
Identity as a Service: Third-party app via AD/OpenLDAP

Last Updated: Mar 31, 2026

Identity as a Service (IDaaS) lets your employees log on to hundreds of applications using their existing Active Directory (AD) or OpenLDAP credentials. This guide walks you through the full setup: synchronizing your directory accounts to IDaaS, adding a single sign-on (SSO) application, and verifying that both SP-initiated and IdP-initiated SSO work.

Note

This guide uses Alibaba Cloud user-based SSO as the example application. All IDaaS features used here are free of charge. For other applications, pricing depends on the application template. See Features of each edition.

How it works

IDaaS acts as the identity provider (IdP) between your on-premises directory and your cloud applications.

Active Directory / OpenLDAP
        │
        │  inbound synchronization
        ▼
      IDaaS (Identity Provider)
        │
        │  SAML / SSO
        ▼
  Third-party application (Service Provider)

Two things must be in place before SSO works:

  1. Directory sync: IDaaS pulls accounts from AD or OpenLDAP and maintains a local copy.

  2. Delegated authentication: When a user logs on, IDaaS forwards the credential check to your AD or OpenLDAP server rather than validating the password itself. This is what makes AD credentials work at the point of login — without it, synchronization alone is not enough.

Prerequisites

Before you begin, make sure you have:

  • An Alibaba Cloud account

  • An AD domain or OpenLDAP server reachable from IDaaS

  • Network connectivity between IDaaS and your directory server

Step 1: Activate an IDaaS instance

Create an IDaaS instance before configuring anything else. See Activate a free instance.

Step 2: Synchronize directory accounts to IDaaS

Sync your directory accounts to IDaaS so they become available for SSO.

Important

Enable Delegated Authentication during the sync configuration. Without it, IDaaS cannot verify AD or OpenLDAP passwords at log-on time.

After the sync completes, go to the Accounts page in the IDaaS console to confirm that the accounts appear.

Step 3: Add an application in IDaaS

Add the application you want to protect with SSO and configure it in IDaaS.

This guide uses Alibaba Cloud user-based SSO. For full configuration details, see Alibaba Cloud user SSO.

Note

When associating a Resource Access Management (RAM) user, set the IDaaS account username to match the synchronized AD account username, and set the application account username to the RAM user's username.

Step 4: Grant application access

Grant the synchronized accounts permission to access the application.

On the SSO tab of the application, set the Authorize parameter:

Option       Behavior
All Users    All synchronized accounts can access the application immediately.
Manually     Grant permissions by account or organization on the Authorize tab. Only accounts you explicitly grant access to can log on.

For Security Assertion Markup Language (SAML) applications such as Alibaba Cloud RAM, IDaaS passes either the IDaaS account username or a specified application account username to the application. The application matches that username to a local account to complete log-on. If the application accounts do not already exist, create them in the application before granting access.
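The username mapping described in the note under Step 3 and in the paragraph above is easy to get wrong, so here is an added example (written for this guide, not Alibaba Cloud's or IDaaS's own code) that walks through it end to end: IDaaS picks the username to place in the assertion (the application account username if one is configured, otherwise the IDaaS account username), and the application then matches that NameID against its local accounts. The in-memory tables, account names and the unsigned assertion fragment are constructed for illustration; a real SAML assertion is signed and carries conditions and an audience, which are omitted here because the point is only the account matching and the failure when the application account does not exist.

```python
"""Added example: SAML NameID selection on the IdP side and account matching
on the application (SP) side. Tables and names are constructed, not real."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: IDaaS accounts synchronized from AD (username = AD username).
# "app_account" is the application account username configured for this
# application (per the note above, the RAM user's username); None means
# IDaaS passes its own account username instead.
IDAAS_ACCOUNTS = {
    "alice": {"app_account": "alice-ram"},
    "bob": {"app_account": None},
    "carol": {"app_account": "carol-ram"},   # not created on the app side yet
}

# Constructed: accounts that exist on the application side.
APP_ACCOUNTS = {"alice-ram", "bob"}


def name_id_for(idaas_username):
    """Username IDaaS places in the assertion: the configured application
    account username if present, otherwise the IDaaS account username."""
    entry = IDAAS_ACCOUNTS[idaas_username]
    return entry["app_account"] or idaas_username


def build_assertion(idaas_username):
    """Minimal, unsigned SAML 2.0 assertion fragment carrying only the
    Subject/NameID, so the SP-side parser below has something to read."""
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID")
    name_id.text = name_id_for(idaas_username)
    return ET.tostring(assertion, encoding="unicode")


def sp_match_account(assertion_xml):
    """Application side: extract the NameID and look it up among the
    application's local accounts. Returns (ok, message)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None or not name_id.text:
        return False, "assertion carries no NameID"
    username = name_id.text
    if username not in APP_ACCOUNTS:
        # This is the failure the text warns about: create the application
        # account before granting access, or log-on cannot complete.
        return False, f"no application account named {username!r}; create it first"
    return True, f"logged on as {username}"


if __name__ == "__main__":
    for user in IDAAS_ACCOUNTS:
        ok, msg = sp_match_account(build_assertion(user))
        print(f"{user:6} -> NameID {name_id_for(user):10} : {'OK ' if ok else 'FAIL'} {msg}")
```

Running the block shows alice and bob logging on (via the configured application account and the IDaaS username respectively) and carol failing because the application account `carol-ram` has not been created, which is the case the paragraph above tells you to handle before granting access.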

For more information, see General description of SSO.

Step 5: Configure the log-on method

  1. In the IDaaS console, click Sign-In.

  2. Enable Delegated Authentication for AD.

  3. (Optional) Set Primary Authentication Method to AD account if you want AD credentials to be the default log-on method for all users.

Step 6: Initiate SSO

Test both SSO flows to confirm the configuration is working.

SP-initiated SSO

Service provider (SP)-initiated SSO starts from the application's own log-on page.

  1. Go to the RAM user log-on page, enter your RAM username, and then click Next.

  2. Click Login with Organization Account.

  3. Log on with your AD credentials:

    • If AD is the default method, enter your AD username and password directly.

    • Otherwise, click the AD icon first.

IdP-initiated SSO

Identity provider (IdP)-initiated SSO starts from the IDaaS user portal.

  1. Go to the IDaaS user portal.

  2. Log on with your AD credentials:

    • If AD is the default method, enter your AD username and password directly.

    • Otherwise, click the AD icon first.

  3. In the IDaaS application portal, click the application icon to log on to the application.

What's next

  • Explore other SSO-enabled application templates in the IDaaS console.

  • Review Features of each edition to understand which templates are included in your plan.