
Identity as a Service:GetApplicationSsoConfig

Last Updated:Aug 13, 2025

Retrieves the single sign-on (SSO) configuration for an application in EIAM.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

  • Action: eiam:GetApplicationSsoConfig

  • Access level: get

  • Resource type: *Application
    acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}

  • Condition key: None

  • Dependent action: None

Request parameters

  • InstanceId (string, required): The instance ID. Example: idaas_ue2jvisn35ea5lmthk267xxxxx

  • ApplicationId (string, required): The application ID. Example: app_mkv7rgt4d7i4u7zqtzev2mxxxx

Response parameters

  • RequestId (string): The request ID. Example: 0441BD79-92F3-53AA-8657-F8CE4A2B912A

  • ApplicationSsoConfig (object): The SSO configuration of the application.

    • SamlSsoConfig (object): The SSO configuration parameters for the application that uses Security Assertion Markup Language (SAML) 2.0. This parameter is returned only when the application uses SAML 2.0 for SSO.

      • SpSsoAcsUrl (string): The SAML assertion consumer service (ACS) URL of the application (service provider). Example: https://signin.aliyun.com/saml-role/sso

      • SpEntityId (string): The SAML EntityID of the application (service provider). Example: https://ram.aliyun.com/saml/role/sso

      • NameIdFormat (string): The format of the NameID in the SAML protocol. Example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. Valid values:

        • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: Unspecified. The application determines how to parse the NameID.

        • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Email address format.

        • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Persistent NameID.

        • urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Transient NameID.

      • NameIdValueExpression (string): The expression used to generate the value of the NameID in the SAML assertion. Example: user.username

      • DefaultRelayState (string): The default value of RelayState. If the SSO is initiated by EIAM, the RelayState in the SAML response is set to this value. Example: https://home.console.alibabacloud.com

      • SignatureAlgorithm (string): The signature algorithm for the SAML assertion. Example: RSA-SHA256

      • ResponseSigned (boolean): Indicates whether the response needs to be signed. ResponseSigned and AssertionSigned cannot both be false. Example: true. Valid values:

        • true: The response must be signed.

        • false: The response does not need to be signed.

      • AssertionSigned (boolean): Indicates whether the assertion needs to be signed. ResponseSigned and AssertionSigned cannot both be false. Example: true. Valid values:

        • true: The assertion must be signed.

        • false: The assertion does not need to be signed.

      • AttributeStatements (array<object>): The configuration of additional user attributes in the SAML assertion. Each element contains:

        • AttributeName (string): The name of the attribute in the SAML assertion. Example: https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName

        • AttributeValueExpression (string): The expression used to generate the value of the attribute in the SAML assertion. Example: user.username

      • IdPEntityId (string): The EntityID of the identity provider (IdP) in the SAML protocol. Example: https://example.com/

      • OptionalRelayStates (array<object>): The optional RelayState values. The display names of multiple redirect URLs are shown on the application card in the application portal. After a user clicks a URL and completes the SSO, the user is redirected to the URL. You must specify a default redirect URL before you can specify optional RelayState values. Each element contains:

        • RelayState (string): The optional RelayState value. The display names of multiple redirect URLs are shown on the application card in the application portal. After a user clicks a URL and completes the SSO, the user is redirected to the URL. Example: https://home.console.alibabacloud.com

        • DisplayName (string): The display name of the RelayState. Example: Ram Account SSO

    • OidcSsoConfig (object): The SSO configuration parameters for the application that uses OpenID Connect (OIDC). This parameter is returned only when the application uses OIDC for SSO.

      • RedirectUris (array of string): The list of redirect URIs that the application supports. Each element is a redirect URI that the application supports. Example: https://example.com/oidc/login/callback

      • PostLogoutRedirectUris (array of string): The list of post-logout redirect URIs. Each element is a post-logout redirect URI that is added to the whitelist. When the application initiates a logout request, you can specify the post_logout_redirect_uri parameter. Example: https://example.com/oidc/login/logout

      • GrantTypes (array of string): The list of OIDC grant types that are supported. Example: authorization_code. Each element is one OIDC grant type (example: refresh_token). Valid values:

        • authorization_code: Authorization code.

        • implicit: Implicit.

        • refresh_token: Refresh token.

        • urn:ietf:params:oauth:grant-type:device_code: Device code.

        • password: Password.

      • ResponseTypes (array of string): The response types that the application supports. This parameter is returned only if OidcSsoConfig.GrantTypes is set to implicit. Each element is an OIDC-compliant response_type value. Example: token id_token. Valid values:

        • token: Returns only an access token.

        • id_token: Returns only an ID token.

        • token id_token: Returns both an access token and an ID token.

      • GrantScopes (array of string): The OIDC-compliant scope parameter. This parameter specifies the scope of user attributes that can be returned by the userinfo endpoint or included in the ID token. Example: profile,email. Each element is one scope (example: openid). Valid values:

        • openid: An OIDC-compliant parameter that specifies the unique ID of the user.

        • profile: The user profile.

        • email: The user's email address.

        • phone: The user's mobile number.

      • PasswordTotpMfaRequired (boolean): Indicates whether Time-based One-Time Password (TOTP) multi-factor authentication (MFA) is required for password-based logon. This parameter is valid only if GrantTypes for the OIDC application is set to password. Example: true

      • PasswordAuthenticationSourceId (string): The ID of the authentication source for password-based logon. This parameter is valid only if GrantTypes for the OIDC application is set to password. Example: ia_password

      • PkceRequired (boolean): Indicates whether Proof Key for Code Exchange (PKCE) is required for the application SSO. For more information, see RFC 7636. Example: true

      • PkceChallengeMethods (array of string): The algorithms used to calculate the code challenge in PKCE. Example: S256. Valid values for each element:

        • plain: Plaintext.

        • S256: SHA-256.

      • AccessTokenEffectiveTime (integer): The validity period of the access token. Unit: seconds. Default value: 1200 (20 minutes). Example: 1200

      • CodeEffectiveTime (integer): The validity period of the authorization code. Unit: seconds. Default value: 60 (1 minute). Example: 300

      • IdTokenEffectiveTime (integer): The validity period of the ID token. Unit: seconds. Default value: 300 (5 minutes). Example: 1200

      • RefreshTokenEffective (integer): The validity period of the refresh token. Unit: seconds. Default value: 86400 (1 day). Example: 1200

      • CustomClaims (array<object>): The custom claims that are returned in the ID token. Each element contains:

        • ClaimName (string): The name of the claim. Example: userOuIds

        • ClaimValueExpression (string): The expression used to generate the value of the claim. Example: ObjectToJsonString(user.organizationalUnits)

      • SubjectIdExpression (string): The expression used to generate the value of the sub claim in the ID token. Example: user.userid

      • AllowedPublicClient (string): Indicates whether the application is allowed to make requests to the IDaaS EIAM authorization server as a public client. This feature is supported only for the authorization code and device code grant types. Default value: false. Example: true

    • ProtocolEndpointDomain (object): The configuration of the metadata endpoint provided by the application.

      • SamlSsoEndpoint (string): The endpoint that receives AuthnRequest requests for the SAML protocol. This parameter is returned only when the application uses SAML 2.0 for SSO. Example: https://l1seshcn.aliyunidaas.com/login/app/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/sso

      • SamlMetaEndpoint (string): The metadata endpoint for the SAML protocol. This parameter is returned only when the application uses SAML 2.0 for SSO. Example: https://l1seshcn.aliyunidaas.com/api/v2/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/meta

      • OidcIssuer (string): The OIDC issuer. This parameter is returned only when the application uses OIDC for SSO. Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc

      • OidcJwksEndpoint (string): The JSON Web Key Set (JWKS) endpoint for OIDC. This parameter is returned only when the application uses OIDC for SSO. Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc/jwks

      • Oauth2AuthorizationEndpoint (string): The OAuth 2.0 authorization endpoint. This parameter is returned only when the application uses OIDC for SSO. Example: https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/authorize

      • Oauth2RevokeEndpoint (string): The OAuth 2.0 token revocation endpoint. This parameter is returned only when the application uses OIDC for SSO. Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/revoke

      • Oauth2TokenEndpoint (string): The OAuth 2.0 token endpoint. This parameter is returned only when the application uses OIDC for SSO. Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/token

      • Oauth2DeviceAuthorizationEndpoint (string): The OAuth 2.0 device authorization endpoint. This parameter is returned only when the application uses OIDC for SSO. Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/device/code

      • Oauth2UserinfoEndpoint (string): The OIDC userinfo endpoint. This parameter is returned only when the application uses OIDC for SSO. Example: https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/userinfo

      • OidcLogoutEndpoint (string): The OIDC Relying Party (RP)-initiated logout endpoint. This parameter is returned only when the application uses OIDC for SSO. Example: https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/logout

    • SsoStatus (string): The status of the SSO feature for the application. Example: enabled. Valid values:

      • enabled: Enabled.

      • disabled: Disabled.

    • InitLoginType (string): The SSO initiation method. Example: only_app_init_sso. Valid values:

      • only_app_init_sso: SSO is initiated only by the application. This is the default value for OIDC applications. If this method is used for a SAML application, you must specify InitLoginUrl.

      • idaas_or_app_init_sso: SSO can be initiated by the IDaaS console or the application. This is the default value for SAML applications. If this method is used for an OIDC application, you must specify InitLoginUrl.

    • InitLoginUrl (string): The URL that triggers SSO. This parameter is required when InitLoginType for an OIDC application is set to idaas_or_app_init_sso. This parameter is also required when InitLoginType for a SAML application is set to only_app_init_sso. Example: http://127.0.0.1:8000/start_login?enterprise_code=ABCDEF

Examples

Success response

JSON format

{
  "RequestId": "0441BD79-92F3-53AA-8657-F8CE4A2B912A",
  "ApplicationSsoConfig": {
    "SamlSsoConfig": {
      "SpSsoAcsUrl": "https://signin.aliyun.com/saml-role/sso",
      "SpEntityId": "https://ram.aliyun.com/saml/role/sso",
      "NameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
      "NameIdValueExpression": "user.username",
      "DefaultRelayState": "https://home.console.alibabacloud.com",
      "SignatureAlgorithm": "RSA-SHA256",
      "ResponseSigned": true,
      "AssertionSigned": true,
      "AttributeStatements": [
        {
          "AttributeName": "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName",
          "AttributeValueExpression": "user.username"
        }
      ],
      "IdPEntityId": "https://example.com/",
      "OptionalRelayStates": [
        {
          "RelayState": "https://home.console.alibabacloud.com",
          "DisplayName": "Ram Account SSO"
        }
      ]
    },
    "OidcSsoConfig": {
      "RedirectUris": [
        "https://example.com/oidc/login/callback"
      ],
      "PostLogoutRedirectUris": [
        "https://example.com/oidc/login/logout"
      ],
      "GrantTypes": [
        "refresh_token"
      ],
      "ResponseTypes": [
        "token id_token"
      ],
      "GrantScopes": [
        "openid"
      ],
      "PasswordTotpMfaRequired": true,
      "PasswordAuthenticationSourceId": "ia_password",
      "PkceRequired": true,
      "PkceChallengeMethods": [
        "S256"
      ],
      "AccessTokenEffectiveTime": 1200,
      "CodeEffectiveTime": 300,
      "IdTokenEffectiveTime": 1200,
      "RefreshTokenEffective": 1200,
      "CustomClaims": [
        {
          "ClaimName": "userOuIds",
          "ClaimValueExpression": "ObjectToJsonString(user.organizationalUnits)"
        }
      ],
      "SubjectIdExpression": "user.userid",
      "AllowedPublicClient": "true"
    },
    "ProtocolEndpointDomain": {
      "SamlSsoEndpoint": "https://l1seshcn.aliyunidaas.com/login/app/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/sso",
      "SamlMetaEndpoint": "https://l1seshcn.aliyunidaas.com/api/v2/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/meta",
      "OidcIssuer": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc",
      "OidcJwksEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc/jwks",
      "Oauth2AuthorizationEndpoint": "https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/authorize",
      "Oauth2RevokeEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/revoke",
      "Oauth2TokenEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/token",
      "Oauth2DeviceAuthorizationEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/device/code",
      "Oauth2UserinfoEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/userinfo",
      "OidcLogoutEndpoint": "https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/logout"
    },
    "SsoStatus": "enabled",
    "InitLoginType": "only_app_init_sso",
    "InitLoginUrl": "http://127.0.0.1:8000/start_login?enterprise_code=ABCDEF"
  }
}
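The script below is an added example for this reference page; it is not part of the EIAM documentation or of any Alibaba Cloud SDK. It walks the ApplicationSsoConfig object that this API returns, using the field names and valid values documented above, and reports the settings a configuration reviewer would flag: both SAML signatures disabled, the implicit or password grant enabled, a public client without PKCE, the plain PKCE method, token lifetimes above the documented defaults, redirect or RelayState URLs that are not https or carry stray whitespace, and an InitLoginType that requires InitLoginUrl when none is set. The lifetime limits, the URL rules and the sample configuration are constructed for the example, not taken from the service.

```python
"""Audit an EIAM GetApplicationSsoConfig response for weak SSO settings.

Added example for the reference page; not EIAM or SDK code. It inspects the
ApplicationSsoConfig object as the API returns it and returns a list of
finding strings. Lifetime limits and URL rules are this audit's assumptions.
"""
from urllib.parse import urlparse

# Assumed upper bounds (seconds): the documented default of each field, so any
# lifetime raised above its default is reported.
MAX_LIFETIMES = {
    "AccessTokenEffectiveTime": 1200,
    "CodeEffectiveTime": 60,
    "IdTokenEffectiveTime": 300,
    "RefreshTokenEffective": 86400,
}


def url_findings(label, url):
    """Findings for one redirect/relay URL: stray whitespace, scheme, wildcard."""
    found = []
    if url != url.strip():
        found.append(f"{label}: value has surrounding whitespace: {url!r}")
    clean = url.strip()
    parsed = urlparse(clean)
    if parsed.scheme != "https" and parsed.hostname not in ("127.0.0.1", "localhost"):
        found.append(f"{label}: not https: {clean}")
    if "*" in clean:
        found.append(f"{label}: contains a wildcard: {clean}")
    return found


def audit_saml(saml):
    found = []
    # Documented constraint: ResponseSigned and AssertionSigned cannot both be false.
    if not saml.get("ResponseSigned") and not saml.get("AssertionSigned"):
        found.append("SAML: neither the response nor the assertion is signed")
    if saml.get("SignatureAlgorithm", "").upper().endswith("SHA1"):
        found.append("SAML: signature algorithm uses SHA-1")
    for label in ("SpSsoAcsUrl", "DefaultRelayState"):
        if saml.get(label):
            found += url_findings(label, saml[label])
    for rs in saml.get("OptionalRelayStates", []):
        found += url_findings("OptionalRelayStates", rs.get("RelayState", ""))
    return found


def audit_oidc(oidc):
    found = []
    grants = set(oidc.get("GrantTypes", []))
    if "implicit" in grants:
        found.append("OIDC: implicit grant enabled (tokens returned via the front channel)")
    if "password" in grants and not oidc.get("PasswordTotpMfaRequired"):
        found.append("OIDC: password grant enabled without TOTP MFA")
    # AllowedPublicClient is documented as a string ("true"/"false"); accept bools too.
    public = str(oidc.get("AllowedPublicClient", "false")).lower() == "true"
    if public and not oidc.get("PkceRequired"):
        found.append("OIDC: public client allowed but PKCE not required")
    if "plain" in oidc.get("PkceChallengeMethods", []):
        found.append("OIDC: plain PKCE challenge method allowed")
    # Documented: ResponseTypes is only meaningful when the implicit grant is enabled.
    if oidc.get("ResponseTypes") and "implicit" not in grants:
        found.append("OIDC: ResponseTypes set although implicit grant is not enabled")
    for field, limit in MAX_LIFETIMES.items():
        value = oidc.get(field)
        if value is not None and value > limit:
            found.append(f"OIDC: {field}={value}s exceeds audit limit of {limit}s")
    for field in ("RedirectUris", "PostLogoutRedirectUris"):
        for uri in oidc.get(field, []):
            found += url_findings(field, uri)
    return found


def audit_sso_config(cfg):
    """Audit an ApplicationSsoConfig object; returns a list of finding strings."""
    found = []
    if cfg.get("SsoStatus") != "enabled":
        found.append(f"SSO status is {cfg.get('SsoStatus')!r}, not enabled")
    saml, oidc = cfg.get("SamlSsoConfig"), cfg.get("OidcSsoConfig")
    init_type, init_url = cfg.get("InitLoginType"), cfg.get("InitLoginUrl")
    # Documented: InitLoginUrl is required for SAML + only_app_init_sso and for
    # OIDC + idaas_or_app_init_sso. The protocol is inferred from the config present.
    needs_url = (saml and init_type == "only_app_init_sso") or \
                (oidc and init_type == "idaas_or_app_init_sso")
    if needs_url and not init_url:
        found.append(f"InitLoginUrl missing for InitLoginType={init_type}")
    if init_url:
        found += url_findings("InitLoginUrl", init_url)
    if saml:
        found += audit_saml(saml)
    if oidc:
        found += audit_oidc(oidc)
    return found


# Constructed sample (not a real tenant): an OIDC application with weak settings.
WEAK_OIDC_CONFIG = {
    "OidcSsoConfig": {
        "RedirectUris": ["https://example.com/oidc/login/callback\n"],
        "PostLogoutRedirectUris": ["http://example.com/logout"],
        "GrantTypes": ["authorization_code", "implicit", "password"],
        "ResponseTypes": ["token id_token"],
        "GrantScopes": ["openid", "profile"],
        "PasswordTotpMfaRequired": False,
        "PkceRequired": False,
        "PkceChallengeMethods": ["plain", "S256"],
        "AccessTokenEffectiveTime": 1200,
        "CodeEffectiveTime": 300,
        "IdTokenEffectiveTime": 1200,
        "RefreshTokenEffective": 86400,
        "AllowedPublicClient": "true",
    },
    "SsoStatus": "enabled",
    "InitLoginType": "idaas_or_app_init_sso",
}

if __name__ == "__main__":
    for line in audit_sso_config(WEAK_OIDC_CONFIG):
        print("-", line)
```

Run against the constructed sample, the audit reports nine findings; feed it the ApplicationSsoConfig object from a real GetApplicationSsoConfig response (for example, after `json.load` of the SDK output) to review one application at a time. A trailing newline in a redirect URI is reported on purpose: the authorization server compares redirect URIs as exact strings, so a stray whitespace character silently breaks the match.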

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.