CloudSSO:SAML response for SSO

Last Updated: Dec 17, 2024

This topic describes the syntax of a Security Assertion Markup Language (SAML) response for single sign-on (SSO). This topic also describes the elements of a SAML assertion in a SAML response.

Background information

During SAML 2.0-based SSO, after the identity of a user is verified, the identity provider (IdP) generates an authentication response and sends this response to Alibaba Cloud by using a browser or a program. This response contains a SAML assertion that complies with the specifications of the HTTP POST binding in SAML 2.0. Alibaba Cloud uses the SAML assertion to determine the logon status and identity of the user. Therefore, the SAML assertion must contain the elements that are required by Alibaba Cloud. If the SAML assertion does not contain the required elements, SSO fails.

Make sure that SAML response messages are encoded in XML. For more information, see Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0.

SAML response

Make sure that each SAML response that is sent by your IdP to Alibaba Cloud contains the following elements. Otherwise, SSO fails.

<saml2p:Response>
    <saml2:Issuer>...</saml2:Issuer>
    <saml2p:Status>
        ...
    </saml2p:Status>
    <saml2:Assertion>
        <saml2:Issuer>...</saml2:Issuer>
        <ds:Signature>
            ...
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID>${NameID}</saml2:NameID>
            <saml2:SubjectConfirmation>
                ...
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions>
            <saml2:AudienceRestriction>
                <saml2:Audience>${Audience}</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement>
            ...
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

Elements in a SAML assertion

  • Common elements in SAML 2.0

    For more information about SAML 2.0, see Security Assertion Markup Language (SAML) V2.0 Technical Overview.

    Issuer

    The value of the Issuer element must match the value of EntityID in the metadata file that you upload for the SSO settings of CloudSSO.

    Signature

    The SAML assertion must be signed. The Signature element must contain information such as the signature value and the signature algorithm. The signature is used to confirm that the signed SAML assertion was not modified after the signature was generated.

    Subject

    The Subject element must contain the following sub-elements:

    • Exactly one NameID sub-element, which identifies a CloudSSO user within your Alibaba Cloud account. For more information, see the description of NameID in this topic.

    • Exactly one SubjectConfirmation sub-element, which contains a SubjectConfirmationData sub-element. The SubjectConfirmationData sub-element must contain the following attributes:

      • NotOnOrAfter: the expiration time of the SAML assertion. The assertion is no longer accepted at or after this time.

      • Recipient: the recipient of the SAML assertion. Alibaba Cloud checks the recipient of the SAML assertion against the value of this attribute. Therefore, you must set this attribute to the ACS URL that is specified in the SSO settings of CloudSSO.

      The following script provides an example of the Subject element:

      <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Alice@abc.com</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <SubjectConfirmationData NotOnOrAfter="2019-01-01T00:01:00.000Z" Recipient="https://signin-cn-shanghai.alibabacloudsso.com/saml/acs/51d298a9-2a3f-4e23-97c7-7ad1cfa9****"/>
        </SubjectConfirmation>
      </Subject>

    Conditions

    The Conditions element must contain an AudienceRestriction sub-element, which can contain one or more Audience sub-elements. The value of an Audience sub-element must be https://signin-<region>.alibabacloudsso.com/saml/sp/<directoryID>, which is the value of EntityID in the SSO settings of CloudSSO.

    The following script provides an example of the Conditions element:

    <Conditions>
      <AudienceRestriction>
        <Audience>https://signin-cn-shanghai.alibabacloudsso.com/saml/sp/d-00fc2p61****</Audience>
      </AudienceRestriction>
    </Conditions>

  • NameID element

    CloudSSO uses a username to identify a CloudSSO user. Therefore, the SAML assertion that is generated by your IdP must contain the username of the CloudSSO user. Alibaba Cloud parses a specific element in the SAML assertion and maps the value of this element to the username of the corresponding CloudSSO user.

    When you configure the SAML assertion that is issued by your IdP, you must map the username of the CloudSSO user to the NameID element in the SAML assertion.
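    The requirements listed above can be checked mechanically before an assertion is trusted. The following Python script is an added example, not Alibaba Cloud code: it parses a constructed sample response and reports which of the CloudSSO requirements (Issuer, Signature presence, a single NameID, SubjectConfirmationData with Recipient and NotOnOrAfter, Audience) it violates. The IdP EntityID https://idp.example.com/metadata is an assumed value; the CloudSSO ACS URL and EntityID reuse the masked values from the examples in this topic.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_assertion(response_xml, idp_entity_id, acs_url, sp_entity_id, now):
    """Return the CloudSSO requirements the assertion violates ([] means all satisfied).
    Structural checks only: ds:Signature is tested for presence, not cryptographically verified."""
    problems = []
    a = ET.fromstring(response_xml).find("saml2:Assertion", NS)
    if a is None:
        return ["Response contains no Assertion"]
    if a.findtext("saml2:Issuer", default="", namespaces=NS).strip() != idp_entity_id:
        problems.append("Issuer does not match the EntityID in the uploaded IdP metadata")
    if a.find("ds:Signature", NS) is None:  # 'is None': an Element without children is falsy, so never use 'not'
        problems.append("Assertion is not signed")
    name_ids = a.findall("saml2:Subject/saml2:NameID", NS)
    if len(name_ids) != 1 or not (name_ids[0].text or "").strip():
        problems.append("Subject must carry exactly one non-empty NameID (the CloudSSO username)")
    confs = a.findall("saml2:Subject/saml2:SubjectConfirmation", NS)
    data = confs[0].find("saml2:SubjectConfirmationData", NS) if len(confs) == 1 else None
    if data is None:
        problems.append("Subject must carry exactly one SubjectConfirmation with SubjectConfirmationData")
    else:
        if data.get("Recipient") != acs_url:
            problems.append("Recipient does not equal the CloudSSO ACS URL")
        # SAML times are UTC ISO 8601, e.g. 2019-01-01T00:01:00.000Z; map 'Z' to '+00:00' for fromisoformat
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
            problems.append("NotOnOrAfter is missing or already reached")
    audiences = [e.text.strip() for e in a.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS) if e.text]
    if sp_entity_id not in audiences:
        problems.append("Audience does not contain the CloudSSO EntityID")
    return problems

# Constructed sample response (not a real capture); the IdP EntityID is an assumed value and the
# CloudSSO IDs are the masked values from the documentation examples.
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml2:Assertion><saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer><ds:Signature/>
  <saml2:Subject><saml2:NameID>Alice@abc.com</saml2:NameID><saml2:SubjectConfirmation>
   <saml2:SubjectConfirmationData NotOnOrAfter="2019-01-01T00:01:00.000Z"
    Recipient="https://signin-cn-shanghai.alibabacloudsso.com/saml/acs/51d298a9-2a3f-4e23-97c7-7ad1cfa9****"/>
  </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>
   https://signin-cn-shanghai.alibabacloudsso.com/saml/sp/d-00fc2p61****</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></saml2p:Response>"""
```

    A present ds:Signature element proves nothing by itself; in production, verify the XML signature with a SAML library that implements XML-DSig and parse untrusted XML with defusedxml rather than xml.etree directly.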

References

How do I view a SAML response in Google Chrome?