Use the System for Cross-domain Identity Management (SCIM) protocol to automatically sync user accounts from Alibaba Cloud Identity as a Service (IDaaS) to Resource Access Management (RAM). When employees join, change roles, or leave your organization, SCIM keeps their RAM accounts in sync without manual updates—reducing errors and ensuring access is revoked promptly.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account or RAM user with permission to create OAuth applications
An Alibaba Cloud account or RAM user with permission to grant authorization to server applications (you can only grant authorization to server applications that belong to your account)
Step 1: Create and authorize an OAuth application in the RAM console
Log on to the RAM console.
In the left-side navigation pane, choose OAuth Preview > Enterprise Applications > Create Application.
Enter the Application Name and Display Name. For Application Type, select Server Application.
In the OAuth Scope section, select /acs/scim, and then click Create Application. Select only this scope: SCIM provisioning needs nothing else, and a narrower scope limits what the credential can do if it leaks.
Grant authorization to the OAuth application. On the OAuth Scope tab, click Authorize. On the authorization page, select Accesses Cross-Domain Identity Management, and then click Authorize.
On the Application Secret tab, click Create Secret. The system generates a key pair consisting of an AppSecretId and an AppSecretValue.
Click Download Secret to save the key file to a secure location, such as a secrets manager rather than a shared drive or a source repository. After saving the file, click Close.
The AppSecretValue is displayed only when it is created and cannot be retrieved after you close the window. If the value is lost, create a new secret and use that one in Step 2.
Step 2: Configure SCIM synchronization in IDaaS
In the IDaaS instance console, go to Application Management > Applications. Click Add Application to open the Marketplace. Search for and add the Alibaba Cloud User-based SSO (International Site) application template.
On the Provisioning tab, set the Provisioning Scope and click Save.
Enable Provision IDaaS Accounts to Application.
Configure the Basic Configurations:
Client ID: Log on to the RAM console. In the left-side navigation pane, choose Integrations > OAuth Preview. Click the name of the application you created in Step 1, and copy the Application ID from the Basic Information section.
Client Secret: Use the AppSecretValue from the key file you downloaded in Step 1.
Operation: Subscribe to the change events you want to sync in real time: user creation, updates, and deletions. When a subscribed event occurs in IDaaS, the system automatically pushes the change to RAM. Include deletion events; otherwise a departed employee's RAM account is not removed in real time.
Full Push Scope: Select this option to push all data within the provisioning scope to RAM in a single one-click push operation.
Configure Field Mapping to customize SCIM attribute mapping and matching rules. Note the following limitation:
Limitation: Unsupported attributes
Details: Mapping of the user mobile and email attributes is not supported.
After adjusting the field mapping, click Save.
Click Save to apply all configurations, and then click Test Connectivity to verify that IDaaS can reach RAM with the configured Client ID and Client Secret.
Step 3: Sync accounts to RAM
Click Push Now. The accounts within the synchronization scope are synced to RAM.
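To make concrete what the event subscription and the full push in Step 2 and Step 3 actually do on the wire, the following Python is an added example written for this page; it is not IDaaS or RAM code. It builds SCIM 2.0 User resources from IDaaS records through a field mapping that deliberately omits email and mobile (the limitation noted above), diffs the provisioning scope against an in-memory stand-in for the RAM SCIM endpoint, and emits the create, update and delete operations a one-click push would send. The IDaaS records, the event type names, and matching users on externalId are all constructed assumptions; the real connector reaches RAM over HTTPS with the OAuth credentials from Step 1.

```python
"""Added example: a minimal SCIM 2.0 'full push' reconciler.

Illustrative code, not Alibaba Cloud's IDaaS or RAM implementation. The IDaaS
records, the event names, the externalId matching rule and the in-memory
target are constructed assumptions standing in for the real RAM SCIM endpoint.
"""
import copy

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Field mapping: IDaaS attribute -> SCIM User attribute. email and mobile are
# deliberately absent, matching the page's note that mapping of user mobile
# and email attributes is not supported.
FIELD_MAPPING = {"username": "userName", "display": "displayName", "active": "active"}

# Constructed IDaaS records currently inside the provisioning scope:
# alice unchanged, bob renamed after a role change, dave a new joiner.
IDAAS_SCOPE = [
    {"uid": "u-1001", "username": "alice", "display": "Alice Chen",
     "email": "alice@example.com", "mobile": "+86-130-0000-0001", "active": True},
    {"uid": "u-1002", "username": "bob", "display": "Bob Li (Platform)",
     "email": "bob@example.com", "active": True},
    {"uid": "u-1004", "username": "dave", "display": "Dave Wu",
     "email": "dave@example.com", "active": True},
]


def to_scim_user(record, mapping=FIELD_MAPPING):
    """Build the SCIM User resource for one IDaaS record via the field mapping."""
    user = {"schemas": [SCIM_USER_SCHEMA], "externalId": record["uid"]}
    for src, dst in mapping.items():
        if src in record:
            user[dst] = record[src]
    return user


class InMemoryScimTarget:
    """Stand-in for the RAM side; users are matched on externalId (assumed rule)."""

    def __init__(self, users=()):
        self.users = {u["externalId"]: copy.deepcopy(u) for u in users}
        self.log = []  # (HTTP method, externalId) in send order

    def create(self, user):
        self.users[user["externalId"]] = copy.deepcopy(user)
        self.log.append(("POST", user["externalId"]))

    def replace(self, user):
        self.users[user["externalId"]] = copy.deepcopy(user)
        self.log.append(("PUT", user["externalId"]))

    def delete(self, ext_id):
        self.users.pop(ext_id, None)
        self.log.append(("DELETE", ext_id))


def plan_full_push(scope, target, mapping=FIELD_MAPPING):
    """Diff the provisioning scope against the target and return ordered operations."""
    desired = {r["uid"]: to_scim_user(r, mapping) for r in scope}
    ops = []
    for ext_id, user in desired.items():
        if ext_id not in target.users:
            ops.append(("create", user))
        elif target.users[ext_id] != user:
            ops.append(("update", user))
    # Anything on the target that is no longer in scope is a leaver: revoke it.
    for ext_id in target.users:
        if ext_id not in desired:
            ops.append(("delete", ext_id))
    return ops


def apply_ops(ops, target):
    """Send the planned operations to the target in order."""
    handlers = {"create": target.create, "update": target.replace, "delete": target.delete}
    for kind, arg in ops:
        handlers[kind](arg)
    return target


def push_event(event, target, mapping=FIELD_MAPPING):
    """Real-time path: one subscribed IDaaS change event, pushed as it happens."""
    if event["type"] == "user.deleted":          # event names are assumptions
        target.delete(event["uid"])
        return target
    user = to_scim_user(event["record"], mapping)
    (target.replace if user["externalId"] in target.users else target.create)(user)
    return target


def demo_target():
    """Constructed RAM-side state before the push: bob is stale, carol has left."""
    return InMemoryScimTarget([
        to_scim_user({"uid": "u-1001", "username": "alice", "display": "Alice Chen", "active": True}),
        to_scim_user({"uid": "u-1002", "username": "bob", "display": "Bob Li", "active": True}),
        to_scim_user({"uid": "u-1003", "username": "carol", "display": "Carol Zhang", "active": True}),
    ])


if __name__ == "__main__":
    target = demo_target()
    apply_ops(plan_full_push(IDAAS_SCOPE, target), target)
    print(target.log)  # [('PUT', 'u-1002'), ('POST', 'u-1004'), ('DELETE', 'u-1003')]
```

The full push is idempotent: running plan_full_push again against the updated target yields no operations, which is why re-pushing after a scope change is safe. The delete branch is the one that revokes a leaver's access, so a pushed deletion that fails on the RAM side (see the troubleshooting entry under What's next) deserves the same attention as a failed create.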

What's next
After your accounts are synced, you can:
Adjust the Provisioning Scope in IDaaS to control which users are included in future syncs
Use the one-click push feature to re-sync all accounts whenever you update the provisioning scope
Troubleshooting: If a RAM account cannot be deleted during synchronization, see What do I do if deleting a RAM account fails during IDaaS synchronization?