
Resource Access Management: Configure SAML on Alibaba Cloud (as SP)

Last Updated: Mar 23, 2026

This topic explains how to configure user-based single sign-on (SSO) in Alibaba Cloud. This enables users from your corporate identity provider (IdP) to log on to the Alibaba Cloud Management Console as specific Resource Access Management (RAM) users.

Prerequisites

Before you begin, you must obtain the SAML 2.0 metadata document from your IdP. This XML file contains the IdP's configuration information, such as its entity ID, logon endpoints, and the public signing certificate required to verify SAML assertions.

Procedure

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. Select the User-based SSO tab and configure the following settings:

    1. SSO Status: Select Enabled. This redirects all RAM user logon attempts to your IdP for authentication.

      Important

      Enabling user-based SSO is a global setting for your account. It disables password-based logon for all RAM users. This setting does not affect your Alibaba Cloud account logon or API calls made with an AccessKey pair.

    2. Metadata File: Click Upload Metadata File and select the SAML metadata document you obtained from your IdP.

    3. Auxiliary Domain Name (Optional):

      You can use an auxiliary domain name to provide more flexibility for mapping federated users to RAM users. By default, the NameID in the SAML assertion must be in the format <user_name>@<default_logon_suffix_or_custom_logon_suffix>.

      If you enable and configure an Auxiliary Domain Name, you can also use it as the suffix for the NameID (such as <user_name>@<auxiliary_domain>). This is useful if your corporate user principal names (UPNs) do not match your RAM users' default or custom logon suffix.

      Note

      If both a custom logon suffix and an auxiliary domain name are configured, the custom logon suffix takes precedence. For instructions on how to configure a custom logon suffix, see RAM user logon suffixes and Create and verify a domain alias.

What to do next

After configuring SAML in Alibaba Cloud, you must complete two more critical steps:

  1. Configure your IdP: You must configure Alibaba Cloud as a trusted service provider (SP) in your IdP and set the SAML assertion attributes correctly. For more information, see Configure Alibaba Cloud as the SP in your IdP.

  2. Create RAM users: For each federated user, you must create a corresponding RAM user in your Alibaba Cloud account. The username of the RAM user must exactly match the value that will be sent in the NameID of the SAML assertion from your IdP. For more information, see Create a RAM user.
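The NameID-to-RAM-user mapping from step 3 of the procedure and the exact-match requirement in step 2 above, as an added Python example (not Alibaba Cloud's own code): it pulls the NameID out of a constructed SAML assertion and resolves it against constructed suffixes and RAM user names, reading the Note's precedence rule as "a configured custom logon suffix means the auxiliary domain is not used", which is an assumption. All suffix values, user names and the assertion are constructed.

```python
"""Map a SAML NameID to a RAM user name using the suffix rules in this topic.

Added example, not Alibaba Cloud code. Suffixes, RAM users and the
assertion are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass
class SuffixConfig:
    default_logon_suffix: str                  # default RAM logon suffix
    custom_logon_suffix: Optional[str] = None  # verified domain alias, if any
    auxiliary_domain: Optional[str] = None     # Auxiliary Domain Name, if enabled

    def accepted_suffixes(self) -> list[str]:
        # Assumption: a custom logon suffix takes precedence, so the auxiliary
        # domain is only considered when no custom suffix is configured.
        suffixes = [self.default_logon_suffix]
        if self.custom_logon_suffix:
            suffixes.append(self.custom_logon_suffix)
        elif self.auxiliary_domain:
            suffixes.append(self.auxiliary_domain)
        return suffixes


def extract_name_id(assertion_xml: str) -> str:
    """Return the Subject/NameID text of a SAML 2.0 assertion."""
    node = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return node.text.strip()


def resolve_ram_user(name_id: str, cfg: SuffixConfig, ram_users: set[str]) -> tuple[str, str]:
    """Return (status, value): 'ok', 'bad_suffix' or 'no_such_user'."""
    user, sep, suffix = name_id.rpartition("@")
    if not sep or suffix not in cfg.accepted_suffixes():
        return "bad_suffix", name_id
    if user not in ram_users:  # RAM user name must exactly match the local part
        return "no_such_user", user
    return "ok", user


# Constructed sample: the IdP sends the corporate UPN as NameID.
CFG = SuffixConfig("example-alias.onaliyun.com", auxiliary_domain="corp.example.com")
RAM_USERS = {"alice", "bob"}
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@corp.example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print(resolve_ram_user(extract_name_id(SAMPLE_ASSERTION), CFG, RAM_USERS))
```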