Configuring single sign-on (SSO) with Security Assertion Markup Language 2.0 (SAML 2.0) requires settings at two ends: in IDaaS and in your application. Both sides must exchange the correct parameters before SAML assertions can flow between them.
For the full list of SSO protocols that IDaaS supports, see Standard protocols.
Before you configure
SAML 2.0 supports two SSO flows. Which one your users follow depends on where they start:
Service provider (SP)-initiated SSO — The user opens the application directly. The application sends a SAML request to IDaaS, which authenticates the user and returns a SAML assertion. Use this flow for most external-facing applications where users bookmark the app URL.
Identity provider (IdP)-initiated SSO — The user opens the IDaaS portal first. IDaaS authenticates the user and redirects them to the application with a SAML assertion. Use this flow for enterprise intranets where users access all apps from a central portal.
This distinction affects the SSO Implemented By and IDaaS Sign-In URL parameters in IDaaS. Decide which flow (or both) you need before you start.
Configuration in IDaaS
Import application metadata
Many applications let you export a SAML metadata file from their SSO configuration page. If yours does, upload that file to IDaaS instead of filling in each field manually — IDaaS reads the metadata and pre-populates the form. Review the pre-populated values and save.
IDaaS parameters
Basic settings
These parameters are required for all SAML 2.0 integrations.
| Parameter | Description | Example |
|---|---|---|
| ACS URL | The Assertion Consumer Service (ACS) URL. IDaaS sends its SAML response to this URL after authenticating a user. Get this value from your application's SSO configuration page. | https://signin.example.com/1021*****4813/saml/SSO |
| SP Entity ID | The globally unique identifier of your application in IDaaS, typically a URI. If your application has no specific requirement, set this to the same value as the ACS URL. | https://signin.example.com/1021*****4813/saml/SSO |
| App User | The NameID value sent in the SAML assertion — this maps an IDaaS user to an account in your application. For configuration details, see SAML application account configuration. | IDaaS User Username |
| Authorize | Controls which users can access the application via SSO. For configuration details, see Configure SSO. | All Users |
Advanced settings
These parameters are optional. The defaults work for most applications — change them only when your application requires it.
| Parameter | Description | When to change |
|---|---|---|
| Default RelayState | The URL your application redirects to after a successful IdP-initiated SSO. IDaaS passes this value in the RelayState field of the SAML response. | Set this only if you use IdP-initiated SSO and want to land users on a specific page, such as a dashboard or a second-level menu. Leave blank for SP-initiated SSO. |
| NameIDFormat | The format of the NameID value in the SAML response. | Leave as the default (1.1 Unspecified) unless your application's documentation explicitly requires a different format. |
| Binding | The request method for sending SAML messages. Only Redirect-POST is supported. | Do not change. |
| Sign Assertion | IDaaS signs all SAML assertions. | Cannot be changed. |
| Signing Algorithm | The algorithm IDaaS uses to sign SAML assertions. Only RSA-SHA256 is supported. | Do not change. |
| Attribute Statements | Additional user attributes (such as email or name) included in the SAML response. | Add attribute statements when your application needs extra user attributes beyond the NameID. For details, see SAML Attribute Statements rules. |
| SSO Implemented By | Controls whether SSO can be initiated from the application only, or from both the IDaaS portal and the application. | Set to IDaaS & Application if you want users to sign in from the IDaaS portal (IdP-initiated SSO). Otherwise, keep the default (Application Only). |
| IDaaS Sign-In URL | The URL that IDaaS redirects to when a user opens the application from the portal. A SAML sign-in request is sent to IDaaS automatically. | Configurable only when SSO Implemented By is set to IDaaS & Application. |
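The following is an added example (not part of this page and not IDaaS or application code) showing how an application's SAML endpoint can check a received response against the parameters configured in the two tables above: Destination and Recipient against the ACS URL, Audience against the SP Entity ID, Issuer against the IdP Entity ID, the NameID format, validity windows, and the RSA-SHA256 signature method that IDaaS always uses. The hostnames, the CONFIG values and the sample response are constructed; the function performs field checks only and does not verify the XML signature itself, which must still be done with a SAML library against the IDaaS certificate.

```python
"""Added example (not IDaaS or application code): SP-side field checks of a
SAML response against the configured IDaaS parameters."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
DEFAULT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-ins for the configured values (hypothetical hosts).
CONFIG = {
    "acs_url": "https://signin.example.com/saml/SSO",        # ACS URL
    "sp_entity_id": "https://signin.example.com/saml/SSO",   # SP Entity ID
    "idp_entity_id": "https://idp.example.invalid",          # IdP Entity ID
    "name_id_format": DEFAULT_NAMEID_FORMAT,                 # NameIDFormat
}

# Constructed SAML response. SignatureValue is a placeholder, so this sample
# would fail real signature verification; it only exercises the field checks.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://signin.example.com/saml/SSO">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://signin.example.com/saml/SSO"
          NotOnOrAfter="2099-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://signin.example.com/saml/SSO</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts):
    """Parse a SAML xs:dateTime such as 2024-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_response(xml_text, config, now=None):
    """Return a list of findings; an empty list means every field check passed.
    Field checks only: the XML signature must still be verified by a SAML
    library using the certificate downloaded from IDaaS."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if root.get("Destination") != config["acs_url"]:
        findings.append("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("response carries no Assertion")
        return findings
    # Sign Assertion / Signing Algorithm: IDaaS always signs with RSA-SHA256.
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("assertion is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        findings.append("unexpected signing algorithm %s" % method.get("Algorithm"))
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != config["idp_entity_id"]:
        findings.append("Issuer does not match the IdP Entity ID")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != config["sp_entity_id"]:
        findings.append("Audience does not match the SP Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID (App User) is missing")
    elif name_id.get("Format", DEFAULT_NAMEID_FORMAT) != config["name_id_format"]:
        findings.append("NameIDFormat does not match the configured format")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        findings.append("SubjectConfirmationData Recipient does not match the ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _utc(scd.get("NotOnOrAfter")):
        findings.append("bearer confirmation has expired (NotOnOrAfter)")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if nb and now < _utc(nb):
            findings.append("assertion not yet valid (NotBefore)")
        if noa and now >= _utc(noa):
            findings.append("assertion Conditions have expired (NotOnOrAfter)")
    return findings


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, CONFIG))  # [] for the constructed sample
```

Each finding corresponds to one configured parameter, so a mismatch points directly at the field to correct on either side; Destination and Recipient both have to equal the ACS URL, and Audience has to equal the SP Entity ID, which is why the page recommends using the same value for both when the application has no other requirement.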
Configuration in the application
Import IDaaS metadata
IDaaS provides a downloadable SAML metadata file. If your application accepts metadata import, upload the file or enter the metadata URL — no manual parameter entry needed.
Application parameters
Enter IDaaS information in your application's SSO configuration.
| Parameter | Description | Example |
|---|---|---|
| IdP Entity ID | The identifier of IDaaS in your application. Enter this in your application's SSO configuration to identify IDaaS as the identity provider (IdP). | https://xxxxx.aliyunidaas.com |
| IdP Sign-in URL | The endpoint IDaaS uses for SP-initiated SSO. You may need to enter this URL on the SSO configuration page of your application. | https://xxxxx.aliyunidaas.com.cn/saml/idp/saml1 |
| SLO URL (Not supported) | The single logout (SLO) endpoint. If your application requires SLO, enter this URL in the application's SSO configuration. | — |
| Certificate | The signing certificate IDaaS uses for SAML assertions. Your application uses this certificate to verify that responses were sent by IDaaS. Download the certificate from IDaaS and upload it to your application. | -----BEGIN CERTIFICATE----- MIIDEjCCAfqgAwIBAgIHAYnNmX60izANBgkqhkiG9w0BAQsFADApMRowGAYDVQQD..... |
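Both metadata-import steps on this page (the application metadata you upload to IDaaS, and the IDaaS metadata you upload to the application) amount to reading the parameters in the two tables out of a SAML metadata document. The following added example, which is not IDaaS or application code, does that extraction for both directions and adds the pairing checks a reviewer would make before enabling the integration. The hostnames are hypothetical and the certificate text is a constructed, non-functional stub; everything else follows the standard SAML 2.0 metadata schema.

```python
"""Added example (not IDaaS or application code): read the SSO parameters from
SP and IdP SAML metadata, as a metadata import does, and sanity-check the pair."""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata (hypothetical host), as an application might export it.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://signin.example.com/saml/SSO">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
    WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://signin.example.com/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata (hypothetical host; the certificate is a stub, not a real key).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTEDSTUBCERTIFICATEBASE64AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.invalid/saml/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.invalid/saml/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _binding(uri):
    """'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' -> 'HTTP-Redirect'."""
    return uri.rsplit(":", 1)[-1]


def parse_sp_metadata(xml_text):
    """Values to enter in IDaaS: ACS URL, SP Entity ID and NameIDFormat."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.findall("md:AssertionConsumerService", NS)
    # Prefer the ACS marked isDefault, then the first HTTP-POST one: the
    # Redirect-POST binding IDaaS uses delivers the response by HTTP POST.
    preferred = ([a for a in acs if a.get("isDefault") == "true"]
                 or [a for a in acs if _binding(a.get("Binding")) == "HTTP-POST"] or acs)
    chosen = preferred[0]
    return {
        "sp_entity_id": root.get("entityID"),
        "acs_url": chosen.get("Location"),
        "acs_binding": _binding(chosen.get("Binding")),
        "name_id_format": sp.findtext("md:NameIDFormat", default=None, namespaces=NS),
        "wants_assertions_signed": sp.get("WantAssertionsSigned", "false") == "true",
    }


def parse_idp_metadata(xml_text):
    """Values to enter in the application: IdP Entity ID, sign-in URL(s), SLO URL, certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {_binding(e.get("Binding")): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    slo = idp.find("md:SingleLogoutService", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means any use
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join(c.text.split())            # metadata may wrap the base64
            certs.append("-----BEGIN CERTIFICATE-----\n"
                         + "\n".join(textwrap.wrap(b64, 64))
                         + "\n-----END CERTIFICATE-----\n")
    return {
        "idp_entity_id": root.get("entityID"),
        "sso_urls": sso,
        "slo_url": slo.get("Location") if slo is not None else None,
        "signing_certs": certs,
    }


def review_pairing(sp, idp):
    """Warnings to resolve before enabling SSO between this SP and IdP."""
    warnings = []
    if sp["acs_binding"] != "HTTP-POST":
        warnings.append("ACS binding is not HTTP-POST; IDaaS posts the SAML response")
    if not sp["wants_assertions_signed"]:
        warnings.append("application does not require signed assertions")
    if not idp["signing_certs"]:
        warnings.append("IdP metadata carries no signing certificate to verify responses")
    if idp["slo_url"] is None:
        warnings.append("no SLO endpoint in IdP metadata: single logout is not available")
    return warnings


if __name__ == "__main__":
    sp, idp = parse_sp_metadata(SP_METADATA), parse_idp_metadata(IDP_METADATA)
    print(sp, idp["sso_urls"], review_pairing(sp, idp))
```

The PEM wrapping of the X509Certificate element reproduces the certificate block shown in the table, which is what most applications expect in their certificate upload field; the absence of a SingleLogoutService element in the IdP metadata surfaces as a warning rather than an error, matching the "Not supported" status of the SLO URL above.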