
Identity as a Service: Alibaba Cloud SSO

Last Updated: Jun 21, 2026

This topic shows how to configure single sign-on (SSO) for Alibaba Cloud SSO in Alibaba Cloud IDaaS.

Overview

With Cloud SSO, you can manage user access to Alibaba Cloud, configure single sign-on from your corporate identity system, and control permissions for accounts in your Resource Directory.

Procedure

Step 1: Create an application

  1. Log on to the Alibaba Cloud IDaaS console.

  2. Select an IDaaS instance and, in the Actions column, click Console.

  3. In the left navigation bar, select Applications > Applications. On the Applications page, click Add Application. In the application marketplace, search for the Alibaba Cloud - Cloud SSO application template and click Add Application.

  4. Confirm the application name and click Add.

    For Protocol, select SAML 2.0.

Step 2: Configure single sign-on

After you add the application, the system automatically redirects you to the Alibaba Cloud Cloud SSO configuration page. You can use either smart configuration or manual configuration to set up single sign-on and account synchronization.

Smart configuration

On the application's page, click Smart Config to quickly complete the following settings. If you are already familiar with the quick guide, you can click Close Quick Guide on the right to hide it. You can click Open Quick Start Guide to show it again.

  1. Select Enable Feature

    In the Enable Feature section, select a scenario. By default, Enable SSO Only is selected. You can also select Enable SSO and Account Sync. Different scenarios trigger different dependency checks.

  2. Enable SR Authorization

    After you select a scenario, enable SR Authorization. If the status is Unauthorized, click Grant Authorization. After the authorization is complete, click Refresh on the right to update the authorization status shown on the page.

  3. Perform Dependency Check

    After you enable authorization, the system automatically performs a dependency check based on the selected scenario and displays the check items and results. If the status is Not Passed, you must complete the corresponding Fix based on the failure reason. The Start Configuration button becomes clickable only when all check items pass.

Note
  1. Smart configuration supports only the current main account.

  2. The dependency check is a critical step to ensure that the SSO feature works correctly. If any check item fails, follow the prompts to fix it.

Warning

After you enable single sign-on (SSO) for Cloud SSO, users immediately switch to IDaaS for authentication, and their previous logon method no longer works. Ensure that the required user accounts already exist in IDaaS and that you grant permissions promptly after configuring SSO. Otherwise, users may be unable to access Cloud SSO.

Manual configuration

  1. After you add the application, you are taken to its SSO page. On the Sign-on > Single Sign-On tab, enable the Single Sign-On Configuration toggle and fill in the following fields:

    For testing purposes, temporarily set Authorization Scope to All Users.

    • CloudSSO ACS URL: Enter the ACS URL from the SSO logon settings on the Cloud SSO console.

    • CloudSSO EntityId: Enter the Entity ID from the SSO logon settings on the Cloud SSO console.

    Note
    • Application User: By default, the IDaaS account name is the application logon identifier. To ensure SSO works, the application username must match the IDaaS logon account name. For more flexible configurations, see SAML Application Account Configuration.

    • Authorize: To specify which IDaaS accounts can access the application, see Application Authorization.

    Important

    After you convert to the standard SSO template, you can no longer use the smart configuration feature.

  2. In the Application Settings section, click Download to save the SAML metadata file to your computer. You will upload this file to Alibaba Cloud Cloud SSO in a later step.

  3. Log on to the Cloud SSO console.

  4. In the left-side navigation pane, choose Settings > SSO Logon.

  5. Click Configure Identity Provider. In the Identity Provider (IdP) Information section, click Configure Identity Provider.

  6. Upload the SAML metadata file that you downloaded. After the file is uploaded, the identity provider information is automatically populated. Click Enable SSO Logon Configuration. On the SSO Logon page, enable the SSO logon toggle and click OK in the confirmation dialog box. This action disables password-based logon.

  7. Copy the Cloud SSO ACS URL and Cloud SSO Entity ID values and paste them into the single sign-on configuration page in IDaaS.

    On the same page, set Application Account to IDaaS Account Name and Authorization Scope to All Users.

  8. Click Save. The SSO configuration is now complete.

Step 3: Test the SSO connection

  1. To test the connection, access the logon URL. You can find this URL in the Identity Provider (IdP) Information section on the Cloud SSO Logon Configuration page.

  2. Accessing the logon URL redirects you to the IDaaS logon page, where you can sign in using your configured authentication methods.

  3. After you successfully log on, you are taken to the Cloud SSO user portal. The portal displays a list of cloud accounts that you can access. You can access a target cloud account by clicking either Log on with a RAM role or Log on with a RAM user.