Identity as a Service: Alibaba Cloud CloudSSO

Last Updated: Dec 02, 2025

This topic describes how to configure single sign-on (SSO) for Alibaba Cloud CloudSSO in Alibaba Cloud IDaaS.

To simplify the configuration, IDaaS provides a pre-integrated application template for Alibaba Cloud CloudSSO. You can create an Alibaba Cloud CloudSSO application in IDaaS and upload the metadata configuration file from IDaaS to Alibaba Cloud CloudSSO to complete the setup.

Application overview

CloudSSO provides unified identity management and access control for multiple accounts based on Alibaba Cloud Resource Directory (RD). With CloudSSO, you can centrally manage your enterprise's Alibaba Cloud users, configure SSO between your corporate identity system and Alibaba Cloud, and set user access permissions for accounts in your RD.

Procedure

1. Create an application

  1. Log on to the Alibaba Cloud IDaaS console.

  2. Select an IDaaS instance and click Manage in the Actions section.

  3. In the navigation pane on the left, choose Application Management > Applications. On the Applications page, click Add Application. In the application marketplace, search for the Alibaba Cloud - CloudSSO application template. Click Add Application.

  4. Confirm the application name and click Add Now.

2. Configure application SSO

  1. After you add the application, you are automatically redirected to the SSO page.

For ease of testing, temporarily set Authorize to All Users.

  • CloudSSO ACS URL: Obtain the ACS URL from the SSO logon configuration in CloudSSO. For more information, see Configure user-based SSO in CloudSSO.

  • CloudSSO Entity ID: Obtain the EntityId from the SSO logon configuration in CloudSSO. For more information, see Configure user-based SSO in CloudSSO.

Note
  • Application Username: By default, the IDaaS account name is used as the logon identity for the application. For SSO to work, the username in the application must match the IDaaS account name. To configure a flexible account mapping, see Configure Application User for SAML.

  • Authorize: To specify which IDaaS accounts can access the application, see Authorization.

  2. In the Application Settings section, click Download to save the Security Assertion Markup Language (SAML) metadata configuration file to your computer. You will upload this file to Alibaba Cloud CloudSSO in the next step.

3. Configure user-based SSO in CloudSSO

  1. Log on to the CloudSSO console.

  2. In the navigation pane on the left, choose Settings > SSO Logon.

  3. Click Configure IdP.

  4. After you upload the configuration file, the identity provider information is automatically populated. Click Enable SSO Logon.

  5. Copy the values of ACS URL and EntityId, and paste them into the SSO Configuration page from Step 2.

  6. Click Save. The SSO configuration is now complete.

4. Test the SSO logon

  1. Access the Logon URL from your CloudSSO configuration.

  2. Because the IDaaS identity source is enabled, you are redirected to the IDaaS logon page. On this page, you can complete the logon process using the authentication methods and identity security capabilities that IDaaS provides.

  3. After the logon is successful, you can use the service.