This topic provides a step-by-step guide for configuring user-based single sign-on (SSO) from Microsoft Entra ID (formerly Azure AD) to Alibaba Cloud. After you complete the configuration, users in your Microsoft Entra ID tenant can log on to the Alibaba Cloud Management Console by using their Microsoft Entra ID credentials.
Background information
In this example, an enterprise has one Alibaba Cloud account and one Microsoft Entra ID tenant. The Microsoft Entra ID tenant contains an administrator with global administrator permissions and an employee user (u2). You want to configure user-based SSO to allow the employee user (u2) to access Alibaba Cloud after logging on to Microsoft Entra ID.
Prerequisites
A Resource Access Management (RAM) administrator with the AliyunRAMFullAccess policy attached. For information about how to create a RAM user and grant permissions, see Create a RAM user and Grant permissions to a RAM user.
A Microsoft Entra ID user with the Global Administrator role. For information about how to create a user and assign it the administrator role, see the official Microsoft Entra ID documentation.
Step 1: Download the SAML SP metadata file from Alibaba Cloud
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the SSO page, click the User-based SSO tab.
In the SAML Service Provider Metadata URL section, copy the URL.
Open the metadata URL in a new browser tab. Right-click the page and save it as an XML file. This file contains the SAML service provider (SP) metadata for Alibaba Cloud.
Note: The XML file contains the information that is required to configure Alibaba Cloud as a SAML SP. Record the values of the entityID and Location attributes for later use.
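As an added example (not part of the Alibaba Cloud documentation), the following script pulls the two values Step 1 tells you to record, entityID and the AssertionConsumerService Location, out of an SP metadata file and rejects a file that is not SP metadata. The embedded metadata document is a constructed sample; the function names and the example-sp.invalid URLs are assumptions of this example.

```python
# Added example, not from the Alibaba Cloud documentation: extract the
# entityID and ACS Location from SAML SP metadata. Sample XML is constructed.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; real values come from the metadata URL in the RAM console.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-sp.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-sp.invalid/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the entityID and ACS Location an IdP admin records from SP metadata.
    Raises ValueError if the file is not SP metadata or has no HTTP-POST ACS."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is IdP metadata, not SP metadata")
    acs = [
        e for e in sp.findall("md:AssertionConsumerService", NS)
        if e.get("Binding") == POST_BINDING
    ]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    # Prefer the endpoint marked isDefault, otherwise the first POST endpoint.
    chosen = next((e for e in acs if e.get("isDefault") == "true"), acs[0])
    return {
        "entity_id": entity_id,                 # Identifier (Entity ID) in the IdP
        "acs_url": chosen.get("Location"),      # Reply URL in the IdP
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }

if __name__ == "__main__":
    print(extract_sp_settings(SAMPLE_SP_METADATA))
```

Running it against the file you saved from the RAM console instead of the sample gives you the exact strings to compare with what the IdP auto-fills in Step 3.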
Step 2: Create an application in Microsoft Entra ID
Log on to the Azure portal as the global administrator of Microsoft Entra ID.
In the upper-left corner of the homepage, click the icon. In the left-side navigation pane, choose .
Click New application.
On the Browse Microsoft Entra App Gallery page, click Create your own application.
In the Create your own application panel, enter an application name such as AliyunSSODemo, and select Integrate any other application you don't find in the gallery (Non-gallery). Then, click Create.
Step 3: Configure SAML in Microsoft Entra ID
On the AliyunSSODemo details page, in the left-side navigation pane, choose .
In the Select a single sign-on method section, click SAML.
On the SAML-based Sign-on page, perform the following steps:
In the upper-left corner of the page, click Upload metadata file, select your metadata file, then click Add.
Note: In this example, upload the XML file that you downloaded in Step 1.
On the Basic SAML Configuration page, configure the following parameters, then click Save.
Identifier (Entity ID): The system automatically reads this value from the entityID attribute in the metadata file.
Reply URL (Assertion Consumer Service URL): The system automatically reads this value from the Location attribute in the metadata file.
Relay State: Enter the URL of the Alibaba Cloud service page to which a Microsoft Entra ID user is redirected after a successful SSO logon.
Note: For security reasons, the URL for Relay State must belong to an Alibaba-owned domain name, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If you specify a URL from an unauthorized domain name, the Relay State will be ignored.
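Because an out-of-domain Relay State is silently ignored rather than rejected, it helps to check the value before saving it in the IdP. The following added example (not from the documentation) tests a URL against the domain list in the note above using proper suffix matching, so a look-alike host such as evilaliyun.com is not accepted. It also insists on https, which is a conservative assumption of this example and not a rule stated in the note; the function names and sample URLs are constructed.

```python
# Added example, not from the Alibaba Cloud documentation: validate a Relay
# State URL against the Alibaba-owned domains listed in the note above.
from urllib.parse import urlsplit

# Suffixes taken from the note ("*.aliyun.com" becomes "aliyun.com").
ALLOWED_RELAY_STATE_DOMAINS = (
    "aliyun.com", "hichina.com", "yunos.com", "taobao.com",
    "tmall.com", "alibabacloud.com", "alipay.com",
)

def _host_in_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; a plain endswith()
    would wrongly accept look-alikes such as 'evilaliyun.com'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_relay_state(url: str) -> tuple:
    """Return (accepted, reason). When accepted is False the reason says why
    the SP would ignore the value and send the user to the console homepage."""
    if not url:
        return False, "empty Relay State: user lands on the console homepage"
    parts = urlsplit(url)
    # Requiring https is this example's assumption, not a rule from the note.
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    host = parts.hostname  # strips userinfo and port, lowercases the host
    if not host:
        return False, "URL has no host"
    if not any(_host_in_domain(host, d) for d in ALLOWED_RELAY_STATE_DOMAINS):
        return False, f"host {host!r} is not in an Alibaba-owned domain"
    return True, f"host {host!r} is in an Alibaba-owned domain"

if __name__ == "__main__":
    # Constructed sample URLs.
    for u in (
        "https://ram.console.aliyun.com/users",
        "https://www.alibabacloud.com",
        "https://evilaliyun.com/phish",
        "http://ram.console.aliyun.com/users",
    ):
        print(u, "->", check_relay_state(u))
```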
In the SAML Certificates section, click Download on the right of Federation Metadata XML to download the IdP metadata file.
Step 4: Assign users in Microsoft Entra ID
On the AliyunSSODemo details page, in the left-side navigation pane, choose .
On the page that appears, click Add user/group.
On the Add Assignment page, select user u2 and click Select.
Step 5: Create a RAM user in Alibaba Cloud
In the left-side navigation pane of the RAM console, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
The prefix of the RAM user's logon name (the part before the @ symbol) must exactly match the Microsoft Entra ID username. In this example, because the Microsoft Entra ID username is u2@example.com, the RAM user's logon name must start with u2.
In the Access Mode section, select an access mode.
Click OK.
Step 6: Enable user-based SSO in Alibaba Cloud
In the left-side navigation pane of the RAM console, choose .
On the SSO page, click the User-based SSO tab.
Select Enabled on the right of SSO Status.
Note: This is a global setting that affects all RAM users. After you enable it, RAM users can no longer log on with a username and password. If you are logged on as a RAM user, do not enable SSO until you have verified the configuration is correct. To avoid being locked out, we recommend performing this configuration while logged on with your Alibaba Cloud account.
In the Metadata File section, click Upload Metadata File to upload the IdP metadata file obtained in Step 3.
Click Edit on the right of Auxiliary Domain Name. Enable the feature and enter the suffix of your Microsoft Entra ID username.
In this example, the domain name is example.onmicrosoft.com because the Microsoft Entra ID username is u2@example.onmicrosoft.com.
Verify the SSO configuration
You can verify the configuration by initiating SSO from both Alibaba Cloud (SP-initiated) and Microsoft Entra ID (IdP-initiated).
SP-initiated logon
Log on to the RAM console. On the Overview page, copy the logon URL for RAM users.
Hover over the profile picture in the upper-right corner and click Log Out. Then, navigate to the RAM user logon URL.
Click Login with Cloud Account. You are redirected to the logon page of Microsoft Entra ID.
Log on with the username and password of the Microsoft Entra ID user u2.
After successful authentication, you are automatically logged on to the Alibaba Cloud Management Console. You are redirected to the page specified by the Relay State parameter. If Relay State is not set or is invalid, you are redirected to the Alibaba Cloud Management Console homepage.

IdP-initiated logon
Obtain the user access URL.
Log on to the Azure portal as an administrator.
In the upper-left corner of the homepage, click the icon. In the left-side navigation pane, choose .
Click AliyunSSODemo.
In the left-side navigation pane, click Properties and copy the value of User access URL.
The User access URL is the link that users can navigate to in their browser to initiate SSO to this application.

The user u2 gets the User access URL from the administrator. In a browser, the user enters the URL and logs on with their account.
After successful authentication, you are automatically logged on to the Alibaba Cloud Management Console. You are redirected to the page specified by the Relay State parameter. If Relay State is not set or is invalid, you are redirected to the Alibaba Cloud Management Console homepage.
