This topic explains how to configure Alibaba Cloud user SSO in IDaaS, allowing your users to access Alibaba Cloud as RAM users.
Procedure
Step 1: Create an application in IDaaS
- Log on to the IDaaS console.
- Select an IDaaS instance and click Manage in the Actions column.
- In the left-side navigation pane, choose . Search for the Alibaba Cloud user SSO application template and click Add Application.
- Confirm the application name and click Add.
  In the Protocol section, select SAML 2.0.
Step 2: Configure SSO and account synchronization
After you add the application, IDaaS automatically redirects you to the Alibaba Cloud User-Based SSO configuration page. You can use either smart configuration or manual configuration to set up SSO and account synchronization.
Smart configuration
Click Smart Config for a guided setup. If you are familiar with the process, you can click Close Quick Guide to hide the guide. You can reopen it later by clicking Open Quick Start Guide.
- Select Enable Feature: In the Enable Feature section, select a scenario. The default is Enable SSO Only. You can also select Enable SSO and Account Sync. Different scenarios require different dependency checks.
- Enable SR Authorization: After you select a scenario, you need to enable SR authorization. If the status is Unauthorized, click Grant Authorization. After the authorization is complete, click Refresh on the right to update the authorization status shown on the page.
- Perform a Dependency Check: After you grant the authorization, the system automatically performs a dependency check based on the selected scenario and displays the check items and results. If a check has a status of Not Passed, fix the issue based on the failure reason. The Start Configuration button is enabled only after all checks pass.
- Smart configuration supports only the current Alibaba Cloud account.
- Dependency checks are critical to ensure that SSO functions correctly. If any check fails, follow the prompts to fix the issue.
Important: After you enable RAM SSO, RAM users immediately switch to IDaaS for authentication, and their previous logon method no longer works. Ensure that the necessary RAM user accounts exist in IDaaS and that you complete the authorization promptly after you configure SSO. Otherwise, users may be unable to access the Alibaba Cloud console.
Manual configuration
- Select the Sign-In tab to go to the SSO configuration page.
  In the SSO configuration section, turn on the SSO toggle, enter the Alibaba Cloud account ID (the 16-digit ID of the target Alibaba Cloud account), set Application Username to IDaaS Username (this value identifies the user to the service provider (SP) during SSO), and set Authorization Scope to Manual Authorization (you then assign permissions on the Application Authorization tab).
  Important: After you convert to the standard SSO template, you can no longer use the smart configuration feature.
- Enter your Alibaba Cloud account ID. To find your ID, click your profile picture in the upper-right corner of the console and go to the . Select an application account name attribute. During SSO, this field is used as the primary key that maps the IDaaS user to a RAM user in Alibaba Cloud. For testing purposes, we recommend setting the authorization scope to allow access for all users and skipping the permission assignment step.
- In the Application Settings section, download the IdP (identity provider) metadata and save the file to your computer. This file establishes the trust relationship between Alibaba Cloud and IDaaS.
- If your IDaaS username matches the RAM username prefix, set Application User to IDaaS Username.
  If your IDaaS username does not match the RAM username prefix, set Application User to Application User. On the Application User page, bind the accounts by selecting the IDaaS account for SSO and entering the corresponding RAM username prefix.
  Click Add Application User. In the dialog box that appears, select the corresponding IDaaS account from the Search by Account Name dropdown list and then click Save to bind the account.
- Log on to the RAM console. In the left-side navigation pane, click SSO. On the User-based SSO tab, click Enable to turn on the SSO feature and upload the IdP metadata that you downloaded from IDaaS in step 3 of this section. You do not need to enable the auxiliary domain.
Important: After you enable RAM SSO, RAM users immediately switch to IDaaS for authentication, and their previous logon method no longer works. Ensure that the necessary RAM user accounts exist in IDaaS and that you complete the authorization promptly after you configure SSO. Otherwise, users may be unable to access the Alibaba Cloud console.
Step 3 (Optional): Configure RAM user permissions
If you have existing RAM users or want to synchronize accounts from IDaaS to Alibaba Cloud (for details, see Account synchronization - Event callback), you must assign permissions to these users. This gives them the required access to Alibaba Cloud resources. If you only want to test the SSO capability, you can skip this step.
In the Actions column for the target user, click Add Permissions.
Step 4: Test SSO
- Initiate an SSO logon from either IDaaS (IdP-initiated) or Alibaba Cloud (SP-initiated):
  - IdP-initiated: Log on to the IDaaS portal with an authorized account and click the Alibaba Cloud user SSO application icon to initiate SSO.
  - SP-initiated: In a private browser window, open the Alibaba Cloud logon page and click Logon As RAM User. You may need to enter an account alias and click Next. On the logon page, on the RAM username/password logon tab, locate the Username field, enter the RAM username in the format <username>@<default_domain> or <username>@<account_alias> (for example, username@company.onaliyun.com or username@company-alias), and then click Next.
- A prompt page appears. Click Logon With Enterprise Account or copy the logon link. If you are already logged on to the IDaaS portal, you are automatically logged on to Alibaba Cloud. Otherwise, you are redirected to the IDaaS logon page. After you log on to IDaaS, you are automatically logged on to Alibaba Cloud.
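The mapping rule from the manual configuration (IDaaS username equals the RAM username prefix, otherwise an Application User binding) and the logon name format from the SP-initiated test can be combined into a pre-flight check that finds RAM users who would be locked out once RAM SSO is enabled. The script below is an added Python example, not IDaaS or Alibaba Cloud code; the user lists and bindings are constructed samples, and the assumption that the default domain ends in .onaliyun.com is taken from the example logon name on this page.

```python
DEFAULT_DOMAIN_SUFFIX = ".onaliyun.com"  # assumed from the page's example logon name


def parse_ram_logon_name(logon_name):
    """Split a RAM logon name into (username_prefix, domain, kind).

    kind is "default_domain" for <username>@<default_domain> and
    "account_alias" for <username>@<account_alias>.
    """
    if logon_name.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {logon_name!r}")
    prefix, domain = logon_name.split("@")
    if not prefix or not domain:
        raise ValueError(f"empty username prefix or domain in {logon_name!r}")
    kind = "default_domain" if domain.endswith(DEFAULT_DOMAIN_SUFFIX) else "account_alias"
    return prefix, domain, kind


def plan_user_mapping(idaas_usernames, ram_logon_names, bindings=None):
    """Pre-flight check before RAM SSO is enabled (constructed logic, not an IDaaS API).

    "matched": RAM prefix equals an IDaaS username, so IDaaS Username mode covers it.
    "bound": covered only by an Application User binding (RAM prefix -> IDaaS account).
    "unmapped": covered by neither; these users lose console access once RAM SSO
    is on, because their previous logon method stops working.
    """
    idaas = set(idaas_usernames)
    bindings = bindings or {}
    report = {"matched": [], "bound": [], "unmapped": []}
    for logon_name in ram_logon_names:
        prefix, _, _ = parse_ram_logon_name(logon_name)
        if prefix in idaas:
            report["matched"].append(prefix)
        elif bindings.get(prefix) in idaas:
            report["bound"].append(prefix)
        else:
            report["unmapped"].append(prefix)
    # The page's rule: matching prefixes -> IDaaS Username; otherwise Application User.
    report["application_user_setting"] = (
        "IDaaS Username" if not (report["bound"] or report["unmapped"]) else "Application User")
    return report


# Constructed sample inventory for a dry run.
SAMPLE_IDAAS_USERS = ["alice", "bob", "carol"]
SAMPLE_RAM_USERS = ["alice@company.onaliyun.com", "bob@company-alias",
                    "dave@company.onaliyun.com", "erin@company-alias"]
SAMPLE_BINDINGS = {"dave": "carol"}  # dave's RAM account is bound to IDaaS user carol

if __name__ == "__main__":
    print(plan_user_mapping(SAMPLE_IDAAS_USERS, SAMPLE_RAM_USERS, SAMPLE_BINDINGS))
```

Resolve every entry in "unmapped" (create the IDaaS account or add the binding) before you click Enable on the RAM User-based SSO tab.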