This topic describes how to use Security Assertion Markup Language (SAML) 2.0 to configure user-based single sign-on (SSO). You will configure metadata to establish trust between Alibaba Cloud and your corporate identity provider (IdP), allowing users to log on to Alibaba Cloud with SSO.
Background information
You can set up a default domain name, domain alias, or auxiliary domain name to simplify the SAML SSO configuration process. For more information about how to specify the default domain name or domain alias for an Alibaba Cloud account, see View and modify the default domain name and Create and verify a domain alias.
Procedure
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the page that appears, click the User-based SSO tab.
SSO Status: Select Enabled or Disabled.
Disabled (default): RAM users can log on by using passwords. All SSO settings are inactive.
Enabled: All RAM user logon attempts are redirected to your corporate IdP for authentication. Password-based logon for RAM users is disabled.
Note: User-based SSO is a global setting. When it is enabled, all RAM users must log on by using SSO. This setting does not affect the logon of your Alibaba Cloud account or API calls made with an AccessKey pair.
Metadata File: Click Upload Metadata File to upload the metadata file from your corporate IdP.
Note: The metadata file is an XML file exported from your corporate IdP. It contains the IdP's logon (single sign-on) URL and the X.509 public key certificate that Alibaba Cloud uses to verify the signatures on SAML assertions issued by the IdP. If the IdP rotates its signing certificate, export and upload the updated metadata file; otherwise assertions signed with the new key are rejected.
Auxiliary Domain Name (optional): You can enable and set an auxiliary domain name. If you set an auxiliary domain name, it can be used as the suffix of the NameID element in a SAML assertion. If you do not set an auxiliary domain name, only the default domain name or a domain alias of your account can be used as the suffix of the NameID element. For more information about the values of the NameID element, see SAML response for user-based SSO.
Note: If you set both a domain alias and an auxiliary domain name, the domain alias takes precedence.
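The following script is an added example (not Alibaba Cloud's code, and not something the console runs) that performs the two checks a practitioner wants before enabling SSO: it parses an IdP metadata file to confirm it carries a usable single sign-on URL and a signing certificate, and it maps a NameID value to the RAM user it would log in as, rejecting any suffix that is not one of the account's configured domains. The metadata, the hostnames, the certificate placeholder and the domain suffixes are all constructed for illustration.

```python
"""Pre-upload checks for SAML user-based SSO metadata and NameID suffixes.

Added example using only the Python standard library; not Alibaba Cloud's code.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: a 5-byte DER SEQUENCE, NOT a real certificate.
# A real metadata file carries the IdP's full X.509 signing certificate here.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

# Constructed IdP metadata in the shape an IdP exports (hostnames are made up).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed: the suffixes this account would accept, one per setting named above.
ALLOWED_SUFFIXES = {
    "example-account.onaliyun.com",  # default domain name (value is an assumption)
    "example.com",                   # verified domain alias
    "corp.example.net",              # auxiliary domain name
}


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO URLs per binding, signing certificates and NameID formats."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is SP metadata or not SAML metadata")
    sso_urls = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(".//ds:X509Certificate", NS):
                signing_certs.append("".join((c.text or "").split()))  # drop line wrapping
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": sso_urls,
        "signing_certs": signing_certs,
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }


def check_idp_metadata(meta):
    """Return a list of problems; an empty list means the file is plausible to upload."""
    problems = []
    if not meta["entity_id"]:
        problems.append("missing entityID")
    if not (meta["sso_urls"].get(HTTP_REDIRECT) or meta["sso_urls"].get(HTTP_POST)):
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    for binding, url in meta["sso_urls"].items():
        if not (url or "").startswith("https://"):
            problems.append(f"SSO URL for {binding} is not https: {url}")
    if not meta["signing_certs"]:
        problems.append("no signing X509Certificate: assertion signatures could not be verified")
    for cert in meta["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append("signing certificate is not valid base64")
            continue
        if not der or der[0] != 0x30:
            problems.append("signing certificate does not decode to a DER SEQUENCE")
    return problems


def ram_user_for_nameid(name_id, allowed_suffixes):
    """Map a NameID of the form <user>@<domain> to the RAM user name it logs in as.

    Returns None when the suffix is not one of the account's configured domains,
    in which case the assertion would not match any RAM user.
    """
    user, sep, domain = name_id.rpartition("@")
    if not sep or not user or not domain:
        return None
    if domain.lower() not in {s.lower() for s in allowed_suffixes}:
        return None
    return user


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", meta["entity_id"])
    print("SSO URLs:", meta["sso_urls"])
    print("problems:", check_idp_metadata(meta) or "none")
    for nid in ("alice@example.com", "bob@corp.example.net", "mallory@attacker.example"):
        print(nid, "->", ram_user_for_nameid(nid, ALLOWED_SUFFIXES))
```

Run the script against the metadata file your IdP exported (replace SAMPLE_METADATA with the file's contents) before clicking Upload Metadata File; a non-HTTPS SSO URL or a missing signing certificate is worth fixing on the IdP side first, because once SSO Status is Enabled every RAM user logon depends on that file.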
What to do next
After you configure SAML, create RAM users that correspond to the users in your corporate IdP: the RAM user name must match the part of the NameID element before the domain suffix, or the assertion will not map to any RAM user. You can use one of the following methods:
Log on to the RAM console to manually create RAM users. For more information, see Create a RAM user.
Use the RAM SDK or Alibaba Cloud CLI to create RAM users. For more information, see CreateUser.