To enable role-based single sign-on (SSO), configure Alibaba Cloud as a trusted Security Assertion Markup Language (SAML) service provider (SP) in your identity provider (IdP).
Procedure
1. Copy the Alibaba Cloud SAML SP metadata URL.
   The SAML SP metadata URL is https://signin.alibabacloud.com/saml-role/sp-metadata.xml.
2. Create a SAML SP in your IdP and set Alibaba Cloud as the trusted party by using one of the following methods:
   - Use the SAML SP metadata URL that you copied in Step 1.
   - If your IdP does not support URL-based configuration, download the metadata file from the URL in Step 1 and upload it.
   - If your IdP does not support metadata file upload, manually configure the following parameters:
     - Entity ID: urn:alibaba:cloudcomputing:international
     - ACS URL: https://signin.alibabacloud.com/saml-role/sso
     - RelayState: Optional. If your IdP requires RelayState, set it to a URL that users are redirected to after SSO succeeds. If not set, users are redirected to the Alibaba Cloud console homepage.
       Note: The RelayState URL must point to an Alibaba website. Valid domains: *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, and *.alipay.com.
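As an added example (not part of Alibaba Cloud's documentation or code), the following Python helper pre-validates a RelayState value against the domain list above before you enter it in the IdP, so that a mistyped or look-alike host is caught early. It assumes that https is required and that the apex domain itself (for example aliyun.com) is acceptable; the page states neither.

```python
from urllib.parse import urlparse

# Domains listed on the page as valid RelayState targets (the "*." wildcard
# means any subdomain; accepting the bare apex is an assumption).
ALLOWED_RELAYSTATE_DOMAINS = (
    "aliyun.com", "hichina.com", "yunos.com", "taobao.com",
    "tmall.com", "alibabacloud.com", "alipay.com",
)


def relaystate_is_valid(url: str) -> bool:
    """Return True if `url` is an https URL whose host is one of the allowed
    Alibaba domains or a subdomain of one.

    The suffix match is done on whole dotted labels, so look-alike hosts such
    as "evil-aliyun.com" and "aliyun.com.evil.example" are rejected.
    Requiring https is an assumption of this helper, not a statement on the page.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        # urlparse raises on malformed bracketed IPv6 hosts, for example.
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password:
        # "https://aliyun.com@evil.example/" has hostname evil.example; no
        # legitimate RelayState carries userinfo, so reject it outright.
        return False
    host = parts.hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_RELAYSTATE_DOMAINS)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for candidate in ("https://console.aliyun.com/",
                      "https://evil-aliyun.com/",
                      "https://aliyun.com.evil.example/"):
        print(candidate, relaystate_is_valid(candidate))
```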
What to do next
After you configure Alibaba Cloud as a trusted SAML SP, configure SAML assertions for your IdP. For more information, see SAML response for role-based SSO.