
Identity as a Service: Create an IDaaS SSO application

Last Updated: Mar 31, 2026

This tutorial walks you through setting up single sign-on (SSO) with Identity as a Service (IDaaS). By the end, your team members can log on to the Alibaba Cloud Management Console through the IDaaS user portal with one click — no separate Alibaba Cloud credentials required.

Prerequisites

Before you begin, ensure that you have:

  • An Alibaba Cloud account

  • A RAM user whose username matches the IDaaS account username you plan to create (or create the RAM user during this tutorial)

Step 1: Create a free instance

IDaaS 2.0 instances are free to create, and most features are free. For details on billable items, see Product Billing.
  1. Go to the Alibaba Cloud IDaaS console and open the EIAM 2.0 instance list page.

  2. Click Create Instance. Select the checkbox to agree to the terms and create the instance.

  3. After the instance is created, click the instance ID or Access Console to open the IDaaS Management Console.

  4. In the lower-right corner, click Trial version to start a 15-day trial. Each instance supports one trial.

Step 2: Create an account

IDaaS manages your organization's accounts in one place — employees in product R&D, O&M, human resources, and sales, as well as temporary staff and contractors. All IDaaS accounts access authorized enterprise applications through a unified logon.

Besides adding accounts manually, IDaaS supports bulk import methods. For details, see Account data synchronization.
  1. In the navigation pane, go to Accounts and Orgs and click Create Account.

  2. Fill out the form to add your first account.

  3. After the account is created, the instance logon page URL appears at the top of the Quick Start page. Share this URL with the account holder so they can log on to the user portal.

Step 3: Add an SSO application

Applications in IDaaS serve two purposes: they enable SSO to other platforms and keep accounts in sync between IDaaS and those platforms.

This tutorial uses the Alibaba Cloud User SSO template, which lets IDaaS accounts log on to the Alibaba Cloud Management Console via SAML 2.0.

  1. Go to Application Management > Applications > Add Application.

  2. In the application marketplace, find the Alibaba Cloud User SSO template and click Add Application.

    The application marketplace includes pre-integrated templates for common enterprise software, optimized for one-click setup. For other commercial or in-house applications, use the Standard Protocols or Custom Applications templates.
  3. Enter an Application Name and click Add Immediately.

Step 4: Configure SSO

SSO requires configuration in both IDaaS and the target application (Alibaba Cloud RAM). Complete both parts before testing.

Configure the IDaaS SSO application

  1. On the SSO configuration panel, some parameters are pre-filled with default values. Keep the default values.

  2. At the bottom of the page, download the metadata file. This file contains all the SSO configuration details you will upload to RAM in the next step.

  3. On the Application authorization tab, click Authorize. Select the accounts to authorize for this application, then click Save Authorization.

Configure RAM

The Alibaba Cloud user-based SSO application uses the IDaaS username as the application account name by default. Confirm that the IDaaS username matches the corresponding RAM username. If no RAM user exists yet, create one first. For information about how to flexibly associate application accounts, see Configure application accounts.

  1. Go to the RAM SSO configuration page.

  2. Switch to the User-based SSO tab and click Edit.

  3. Set the SSO status to Enabled.

  4. Click OK to save the configuration. You can now use your IDaaS account to access the Alibaba Cloud User SSO application.

Step 5: Verify SSO

Confirm that the configuration works end-to-end.

Log on to the user portal

Get the user portal URL from the Quick Start page, the Accounts menu, or the User Portal column on the instance list page.
  1. Open the portal URL in a browser.

    IDaaS supports multiple logon methods. Administrators can manage these from the Logon menu.
  2. Log on with the account you created in Step 2. The IDaaS user portal opens and displays all applications you have been authorized to use.

Test single sign-on

  1. Click the Alibaba Cloud User SSO application to initiate the single sign-on process.

  2. The Alibaba Cloud Management Console opens in a new browser tab — you are logged on automatically without entering separate credentials.

What's next

Now that SSO is up and running, consider these next steps:

  • Add more accounts — Use bulk import to sync your organization directory. See Account data synchronization.

  • Add more applications — Explore the application marketplace for other pre-integrated enterprise apps, or configure custom applications using Standard Protocols.

  • Review pricing — Most features are free. See Product Billing for details on billable items.