Use the System for Cross-domain Identity Management (SCIM) protocol to automatically synchronize user accounts and groups from Alibaba Cloud IDaaS (Identity as a Service) to CloudSSO. Once configured, any change to a user within the IDaaS synchronization scope is pushed to CloudSSO in real time without manual intervention.
Supported sync operations
IDaaS supports the following provisioning operations when connected to CloudSSO through SCIM:
| Operation | What happens in CloudSSO |
|---|---|
| Create users | When a user falls within the IDaaS synchronization scope, the account is created in CloudSSO. |
| Update user attributes | When a user's attributes change in IDaaS, the changes are pushed to the corresponding CloudSSO account. |
| Push groups | Groups and their members within the IDaaS synchronization scope are synchronized to CloudSSO. |
| Full sync | All accounts within the synchronization scope are pushed to CloudSSO on demand using Push Now. |
Prerequisites
Before you begin, make sure you have:
An Alibaba Cloud account with access to the CloudSSO console
An IDaaS instance in the IDaaS console
Step 1: Enable SCIM synchronization in CloudSSO
Log on to the CloudSSO console using your Alibaba Cloud account.
In the left navigation pane, click Settings.
On the User Settings tab, turn on the switch under SCIM-based User Synchronization Configuration.
Copy and save the SCIM Endpoint. You will enter this value in IDaaS in the next step.

Click Generate New SCIM Credential.
The SCIM credential is displayed only once. Copy and save it before leaving this page; IDaaS presents it to the SCIM endpoint to authenticate every provisioning request. Treat it as a secret that grants write access to your CloudSSO users and groups: keep it in a secrets manager rather than in a ticket, chat message, or script, and if it is lost or exposed, generate a new credential in CloudSSO and update IDaaS.

Step 2: Configure SCIM provisioning in IDaaS
Add the CloudSSO application
Log on to the IDaaS console. In the left navigation pane, click EIAM. In the instance list, find the target instance and click Console in the Actions column.
In the left navigation pane of the instance console, choose Application Management > Applications. Click Add Application to open the Marketplace.
Select Alibaba Cloud - CloudSSO and click Add Application.

In the Add Application panel, enter an Application Name and click Add. You are redirected to the application details page.
Configure the provisioning scope
On the application details page, click the Provisioning tab. Go to Configure Provisioning Scope > Configuration. Select the Organization and Group to synchronize, then click Save.

Turn on the Provision IDaaS Accounts to Application switch. In the confirmation dialog box, click Enable.

Connect to the SCIM endpoint
In the Basic Configurations section, enter the values you saved from Step 1:
SCIM Server URL: The SCIM Endpoint copied from the CloudSSO console.
Bearer Token Key Mode: The SCIM credential generated in the CloudSSO console. IDaaS sends this value as the Bearer token in the Authorization header of each SCIM request, so it must be copied exactly.

Configure the remaining provisioning settings:
Operation: The change events IDaaS subscribes to (user creation, attribute updates, group pushes). When a subscribed change occurs for a user within the synchronization scope, IDaaS pushes it to CloudSSO in real time.
Full Scope: Defines the data scope for a Push Now operation. Specify at least one item before using Push Now.
Field Mapping: Displays the field mapping relationships for SCIM-based synchronization. Edit the mappings as needed.
Click Save at the bottom of the page, then click Test Connectivity to verify the connection. If the test succeeds, the configuration is complete.
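When Test Connectivity fails it is useful to find out whether the endpoint or the credential is at fault without going through the IDaaS UI. The following is an added example, not code from this page or from Alibaba Cloud: it assumes the CloudSSO SCIM endpoint behaves as an RFC 7644 service provider (so that GET /ServiceProviderConfig is a read-only probe) and that the credential is presented as a Bearer token, which is what the IDaaS field name indicates; the SCIM_ENDPOINT and SCIM_CREDENTIAL environment variable names are chosen for the example.

```python
"""Probe a SCIM 2.0 endpoint with a Bearer credential, outside IDaaS."""
import json
import os
import urllib.error
import urllib.request

# Assumption: the CloudSSO SCIM endpoint follows RFC 7644, so GET /ServiceProviderConfig
# is a read-only probe that needs no request body and changes nothing.
PROBE_PATH = "/ServiceProviderConfig"
SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"


def build_probe_request(scim_endpoint, scim_credential):
    """Build the request IDaaS would send: the credential as a Bearer token."""
    url = scim_endpoint.rstrip("/") + PROBE_PATH
    return urllib.request.Request(
        url,
        headers={
            # strip() removes whitespace picked up when the one-time credential was copied
            "Authorization": "Bearer " + scim_credential.strip(),
            "Accept": "application/scim+json",
        },
        method="GET",
    )


def classify_status(status):
    """Map the probe's HTTP status to the configuration value to re-check."""
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "credential rejected: generate a new SCIM credential in CloudSSO and update Bearer Token Key Mode"
    if status == 404:
        return "endpoint not found: re-check the SCIM Endpoint copied from CloudSSO"
    return "unexpected HTTP %d" % status


def _urllib_opener(req):
    """Real transport: returns (status, body) and does not raise on HTTP error codes."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_connectivity(scim_endpoint, scim_credential, opener=_urllib_opener):
    """Run the probe; `opener` is injectable so the logic can be exercised offline."""
    status, body = opener(build_probe_request(scim_endpoint, scim_credential))
    verdict = classify_status(status)
    if verdict != "ok":
        return verdict
    # A 200 from the wrong URL (a login page, a proxy) must not pass as success:
    # insist on a SCIM ServiceProviderConfig document.
    try:
        doc = json.loads(body)
    except ValueError:
        return "200 but body is not JSON: SCIM Server URL probably points at the wrong service"
    if SPC_SCHEMA not in doc.get("schemas", []):
        return "200 but not a ServiceProviderConfig: SCIM Server URL probably wrong"
    return "ok"


if __name__ == "__main__":
    # Keep the credential out of scripts and tickets; read it from the environment.
    # SCIM_ENDPOINT / SCIM_CREDENTIAL are variable names chosen for this example.
    print(probe_connectivity(os.environ["SCIM_ENDPOINT"], os.environ["SCIM_CREDENTIAL"]))
```

A 401 or 403 points at the credential, a 404 at the URL, and a 200 that does not carry a ServiceProviderConfig document usually means the URL resolves to something other than the SCIM service.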
Step 3: Sync accounts to CloudSSO
Click Push Now to synchronize all accounts within the scope to CloudSSO. A success message is displayed after the push completes.
To review sync results, go to Log > Provisioning > Tasks.
Troubleshooting
The connectivity test fails
Check that the SCIM Server URL and Bearer Token Key Mode values match exactly what the CloudSSO console generated. The SCIM credential is displayed only once. If it was not saved, return to the CloudSSO console, generate a new credential, and update the Bearer Token Key Mode field in IDaaS.
Accounts are not appearing in CloudSSO after Push Now
Verify that the Organization and Group selected in the provisioning scope contain the expected users. Go to Log > Provisioning > Tasks to check for errors in the sync log.
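A way to confirm from the CloudSSO side that the push landed, independent of the IDaaS task log, as an added example that is not part of this page or of Alibaba Cloud's tooling: it assumes the CloudSSO SCIM endpoint serves RFC 7644 /Users with paged ListResponse documents and that the field mapping writes each user's login name into SCIM userName. The listing below is constructed sample data.

```python
"""Reconcile the IDaaS provisioning scope against the users a SCIM endpoint actually holds."""
import json
import urllib.parse
import urllib.request

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def iter_users(fetch_page, page_size=100):
    """Walk every page of /Users. SCIM startIndex is 1-based; stop when the listing is exhausted."""
    start = 1
    while True:
        page = fetch_page(start, page_size)
        if LIST_SCHEMA not in page.get("schemas", []):
            raise ValueError("not a SCIM ListResponse")
        resources = page.get("Resources", [])
        for user in resources:
            yield user
        start += len(resources)
        # Stop on an empty page too, so a server that mis-reports totalResults cannot loop forever.
        if not resources or start > int(page.get("totalResults", 0)):
            break


def reconcile(expected_usernames, fetch_page, page_size=100):
    """Compare the names in scope with the SCIM listing. userName is not case-exact in SCIM."""
    expected = {name.lower() for name in expected_usernames}
    seen, inactive = set(), set()
    for user in iter_users(fetch_page, page_size):
        name = user.get("userName", "").lower()
        seen.add(name)
        if user.get("active") is False:
            inactive.add(name)
    return {
        "missing": expected - seen,         # in scope but never provisioned: check the task log
        "inactive": expected & inactive,    # provisioned, then deactivated: cannot log on
        "unexpected": seen - expected,      # in CloudSSO but outside this scope: created elsewhere
    }


def make_http_fetcher(scim_endpoint, scim_credential):
    """Page fetcher for a live endpoint: GET {endpoint}/Users?startIndex=..&count=.. with the Bearer token."""
    def fetch_page(start_index, count):
        query = urllib.parse.urlencode({"startIndex": start_index, "count": count})
        req = urllib.request.Request(
            scim_endpoint.rstrip("/") + "/Users?" + query,
            headers={"Authorization": "Bearer " + scim_credential.strip(),
                     "Accept": "application/scim+json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch_page


# Constructed sample of a /Users listing: the scope used in __main__ expects alice, bob and carol;
# carol was never created, bob was disabled after the push, and dave exists only in CloudSSO.
SAMPLE_USERS = [
    {"userName": "alice@example.com", "active": True},
    {"userName": "bob@example.com", "active": False},
    {"userName": "dave@example.com", "active": True},
]


def sample_fetch_page(start_index, count):
    """Offline stand-in for the HTTP fetcher; slices SAMPLE_USERS into SCIM pages."""
    page = SAMPLE_USERS[start_index - 1:start_index - 1 + count]
    return {
        "schemas": [LIST_SCHEMA],
        "totalResults": len(SAMPLE_USERS),
        "startIndex": start_index,
        "itemsPerPage": len(page),
        "Resources": page,
    }


if __name__ == "__main__":
    scope = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print(reconcile(scope, sample_fetch_page, page_size=2))
```

For a live check, build the scope list from the users in the Organization and Group you selected and pass `make_http_fetcher(endpoint, credential)` in place of `sample_fetch_page`; a small page size forces the pagination path so a listing larger than one page is still walked completely.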
Push Now is not available
At least one item must be configured under Full Scope before Push Now can be used.
What's next
After user accounts are synchronized to CloudSSO, assign them to accounts and permission sets in the CloudSSO console to grant access to Alibaba Cloud resources.