Data Management:Use SSO to log on to DMS

Last Updated:Mar 28, 2026

Single sign-on (SSO) lets users in your organization log on to Data Management (DMS) through your existing identity provider (IdP), without separate Alibaba Cloud credentials. Alibaba Cloud implements SSO with Security Assertion Markup Language 2.0 (SAML 2.0); SAML-based SSO is also known as identity federation.

How it works

SSO establishes a trust relationship between Alibaba Cloud (the service provider, or SP) and your IdP. When a user logs on, the IdP authenticates the user and sends a signed SAML assertion to Alibaba Cloud. Alibaba Cloud verifies the assertion's signature with the public key from the IdP's SAML metadata and grants access as the RAM user or RAM role that the assertion identifies.

Supported identity providers

Alibaba Cloud supports most SAML 2.0-compliant IdPs. Common examples:

  • On-premises: Microsoft Active Directory Federation Services (AD FS), Shibboleth

  • Cloud-based: Azure AD, Google Workspace, Okta, OneLogin

Choose an SSO method

Alibaba Cloud provides two SAML 2.0-based SSO methods. Choose the one that fits your access control model.

User-based SSO

  • How access is determined: the SAML assertion identifies a specific RAM user.

  • Post-logon identity: the user acts as that RAM user.

  • Best for: organizations that map IdP accounts to individual RAM users.

Role-based SSO

  • How access is determined: the SAML assertion identifies a RAM role.

  • Post-logon identity: the user assumes the RAM role specified in the assertion.

  • Best for: organizations that assign access by group or job function.

For a detailed comparison, see Scenarios of SSO.
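The following Python example is added to this page and is not Alibaba Cloud code. It shows the SP-side checks that follow signature verification under "How it works" and how an assertion selects one of the two SSO methods above: a NameID for user-based SSO, or a role attribute for role-based SSO. The SP entity ID, account ID, issuer, role and user names are constructed values; the two attribute names are the ones Alibaba Cloud's role-based SSO uses. XML-Signature verification with the IdP's public key needs an XML-DSig library and is assumed to have run before these checks.

```python
"""Consume a SAML 2.0 assertion on the SP side after its signature has been verified.

Added example, not Alibaba Cloud code. It parses a constructed assertion,
enforces the validity window and audience, then returns either the RAM user
named in NameID (user-based SSO) or the RAM role/provider pair carried in
the role attribute (role-based SSO). XML-Signature verification with the
IdP's public key must run before these checks; it is not part of this example.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names Alibaba Cloud's role-based SSO expects in the assertion.
ROLE_ATTR = "https://aliyun.com/SAML-Role/Attributes/Role"
SESSION_ATTR = "https://aliyun.com/SAML-Role/Attributes/RoleSessionName"

# Role value format: "<role ARN>,<SAML provider ARN>", both in the same account.
ROLE_RE = re.compile(r"^acs:ram::(\d+):role/([\w.-]+)$")
PROVIDER_RE = re.compile(r"^acs:ram::(\d+):saml-provider/([\w.-]+)$")

# Assumed SP entity ID configured on the IdP side (constructed value).
EXPECTED_AUDIENCE = "urn:alibaba:cloudcomputing"
# Fixed "now" so the example is deterministic; a real SP uses the current time.
SAMPLE_NOW = datetime(2026, 3, 28, 9, 2, 0, tzinfo=timezone.utc)

# Constructed assertion: fake account ID, fake issuer, Signature element omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2026-03-28T09:00:00Z">
  <saml:Issuer>https://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-03-28T09:00:00Z" NotOnOrAfter="2026-03-28T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:alibaba:cloudcomputing</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aliyun.com/SAML-Role/Attributes/Role">
      <saml:AttributeValue>acs:ram::123456789012345:role/dms-dba,acs:ram::123456789012345:saml-provider/adfs</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aliyun.com/SAML-Role/Attributes/RoleSessionName">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(root: ET.Element, expected_audience: str, now: datetime) -> None:
    """Reject assertions outside their validity window or meant for another SP."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _saml_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= _saml_time(not_on_or_after):  # upper bound is exclusive
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience {audiences} does not include {expected_audience}")


def parse_role_pair(value: str) -> dict:
    """Validate '<role ARN>,<provider ARN>' and require both ARNs in one account."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("role attribute must be '<role ARN>,<provider ARN>'")
    role_m, prov_m = ROLE_RE.match(parts[0]), PROVIDER_RE.match(parts[1])
    if not role_m or not prov_m:
        raise ValueError(f"malformed role attribute value: {value!r}")
    if role_m.group(1) != prov_m.group(1):
        raise ValueError("role and SAML provider belong to different accounts")
    return {"account_id": role_m.group(1), "role": role_m.group(2), "provider": prov_m.group(2)}


def attribute_values(root: ET.Element, name: str) -> list:
    """All AttributeValue texts for the attribute called `name`."""
    return [v.text for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS)]


def consume_assertion(xml_text: str, expected_audience: str = EXPECTED_AUDIENCE,
                      now: datetime = SAMPLE_NOW) -> dict:
    """Return the identity the assertion grants: a RAM role pair or a RAM user."""
    root = ET.fromstring(xml_text)
    check_conditions(root, expected_audience, now)
    roles = [parse_role_pair(v) for v in attribute_values(root, ROLE_ATTR)]
    if roles:  # role-based SSO: the user assumes one of the listed roles
        session = attribute_values(root, SESSION_ATTR)
        return {"method": "role", "roles": roles, "session_name": session[0] if session else None}
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id:  # user-based SSO: NameID names the RAM user
        return {"method": "user", "name_id": name_id}
    raise ValueError("assertion carries neither a role attribute nor a NameID")


if __name__ == "__main__":
    print(consume_assertion(SAMPLE_ASSERTION))
```

Because the sample carries a role attribute, the role path wins; delete the AttributeStatement and the same assertion resolves to the RAM user `alice@example.com`. Note that the NotOnOrAfter bound is exclusive, and that a role whose SAML provider ARN names a different account is rejected even though each ARN on its own is well-formed.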

Prerequisites

Before you begin, ensure that you have:

  • Administrator access to your IdP (AD FS, Okta, Azure AD, or another SAML 2.0-compliant provider)

  • Alibaba Cloud RAM administrator permissions to configure SSO settings

  • A DMS administrator account to provision users after SSO is configured

Implement SSO

User-based SSO

See Overview of user-based SSO for configuration steps.

Step-by-step guides for common IdPs:

Role-based SSO

See Overview of role-based SSO for configuration steps.

Step-by-step guides for common IdPs:

Add users to DMS

After SSO is configured, a DMS administrator must add RAM users to the DMS console before they can log on.

  1. Log on to the DMS console.

  2. In the top navigation bar, choose O&M > Users.

  3. On the Users tab, click Synchronize RAM User.

For details, see Add a user.

Note

RAM users to which the AdministratorAccess policy is attached are automatically initialized as DMS administrators. All other RAM users are initialized as regular users. For more information about DMS system roles, see System roles.

Example

The following example shows how to log on to DMS using AD FS-based SSO.

  1. Open the Alibaba Cloud logon page and click Sign in as RAM User.

  2. Enter the username of a RAM user and click Next.

  3. Complete the logon as prompted. Because SSO is enabled for the RAM user, you are redirected to AD FS, which authenticates you and returns a SAML assertion to Alibaba Cloud.

  4. On the Overview tab of the Alibaba Cloud Management Console, click Data Management.

You are navigated to the DMS console.

Key concepts

  • Identity provider (IdP): A RAM entity that provides identity management services.

  • Service provider (SP): An application that relies on an IdP's identity management feature to provide users with specific services. In identity systems that are not based on SAML, such as OIDC, the SP is called the relying party of the IdP.

  • SAML 2.0: A protocol for enterprise-level user authentication, used for communication between an SP and an IdP.

  • SAML assertion: The core element of the SAML protocol. It describes the authentication request and response, for example by carrying user attributes in an authentication response.

  • Trust: A mutual trust relationship between an SP and an IdP, established using public and private keys. The SP obtains the SAML metadata of a trusted IdP, which includes the IdP's public key, and uses that key to verify the signature and integrity of SAML assertions.

  • OIDC: An authentication protocol built on OAuth 2.0. OIDC adds an identity layer on top of OAuth so that an application can verify a user's identity and retrieve basic user information through an HTTP RESTful API. For more information, see OIDC and OAuth 2.0.

  • OIDC token: An ID token that the OIDC IdP issues to an application. It represents a logged-on user and can be used to obtain the user's basic information.

  • Client ID: The ID generated for an application when you register it with an external IdP. The application presents the client ID when it requests an OIDC token, and the IdP places it in the aud field of the issued token. When you create an OIDC IdP in RAM, you configure the same client ID. When the OIDC token is exchanged for an STS token, Alibaba Cloud verifies that the token's aud field matches the configured client ID; the RAM role can be assumed only if they match.

  • Fingerprint: The fingerprint of the HTTPS certificate that the external IdP presents at the issuer URL. Alibaba Cloud uses it to detect a hijacked or tampered issuer endpoint. You can calculate the fingerprint yourself with OpenSSL (see openssl.org) and compare it with the value Alibaba Cloud calculated; a mismatch indicates that the issuer URL may have been compromised.

  • URL of an issuer: The URL provided by the external IdP and carried in the iss field of an OIDC token. It must start with https and be a valid URL. It cannot contain query parameters (after ?), logon information (identified by @), or a fragment identifier (after #).

  • STS token: A temporary identity credential issued by Alibaba Cloud Security Token Service (STS). You can configure a validity period and access permissions for an STS token. For more information, see What is STS?.

What's next