature in the CloudSSO console to obtain an accelerated URL. CloudSSO users can then use the accelerated URL to log on to and access CloudSSO. After you enable the feature, CloudSSO-related data is first transmitted to the Alibaba Cloud acceleration endpoint that is closest to your intended users, and then to the China (Shanghai) region in which the directory resides. CloudSSO provides acceleration endpoints in the China (Hong Kong), US (Silicon Valley), and Germany (Frankfurt) regions. CloudSSO users who do not want to use the accelerated URL can still use the logon URL to access CloudSSO.
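The following data-flow model, an added example that is not Alibaba Cloud's own code, turns the cross-region rules above (the transmissions listed under the directory region section and the accelerated URL routing in this section) into a check you can run during a data-residency review. Region names are the ones on this page; the data labels, the `accel_endpoint` parameter and the function interface are assumptions made for illustration.

```python
"""Inventory which CloudSSO data crosses a region boundary for a given deployment.
Constructed example: region names follow the page, everything else is illustrative."""

DIRECTORY_REGIONS = {
    "China (Shanghai)", "China (Hong Kong)", "US (Silicon Valley)", "Germany (Frankfurt)",
}
# Acceleration endpoints exist only in these regions, and the accelerated URL
# is offered only for a directory that resides in China (Shanghai).
ACCEL_ENDPOINTS = {"China (Hong Kong)", "US (Silicon Valley)", "Germany (Frankfurt)"}
ACCEL_DIRECTORY = "China (Shanghai)"


def _route(origin, directory_region, accel_endpoint):
    """Regions a transmission passes through: origin, optional endpoint, directory."""
    hops = [origin]
    if accel_endpoint and accel_endpoint != origin:
        hops.append(accel_endpoint)
    hops.append(directory_region)
    return hops


def cross_region_flows(directory_region, user_regions, idp_region=None, accel_endpoint=None):
    """Return (data, route) pairs for every transmission that leaves its origin region.

    user_regions:   regions from which users log on or manage MFA devices and passwords
    idp_region:     region of the enterprise IdP when SCIM synchronization is enabled (None = no SCIM)
    accel_endpoint: endpoint the accelerated URL routes through (None = plain logon URL)
    """
    if directory_region not in DIRECTORY_REGIONS:
        raise ValueError(f"the CloudSSO directory cannot reside in {directory_region}")
    if accel_endpoint is not None:
        if directory_region != ACCEL_DIRECTORY:
            raise ValueError("accelerated URL is available only for a directory in China (Shanghai)")
        if accel_endpoint not in ACCEL_ENDPOINTS:
            raise ValueError(f"no acceleration endpoint in {accel_endpoint}")
    flows = []
    for origin in user_regions:
        if origin == directory_region:
            continue  # same region as the directory: nothing crosses a boundary
        route = _route(origin, directory_region, accel_endpoint)
        flows.append(("logon credentials (username, password, virtual MFA code)", route))
        flows.append(("MFA device binding and password change data", route))
    if idp_region is not None and idp_region != directory_region:
        route = _route(idp_region, directory_region, accel_endpoint)
        flows.append(("SCIM sync data (username, UID, group name)", route))
    return flows
```

Each route lists the regions the data passes through, so a reviewer can see at a glance which transmissions a Shanghai directory with the accelerated URL sends via an endpoint and which go directly.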
