Identity as a Service: 3. Create an Application

Last Updated: Mar 31, 2023

Applications are important in IDaaS. You can implement single sign-on (SSO) for applications and synchronize accounts between IDaaS applications.

The example in this topic shows you how to configure an Alibaba Cloud User SSO application to log on to the Alibaba Cloud Management Console with an IDaaS account.

Add an application

In the left-side navigation pane, click Applications. On the page that appears, click Add Application to go to the Marketplace tab.

IDaaS provides multiple built-in templates for common enterprise applications. The templates are configured and optimized. You can use these templates to add applications with ease.

Note

You can connect other applications and self-developed applications by using the templates on the Standard Protocols tab and Custom Applications tab.

Alibaba Cloud User SSO is the first application in the marketplace. Click Add Application, specify the application name, and then click Add. The configuration page appears.

Configure SSO

IDaaS interacts with an application during an SSO process. You must configure SSO in IDaaS and the application.

Note

The Alibaba Cloud User SSO application uses the Security Assertion Markup Language (SAML) 2.0 protocol. SAML 2.0 has more than 10 common parameters and is complicated to configure. However, IDaaS provides a simple configuration method.

Configure SSO in IDaaS

After you add the application, the SSO configuration page appears with some parameters pre-filled.

The following table describes the parameters.

| Parameter | Description |
| --- | --- |
| Alibaba Cloud Account ID | The Alibaba Cloud account for which you want to implement SSO. |
| Application User | The account that is used for SSO. Default value: IDaaS Username. For more information, see Configure an account for an SAML application. |
| Authorize | Specifies the accounts that can access the application. Default value: Manually. For more information, see SSO overview. |
| RAM Default Domain Name | This parameter is required only if an auxiliary domain name is configured in Resource Access Management (RAM). |

In this example, we recommend that you click Save without modifying the parameters.

In the lower part of the page, click Download in the Application Settings section. The file contains all the SSO configuration information. In the next step, you need to upload the file in RAM.

Configure SSO in RAM

Note

Prerequisites: IDaaS Account is selected for the Account parameter in the previous step. Make sure that the username of the IDaaS account created in Step 2 is the same as the RAM username. If no RAM username is the same as the IDaaS username, create a RAM user first. For more information about how to flexibly associate application accounts, see Configure application accounts.

Click RAM SSO configuration page. On the page that appears, click the User-based SSO tab and click Edit.

Select Enabled for the SSO Status parameter. Click Upload and upload the file downloaded in the previous step.

Click OK. The configuration is complete. You can use the IDaaS account to log on to the Alibaba Cloud User SSO application.

The next step in this guide describes how to log on by using SSO. Go to the last step: 4. Log on by using SSO.