
Identity as a Service: SetApplicationSsoConfig

Last Updated:Aug 13, 2025

Sets the single sign-on (SSO) properties for an IDaaS application.

Operation description

In IDaaS, the Application Management feature lets you add applications that use various single sign-on (SSO) protocols, such as SAML 2.0 and OpenID Connect (OIDC). However, each application can support only one SSO protocol. The protocol is specified during application creation and cannot be changed afterward. You must configure the SSO parameters according to the protocol that your application uses.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of resource that supports authorization for the action. It indicates whether the action supports resource-level permissions. The specified resource must be compatible with the action; otherwise, the policy is ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action: eiam:SetApplicationSsoConfig

Access level: create

Resource type: Application (required, marked with *)
  ARN: acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}

Condition key: None

Dependent action: None
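As an added example (not part of the original page), the following RAM policy grants only this operation on a single application, using the ARN pattern from the table above. The region and account ID are placeholders to be replaced with your own values; the instance and application IDs are the example values used in the request parameters of this page.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eiam:SetApplicationSsoConfig",
      "Resource": "acs:eiam:<regionId>:<accountId>:instance/idaas_ue2jvisn35ea5lmthk267xxxxx/application/app_mkv7rgt4d7i4u7zqtzev2mxxxx"
    }
  ]
}
```

Because the action supports resource-level permissions, scoping Resource to one application ARN rather than "*" keeps a RAM user or role that manages one application's SSO settings from rewriting the SSO configuration of every application in the instance.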

Request parameters

Each entry lists the parameter name, its type and whether it is required, followed by its description and an example value. Nested parameters are written with dotted names (for example, SamlSsoConfig.SpSsoAcsUrl), and "[]" marks the elements of an array.

InstanceId (string, required)
  The instance ID.
  Example: idaas_ue2jvisn35ea5lmthk267xxxxx

ApplicationId (string, required)
  The application ID.
  Example: app_mkv7rgt4d7i4u7zqtzev2mxxxx

SamlSsoConfig (object, optional)
  The SSO properties for an application that uses the SAML protocol.

SamlSsoConfig.SpSsoAcsUrl (string, optional)
  The SAML assertion consumer service (ACS) URL of the application (service provider).
  Example: https://signin.aliyun.com/saml-role/sso

SamlSsoConfig.SpEntityId (string, optional)
  The entity ID of the application (service provider) that uses SAML.
  Example: https://ram.aliyun.com/saml/role/sso

SamlSsoConfig.NameIdFormat (string, optional)
  The format of the NameID in the SAML protocol. Valid values:
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: The format is not specified. The application determines how to parse the NameID.
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: The email address format.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: The persistent NameID.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient: The transient NameID.
  Example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

SamlSsoConfig.NameIdValueExpression (string, optional)
  The expression used to generate the value of the NameID in the SAML protocol.
  Example: user.email

SamlSsoConfig.DefaultRelayState (string, optional)
  The default value of RelayState. When an SSO request is initiated by IDaaS, the SAML response provided by IDaaS carries this value as RelayState.
  Example: https://home.console.aliyun.com

SamlSsoConfig.SignatureAlgorithm (string, optional)
  The signature algorithm for the SAML assertion.
  Example: RSA-SHA256

SamlSsoConfig.ResponseSigned (boolean, optional)
  Specifies whether the response must be signed. ResponseSigned and AssertionSigned cannot both be false.
  • true: The response must be signed.
  • false: The response does not need to be signed.
  Example: true

SamlSsoConfig.AssertionSigned (boolean, optional)
  Specifies whether the assertion must be signed. ResponseSigned and AssertionSigned cannot both be false.
  • true: The assertion must be signed.
  • false: The assertion does not need to be signed.
  Example: true

SamlSsoConfig.AttributeStatements (array of object, optional)
  The configurations of additional user attributes in the SAML assertion. Each element is one attribute configuration.

SamlSsoConfig.AttributeStatements[].AttributeName (string, optional)
  The name of the attribute in the SAML assertion.
  Example: https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName

SamlSsoConfig.AttributeStatements[].AttributeValueExpression (string, optional)
  The expression used to generate the value of the attribute in the SAML assertion.
  Example: user.username

SamlSsoConfig.IdPEntityId (string, optional)
  The entity ID of the identity provider (IdP) in the SAML protocol. The value can be in URL or URN format.
  Example: https://example.com/

SamlSsoConfig.OptionalRelayStates (array of object, optional)
  The optional RelayState configurations. Each element is one optional RelayState configuration.

SamlSsoConfig.OptionalRelayStates[].RelayState (string, optional)
  The value of RelayState.
  Example: https://ram.console.aliyun.com/

SamlSsoConfig.OptionalRelayStates[].DisplayName (string, optional)
  The display name of the RelayState.
  Example: Ram

OidcSsoConfig (object, optional)
  The SSO properties for an application that uses the OIDC protocol.

OidcSsoConfig.RedirectUris (array of string, optional)
  The list of redirect URIs that the application supports. Each element is one redirect URI.
  Example: https://example.com/oidc/login/callback

OidcSsoConfig.PostLogoutRedirectUris (array of string, optional)
  The list of post-logout redirect URIs that the application supports. Each element is one whitelisted post-logout redirect URI of the application. When the application initiates a logout request, you can specify the post_logout_redirect_uri parameter.
  Example: https://example.com/oidc/logout/callback

OidcSsoConfig.GrantTypes (array of string, optional)
  The list of OIDC grant types that are supported. Valid values for each element:
  • authorization_code: The authorization code grant type.
  • implicit: The implicit grant type.
  • refresh_token: The refresh token grant type.
  • urn:ietf:params:oauth:grant-type:device_code: The device authorization grant type.
  • password: The resource owner password credentials grant type.
  Example: authorization_code

OidcSsoConfig.ResponseTypes (array of string, optional)
  The response types that the application supports when OidcSsoConfig.GrantTypes is set to implicit. Each element is a ResponseType value in the OIDC protocol and is valid only when GrantTypes is set to implicit. Valid values:
  • token: Returns only an access token.
  • id_token: Returns only an ID token.
  • token id_token: Returns both an access token and an ID token.
  Example: token id_token

OidcSsoConfig.GrantScopes (array of string, optional)
  The scope parameter in the OIDC protocol. This parameter specifies the scope of user information that can be returned by the userinfo endpoint or included in the ID token. Valid values for each element:
  • openid: An OIDC standard parameter that indicates the unique ID of the user.
  • profile: The detailed information about the user.
  • email: The email address of the user.
  • phone: The phone number of the user.
  Example: profile,email

OidcSsoConfig.PasswordTotpMfaRequired (boolean, optional)
  Specifies whether Time-based One-time Password (TOTP) multi-factor authentication (MFA) is required for the resource owner password credentials grant type. This parameter is valid only when GrantTypes for the OIDC application is set to password.
  Example: true

OidcSsoConfig.PasswordAuthenticationSourceId (string, optional)
  The ID of the identity source for the resource owner password credentials grant type. This parameter is valid only when GrantTypes for the OIDC application is set to password.
  Example: ia_password

OidcSsoConfig.PkceRequired (boolean, optional)
  Specifies whether Proof Key for Code Exchange (PKCE, RFC 7636) is required for application SSO.
  Example: true

OidcSsoConfig.PkceChallengeMethods (array of string, optional)
  The algorithms used to compute the code challenge in PKCE. Valid values for each element:
  • plain: The code challenge is the same as the code verifier.
  • S256: The SHA-256 algorithm.
  Example: S256

OidcSsoConfig.AccessTokenEffectiveTime (integer, optional)
  The validity period of the access token. Unit: seconds. Default value: 1200 (20 minutes).
  Example: 1200

OidcSsoConfig.CodeEffectiveTime (integer, optional)
  The validity period of the authorization code. Unit: seconds. Default value: 60 (1 minute).
  Example: 300

OidcSsoConfig.IdTokenEffectiveTime (integer, optional)
  The validity period of the ID token. Unit: seconds. Default value: 300 (5 minutes).
  Example: 1200

OidcSsoConfig.RefreshTokenEffective (integer, optional)
  The validity period of the refresh token. Unit: seconds. Default value: 86400 (1 day).
  Example: 1200

OidcSsoConfig.CustomClaims (array of object, optional)
  The custom claims that are returned in the ID token. Each element is one claim configuration.

OidcSsoConfig.CustomClaims[].ClaimName (string, optional)
  The name of the claim.
  Example: "Role"

OidcSsoConfig.CustomClaims[].ClaimValueExpression (string, optional)
  The expression used to generate the value of the claim.
  Example: user.dict.applicationRole

OidcSsoConfig.SubjectIdExpression (string, optional)
  The expression used to generate the value of the sub claim in the ID token.
  Example: user.userid

OidcSsoConfig.AllowedPublicClient (boolean, optional)
  Specifies whether the application is allowed to act as a public client when it sends requests to the IDaaS authorization server. This parameter can be enabled only for the authorization code grant type and the device authorization grant type. Default value: false.
  Example: true

InitLoginType (string, optional)
  The SSO initiation method. Valid values:
  • only_app_init_sso: SSO is initiated only by the application. This is the default value for OIDC applications. If you set this value for a SAML application, you must specify InitLoginUrl.
  • idaas_or_app_init_sso: SSO can be initiated by the IDaaS console or by the application. This is the default value for SAML applications. If you set this value for an OIDC application, you must specify InitLoginUrl.
  Example: only_app_init_sso

InitLoginUrl (string, optional)
  The URL that is used to initiate SSO. You must specify this parameter if you set InitLoginType to idaas_or_app_init_sso for an OIDC application, or to only_app_init_sso for a SAML application.
  Example: http://127.0.0.1:8000/start_login?enterprise_code=ABCDEF

ClientToken (string, optional)
  A client token that is used to ensure the idempotence of the request. You can generate the value on the client, but you must ensure that it is unique across requests. The token can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.
  Example: client-examplexxx
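The parameter reference above states several cross-parameter rules (one SSO protocol per application, ResponseSigned and AssertionSigned not both false, password-grant-only parameters, the public-client restriction, the InitLoginType/InitLoginUrl dependency, and the ClientToken limits). The following added example, which is not code from Alibaba Cloud or its SDK, encodes those rules as a pre-flight check on the request body so that a misconfiguration is rejected locally before the API call. The function names and the two constructed request bodies are the example's own; the parameter names, valid values and rules are taken from the reference.

```python
"""Pre-flight validation of a SetApplicationSsoConfig request body (added example)."""
from __future__ import annotations
from typing import Any

VALID_GRANT_TYPES = {"authorization_code", "implicit", "refresh_token",
                     "urn:ietf:params:oauth:grant-type:device_code", "password"}
# AllowedPublicClient may be enabled only for these two grant types.
PUBLIC_CLIENT_GRANT_TYPES = {"authorization_code", "urn:ietf:params:oauth:grant-type:device_code"}
VALID_RESPONSE_TYPES = {"token", "id_token", "token id_token"}
VALID_SCOPES = {"openid", "profile", "email", "phone"}
VALID_PKCE_METHODS = {"plain", "S256"}
VALID_INIT_LOGIN_TYPES = {"only_app_init_sso", "idaas_or_app_init_sso"}


def _check_saml(saml: dict[str, Any]) -> list[str]:
    errors = []
    # An unsigned response carrying an unsigned assertion is not allowed.
    if saml.get("ResponseSigned") is False and saml.get("AssertionSigned") is False:
        errors.append("SamlSsoConfig: ResponseSigned and AssertionSigned cannot both be false")
    return errors


def _check_oidc(oidc: dict[str, Any]) -> list[str]:
    errors = []
    grants = set(oidc.get("GrantTypes", []))
    for g in sorted(grants - VALID_GRANT_TYPES):
        errors.append(f"OidcSsoConfig.GrantTypes: unknown grant type {g!r}")
    # ResponseTypes is meaningful only for the implicit grant.
    if oidc.get("ResponseTypes") and "implicit" not in grants:
        errors.append("OidcSsoConfig.ResponseTypes is valid only when GrantTypes includes implicit")
    for rt in oidc.get("ResponseTypes", []):
        if rt not in VALID_RESPONSE_TYPES:
            errors.append(f"OidcSsoConfig.ResponseTypes: unknown value {rt!r}")
    for s in oidc.get("GrantScopes", []):
        if s not in VALID_SCOPES:
            errors.append(f"OidcSsoConfig.GrantScopes: unknown scope {s!r}")
    for m in oidc.get("PkceChallengeMethods", []):
        if m not in VALID_PKCE_METHODS:
            errors.append(f"OidcSsoConfig.PkceChallengeMethods: unknown method {m!r}")
    # Password-grant parameters are valid only when the password grant is enabled.
    if "password" not in grants:
        for key in ("PasswordTotpMfaRequired", "PasswordAuthenticationSourceId"):
            if key in oidc:
                errors.append(f"OidcSsoConfig.{key} is valid only when GrantTypes includes password")
    if oidc.get("AllowedPublicClient") and not (grants & PUBLIC_CLIENT_GRANT_TYPES):
        errors.append("OidcSsoConfig.AllowedPublicClient can be enabled only for the "
                      "authorization code or device authorization grant type")
    return errors


def validate_sso_config(req: dict[str, Any]) -> list[str]:
    """Return the rule violations found in req; an empty list means the body is consistent."""
    errors = [f"{k} is required" for k in ("InstanceId", "ApplicationId") if not req.get(k)]
    saml, oidc = req.get("SamlSsoConfig"), req.get("OidcSsoConfig")
    if saml is not None and oidc is not None:
        errors.append("an application supports only one SSO protocol: set SamlSsoConfig or OidcSsoConfig, not both")
    if saml is not None:
        errors += _check_saml(saml)
    if oidc is not None:
        errors += _check_oidc(oidc)
    init_type = req.get("InitLoginType")
    if init_type is not None and init_type not in VALID_INIT_LOGIN_TYPES:
        errors.append(f"InitLoginType: unknown value {init_type!r}")
    # InitLoginUrl is mandatory for the non-default initiation mode of each protocol.
    needs_url = (saml is not None and init_type == "only_app_init_sso") or \
                (oidc is not None and init_type == "idaas_or_app_init_sso")
    if needs_url and not req.get("InitLoginUrl"):
        errors.append(f"InitLoginUrl is required when InitLoginType is {init_type} for this protocol")
    token = req.get("ClientToken")
    if token is not None and (len(token) > 64 or not token.isascii()):
        errors.append("ClientToken must contain only ASCII characters and be at most 64 characters long")
    return errors


def example_oidc_request() -> dict[str, Any]:
    """Constructed request for an OIDC app: authorization code flow with PKCE, S256 only."""
    return {
        "InstanceId": "idaas_ue2jvisn35ea5lmthk267xxxxx",
        "ApplicationId": "app_mkv7rgt4d7i4u7zqtzev2mxxxx",
        "OidcSsoConfig": {
            "RedirectUris": ["https://example.com/oidc/login/callback"],
            "PostLogoutRedirectUris": ["https://example.com/oidc/logout/callback"],
            "GrantTypes": ["authorization_code", "refresh_token"],
            "GrantScopes": ["openid", "profile", "email"],
            "PkceRequired": True,
            "PkceChallengeMethods": ["S256"],
            "CodeEffectiveTime": 60,
            "SubjectIdExpression": "user.userid",
        },
        "InitLoginType": "only_app_init_sso",
        "ClientToken": "client-examplexxx",
    }


def example_bad_saml_request() -> dict[str, Any]:
    """Constructed request that breaks two rules: nothing signed, and no InitLoginUrl."""
    return {
        "InstanceId": "idaas_ue2jvisn35ea5lmthk267xxxxx",
        "ApplicationId": "app_mkv7rgt4d7i4u7zqtzev2mxxxx",
        "SamlSsoConfig": {"SpSsoAcsUrl": "https://signin.aliyun.com/saml-role/sso",
                          "SpEntityId": "https://ram.aliyun.com/saml/role/sso",
                          "ResponseSigned": False, "AssertionSigned": False},
        "InitLoginType": "only_app_init_sso",
    }


if __name__ == "__main__":
    for build in (example_oidc_request, example_bad_saml_request):
        print(build.__name__, validate_sso_config(build()) or "OK")
```

Run the check on the dictionary immediately before handing it to whatever client you use to call SetApplicationSsoConfig; the valid OIDC body passes with no findings, while the SAML body is rejected for both the unsigned response-and-assertion combination and the missing InitLoginUrl. The check only mirrors rules stated on this page, so the server may still reject a body for reasons it does not cover.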

Response parameters

The response body is an object with the following parameter:

RequestId (string)
  The request ID.
  Example: 0441BD79-92F3-53AA-8657-F8CE4A2B912A

Examples

Success response

JSON format

{
  "RequestId": "0441BD79-92F3-53AA-8657-F8CE4A2B912A"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.