The single sign-on (SSO) process requires interaction between IDaaS and applications, so you must configure it at both ends.
This topic uses the Security Assertion Markup Language 2.0 (SAML 2.0) protocol as an example.
For more information about the SSO protocol supported by IDaaS, see 2. Standard protocols.
Configuration in IDaaS
Upload application configuration file
For some applications, you can download the configuration metadata from the application's SSO configuration page and upload it to IDaaS. Alternatively, some applications expose their metadata through a public API, from which IDaaS can pull the configuration.
IDaaS extracts all the information required to configure SSO from the metadata and pre-populates the configuration form with it. You only need to confirm and save the information.
Parameters in IDaaS
| Category | Parameter | Description | Example |
| --- | --- | --- | --- |
| Basic Configuration (Required) | SSO URL (ACS URL) | The URL to which IDaaS sends its SAML Response after it has verified the identity of the user. | https://signin.example.com/1021*****4813/saml/SSO |
| | Application ID (SP Entity ID) | A globally unique name for the application, usually a URI, obtained from the application. If the application has no special requirements, you can set the value to the SSO URL. | https://signin.example.com/1021*****4813/saml/SSO |
| | Application User | The NameID in the SAML protocol. For more information, see SAML application account configuration. | Select IDaaS Account Name (Username) |
| | Authorization Scope | For more information, see SSO overview. | Select All Users |
| Advanced Configuration (Optional) | Default RelayState | The address to which the user is redirected after an identity provider (IdP)-initiated SSO logon. IDaaS passes the address in the RelayState parameter of the SAML response; after the application reads it, the user is redirected to this address. | The level-2 menu page of the application, such as http://www.example.com/menu/manage |
| | NameID Format | The NameID format declared in the SAML response. Many applications do not specify a NameID format, so you usually do not need to modify this parameter. | Select 1.1 Unspecified |
| | Binding | The request method. Only Redirect - POST is supported, so you do not need to modify this parameter. | Select Redirect - POST |
| | Sign Assertion | IDaaS signs all SAML requests. You cannot modify this value. | - |
| | Signing Algorithm | The asymmetric algorithm used to sign SAML requests. Only RSA-SHA256 is supported, so you do not need to modify this parameter. | Select RSA-SHA256 |
| | Attribute Statements | In a SAML response, the attribute statement returns information about the user as a series of attributes, such as email and name. For more information, see How to enter the values of SAML Attribute Statements. | - |
| | SSO Initiated By | Specifies whether user access requests can be initiated only from the application, or from both the portal and the application. | Application Only |
| | IDaaS Sign-In URL | If SSO Initiated By is set to Portal and Application, you can enter the sign-in URL. When a user opens the application from the portal, the user is redirected to this URL and a SAML logon request is sent to IDaaS automatically. | - |
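The metadata upload described above pre-populates the Basic Configuration fields from the application's SP metadata. The following Python script is an added example of that extraction, not IDaaS code: it parses a constructed SP metadata document (placeholder entityID and URLs), picks the HTTP-POST AssertionConsumerService as the SSO URL because IDaaS only supports the Redirect - POST binding, and rejects metadata that cannot yield a usable configuration (no SPSSODescriptor, no POST endpoint, non-https ACS URL).

```python
"""Derive the IDaaS-side SAML parameters from an uploaded SP metadata file.

Added example; this is not IDaaS code. SP_METADATA is constructed for
illustration and its entityID and URLs are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SP metadata: two ACS endpoints, only one of which uses HTTP-POST.
SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://signin.example.com/123456/saml/SSO">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{UNSPECIFIED}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{ARTIFACT_BINDING}"
        Location="https://signin.example.com/123456/saml/artifact" index="0"/>
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://signin.example.com/123456/saml/SSO" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the values that fill the Basic Configuration fields in IDaaS."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("metadata root is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID is missing")  # SP Entity ID is mandatory
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is IdP metadata, not SP metadata")

    # IDaaS only supports the Redirect - POST binding, so only an HTTP-POST
    # AssertionConsumerService can become the SSO URL (ACS URL).
    post_acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
                if e.get("Binding") == POST_BINDING]
    if not post_acs:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    # Prefer the endpoint the SP marks as default; otherwise take the first one.
    chosen = next((e for e in post_acs if e.get("isDefault") == "true"), post_acs[0])
    sso_url = chosen.get("Location")
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError(f"ACS URL must be an absolute https URL, got {sso_url!r}")

    # NameID Format is optional in metadata; IDaaS defaults to 1.1 Unspecified.
    fmt = sp.findtext("md:NameIDFormat", default=UNSPECIFIED, namespaces=NS)
    return {
        "sso_url": sso_url,
        "sp_entity_id": entity_id,
        "name_id_format": fmt.strip(),
        "binding": "Redirect - POST",
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SP_METADATA).items():
        print(f"{key}: {value}")
```

The script keeps the parsing strict on purpose: an IdP metadata file uploaded by mistake, or an SP that only offers an Artifact endpoint, is rejected with a specific error rather than silently producing an empty SSO URL.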
Configuration in applications
Upload the IDaaS configuration file
To facilitate application configuration, IDaaS allows you to download its configuration metadata.
Some applications accept metadata when you configure SSO on them. In that case you can upload the downloaded IDaaS configuration file, or enter the metadata address, in the application, and you do not need to enter the parameters below manually.
Parameters on applications
IDaaS information must be configured in the application.
On the SSO page, IDaaS displays the information that may be used by the applications to facilitate configuration. The following table describes the parameters.
| Parameter | Description | Example |
| --- | --- | --- |
| IdP Entity ID | The ID of IDaaS as seen by the application. You may need to enter this value on the SSO configuration page of the application. | https://xxxxx.aliyunidaas.com |
| IdP Sign-In URL (IDP-init SSO URL) | The SAML protocol supports SP-initiated single sign-on. You may need to enter this address on the configuration page of the application. | https://xxxxx.aliyunidaas.com.cn/saml/idp/saml1 |
| SLO URL | The SAML protocol supports single logout (SLO). If you want to use this feature, you must enter the SLO URL on the configuration page of the application. | - |
| Certificate | IDaaS automatically signs the SSO result it sends. The application uses the public key in this certificate to verify the signature and confirm that the result was sent by IDaaS. | -----BEGIN CERTIFICATE----- MIIDEjCCAfqgAwIBAgIHAYnNmX60izANBgkqhkiG9w0BAQsFADApMRowGAYDVQQD..... |
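The table above lists what the application copies from IDaaS; the point of those values is that the application checks every SAML Response against them. The following Python script is an added example of those checks on the application (SP) side and is not IDaaS code or any SAML library's code. The IdP values and the SAML Response are constructed placeholders, and the response is unsigned: a real SP must also verify the XML signature against the IDaaS certificate (for example with xmlsec), which is assumed to happen separately and is not shown. The example also treats the RelayState parameter from the Default RelayState row as untrusted input and only follows it to an allow-listed host.

```python
"""SP-side checks on a SAML Response, using the IdP values copied from IDaaS.

Added example; not IDaaS or any SAML library's code. IDP_CONFIG and
SAML_RESPONSE are constructed placeholders. Signature verification against the
IDaaS certificate is assumed to be done separately (e.g. xmlsec) and is omitted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholders standing in for the values shown on the IDaaS SSO page.
IDP_CONFIG = {
    "idp_entity_id": "https://example-tenant.aliyunidaas.com",
    "sp_entity_id": "https://signin.example.com/123456/saml/SSO",
    "acs_url": "https://signin.example.com/123456/saml/SSO",
}
# Hosts a RelayState may redirect to; anything else falls back to the default page.
RELAYSTATE_HOSTS = {"www.example.com"}

# Constructed, unsigned response (valid from 00:00 to 00:05 on 2024-01-01 UTC).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://signin.example.com/123456/saml/SSO">
  <saml:Issuer>https://example-tenant.aliyunidaas.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://example-tenant.aliyunidaas.com</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://signin.example.com/123456/saml/SSO</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, cfg: dict, now: datetime) -> dict:
    """Return {'ok', 'errors', 'name_id', 'attributes'}; ok is True only with no errors."""
    root = ET.fromstring(xml_text)
    errors, empty = [], {"name_id": None, "attributes": {}}
    if root.tag != f"{{{NS['samlp']}}}Response":
        return {"ok": False, "errors": ["root is not samlp:Response"], **empty}
    # Destination must be our ACS URL, so a response meant for another SP is rejected.
    if root.get("Destination") != cfg["acs_url"]:
        errors.append("Destination does not match the ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:
        errors.append("Issuer does not match the IdP Entity ID")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        errors.append(f"expected exactly one Assertion, found {len(assertions)}")
        return {"ok": False, "errors": errors, **empty}
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:
        errors.append("Assertion Issuer does not match the IdP Entity ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Assertion has no Conditions")
    else:
        # Audience must be our SP Entity ID and the validity window must contain now.
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if cfg["sp_entity_id"] not in audiences:
            errors.append("Audience does not match the SP Entity ID")
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _utc(nb):
            errors.append("assertion is not yet valid")
        if not noa or now >= _utc(noa):
            errors.append("assertion has expired or has no NotOnOrAfter")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        errors.append("Subject has no NameID")
    attributes = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
                  for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"ok": not errors, "errors": errors, "name_id": name_id, "attributes": attributes}


def relay_state_target(relay_state: Optional[str], default: str = "/") -> str:
    """Follow RelayState only to an allow-listed host; it arrives with the POST and is untrusted."""
    if not relay_state:
        return default
    u = urlparse(relay_state)
    if u.scheme in ("http", "https") and u.hostname in RELAYSTATE_HOSTS:
        return relay_state
    return default


if __name__ == "__main__":
    result = validate_response(SAML_RESPONSE, IDP_CONFIG, datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc))
    print(result["ok"], result["errors"], result["name_id"], result["attributes"])
    print(relay_state_target("http://www.example.com/menu/manage"))
```

The checks mirror the table rows: IdP Entity ID is compared with both Issuer elements, the SSO URL from the first table with Destination, and the SP Entity ID with the Audience. Collecting all errors instead of stopping at the first makes misconfiguration between the two sides easier to diagnose from a single log line.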