Resource Access Management:Configure federation with AD FS

Last Updated: Mar 25, 2026

This tutorial guides you through the process of configuring role-based single sign-on (SSO) from Microsoft Active Directory Federation Services (AD FS) to Alibaba Cloud. After completing this configuration, users in your Active Directory (AD) can log on to the Alibaba Cloud Management Console by assuming a Resource Access Management (RAM) role based on their AD group memberships.

Prerequisites

  • You have an operational AD FS environment. This tutorial uses AD FS on an Elastic Compute Service (ECS) instance that runs Windows Server 2012 R2 as an example.

  • You have created the necessary AD user groups to map to specific RAM roles (such as an Admins group and a Readers group).

  • You have administrative permissions in both your AD FS environment and your Alibaba Cloud account.

Note

This tutorial provides a reference for integrating AD FS with Alibaba Cloud. Alibaba Cloud does not provide support for the configuration of third-party software like AD FS. For detailed information on deploying AD FS, see Build an AD domain on a Windows instance.

Configuration overview

The process involves establishing a two-way trust relationship by exchanging metadata and configuring claims.

  1. Configure Alibaba Cloud to trust AD FS. You will create a SAML identity provider (IdP) and the RAM roles that your federated users will assume.

  2. Configure AD FS to trust Alibaba Cloud. You will add Alibaba Cloud as a trusted service provider (relying party) in AD FS.

  3. Configure claim rules in AD FS. You will define rules that instruct AD FS to send the required identity and role information in the SAML assertion.

  4. Verify the SSO configuration. You will test the IdP-initiated SSO flow.

Step 1: Configure Alibaba Cloud to trust AD FS

  1. Obtain the AD FS federation metadata.

    In a browser, navigate to your AD FS federation metadata URL. The URL is typically in the format: https://<your_adfs_server>/FederationMetadata/2007-06/FederationMetadata.xml. Save the resulting XML file to your computer.

  2. Create a SAML IdP in Alibaba Cloud.

    Log on to the RAM console, navigate to SSO > Role-based SSO. On the SAML sub-tab, click Create IdP to upload the metadata file you just downloaded. For detailed instructions, see Configure SAML on Alibaba Cloud (as SP).

    Note

    If the metadata file is too large, you can reduce its size by removing the content within the <fed:ClaimTypesRequested> and <fed:ClaimTypesOffered> tags before uploading.

  3. Create RAM roles for federation.

    Create the RAM roles that your federated users will assume (such as ADFS-Admin and ADFS-Reader). When creating each role, select IdP as the trusted principal type and choose the SAML IdP you created in the previous step. After creating the roles, attach the appropriate policies (such as AdministratorAccess and ReadOnlyAccess). For more information, see Create a RAM role for a trusted IdP.

    Repeat this process for each Alibaba Cloud account you want to integrate.
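
The note in step 2 above says the federation metadata can be trimmed by removing the <fed:ClaimTypesRequested> and <fed:ClaimTypesOffered> elements. The following script is an added example, not part of this tutorial or of Alibaba Cloud's tooling: it downloads the metadata from step 1, removes those two elements, saves the result, and reports the entityID and signing-certificate count that the RAM console import relies on. The host name in $AdfsHost and the output path in $OutFile are assumptions you supply; the namespace URIs are the standard WS-Federation and SAML 2.0 metadata namespaces.

```powershell
# Added example (not from the tutorial): fetch the AD FS federation metadata and
# strip the <fed:ClaimTypesRequested> / <fed:ClaimTypesOffered> elements to shrink
# the file before uploading it in the RAM console.
# Assumptions: $AdfsHost is your AD FS host name; $OutFile is where to save the result.
param(
    [Parameter(Mandatory = $true)][string]$AdfsHost,   # e.g. adfs.example.com (placeholder)
    [string]$OutFile = "FederationMetadata.trimmed.xml"
)

# .NET's Save() resolves relative paths against the process directory, not $PWD.
if (-not [System.IO.Path]::IsPathRooted($OutFile)) {
    $OutFile = Join-Path $PWD $OutFile
}

$url = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# Federation metadata is published unauthenticated by design; fetch it over HTTPS.
$response = Invoke-WebRequest -Uri $url -UseBasicParsing
[xml]$doc = $response.Content

# The fed: prefix in AD FS metadata maps to the WS-Federation 1.2 namespace.
$fed = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$fed.AddNamespace("fed", "http://docs.oasis-open.org/wsfed/federation/200706")

$removed = 0
foreach ($name in "ClaimTypesRequested", "ClaimTypesOffered") {
    # Snapshot the node list with @() first: the live list shrinks as nodes are removed.
    foreach ($node in @($doc.SelectNodes("//fed:$name", $fed))) {
        [void]$node.ParentNode.RemoveChild($node)
        $removed++
    }
}

$doc.Save($OutFile)
$before = [System.Text.Encoding]::UTF8.GetByteCount($response.Content)
$after  = (Get-Item $OutFile).Length
Write-Output ("Removed {0} element(s); {1} bytes -> {2} bytes; saved to {3}" -f $removed, $before, $after, $OutFile)

# Sanity checks on what the IdP import actually needs: the entityID that RAM will
# record for the IdP, and at least one signing certificate in the IDPSSODescriptor.
$md = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$md.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$entity = $doc.SelectSingleNode("/md:EntityDescriptor", $md)
if ($null -eq $entity) {
    throw "Root element is not md:EntityDescriptor; this is not SAML metadata."
}
Write-Output ("entityID: {0}" -f $entity.GetAttribute("entityID"))
$signing = $doc.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']", $md)
Write-Output ("signing certificates: {0}" -f $signing.Count)
if ($signing.Count -eq 0) {
    Write-Warning "No signing certificate found; assertions from this IdP could not be verified."
}
```

Removing elements invalidates the enveloped XML signature that AD FS places over the metadata; the note above indicates the RAM console accepts the reduced file regardless, and the signing certificate and entityID inside it are what the trust is built on, so check that both survive the trim.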

Step 2: Configure AD FS to trust Alibaba Cloud

  1. On your AD FS server, open Server Manager.

  2. In Server Manager, click Tools, and then select AD FS Management.


  3. Navigate to Relying Party Trusts, right-click, and select Add Relying Party Trust.

    Image: Add Relying Party Trust

  4. In the wizard, on the Select Data Source page, select Import data about the relying party published online or on a local network.

    In the text box, enter the Alibaba Cloud SAML SP metadata URL: https://signin.alibabacloud.com/saml-role/sp-metadata.xml. Click Next.

    Image: Select Data Source

  5. Complete the wizard using the default settings.

Step 3: Configure claim rules in AD FS

Claim rules instruct AD FS on which attributes to send in the SAML assertion. For role-based SSO, Alibaba Cloud requires the NameID, RoleSessionName, and Role attributes.

Right-click the display name of the relying party you created and select Edit Claim Rules. On the Issuance Transform Rules tab, add the following rules in order.

Rule 1: Send Windows account name as NameID

  1. Click Add Rule and choose the Transform an Incoming Claim template.

    Image: Transform an Incoming Claim

  2. Configure the rule with the following settings:

    • Claim rule name: Enter a descriptive name, such as NameID.

    • Incoming claim type: Select Windows account name.

    • Outgoing claim type: Select Name ID.

    • Outgoing name ID format: Select Persistent Identifier.

    • Select the Pass through all claim values option.

    Image: Configure the rule

Rule 2: Send UPN as RoleSessionName

  1. Click Add Rule and choose the Send LDAP Attributes as Claims template.

    Image: Select the rule template

  2. Configure the rule with the following settings:

    • Claim rule name: Enter a descriptive name, such as RoleSessionName.

    • Attribute store: Select Active Directory.

    • Map the LDAP Attribute User-Principal-Name to the Outgoing Claim Type https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName.

    Image: Configure the rule

Rules 3 & 4: Send AD groups as RAM roles

Mapping AD groups to RAM roles requires a two-step custom rule process. The first rule retrieves all of the user's group memberships, and the second rule filters and transforms them into the format that Alibaba Cloud requires for the Role attribute.

  1. Create Rule 3: Get AD groups

    • Click Add Rule and choose the Send Claims Using a Custom Rule template.

      Image: Send Claims Using a Custom Rule

      • Claim rule name: Enter a descriptive name, such as Get AD Groups.

      • Custom rule: Enter the following code. This rule queries for the user's group memberships and stores them in a temporary variable.

        c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
         => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

        Image: Custom rule

  2. Create Rule 4: Transform groups to RAM roles

    • Click Add Rule again and choose the Send Claims Using a Custom Rule template.

      • Claim rule name: Enter a descriptive name, such as Role.

      • Custom rule: Enter the following code. This rule uses a regular expression to match AD group names that follow the pattern Aliyun-<account_id>-<role_name> and transforms them into the required Role attribute format.

        c:[Type == "http://temp/variable", Value =~ "(?i)^Aliyun-([\d]+)"]
         => issue(Type = "https://www.aliyun.com/SAML-Role/Attributes/Role", Value = RegExReplace(c.Value, "Aliyun-([\d]+)-(.+)", "acs:ram::$1:role/$2,acs:ram::$1:saml-provider/<provider-name>"));

        Note

        Replace <provider-name> with the name of the SAML IdP you created in Step 1.

        Image: Select the rule type

Step 4: Verify the SSO Configuration

  1. Navigate to your AD FS IdP-initiated SSO page, typically at https://<ADFS-server>/adfs/ls/IdpInitiatedSignOn.aspx.

  2. Select the Alibaba Cloud application from the list and log on with your Active Directory credentials.

    Image: Verify the configuration

    Note

    If this page is disabled, you may need to enable it by running the Set-AdfsProperties -EnableIdpInitiatedSignonPage $True command in PowerShell on your AD FS server.

  3. You will be redirected to the Alibaba Cloud RAM role selection page. Choose one of the available roles and click Log On.

    Image: Alibaba Cloud role SSO page

  4. If you are successfully logged on to the Alibaba Cloud Management Console, your SSO configuration is working correctly.