This topic describes how to implement single sign-on (SSO) for multiple accounts through Okta and Alibaba Cloud CloudSSO to simplify identity management and access control for enterprise users. By integrating resource directories and CloudSSO, an enterprise can centrally manage access permissions of Alibaba Cloud users, effectively improving security and management efficiency. This is suitable for role-based Platform for AI (PAI) O&M and development.
Concepts
Alibaba Cloud Resource Directory
Resource Directory is a service that can be used to manage the relationships among a number of accounts and resources.
Members of an Alibaba Cloud resource directory
Each member in a resource directory is an Alibaba Cloud account, usually representing a department of an enterprise. Each member can create multiple CloudSSO users and RAM users to represent employees in the department.
Alibaba Cloud CloudSSO
CloudSSO is integrated with Alibaba Cloud Resource Directory to provide unified multi-account identity management and access control. You can use CloudSSO to manage enterprise users who need to access Alibaba Cloud resources and assign access permissions on the accounts in a resource directory to the users in a centralized manner. You can also configure settings only once to implement single sign-on (SSO) access to Alibaba Cloud resources from an identity provider (IdP).
PAI O&M account and regular developer account
PAI O&M account: Responsible for O&M work, such as activating PAI, authorizing PAI service accounts, purchasing quotas, creating workspaces, and adding members to workspaces.
Regular developer account: Responsible for algorithm development work, such as submitting training jobs in Deep Learning Containers (DLC) and creating inference services in Elastic Algorithm Service (EAS).
Solution
The following figure shows the solution for implementing single sign-on for multiple accounts through Okta and Alibaba Cloud CloudSSO. This solution simplifies identity management and access control and supports multiple accounts and role-based permission assignment, effectively improving security and management efficiency.

Prerequisites
You have created an Alibaba Cloud account and enabled a resource directory.
You have registered an Okta account that is an Okta administrator account.
1. Configure Okta
Log on to Okta with your Okta administrator account. All subsequent operations are performed with the Okta administrator account.
In the left-side navigation pane, choose Applications > Applications. Then, click Create App Integration to create the Alibaba Cloud CloudSSO app integration.

On the Assignments tab of the Alibaba Cloud CloudSSO page, import your enterprise account as an Okta user.

On the Sign On tab, configure SSO to allow Okta users to log on to Alibaba Cloud through SSO. For more information, see Implement user-based SSO by using Okta.

2. Configure Alibaba Cloud
2.1 Configure Resource Directory
Log on to Alibaba Cloud CloudSSO with your Okta administrator account. Select the resource directory management account and click Log On in the Actions column to log on as the administrator of the Alibaba Cloud resource directory. All subsequent operations are performed with the resource directory management account.

Go to the Resource Directory page and create members for the resource directory.

2.2 Configure CloudSSO
Go to CloudSSO. In the left-side navigation pane, click Access Configuration.
On the Access Configuration page, create a PAI O&M access configuration and a PAI developer access configuration.

The following tables describe the key parameters.
PAI O&M access configuration
① Basic Information
Access Configuration Name: the name of the PAI O&M access configuration. Example: PAIOps.
Relay State: Set this parameter to the URL of the PAI console, https://pai.console.alibabacloud.com/. If you configure this parameter, the resource directory members that are authorized with the RAM role or RAM user are taken to the PAI console after logon.
② System Policy
Use a system policy. Attach the AliyunPAIFullAccess policy.
③ Inline Policy
Add a built-in policy. Enter a policy name and modify the policy as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:CreateRole",
        "ram:AttachPolicy",
        "ram:GetRole"
      ],
      "Resource": [
        "acs:ram:*:*:role/AliyunODPSPAIDefaultRole",
        "acs:ram:*:*:policy/AliyunODPSPAIRolePolicy",
        "acs:ram:*:*:role/AliyunPAIAccessingOSSRole",
        "acs:ram:*:*:policy/AliyunPAIAccessingOSSRolePolicy",
        "acs:ram:*:*:role/AliyunPAIDLCAccessingOSSRole",
        "acs:ram:*:*:policy/AliyunPAIDLCAccessingOSSRolePolicy",
        "acs:ram:*:*:role/AliyunPAIDLCDefaultRole",
        "acs:ram:*:*:policy/AliyunOSSFullAccess",
        "acs:ram:*:*:policy/AliyunPAIDLCDefaultRolePolicy",
        "acs:ram:*:*:policy/PaiDlcOAuthPolicy",
        "acs:ram:*:*:role/AliyunPAIDSWDefaultRole",
        "acs:ram:*:*:policy/AliyunPAIDSWDefaultRolePolicy"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "eas.pai.aliyuncs.com",
            "label.pai.aliyuncs.com",
            "plugin.pai.aliyuncs.com",
            "aiworkspace.pai.aliyuncs.com",
            "automl.pai.aliyuncs.com",
            "pairec.pai.aliyuncs.com",
            "featurestore.pai.aliyuncs.com",
            "aigc.pai.aliyuncs.com",
            "eas-customer-clusters.pai.aliyuncs.com",
            "langstudio.pai.aliyuncs.com",
            "abtest.pai.aliyuncs.com",
            "llmtrace.pai.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
This configuration will be authorized to a PAI O&M account in Step 3.
PAI developer access configuration
① Basic Information
Access Configuration Name: the name of the PAI developer access configuration. Example: PAIDev.
Relay State: Set this parameter to the URL of the PAI console, https://pai.console.alibabacloud.com/. If you configure this parameter, the resource directory members that are authorized with the RAM role or RAM user are taken to the PAI console after logon.
② System Policy
A system policy is not required. PAI-related permissions are granted by using a PAI workspace role in Section 4.1 (Use a PAI O&M account). Therefore, you do not need to configure RAM permissions.
③ Inline Policy
A built-in policy is not required. Click Close.
This configuration will be authorized to the regular PAI developer account in Step 3. Regular PAI developer accounts cannot use other Alibaba Cloud services because this access configuration grants them no RAM permissions.
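The two access configurations above differ only in what RAM permissions they carry: the PAIOps inline policy names specific roles and policies and pins the one Resource "*" statement to a list of service-linked-role service names, while PAIDev carries none. The following script is an added example (not Alibaba Cloud's code or tooling) that transcribes the PAIOps inline policy from the table and runs the least-privilege checks a reviewer would apply before attaching such a policy: no wildcard actions, no unconditioned Resource "*", and no resource outside the expected RAM role and policy forms. The `loosened_copy` helper and the check names are this example's own constructions.

```python
import copy

# The PAIOps inline policy from the table above, transcribed as a Python dict
# so the checks below run offline.
PAIOPS_INLINE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["ram:CreateRole", "ram:AttachPolicy", "ram:GetRole"],
            "Resource": [
                "acs:ram:*:*:role/AliyunODPSPAIDefaultRole",
                "acs:ram:*:*:policy/AliyunODPSPAIRolePolicy",
                "acs:ram:*:*:role/AliyunPAIAccessingOSSRole",
                "acs:ram:*:*:policy/AliyunPAIAccessingOSSRolePolicy",
                "acs:ram:*:*:role/AliyunPAIDLCAccessingOSSRole",
                "acs:ram:*:*:policy/AliyunPAIDLCAccessingOSSRolePolicy",
                "acs:ram:*:*:role/AliyunPAIDLCDefaultRole",
                "acs:ram:*:*:policy/AliyunOSSFullAccess",
                "acs:ram:*:*:policy/AliyunPAIDLCDefaultRolePolicy",
                "acs:ram:*:*:policy/PaiDlcOAuthPolicy",
                "acs:ram:*:*:role/AliyunPAIDSWDefaultRole",
                "acs:ram:*:*:policy/AliyunPAIDSWDefaultRolePolicy",
            ],
            "Effect": "Allow",
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": [
                "eas.pai.aliyuncs.com", "label.pai.aliyuncs.com",
                "plugin.pai.aliyuncs.com", "aiworkspace.pai.aliyuncs.com",
                "automl.pai.aliyuncs.com", "pairec.pai.aliyuncs.com",
                "featurestore.pai.aliyuncs.com", "aigc.pai.aliyuncs.com",
                "eas-customer-clusters.pai.aliyuncs.com",
                "langstudio.pai.aliyuncs.com", "abtest.pai.aliyuncs.com",
                "llmtrace.pai.aliyuncs.com",
            ]}},
        },
    ],
}


def _as_list(value):
    """RAM policies allow a string or a list in Action, Resource and conditions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_ram_policy(policy):
    """Return a list of findings; an empty list means every Allow statement passed."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Check 1: no wildcard actions ("*" or "ram:*") for the O&M account.
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        # Check 2: Resource "*" is tolerated only when a ram:ServiceName condition
        # pins it to specific service-linked roles, as in the page's policy.
        if "*" in resources:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("ram:ServiceName"):
                findings.append(f"statement {idx}: Resource '*' without a ram:ServiceName condition")
        # Check 3: every other resource must be a specific RAM role or policy.
        for res in resources:
            if res != "*" and not res.startswith(("acs:ram:*:*:role/", "acs:ram:*:*:policy/")):
                findings.append(f"statement {idx}: unexpected resource {res!r}")
    return findings


def service_linked_role_services(policy):
    """Service names whose service-linked roles the policy lets the account create."""
    names = set()
    for stmt in policy.get("Statement", []):
        if "ram:CreateServiceLinkedRole" in _as_list(stmt.get("Action")):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            names.update(_as_list(cond.get("ram:ServiceName")))
    return sorted(names)


def loosened_copy():
    """Constructed negative case: the same policy with the condition removed."""
    loose = copy.deepcopy(PAIOPS_INLINE_POLICY)
    del loose["Statement"][1]["Condition"]
    return loose


if __name__ == "__main__":
    print("PAIOps policy findings:", audit_ram_policy(PAIOPS_INLINE_POLICY))
    print("loosened policy findings:", audit_ram_policy(loosened_copy()))
```

Run as a script, the first line prints an empty list for the policy as given on the page, and the second reports the service-linked-role statement as unconditioned once the ram:ServiceName condition is dropped. The checks are deliberately structural (they read the JSON, not the account's actual permissions), so a clean result means the policy matches the least-privilege shape described above, not that the account has been tested end to end.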
Select the member created in Step 2.1.2 to grant permissions on specific users or groups.


① Specify Users/Groups
Select the CloudSSO users and RAM users to add.
Note: Because automatic synchronization is enabled (see Synchronize users or groups in Okta by using SCIM), the list of available users here consists of the users imported in Step 1.3.
The users that you see in Step 4 after logon are the users added in this step.
② Specify Access Configurations
Select an access configuration.
We recommend that you select the PAIOps access configuration created in Step 2 for a PAI O&M account.
We recommend that you select the PAIDev access configuration created in Step 2 for a PAI developer account.
Note: An access configuration specifies the Alibaba Cloud page that a CloudSSO user or RAM user lands on after logging on to CloudSSO, together with the permissions that the user has.
3. Automatically redirect to PAI after you log on to Alibaba Cloud
After you log on to Okta, click the Alibaba Cloud CloudSSO icon to go to the Alibaba Cloud CloudSSO logon page.

On the Log on as RAM Role tab, select the resource directory member (Alibaba Cloud role user) created in Step 2.1.2 to log on to Alibaba Cloud CloudSSO.
Note: Alibaba Cloud is a service provider, and Okta is an IdP.

After logon, the system goes to the homepage of the PAI console.
Note: The first RAM role of the member in the current resource directory may see a blank page when accessing PAI. In this case, visit this domain first. After that, the other RAM roles and users of the member can access PAI successfully.
4. Use PAI
4.1 Use a PAI O&M account
Add a regular PAI developer account (RAM role) to the workspace.
Assign a workspace role to the PAI developer account. For more information, see Configure Member and Role.
Note: If you cannot find the created role, click the Refresh icon to update the account list.
If the official roles do not meet your requirements, create custom roles.
4.2 Use a regular developer account
Perform algorithm development, training, and inference. For more information, see AI development.