When you log on through Alibaba Cloud IDaaS (Identity as a Service) using role-based SSO (Single Sign-On), you may see the following error:
"Cannot find the SAML identity provider with ARN: acs:ram::171\*\*\*\*\*\*\*\*82866:saml-provider/aliyun\_idaas\_test. Please verify that the SAML provider information in the IDP role configuration is correct."
This error means the SAML (Security Assertion Markup Language) identity provider ARN (Alibaba Cloud Resource Name) carried in the SAML assertion does not match any identity provider registered in RAM (Resource Access Management). The three most common causes, and how to fix each, are described below.
Identity provider name mismatch
The IdP name in IDaaS must exactly match the identity provider name in the RAM console.
Check the IdP name in IDaaS:
Log on to the Alibaba Cloud IDaaS console, select your IDaaS instance, and go to Applications > Add Application.
Find the Alibaba Cloud Role-based SSO application template and open its SSO configuration page.
Note the value in the IdP Name field (for example, aliyun_idaas_test).
Check the identity provider name in RAM:
Log on to the Alibaba Cloud RAM console.
In the left-side navigation pane, go to SSO Management > Role-based SSO.
Note the name of the configured identity provider.
Confirm that both names are exactly the same.
IdP metadata file not uploaded correctly
The IdP metadata file in the RAM console must come from the current IDaaS SSO configuration. An incorrectly uploaded file causes the configuration to fail.
On the SSO configuration page in IDaaS, download the latest IdP metadata file.
Log on to the RAM console and go to SSO > Role-based SSO.
Check the uploaded IdP metadata file. If it is inconsistent or not uploaded, upload the correct IdP metadata file again.
Application user name and RAM role name mismatch
The application user name configured in IDaaS determines which RAM role the user assumes. The two must match exactly.
In the IDaaS console, go to Sign-In > Application User and note the application user name assigned to the user.
Log on to the RAM console and go to Identities > Roles. Check the role name.
Confirm the application user name and the RAM role name are exactly the same.
If a single IDaaS account needs to assume multiple RAM roles, create a separate application user for each role.
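As an added diagnostic that is not part of this article or of Alibaba Cloud's tooling, the following Python checks a captured SAML assertion for the two name mismatches described above (identity provider name, and application user name versus RAM role name) before you retry the logon. It assumes the role attribute is named https://www.aliyun.com/SAML-Role/Attributes/Role and carries "role_arn,provider_arn" pairs; the account ID, names and assertion below are constructed samples.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute that carries the role/provider ARN pair (assumed name; verify against RAM docs).
ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"

# Constructed sample assertion: the provider name has a typo (tset instead of test).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
      <saml:AttributeValue>acs:ram::123456789012345678:role/idaas-admin,acs:ram::123456789012345678:saml-provider/aliyun_idaas_tset</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_arn(arn):
    """Split 'acs:ram::<account>:<type>/<name>' into (account, type, name)."""
    parts = arn.strip().split(":", 4)
    if len(parts) != 5 or parts[0] != "acs" or parts[1] != "ram":
        raise ValueError(f"not a RAM ARN: {arn!r}")
    rtype, _, name = parts[4].partition("/")
    return parts[3], rtype, name

def role_pairs(assertion_xml):
    """Yield (role_arn, provider_arn) from every value of the role attribute."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            role_arn, _, provider_arn = (value.text or "").partition(",")
            yield role_arn.strip(), provider_arn.strip()

def check_assertion(assertion_xml, account_id, provider_name, role_names):
    """Return a list of mismatches against what is registered in RAM; empty means consistent."""
    findings = []
    for role_arn, provider_arn in role_pairs(assertion_xml):
        if not provider_arn:  # value lacks the ',provider_arn' half entirely
            findings.append(f"no provider ARN in {role_arn!r}")
            continue
        r_acct, r_type, r_name = parse_arn(role_arn)
        p_acct, p_type, p_name = parse_arn(provider_arn)
        if p_type != "saml-provider" or p_name != provider_name:
            findings.append(f"provider {p_name!r} is not registered name {provider_name!r}")
        if r_type != "role" or r_name not in role_names:
            findings.append(f"role {r_name!r} is not a RAM role in {sorted(role_names)}")
        if r_acct != account_id or p_acct != account_id:
            findings.append(f"account mismatch: role {r_acct}, provider {p_acct}, expected {account_id}")
    return findings
```

Run it on an assertion captured from the browser during a failed logon; each finding names the side (IDaaS or RAM) whose value to correct.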
Verify SSO after fixing the configuration
After correcting the configuration, test single sign-on:
Log on to the IDaaS application portal using an IDaaS account that has access to the Alibaba Cloud role-based SSO application.
Click the application icon to start single sign-on.
If the account has multiple application users (multiple RAM roles), select the appropriate application user to log on.