Walk through the end-to-end process of configuring user-based single sign-on (SSO) between Okta and Alibaba Cloud.
Step 1: Obtain SAML SP metadata from Alibaba Cloud
-
Log on to the Resource Access Management (RAM) console as a RAM administrator.
-
In the left-side navigation pane, choose .
-
Click the User-based SSO tab. In the SAML Service Provider Metadata URL section, copy the metadata URL for your Alibaba Cloud account.
-
Open the URL in a browser, then save the XML file locally.
In the XML file, find and record the values of
entityIDandLocation:-
entityID: TheentityIDattribute of the<md:EntityDescriptor>element. Example:https://signin-intl.aliyun.com/57******81/saml/SSO. -
Location: TheLocationattribute of the<md:AssertionConsumerService>element. Example:https://signin-intl.aliyun.com/saml/SSO.
-
Step 2: Create a SAML application in Okta
-
Log on to the Okta portal.
-
In the left-side navigation pane of the Okta Admin Console, choose .
-
On the Applications page, click Create App Integration.
-
In the Create a new app integration dialog box, select SAML 2.0 and click Next.
-
On the General Settings page, enter an App name, such as AliyunSSODemo, and click Next.
-
On the Configure SAML page, set the following in the SAML Settings section, then click Next.
-
Single sign-on URL: Enter the
Locationvalue that you recorded in the previous step. -
Audience URI (SP Entity ID): Enter the
entityIDvalue that you recorded in the previous step. -
Default RelayState: URL that users are redirected to after SSO logon. If empty, users land on the Alibaba Cloud Management Console homepage.
NoteFor security reasons, the value of Default RelayState must be a URL under an Alibaba-owned domain, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. Otherwise, this setting is ignored.
-
Name ID format: Select Persistent.
-
Application username: Select Email.
-
-
On the Feedback page, select an application type and click Finish.
Step 3: Obtain the SAML IdP metadata from Okta
-
On the details page of the application that you created (AliyunSSODemo), click the Sign On tab.
-
In the Settings section, click Identity provider metadata and save the IdP metadata file to your computer.
Step 4: Enable user-based SSO in Alibaba Cloud
-
In the left-side navigation pane of the RAM console, choose .
-
Click the User-based SSO tab. In the SSO Status section, click Enabled.
NoteIf you are a RAM user, complete all configuration steps, including creating the necessary RAM user, before enabling SSO to avoid being locked out. To reduce this risk, use your Alibaba Cloud account to perform the configuration.
-
In the Metadata File section, click Upload Metadata File and upload the IdP metadata file that you obtained in Step 3: Obtain the SAML IdP metadata from Okta.
-
In the Auxiliary Domain Name section, click Edit, enable the feature, and set the auxiliary domain name to the email suffix of your Okta usernames.
NoteIf your Okta organization uses multiple email suffixes, only users whose suffix matches the configured value can SSO into Alibaba Cloud.
Step 5: Create a user and assign the application in Okta
-
In the left-side navigation pane of Okta, choose .
-
Click Add Person.
-
On the Add Person page, enter the user's information, set Primary email to u2@example.com, and then click Save.
-
In the user list, find u2@example.com, click Activate in the Status column, and confirm the activation.
-
In the left-side navigation pane, choose .
-
Click the name of your application (AliyunSSODemo). On the Assignments tab, choose .
-
Click Assign next to the target user (u2@example.com).
-
Click Save and Go Back.
-
Click Done.
Step 6: Create a RAM user in Alibaba Cloud
-
In the left-side navigation pane of the RAM console, choose .
-
On the Users page, click Create User.
-
On the Create User page, enter the Logon Name and Display Name.
NoteThe RAM user's logon name prefix must match the corresponding Okta username prefix. In this example, the prefix is u2.
-
In the Access Mode section, select Console Access and configure settings such as the logon password.
-
Click OK.
Verify the results
Verify the setup by initiating an SSO logon from either Alibaba Cloud or Okta.
Service provider (SP)-initiated logon
-
In the RAM console, go to the Overview page and copy the logon URL for RAM users.
-
Hover over your profile picture and click Log out, or open the RAM user logon URL in a new browser window.
-
Click Log on with corporate account. You are redirected to the Okta logon page.
-
On the Okta logon page, enter the username (u2@example.com) and password, and then click Sign In.
After successful logon, you are redirected to the page specified by DefaultRelayState. If DefaultRelayState is not set or is invalid, you land on the Alibaba Cloud Management Console homepage.
Identity provider (IdP)-initiated logon
Log on to the Okta portal. On the homepage, click the AliyunSSODemo application.
After successful logon, you are redirected to the page specified by DefaultRelayState. If DefaultRelayState is not set or is invalid, you land on the Alibaba Cloud Management Console homepage.