
CloudSSO: Configure alert notifications of SCIM credential expiration and SAML signing certificate expiration

Last Updated: Nov 20, 2023

This topic describes how to configure alert notifications of System for Cross-domain Identity Management (SCIM) credential expiration and Security Assertion Markup Language (SAML) signing certificate expiration of CloudSSO by using Cloud Config and CloudMonitor.

Scenarios

Expiration of a SCIM credential

You must create a SCIM credential when you configure SCIM user synchronization between CloudSSO and an enterprise identity provider (IdP). For more information, see Manage SCIM credentials.

The validity period of a SCIM credential is one year. After the SCIM credential expires, SCIM synchronization is disabled, so you must create another SCIM credential in advance for rotation. To ensure that SCIM synchronization settings remain valid, you can configure a SCIM credential expiration rule in Cloud Config and use CloudMonitor to send notifications before SCIM credentials expire. This way, you can rotate the SCIM credential in advance.

Expiration of a SAML signing certificate

When you configure single sign-on (SSO) between CloudSSO and an enterprise IdP, you must upload the metadata file of the enterprise IdP. The metadata file contains the SAML signing certificate of the enterprise IdP. CloudSSO obtains the validity period of the certificate from the metadata file. For more information, see Configure SSO.

If the SAML signing certificate expires, SSO fails and users cannot log on to Alibaba Cloud by using CloudSSO. You must create another SAML signing certificate in advance for rotation. You can configure a SAML signing certificate expiration rule in Cloud Config and use CloudMonitor to send notifications before SAML signing certificates expire. This way, you can rotate the SAML signing certificate in advance.

Procedure

Perform the following operations as a CloudSSO administrator:

Step 1: Create a rule in Cloud Config

  1. Log on to the Cloud Config console.

  2. Click Activate Now to activate Cloud Config.

    Note

    If you have activated Cloud Config, skip this step.

  3. Create a rule.

    1. In the left-side navigation pane, choose Compliance & Audit > Rules.

    2. On the Rules page, click Create Rule.

    3. In the Select Create Method step, select Based on managed rule, select a rule, and then click Next.

      Select cloudsso-scim-credential-expired-check or cloudsso-directory-saml-expired-check.

    4. In the Set Basic Properties step, configure the parameters and click Next.

      In the Parameter Settings section, specify a value in the Expect Value column. The value specifies the number of days before the expiration date during which expiration notifications are sent. The default value is 90 days. You can change the value based on your business requirements.

      Retain the default values for other parameters.

    5. In the Set Effective Scope step, view the selected resource types and click Next.

    6. In the Set Remediation step, click Submit.

      You can turn on Set Remediation and configure template remediation or custom remediation for the rule as prompted. For more information about how to configure remediation, see Overview of remediation settings.

Step 2: Configure a system event-triggered alert rule in the CloudMonitor console

  1. Log on to the CloudMonitor console.

  2. Create an alert contact.

    For more information, see Create an alert contact.

  3. Create an alert contact group.

    For more information, see Create an alert contact group.

  4. Create a system event-triggered alert rule.

    After Cloud Config delivers all non-compliance events to CloudMonitor, you can create alert rules based on your business requirements to receive alert notifications.

    1. In the left-side navigation pane, choose Event Center > System Event.

    2. On the page that appears, click the Event-triggered Alert Rules tab.

    3. On the Event-triggered Alert Rules tab, click Create Alert Rule.

    4. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters of the system event-triggered alert rule.

      • In the Basic Info section, enter a name for the system event-triggered alert rule in the Alert Rule Name field.

      • In the Event-triggered Alert Rules section, perform the following operations:

        • Select CloudConfig from the Product Type drop-down list.
        • Select Notifications from the Event Type drop-down list.
        • Select INFO from the Event Level drop-down list.
        • Select ConfigurationNonCompliantNotification from the Event Name drop-down list.
        • Enter Critical in the Keyword Filtering field and select Contains any of the keywords from the Condition drop-down list.

        Note

        You can click the + icon next to the Condition drop-down list to add a keyword that you want to match and select Contains any of the keywords from the Condition drop-down list.

      • In the Notification Method section, select Alert Notification, specify the Contact Group parameter, and then set the Notification Method parameter to Info (Email + Webhook).

    5. Click OK.
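As an added example (not Alibaba Cloud's code and not its real event schema), the following Python simulates the two stages configured in Step 1 and Step 2: an expiration rule that flags a credential or certificate once it is within the Expect Value threshold (90 days by default), and a CloudMonitor-style filter that keeps only CloudConfig / Notifications / INFO / ConfigurationNonCompliantNotification events containing the keyword Critical. The event field names, the riskLevel field, the resource IDs and the reference date are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
DEFAULT_EXPECT_DAYS = 90  # default "Expect Value" of the Step 1 managed rules
NOW = datetime(2023, 11, 20, tzinfo=timezone.utc)  # constructed reference time
RULE_NAME = "cloudsso-scim-credential-expired-check"

def sample_resources(now=NOW):
    """Constructed inventory: one credential expiring soon, one already expired,
    one far from expiry."""
    return [
        {"id": "scim-cred-a", "expires_at": now + timedelta(days=30)},
        {"id": "scim-cred-b", "expires_at": now - timedelta(days=5)},
        {"id": "scim-cred-c", "expires_at": now + timedelta(days=200)},
    ]

def evaluate_rule(rule_name, resources, now=NOW, expect_days=DEFAULT_EXPECT_DAYS):
    """Simulate the Cloud Config rule: anything expiring within expect_days (or
    already expired) yields one constructed ConfigurationNonCompliantNotification
    event. Event layout and the riskLevel field are assumptions, not the real schema."""
    events = []
    for res in resources:
        remaining = (res["expires_at"] - now).days  # negative once expired
        if remaining <= expect_days:
            events.append({
                "product": "CloudConfig",
                "eventType": "Notifications",
                "level": "INFO",
                "name": "ConfigurationNonCompliantNotification",
                "content": {"ruleName": rule_name, "resourceId": res["id"],
                            "riskLevel": "Critical",  # assumed keyword carrier
                            "daysRemaining": remaining},
            })
    return events

def matches_alert_rule(event, keywords=("Critical",)):
    """Mirror the Step 2 conditions: product type, event type, event level,
    event name, then 'Contains any of the keywords' over the event content."""
    header = (event.get("product"), event.get("eventType"),
              event.get("level"), event.get("name"))
    if header != ("CloudConfig", "Notifications", "INFO",
                  "ConfigurationNonCompliantNotification"):
        return False
    body = json.dumps(event.get("content", {}))
    return any(k in body for k in keywords)

def alerts_for(resources, now=NOW, expect_days=DEFAULT_EXPECT_DAYS):
    """End-to-end: rule evaluation followed by the CloudMonitor keyword filter."""
    return [e for e in evaluate_rule(RULE_NAME, resources, now, expect_days)
            if matches_alert_rule(e)]
```

Lowering expect_days narrows the alert window; an event with a different level or event name is dropped by the filter even if it contains the keyword.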