Identity as a Service: Get started with EIAM SSO

Last Updated: Apr 16, 2025

This getting started guide shows you how to create an Identity as a Service (IDaaS) instance, configure the Alibaba Cloud User-based SSO application, and use IDaaS to implement SSO to the Alibaba Cloud Management Console.

Create an IDaaS instance for free

Note

You can create IDaaS V2.0 instances for free and use a large number of free features. For more information about paid features, see Billing.

  1. Log on to the IDaaS console. In the left-side navigation pane, click EIAM. On the EIAM page, click the IDaaS tab.

  2. On the IDaaS tab, click Create Instance. In the Create Instance dialog box, specify the instance name, select Alibaba Cloud Product Service Agreement, and then click Create.

  3. After the instance is created, click the instance ID or Manage in the Actions column to go to the Quick Start page. In the lower-right corner of the Instance Edition section, click Trial to obtain a 15-day trial. The free trial is available only once for each instance.

Create an account

IDaaS allows you to manage organizational structures and enterprise accounts in the cloud, including employees in product R&D, O&M, human resources, sales, temporary staff, and contractors.

IDaaS users can access all enterprise applications on which the users have permissions by using the centralized authentication system.

Note

You can also import organizations and accounts. For more information, see Synchronize accounts.

Add an account

  1. In the left-side navigation pane, choose Accounts > Accounts and Orgs. On the page that appears, click Create Account.

  2. Enter information in the Create Account panel to add an account.

  3. The account is added. You can log on to the account portal from the logon page of an instance. You can view the logon address of the instance in the upper part of the Accounts page.

Create an application

In IDaaS, applications provide the systems and services that support your business processes. You can implement SSO for applications and synchronize accounts between IDaaS applications.

The example in this section shows you how to configure the User-based SSO for Alibaba Cloud application to log on to the Alibaba Cloud Management Console by using an IDaaS account.

Add an application

  1. Log on to the IDaaS console. On the EIAM page, click the required instance. In the left-side navigation pane, click Applications. On the Applications page, click Add Application to go to the Marketplace tab.

    Note

    IDaaS provides multiple templates for common enterprise applications. The templates are configured and optimized. You can use these templates to add applications with ease.

    You can connect other applications and self-developed applications by using the templates on the Standard Protocols tab and Custom Applications tab.

  2. On the Marketplace tab, find the Alibaba Cloud User-based SSO application. Click Add Application, specify the application name, and then click Add. The configuration page appears.

Configure SSO

The SSO process requires interaction between IDaaS and applications, so you must configure SSO settings on both sides. The Alibaba Cloud User-based SSO application provides a simple configuration method based on Security Assertion Markup Language (SAML) 2.0, which helps you complete the settings quickly.

Configure the Alibaba Cloud User-based SSO application in IDaaS

  1. After you create an application, you are redirected to the SSO tab. On the SSO tab, configure the Alibaba Cloud Account ID parameter and retain the default values for the parameters that are automatically configured by the system. Then, click Save.

  2. In the lower part of the page, click Download next to IdP Metadata in the Application Settings section. The file includes all SSO configurations. In the next step, you need to upload this file to Resource Access Management (RAM).

  3. Click the Authorize tab. On the Authorize tab, click Authorize. In the Authorize dialog box, select the account that you want to manage by using the Alibaba Cloud User-based SSO application and click Confirm.

Configure SSO in RAM

  1. IDaaS Username is selected for the Application Username parameter in the previous step. Make sure that the username of the IDaaS account is the same as the RAM username. If no RAM username is the same as the username of the IDaaS account, create a RAM user first. For more information about how to flexibly associate application accounts, see Configure application accounts.

  2. Click RAM SSO configuration page. On the page that appears, click the User-based SSO tab and click Edit.

  3. Select Enabled for the SSO Status parameter. Click Upload File and upload the downloaded file.

  4. Click OK. You can use the IDaaS account to log on to the Alibaba Cloud User-based SSO application.

Verify the SSO result

After you complete the previous configurations, you can log on to the user portal by using the IDaaS account and check whether SSO to the Alibaba Cloud Management Console is complete.

Log on to the user portal

Note

To obtain the URL of the user portal, perform the following operations: In the left-side navigation pane of the IDaaS console, click EIAM. On the EIAM page, click the IDaaS tab, find the instance that you created, and view the URL of the user portal in the User Portal column. You can also click the instance ID and go to the Quick Start or Accounts and Orgs page to obtain the URL of the user portal.

  1. Open the user portal in a browser to go to the IDaaS console.

    Note

    IDaaS supports multiple logon methods. Administrators can manage logon methods on the Sign-In page of the IDaaS console.

  2. Use the account that is created in the Create an account section to log on to the IDaaS user portal.

Log on by using SSO

In the IDaaS portal, you can view all the configured applications on which you are granted permissions.

  1. Click your application to initiate an SSO redirect request.

  2. Click the Alibaba Cloud User-based SSO application to log on to the Alibaba Cloud Management Console on a new tab.