This quick start walks you through configuring user-based single sign-on (SSO) from Microsoft Entra ID (formerly Azure AD) to Alibaba Cloud. Once configured, users in your Microsoft Entra ID tenant can log on to Alibaba Cloud via SSO.
Background information
In this example, an enterprise has one Alibaba Cloud account and one Microsoft Entra ID tenant. The Microsoft Entra ID tenant contains an administrator with global administrator permissions and an employee user (u2). You want to configure user-based SSO to allow the employee user (u2) to access Alibaba Cloud after logging on to Microsoft Entra ID.
Prerequisites
A RAM administrator with the AliyunRAMFullAccess policy attached. For information about how to create a RAM user and grant permissions, see Create a RAM user and Grant permissions to a RAM user.
A Microsoft Entra ID user with the Global Administrator role. For information about how to create a user and assign it the administrator role, see the official Microsoft Entra ID documentation.
Step 1: Download the SAML SP metadata file from Alibaba Cloud
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the SSO page, click the User-based SSO tab.
In the SAML Service Provider Metadata URL section, copy the URL.
Open a new tab in your browser and paste the URL in the address bar. On the page that appears, right-click the page and select Save As to download the SAML service provider (SP) metadata file in the XML format to your computer.
Note: The XML file contains the information that is required to configure Alibaba Cloud as a SAML SP. Record the values of the entityID and Location attributes for later use.
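The two values Step 1 asks you to record live in fixed places in the SP metadata: entityID is an attribute of the EntityDescriptor element, and Location is an attribute of the AssertionConsumerService element. As an added example (not code from Alibaba Cloud or Microsoft), the following Python pulls both out of a constructed metadata sample; the entity ID and ACS URL in the sample are placeholders, not values from a real account.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a SAML SP metadata file in the shape the Step 1 download has.
# The account-specific values are placeholders, not real identifiers.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin.aliyun.com/EXAMPLE-ACCOUNT-ID/saml/SSO">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aliyun.com/EXAMPLE-ACCOUNT-ID/saml/SSO"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

MD_NS_URI = "urn:oasis:names:tc:SAML:2.0:metadata"
MD_NS = {"md": MD_NS_URI}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the entityID and the HTTP-POST ACS Location from SP metadata.

    These become Identifier (Entity ID) and Reply URL in the Entra ID app.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS_URI:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    # Pick the POST-binding ACS; the IdP posts the signed assertion to this URL.
    acs_location = None
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS):
        if acs.get("Binding") == HTTP_POST:
            acs_location = acs.get("Location")
            break
    if not acs_location:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    if not acs_location.startswith("https://"):
        raise ValueError("ACS Location must use HTTPS")  # the assertion is a credential
    return {"entity_id": entity_id, "acs_location": acs_location}


if __name__ == "__main__":
    print(extract_sp_settings(SAMPLE_SP_METADATA))
```

Run it against the file you downloaded in Step 1 to confirm the two values that Entra ID should fill in after the metadata upload in Step 3.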
Step 2: Create an enterprise application in Microsoft Entra ID
Log on to the Azure portal as the global administrator of Microsoft Entra ID.
In the upper-left corner of the homepage, click the icon. In the left-side navigation pane, choose .
Click New application.
On the Browse Microsoft Entra App Gallery page, click Create your own application.
In the Create your own application panel, enter an application name such as AliyunSSODemo, and select Integrate any other application you don't find in the gallery (Non-gallery). Then, click Create.
Step 3: Configure SAML in Microsoft Entra ID
On the AliyunSSODemo details page, in the left-side navigation pane, choose .
In the Select a single sign-on method section, click SAML.
On the SAML-based Sign-on page, perform the following steps:
In the upper-left corner of the page, click Upload metadata file, select your metadata file, then click Add.
Note: In this example, upload the XML file that you downloaded in Step 1: Download the SAML SP metadata file from Alibaba Cloud.
On the Basic SAML Configuration page, configure the following parameters, then click Save.
Identifier (Entity ID): The system automatically reads this value from the entityID attribute in the metadata file.
Reply URL (Assertion Consumer Service URL): The system automatically reads this value from the Location attribute in the metadata file.
Relay State: Enter the URL of the Alibaba Cloud service page to which a Microsoft Entra ID user is redirected after the user logs on to Microsoft Entra ID by using SSO.
Note: For security reasons, you can only enter a URL for an Alibaba-owned domain name as the value of Relay State, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. Otherwise, the configuration is invalid. If you do not set this parameter, the system redirects the user to the Alibaba Cloud Management Console homepage by default.
In the SAML Certificates section, click Download on the right of Federation Metadata XML to download the IdP metadata file.
Step 4: Assign users in Microsoft Entra ID
On the AliyunSSODemo details page, in the left-side navigation pane, choose .
On the page that appears, click Add user/group.
On the Add Assignment page, select user u2 and click Select.
Step 5: Create a RAM user in Alibaba Cloud
In the left-side navigation pane of the RAM console, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
The logon name and Microsoft Entra ID username must have the same prefix. In this example, the prefix of the logon name must be u2.
In the Access Mode section, select an access mode.
Click OK.
Step 6: Enable user-based SSO in Alibaba Cloud
In the left-side navigation pane of the RAM console, choose .
On the SSO page, click the User-based SSO tab.
Select Enabled on the right of SSO Status.
Note: This is a global setting. Once enabled, all RAM users must log on to the console via SSO. If you are configuring SSO while logged on as a RAM user, do not enable this setting until all other steps are complete. Enabling it prematurely may lock you out of your account. To avoid this risk, we recommend you perform this SSO configuration while logged on with your Alibaba Cloud account.
In the Metadata File section, click Upload Metadata File to upload the IdP metadata file obtained in Step 3: Configure SAML in Microsoft Entra ID.
Click Edit on the right of Auxiliary Domain Name. Enable the auxiliary domain name feature, then enter the domain suffix of your Microsoft Entra ID username.
In this example, the domain name is example.onmicrosoft.com because the username of the Microsoft Entra ID user u2 is u2@example.onmicrosoft.com.
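Two rules on this page decide what happens once the assertion reaches Alibaba Cloud: the Relay State note in Step 3 (only Alibaba-owned domains are honoured, otherwise the console homepage is used) and the logon-name rule in Steps 5 and 6 (the RAM logon name prefix must equal the Entra ID username prefix, and the auxiliary domain must equal its suffix). The following Python models both checks as an added example; it is not Alibaba Cloud's implementation, the console homepage URL is a placeholder, and restricting Relay State to https is an assumption added here, not a rule stated on the page.

```python
from typing import Optional
from urllib.parse import urlsplit

# Alibaba-owned domain suffixes accepted for Relay State, as listed in Step 3.
ALLOWED_RELAY_SUFFIXES = (
    "aliyun.com", "hichina.com", "yunos.com", "taobao.com",
    "tmall.com", "alibabacloud.com", "alipay.com",
)
# Placeholder for the console homepage fallback; the page does not give the URL.
CONSOLE_HOME = "https://CONSOLE-HOMEPAGE-PLACEHOLDER.aliyun.com/"


def resolve_relay_state(relay_state: Optional[str]) -> str:
    """Return the post-logon target: the Relay State when its host is Alibaba-owned,
    otherwise the console homepage, mirroring the behaviour described in Step 3."""
    if not relay_state:
        return CONSOLE_HOME
    parts = urlsplit(relay_state)
    # Use .hostname, not .netloc: "https://aliyun.com@evil.test/" has host evil.test.
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:   # https-only is an added assumption
        return CONSOLE_HOME
    for suffix in ALLOWED_RELAY_SUFFIXES:
        # Exact match or a real subdomain; "aliyun.com.evil.test" must not pass.
        if host == suffix or host.endswith("." + suffix):
            return relay_state
    return CONSOLE_HOME


def ram_logon_prefix(entra_username: str, auxiliary_domain: str) -> Optional[str]:
    """Map an Entra ID username such as u2@example.onmicrosoft.com to the RAM
    logon-name prefix (u2). Returns None when the suffix is not the auxiliary
    domain configured in Step 6, since no RAM user can then be matched."""
    local, sep, domain = entra_username.rpartition("@")
    if not sep or not local or domain.lower() != auxiliary_domain.lower():
        return None
    return local


if __name__ == "__main__":
    print(resolve_relay_state("https://ecs.console.aliyun.com/"))
    print(resolve_relay_state("https://aliyun.com.evil.test/"))
    print(ram_logon_prefix("u2@example.onmicrosoft.com", "example.onmicrosoft.com"))
```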
Verify the SSO configurations
After you configure SSO, you can initiate a logon from both Alibaba Cloud and Microsoft Entra ID.
Initiate a logon from Alibaba Cloud
Log on to the RAM console. On the Overview page, copy the logon URL for RAM users.
Move the pointer over the profile picture in the upper-right corner of the page and click Log Out. Then, access the logon URL in your browser.
Click Login with Cloud Account. You are redirected to the logon page of Microsoft Entra ID.
Log on with the username and password of the Microsoft Entra ID user u2.
The system automatically performs SSO and redirects you to the page specified for Relay State. If Relay State is not specified or its value is not a URL for an Alibaba-owned domain name, the system redirects you to the Alibaba Cloud Management Console homepage.

Initiate a logon from Microsoft Entra ID
Obtain the user access URL.
Log on to the Azure portal as an administrator.
In the upper-left corner of the homepage, click the icon. In the left-side navigation pane, choose .
Click AliyunSSODemo.
In the left-side navigation pane, click Properties and copy the value of User access URL.
The User access URL is the link that users can navigate to in their browser to initiate SSO to this application.

The user u2 gets the User access URL from the administrator. In a browser, the user enters the URL and logs on with their account.
After a successful logon, the user is redirected to the page specified for Relay State. If Relay State is not specified or its value is not a URL for an Alibaba-owned domain, the system redirects the user to the Alibaba Cloud Management Console homepage.
