This topic describes how to use Identity as a Service (IDaaS) to log on to a third-party application by using an Active Directory (AD) account.
Scenario
IDaaS supports data synchronization with AD domains and delegated authentication. This allows you to log on to hundreds of applications by using an AD or OpenLDAP account.
To achieve this, you must synchronize an AD account to IDaaS and add an application that supports single sign-on (SSO) to IDaaS. After this configuration, your enterprise users can log on to the third-party application by using their AD accounts.
This topic describes a scenario in which Alibaba Cloud user-based SSO is the third-party application. All IDaaS features that are used are provided free of charge.
In actual scenarios, whether a feature is free of charge depends on whether the third-party application template is free of charge. For more information, see Features of each edition.
Procedure
Step 1: Activate an IDaaS instance
Before you configure applications, you must create an IDaaS instance. For more information, see Activate a free instance.
Step 2: Synchronize an AD account to IDaaS
To implement logon by using an AD account or an OpenLDAP account, you must first synchronize the account to IDaaS. In this topic, an AD account is used. You can synchronize other accounts based on your business requirements:
Synchronize AD accounts to IDaaS: Connect IDaaS to AD.
Synchronize OpenLDAP accounts to IDaaS: Connect IDaaS to OpenLDAP.
Make sure that Delegated Authentication is enabled.
After the synchronization is complete, you can view the synchronized accounts on the Accounts page.
Step 3: Add an application in IDaaS
Add an application in IDaaS and configure SSO for the application. In this topic, Alibaba Cloud user-based SSO is used.
For more information about Alibaba Cloud user-based SSO configuration and usage, see Alibaba Cloud user-based SSO.
When you associate a Resource Access Management (RAM) user, use the username of the AD account that is synchronized to IDaaS as the IDaaS account username, and use the username of the RAM user as the application account username.
Step 4: Grant application permissions
Grant accounts the permissions to access the application. You can select All Users or Manually for the Authorize parameter on the SSO tab. If you select Manually for the Authorize parameter, you must grant permissions by account or organization on the Authorize tab. An account can access the application only after the account is granted access permissions.
When you connect a Security Assertion Markup Language (SAML) application such as Alibaba Cloud RAM, you can set application accounts in Single Sign-on. IDaaS passes the username of the IDaaS account, or the specified application account username, to the application. The application looks up its own account with that username to complete the logon. If the application already has accounts, make sure that their usernames match the usernames that IDaaS passes. If they do not match, you must create the accounts in the application in advance. For more information, see General description of SSO.
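To catch the mismatch described above before accounts are authorized, the following added example (not from the IDaaS documentation) reconciles the synchronized AD usernames, the IDaaS-to-RAM application account mapping, and the RAM users that actually exist. The account lists, the Finding structure and the function names are constructed assumptions for illustration.

```python
"""Pre-authorization check for IDaaS -> Alibaba Cloud RAM user-based SSO (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    idaas_user: str
    severity: str   # "error" blocks the logon; "warn" is a hygiene issue
    message: str


def check_sso_mappings(synced_ad_users, app_accounts, ram_users, authorized,
                       authorize_mode="Manually"):
    """Return findings for one application.

    synced_ad_users: AD usernames synchronized to IDaaS (Step 2)
    app_accounts:    IDaaS username -> application (RAM) username (Step 3);
                     an IDaaS user missing here falls back to its own username
    ram_users:       RAM user names that exist on the application side
    authorized:      IDaaS usernames granted access on the Authorize tab (Step 4)
    authorize_mode:  value of the Authorize parameter, "All Users" or "Manually"
    """
    findings = []
    for user in sorted(synced_ad_users):
        target = app_accounts.get(user, user)  # what IDaaS passes to the application
        if target not in ram_users:
            findings.append(Finding(user, "error",
                f"application account '{target}' does not exist in RAM; create it first"))
        if authorize_mode == "Manually" and user not in authorized:
            findings.append(Finding(user, "error",
                "not granted access on the Authorize tab; SSO will be refused"))
    # mappings for users that were never synchronized: stale or mistyped entries
    for user in sorted(set(app_accounts) - set(synced_ad_users)):
        findings.append(Finding(user, "warn",
            "mapping exists but the IDaaS account was not synchronized from AD"))
    # two IDaaS users mapped to one RAM user become indistinguishable in RAM audit logs
    seen = {}
    for user, target in app_accounts.items():
        if target in seen:
            findings.append(Finding(user, "warn",
                f"shares RAM user '{target}' with '{seen[target]}'; audit trail is ambiguous"))
        seen.setdefault(target, user)
    return findings


def run_example():
    """Constructed sample data: three synced AD users, one stale mapping, one shared RAM user."""
    synced = {"alice", "bob", "carol"}
    app_accounts = {"alice": "alice-ram", "carol": "alice-ram", "dave": "dave-ram"}
    ram_users = {"alice-ram", "bob"}          # "bob" relies on the fallback to his own name
    return check_sso_mappings(synced, app_accounts, ram_users, authorized={"alice", "bob"})
```

Running run_example() reports carol as an error (not authorized) and as a warning (shares alice-ram with alice), and dave as a warning (stale mapping).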
Step 5: Configure the logon method
In the IDaaS console, click Sign-In.
Enable AD delegated authentication.
Set the preferred logon method (optional).
If you want to use AD accounts for logon by default, you can set the Primary Authentication Method to AD account.
Step 6: Initiate SSO
Service provider-initiated (SP-initiated) SSO
Go to the RAM user logon page, enter the username of your RAM user, and then click Next.
Click Login with Organization Account. You are redirected to the logon page of IDaaS.
If AD account is set as the primary authentication method, enter the username and password of the AD account. Otherwise, click the AD icon to switch to AD logon, and then enter them.
Identity provider-initiated (IdP-initiated) SSO
Visit the IDaaS user portal.
If AD account is set as the primary authentication method, enter the username and password of the AD account. Otherwise, click the AD icon to switch to AD logon, and then enter them.
In the IDaaS application portal, click the application icon to log on to the application.