This topic describes how to configure single sign-on (SSO) from Microsoft Entra ID (formerly Azure AD) to CloudSSO.
Scenarios
Assume that an enterprise has many users in Microsoft Entra ID and has built a multi-account structure in an Alibaba Cloud resource directory (RD). The enterprise wants to configure SSO so that users in Microsoft Entra ID can directly access specific resources within specified member accounts of the resource directory.
Prerequisites
All configuration operations in Microsoft Entra ID must be performed by an administrator with global administrator permissions.
For more information about how to create a user and grant administrator permissions in Microsoft Entra ID, see the Microsoft Entra ID documentation.
Synchronize users from Microsoft Entra ID to CloudSSO, or create users in CloudSSO with the same usernames.
Synchronize users from Microsoft Entra ID to CloudSSO (Recommended): This method is suitable for scenarios with many users in Microsoft Entra ID. For more information, see Example of synchronizing users or groups from Microsoft Entra ID using SCIM.
Create users with the same names in CloudSSO: This method is suitable for scenarios with only a few users in Microsoft Entra ID. For more information, see Create a user.
Note: Usernames are used for logon. When you configure SSO, the CloudSSO username must exactly match the value of the Microsoft Entra ID attribute that is sent as the SAML NameID. For more information, see Step 3: Configure SAML in Microsoft Entra ID.
Create an access configuration in CloudSSO and grant permissions on accounts in your resource directory to define the access permissions for CloudSSO users.
For more information, see Create an access configuration and Grant permissions on accounts in a resource directory.
Step 1: Obtain the SP metadata file in the CloudSSO console
Log on to the CloudSSO console.
In the navigation pane on the left, click Settings.
In the SSO Logon section, download the service provider (SP) metadata file.
Step 2: (Optional) Create an application in Microsoft Entra ID
If you have configured System for Cross-domain Identity Management (SCIM) synchronization, skip this step and use the application that is used for SCIM synchronization.
Log on to the Azure portal as a Microsoft Entra ID administrator.
In the upper-left corner of the homepage, click the menu icon. In the navigation pane on the left, choose .
Click New Application.
On the Browse Microsoft Entra Gallery page, click Create Your Own Application.
On the Create Your Own Application page, enter an application name, such as CloudSSODemo, select the Integrate Any Other Application You Don't Find In The Gallery (Non-gallery) option, and click Create.
Step 3: Configure SAML in Microsoft Entra ID
In the navigation pane on the left of the CloudSSODemo page, choose .
In the Select a single sign-on method section, click SAML.
On the Set up Single Sign-On with SAML page, perform the following steps:
In the upper-left corner, click Upload metadata file. Then, select the SP metadata file that is obtained in Step 1 and click Add.
In the Basic SAML Configuration panel, configure the following parameters and click Save.
Identifier (Entity ID): required. After the SP metadata file is imported, the value of this parameter is automatically displayed.
Note: If the value is not automatically displayed, go to the Settings page of the CloudSSO console and copy the value of Entity ID in the SSO Logon section.
Reply URL (Assertion Consumer Service URL): required. After the SP metadata file is imported, the value of this parameter is automatically displayed.
Note: If the value is not automatically displayed, go to the Settings page of the CloudSSO console and copy the value of ACS URL in the SSO Logon section.
Relay State: optional. This parameter specifies the URL of a page that is displayed after a user logs on to the Alibaba Cloud Management Console using SSO. If you do not configure this parameter, the user is redirected to the CloudSSO user portal by default.
Note: The IdP echoes the Relay State back to CloudSSO unchanged, so to prevent the SSO flow from being used as an open redirect you are allowed to enter only a URL whose host is under *.alibabacloudsso.com. If you enter a URL on any other domain, the configuration is invalid and the user is sent to the user portal instead.
In the Attributes & Claims section, click Edit. Set the value of Unique User Identifier (Name ID) to user.userprincipalname or another field that can uniquely identify a user.
Note: You can set any field that uniquely identifies a user, such as user.userprincipalname or user.mail, as the value of NameID in the SAML assertion. Because CloudSSO requires the incoming NameID value to match the CloudSSO username, create users in CloudSSO based on this field value to ensure a successful SSO logon. If you also configure SCIM synchronization, you must map the SCIM userName attribute to the same field (for example, user.userprincipalname); otherwise SCIM creates users whose names never match the NameID that SSO presents.
In the SAML Certificates section, click Download for Federation Metadata XML.
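The files exchanged in Steps 1 and 3 are standard SAML 2.0 metadata, so the values the portal auto-fills into Basic SAML Configuration (Identifier, Reply URL), what CloudSSO will later consume from the Federation Metadata XML, and the Relay State domain rule can all be checked offline before anything is saved. The script below is an added example written for this page, not Alibaba Cloud or Microsoft code. Both metadata documents are constructed stand-ins with placeholder hostnames, tenant ID and certificate body, and relay_state_allowed implements the *.alibabacloudsso.com rule as a host-suffix check (the https-only requirement is this example's own addition), which is the only reading that rejects the lookalike URLs in the tests.

```python
"""Pre-flight checks for the Steps 1-3 SAML exchange (added example, not Alibaba Cloud code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the SP metadata downloaded in Step 1; hostnames are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin.example.alibabacloudsso.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.example.alibabacloudsso.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the Federation Metadata XML downloaded in Step 3; the tenant ID
# (all zeros) and the certificate body are placeholders, not real values.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def basic_saml_config(sp_xml: str) -> dict:
    """Return the two values Step 3 asks for: Identifier (Entity ID) and Reply URL (ACS URL)."""
    root = ET.fromstring(sp_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS) if e.get("Binding") == POST]
    if not acs:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    default = next((e for e in acs if e.get("isDefault") == "true"), acs[0])
    return {"identifier": root.get("entityID"), "reply_url": default.get("Location")}


def idp_summary(idp_xml: str) -> dict:
    """What CloudSSO consumes from the IdP metadata in Step 5: issuer, SSO endpoint, signing certs."""
    root = ET.fromstring(idp_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    certs = [c.text.strip()
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate; assertions could not be verified")
    return {"issuer": root.get("entityID"),
            "sso_url": sso.get(POST) or next(iter(sso.values())),
            "signing_cert_count": len(certs)}


def relay_state_allowed(url: str) -> bool:
    """Relay State rule as a host-suffix check: the *parsed host* must be under alibabacloudsso.com.
    A substring test on the whole URL would accept every lookalike in the tests below."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()          # userinfo ("x@") and ports are stripped here
    return parts.scheme == "https" and host.endswith(".alibabacloudsso.com")


if __name__ == "__main__":
    print("Basic SAML Configuration:", basic_saml_config(SP_METADATA))
    print("IdP metadata summary:", idp_summary(IDP_METADATA))
    for candidate in ("https://portal.example.alibabacloudsso.com/home",
                      "https://evil.example/?next=portal.alibabacloudsso.com",
                      "https://alibabacloudsso.com.evil.example/",
                      "https://portal.alibabacloudsso.com@evil.example/"):
        print(f"{candidate:60} -> {relay_state_allowed(candidate)}")
```

Compare the printed Identifier and Reply URL with what the portal filled in after the metadata upload; if they differ, the wrong SP metadata file was uploaded. The last three Relay State candidates all "contain" alibabacloudsso.com as text yet point at a different host, which is why the check is done on the parsed hostname.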
Step 4: (Optional) Assign users in Microsoft Entra ID
If you have configured SCIM synchronization, skip this step.
In the navigation pane on the left of the CloudSSODemo page, choose .
In the upper-left corner, click Add User/group.
Select users.
Click Assign.
Step 5: Enable SSO in the CloudSSO console
In the navigation pane on the left of the CloudSSO console, click Settings.
In the SSO Logon section of the Settings page, click Configure IdP.
In the Configure IdP dialog box, select Upload Metadata File.
Click Upload to upload the IdP metadata file (the Federation Metadata XML) that you downloaded in Step 3.
Turn on the switch for SSO to enable SSO.
Note: After SSO is enabled, username-password logon is automatically disabled and SSO applies to all CloudSSO users, so every user must log on through Microsoft Entra ID from that point on. Make sure the users have been synchronized or created and the IdP metadata has been uploaded before you turn the switch on; otherwise no one can log on.
Verify the configuration results
After you configure SSO, you can initiate SSO from Alibaba Cloud or Microsoft Entra ID.
Initiate SSO from Alibaba Cloud
Log on to the CloudSSO console. Go to the Overview page and copy the URL used to log on to the user portal.
Open a browser, paste the copied URL, and then press Enter.
Click Redirect. You are automatically redirected to the Microsoft Entra ID logon page.
Log on with your Microsoft Entra ID username and password.
After the logon succeeds, you are redirected to the page that is specified by the Relay State parameter. If you did not configure the Relay State parameter or you set the parameter to an invalid value, you are redirected to the user portal.
On the Log on as RAM Role tab, click the required account in your resource directory and click Show Details in the Permissions column.
In the panel that appears, find the required access configuration and click Log On in the Actions column.
Access the Alibaba Cloud resources on which the account has permissions.
Initiate SSO from Microsoft Entra ID
Obtain the user access URL.
Log on to the Azure portal as the administrator.
Click the menu icon on the homepage. In the navigation pane on the left, choose .
In the application list of the page that appears, click CloudSSODemo.
In the navigation pane on the left, click Properties and copy the value of User access URL.
The User Access URL is the direct link to access this application in a browser.
After you obtain the user access URL from the administrator, enter the URL in your browser and log on with your Microsoft Entra ID username and password.
After the logon succeeds, you are redirected to the page that is specified by the Relay State parameter. If you did not configure the Relay State parameter or you set the parameter to an invalid value, you are redirected to the user portal.
On the Log on as RAM Role tab, click the required account in your resource directory and click Show Details in the Permissions column.
In the panel that appears, find the required access configuration and click Log On in the Actions column.
Access the Alibaba Cloud resources on which the account has permissions.
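If a logon in either flow fails after the Microsoft Entra ID sign-in itself succeeds, the fastest diagnosis is to capture the SAMLResponse that the browser POSTs to the CloudSSO ACS URL (browser developer tools, Network tab) and compare its Destination, Audience and NameID with the values shown in the CloudSSO console and with the CloudSSO usernames. The script below is an added example written for this page, not Alibaba Cloud or Microsoft code. The response it decodes is a constructed, unsigned sample; the hostnames, tenant ID and usernames are placeholders; and it treats the NameID/username match as exact because the page says the two must match, while whether CloudSSO ignores case is not stated here. It does not verify the XML signature and must never be used as an authorization check.

```python
"""Decode a captured SAMLResponse and explain why CloudSSO might reject it
(added example, not Alibaba Cloud or Microsoft code)."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder stand-ins for the Entity ID and ACS URL shown in the CloudSSO console.
EXPECTED_ENTITY_ID = "https://signin.example.alibabacloudsso.com/saml/sp"
EXPECTED_ACS_URL = "https://signin.example.alibabacloudsso.com/saml/acs"
# Placeholder CloudSSO usernames (created by SCIM or by hand, as the prerequisites require).
CLOUDSSO_USERNAMES = {"alice@contoso.example", "bob@contoso.example"}

# Constructed, unsigned stand-in for what Entra ID POSTs to the ACS URL (tenant ID is all zeros).
# Real responses carry a signature; validating it is CloudSSO's job and is not done here.
_SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://signin.example.alibabacloudsso.com/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Alice@Contoso.example</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://signin.example.alibabacloudsso.com/saml/sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(_SAMPLE_XML.encode()).decode()  # form as seen in the POST body


def decode_saml_response(saml_response_b64: str) -> dict:
    """Extract the fields that decide whether CloudSSO accepts the assertion and for which user."""
    # HTTP-POST binding: the value is plain base64 (only the Redirect binding deflates first).
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination"),
        "audience": audience.text.strip() if audience is not None and audience.text else None,
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
    }


def diagnose(info: dict, expected_acs: str, expected_entity_id: str, usernames: set) -> list:
    """Return human-readable problems; an empty list means the assertion should map to a user."""
    problems = []
    if info["status"] != SUCCESS:
        problems.append(f"IdP returned status {info['status']}")
    if info["destination"] != expected_acs:
        problems.append(f"Destination {info['destination']} != Reply URL {expected_acs}")
    if info["audience"] != expected_entity_id:
        problems.append(f"Audience {info['audience']} != Identifier {expected_entity_id}")
    nid = info["name_id"]
    if not nid:
        problems.append("assertion carries no NameID; check Unique User Identifier in Attributes & Claims")
    elif nid not in usernames:
        # Exact comparison, as the page requires; point out a case-only difference as a hint.
        hint = next((u for u in usernames if u.lower() == nid.lower()), None)
        problems.append(f"NameID {nid!r} has no CloudSSO user"
                        + (f" (case differs from {hint!r})" if hint else ""))
    return problems


if __name__ == "__main__":
    info = decode_saml_response(SAMPLE_SAML_RESPONSE)
    print("Decoded:", info)
    for p in diagnose(info, EXPECTED_ACS_URL, EXPECTED_ENTITY_ID, CLOUDSSO_USERNAMES) or ["none"]:
        print("PROBLEM:", p)
```

With the sample, the only finding is that the NameID Alice@Contoso.example does not equal any CloudSSO username, which is the typical symptom of picking user.mail in Step 3 while SCIM or manual creation used a differently written userPrincipalName. Real responses may carry an EncryptedAssertion, which this tool does not handle, and the POST body is attacker-controllable input, so parse it with defusedxml instead of xml.etree in anything beyond a one-off debugging session.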