Identity as a Service: Alibaba Cloud user SSO

Last Updated: Dec 02, 2025

This topic describes how to configure user single sign-on (SSO) for Alibaba Cloud in IDaaS. User-based SSO allows your enterprise members to access Alibaba Cloud as Resource Access Management (RAM) users.

Procedure

1. Create an application in IDaaS

  1. Log on to the IDaaS console.

  2. Select an IDaaS instance and click Manage in the Operations column.

  3. Go to Application Management > Applications > Add Application > Marketplace, search for the Alibaba Cloud User-based SSO (International Site) application template, and click Add Application.

  4. Confirm the Application Name and click Add.

2. Configure application SSO in IDaaS

  1. After you add the application, you are automatically redirected to the application's SSO configuration page.

  2. Enter your Alibaba Cloud account ID. You can find this ID by clicking your profile picture in the upper-right corner on the Alibaba Cloud Management Console > Account Center page. Select an application account name property. When a user initiates SSO, this field serves as the primary key to map the user to the corresponding RAM user in Alibaba Cloud for logon. For testing purposes, set the authorization scope to all members and skip the step of assigning permissions to the IDaaS account.

  3. In the Application Settings section, download the IdP metadata and save it to your computer. This file is used to establish a trust relationship between Alibaba Cloud and IDaaS.

  4. If your IDaaS account name is the same as the RAM user prefix, set Application Username to IDaaS Username.

    If your IDaaS account name is different from the RAM user prefix, set Application Username to Application Username. On the Application User interface, map the accounts by selecting the IDaaS account for SSO and entering the corresponding RAM user prefix.

3. Configure user-based SSO in RAM

  1. Log on to the RAM console.

  2. In the navigation pane on the left, click SSO.

  3. On the User-based SSO tab, view the current SSO logon settings.

  4. Turn the SSO Status On. Upload the IdP metadata that you downloaded from IDaaS in Step 2. You do not need to enable the auxiliary domain name.
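Before uploading the IdP metadata from Step 2 to RAM, it is worth confirming that the file really is IdP metadata and that it carries a signing certificate and an HTTPS single sign-on endpoint, since these are exactly what RAM will trust. The script below is an added example, not code from this topic or from IDaaS; the metadata it parses is a constructed stand-in with placeholder URLs and a placeholder certificate body.

```python
"""Sanity-check the IdP metadata downloaded from IDaaS before uploading it to RAM.
Added example, not code from the Alibaba Cloud documentation; stdlib only."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the entityID and URLs are placeholders and the
# certificate body is a stand-in, not a real public key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idaas.example.invalid/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idaas.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text):
    """Return the fields RAM will trust plus a list of problems (empty if the file looks sane)."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not entity_id:
        problems.append("missing md:EntityDescriptor or entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata or a non-SAML file; the checks below will also fail
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
        idp = ET.Element("missing")
    # A KeyDescriptor with use="signing", or with no use attribute, carries the signing cert.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS) if (c.text or "").strip()]
    if not certs:
        problems.append("no signing certificate: RAM could not verify SAML assertions")
    sso_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                    if s.get("Binding") == HTTP_POST), None)
    if sso_url is None:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    elif not sso_url.startswith("https://"):
        problems.append("SSO endpoint is not HTTPS: " + sso_url)
    return {"entity_id": entity_id, "sso_url": sso_url,
            "signing_certs": len(certs), "problems": problems}
```

Run it against the real file by reading it into `inspect_idp_metadata`; an empty `problems` list means the entityID, signing certificate and HTTPS endpoint are present.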

4. Configure RAM user permissions (Optional)

If you have existing RAM users, or you want to sync accounts from IDaaS to Alibaba Cloud (for more information about account synchronization, see Account synchronization - Event callback), go to the Users section in the navigation pane on the left and assign the required permissions. This step ensures that users have the permissions they need to access Alibaba Cloud resources. If you only want to test the SSO feature, you can skip this step.

5. Try SSO

  1. Initiate user-based SSO from either IDaaS or Alibaba Cloud.

    • From IDaaS (IdP-initiated): Log on to the IDaaS application portal using an account that has permissions for the Alibaba Cloud user SSO application. Click the application icon to initiate SSO to Alibaba Cloud.

    • From Alibaba Cloud (SP-initiated): In a private browser window, open the Alibaba Cloud logon page. Click Logon As RAM User, enter the RAM username, and click Next.

  2. A prompt appears. Click Logon With Enterprise Account or copy the logon link. If you are already logged on to the IDaaS application portal, you are logged on to Alibaba Cloud directly. If not, you are redirected to the IDaaS logon page. After you log on to IDaaS, you are automatically logged on to Alibaba Cloud.