
Resource Access Management:Configure user-based SSO from Okta

Last Updated:Jan 09, 2026

This topic provides a step-by-step guide for configuring user-based single sign-on (SSO) from Okta to Alibaba Cloud. After you complete the configuration, users in your Okta organization can log on to the Alibaba Cloud Management Console by using their Okta credentials.

Step 1: Download the SAML SP metadata file from Alibaba Cloud

  1. Log on to the Resource Access Management (RAM) console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the SSO page, click the User-based SSO tab. In the SAML Service Provider Metadata URL section, copy the URL.

  4. Open the metadata URL in a new browser tab. Right-click the page and save it as an XML file. This file contains the SAML service provider (SP) metadata for Alibaba Cloud.

    Open the downloaded metadata file and record the following values, which you will need to configure Okta:

    • entityID: The value of the entityID attribute in the <md:EntityDescriptor> element. Example: https://signin-intl.aliyun.com/57******81/saml/SSO.

    • Location: The value of the Location attribute in the <md:AssertionConsumerService> element. Example: https://signin-intl.aliyun.com/saml/SSO.
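The two values above are the only ones Okta needs from this file, and reading them by hand is error-prone. The following added Python example (not part of the original topic or of any Alibaba Cloud tooling) parses the SP metadata namespace-aware and maps it onto the Okta fields used in Step 2; the embedded XML is a constructed sample in the shape of the downloaded file, and the account ID in it is a placeholder.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample in the shape of the SP metadata served at the RAM console's
# metadata URL; the account ID 123456789012 is a placeholder, not a real account.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin-intl.aliyun.com/123456789012/saml/SSO">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin-intl.aliyun.com/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_settings_from_sp_metadata(xml_text: str) -> dict:
    """Map Alibaba Cloud SP metadata onto the Okta 'Configure SAML' fields from Step 2."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # An IDPSSODescriptor here would mean the wrong file (IdP, not SP) was downloaded.
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService element")
    # Okta posts the SAML response to a single endpoint: take the default ACS, else the first.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    return {
        "Single sign on URL": acs.get("Location"),        # Okta field <- Location attribute
        "Audience URI (SP Entity ID)": entity_id,          # Okta field <- entityID attribute
        "binding": acs.get("Binding"),
        # Lets you confirm that the Persistent format selected in Step 2 is one the SP lists.
        "name_id_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
    }
```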

Step 2: Create an application in Okta

  1. Log on to the Okta portal.

  2. In the left-side navigation pane, choose Applications > Applications.

  3. On the Applications page, click Create App Integration.

  4. In the Create a new app integration dialog box, select SAML 2.0 and click Next.

  5. In the General Settings step, enter an application name in the App name field, such as AliyunSSODemo, and click Next.

  6. In the Configure SAML step, configure the following parameters in the SAML Settings section and click Next.

    • Single sign on URL: Enter the Location value that you recorded in Step 1.

    • Audience URI (SP Entity ID): Enter the entityID value that you recorded in Step 1.

    • Default RelayState: Specify the Alibaba Cloud console page where users are redirected after a successful SSO logon. If you leave this empty, users are redirected to the homepage of the Alibaba Cloud Management Console.

      Note

      For security reasons, the URL for Default RelayState must belong to an Alibaba-owned domain name, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If you specify a URL from an unauthorized domain name, the Default RelayState will be ignored.

    • Name ID format: Select Persistent.

    • Application username: Select Email.

  7. On the Feedback page, select an application type based on your requirements and click Finish.
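To avoid configuring a Default RelayState that Alibaba Cloud silently ignores, the domain rule from the note in step 6 can be checked up front. The added Python example below is not part of the original topic; the allowlist is the list of domains the note gives, matching on DNS label boundaries, and restricting the scheme to http or https is an assumption of the example, not something the topic states.

```python
from urllib.parse import urlsplit

# Domains from the note above; "*.aliyun.com" is read as aliyun.com itself or any
# subdomain of it. Constructed from the page's list, not an authoritative allowlist.
ALLOWED_DOMAINS = ("aliyun.com", "hichina.com", "yunos.com", "taobao.com",
                   "tmall.com", "alibabacloud.com", "alipay.com")


def relay_state_is_allowed(url: str) -> bool:
    """Return True if the URL's host belongs to one of the Alibaba-owned domains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()   # hostname drops userinfo and port
    if parts.scheme not in ("http", "https") or not host:   # scheme rule: assumption
        return False
    # Compare on label boundaries so "notaliyun.com" or "aliyun.com.evil.example"
    # is rejected; a plain endswith("aliyun.com") test would accept the first.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)
```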

Step 3: Obtain the SAML IdP metadata from Okta

  1. On the details page of the SAML application that you created (such as AliyunSSODemo), click the Sign On tab.

  2. In the Settings section, copy the Metadata URL. Open the URL in a new browser tab. On the page that appears, right-click the page and click Save As to download the metadata file to your computer.

Step 4: Configure user-based SSO in Alibaba Cloud

  1. In the left-side navigation pane of the RAM console, choose Integrations > SSO.

  2. Click the User-based SSO tab. Select Enabled on the right of SSO Status.

    Note

    This is a global setting that affects all RAM users. After you enable it, RAM users can no longer log on with a username and password. If you are logged on as a RAM user, do not enable SSO until you have verified the configuration is correct. To avoid being locked out, we recommend performing this configuration while logged on with your Alibaba Cloud account.

  3. In the Metadata File section, click Upload Metadata File to upload the IdP metadata file that you downloaded in Step 3.

  4. Click Edit on the right of Auxiliary Domain Name. Enable the feature and enter the email address suffix of your Okta users (such as example.com).

    Note

    If your Okta organization contains users with multiple email domain names, only users whose email address suffix matches the one configured here can log on to Alibaba Cloud by using SSO.

Step 5: Assign the application to an Okta user

  1. In the left-side navigation pane, choose Directory > People.

  2. Click Add person.

  3. On the Add Person page, enter the basic information, set Primary email to u2@example.com, and click Save.

  4. In the user list, find the user u2@example.com and click Activate in the Status column. Then, activate the user as prompted.

  5. In the left-side navigation pane, choose Applications > Applications.

  6. Click the name of the application (AliyunSSODemo) to navigate to its details page. On the Assignments tab, choose Assign > Assign to People.

  7. Find the user (u2@example.com) and click Assign.

  8. Click Save and Go Back.

  9. Click Done.

Step 6: Create a RAM user in Alibaba Cloud

  1. In the left-side navigation pane of the RAM console, choose Identities > Users.

  2. On the Users page, click Create User.

  3. On the Create User page, configure the Logon Name and Display Name parameters.

    Note

    The prefix of the RAM user's logon name (the part before the @ symbol) must exactly match the username prefix of the Okta user. In this example, because the Okta username is u2@example.com, the RAM user's logon name must start with u2.

  4. In the Access Mode section, select Console Access. You do not need to configure a password because the user will authenticate through SSO.

  5. Click OK.

Verify the SSO configuration

You can verify the configuration by initiating SSO from both Alibaba Cloud (SP-initiated) and Okta (IdP-initiated).

SP-initiated logon

  1. Log on to the RAM console. On the Overview page, copy the logon URL for RAM users.

  2. Hover over the profile picture in the upper-right corner and click Log Out. Then, navigate to the RAM user logon URL.

  3. Click Login with Cloud Account. You are redirected to the logon page of Okta.

  4. On the Okta logon page, enter the username (u2@example.com) and password, then click Login.

    After successful authentication, you are automatically logged on to the Alibaba Cloud Management Console. You are redirected to the page specified by the DefaultRelayState parameter. If DefaultRelayState is not set or is invalid, you are redirected to the Alibaba Cloud Management Console homepage.

IdP-initiated logon

Log on to the Okta portal as an Okta user. On the Okta homepage, click the application you created (AliyunSSODemo).

After successful authentication, you are automatically logged on to the Alibaba Cloud Management Console. You are redirected to the page specified by the DefaultRelayState parameter. If DefaultRelayState is not set or is invalid, you are redirected to the Alibaba Cloud Management Console homepage.