This topic provides a step-by-step guide for configuring user-based single sign-on (SSO) from Microsoft Active Directory Federation Services (AD FS) to Alibaba Cloud. After you complete the configuration, users in your AD FS organization can log on to the Alibaba Cloud Management Console by using their AD FS credentials.
Prerequisites
You have an operational AD FS environment. This tutorial uses AD FS on an Elastic Compute Service (ECS) instance that runs Windows Server 2012 R2 as an example.
You have administrative permissions in both your AD FS environment and your Alibaba Cloud account.
You have already created the necessary Resource Access Management (RAM) users in your Alibaba Cloud account. The logon name of each RAM user (username plus logon suffix, for example alice@secloud.onaliyun.com) must match the NameID that AD FS will send for that person in the SAML assertion.
This tutorial provides a reference for integrating AD FS with Alibaba Cloud. Alibaba Cloud does not provide support for the configuration of third-party software like AD FS. For detailed information on deploying AD FS, see Build an AD domain on a Windows instance.
Configuration overview
The SSO configuration involves establishing a two-way trust relationship and then telling AD FS which identity to assert:
Configure Alibaba Cloud to trust AD FS: You create an identity provider (IdP) in Alibaba Cloud RAM using the metadata from your AD FS server.
Configure AD FS to trust Alibaba Cloud: You create a Relying Party Trust in AD FS using the metadata from Alibaba Cloud.
Configure claim rules in AD FS: You define rules in AD FS to send the correct user identity attributes in the SAML assertion.
Step 1: Configure Alibaba Cloud to trust AD FS
Obtain the AD FS federation metadata.
In a browser, navigate to your AD FS federation metadata URL. The URL is typically in the format:
https://<your_adfs_server>/FederationMetadata/2007-06/FederationMetadata.xml. Save the resulting XML file to your computer.
Create a SAML IdP in Alibaba Cloud.
Log on to the RAM console, navigate to SSO, and on the User-based SSO tab, upload the metadata file you just downloaded. For detailed instructions, see Configure SAML on Alibaba Cloud (as SP).
Note: If the metadata file is too large, you can reduce its size by removing the content within the <fed:ClaimTypesRequested> and <fed:ClaimTypesOffered> elements before uploading. Leave the <KeyDescriptor> elements and their certificates in place, because Alibaba Cloud uses the advertised signing certificate to validate your assertions. Editing the file also invalidates the XML signature embedded in the metadata, so after the upload confirm that the signing certificate shown in the RAM console matches the token-signing certificate on your AD FS server.
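The following PowerShell is an added example, not part of the original tutorial, that performs the trimming described in the note and then prints the thumbprint of the signing certificate the metadata advertises, so it can be compared with the AD FS token-signing certificate before the file is uploaded. The host name adfs.secloud.club and the output path are placeholders.

```powershell
# Added example (not from the original tutorial): fetch the AD FS federation metadata,
# drop the bulky fed:ClaimTypesRequested / fed:ClaimTypesOffered elements, and print the
# thumbprint of the token-signing certificate the file advertises.
# Assumptions: adfs.secloud.club and the output path are placeholders.
$metadataUrl = "https://adfs.secloud.club/FederationMetadata/2007-06/FederationMetadata.xml"
$outputPath  = Join-Path $env:USERPROFILE "Desktop\FederationMetadata-trimmed.xml"

# Fetch over HTTPS; -UseBasicParsing avoids the Internet Explorer dependency on Server 2012 R2.
$raw = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.LoadXml($raw)

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("fed", "http://docs.oasis-open.org/wsfed/federation/200706")
$ns.AddNamespace("md",  "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds",  "http://www.w3.org/2000/09/xmldsig#")

# Remove only the WS-Federation claim-type lists. Everything else, in particular the
# SAML 2.0 IDPSSODescriptor and its KeyDescriptor certificates, stays intact.
# @() materialises the node list so nodes can be removed while iterating.
$removed = 0
foreach ($node in @($xml.SelectNodes("//fed:ClaimTypesRequested | //fed:ClaimTypesOffered", $ns))) {
    [void]$node.ParentNode.RemoveChild($node)
    $removed++
}
$xml.Save($outputPath)
Write-Host "Removed $removed element(s); trimmed metadata written to $outputPath"

# Print the thumbprint of each signing certificate the IdP advertises for SAML 2.0.
$certXPath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
foreach ($node in $xml.SelectNodes($certXPath, $ns)) {
    $bytes = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$bytes)
    Write-Host ("Metadata signing cert: {0}  expires {1}" -f $cert.Thumbprint, $cert.NotAfter)
}

# On the AD FS server itself, this is the value the thumbprint above must match:
#   Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary
```

Run the script from any Windows machine that can reach the AD FS endpoint, then upload the trimmed file. If the thumbprint printed does not match the primary token-signing certificate reported by Get-AdfsCertificate on the AD FS server, you fetched stale metadata (for example after a certificate rollover) and should not upload it.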
Step 2: Configure AD FS to trust Alibaba Cloud
Get the Alibaba Cloud SP metadata URL.
In the RAM console, under SSO > User-based SSO, find the SAML Service Provider Metadata URL section and copy the URL.
Add a relying party trust in AD FS.
On your AD FS server, open Server Manager.
In Server Manager, click Tools, and then select AD FS Management.

Navigate to Relying Party Trusts, right-click, and select Add Relying Party Trust.

In the wizard, select Import data about the relying party published online or on a local network. Paste the Alibaba Cloud SP metadata URL you copied earlier.

Complete the wizard using the default settings. Note that the default issuance authorization rule permits all authenticated AD FS users to obtain an assertion for this relying party; if only some users should be able to reach Alibaba Cloud, tighten that rule afterwards.
Step 3: Configure claim rules in AD FS
Claim rules instruct AD FS on which user attributes to include in the SAML assertion. For user-based SSO, you must configure a rule to send a NameID that Alibaba Cloud can map to a RAM user.
A common challenge is that the User Principal Name (UPN) suffix in your internal Active Directory (such as secloud.club) does not match a logon suffix verified in your Alibaba Cloud account (such as secloud.onaliyun.com). You can solve this in one of the following ways.
Solution A: Use a custom logon suffix in Alibaba Cloud
If your Active Directory domain is a public domain name that you own (such as secloud.club), the simplest solution is to add it as a custom logon suffix in the Alibaba Cloud RAM console. Once verified, AD FS can send the user's UPN as is, and Alibaba Cloud will recognize it.
In the AD FS Management console, right-click your new relying party trust and select Edit Claim Rules.

On the Issuance Transform Rules tab, click Add Rule.

Select the Transform an Incoming Claim template and click Next.

Configure the rule with the following settings:
Claim rule name: Enter a descriptive name, such as UPN2NameID.
Incoming claim type: Select UPN.
Outgoing claim type: Select Name ID.
Outgoing name ID format: Select Email.
Select the Pass through all claim values option.

Solution B: Transform the UPN suffix in AD FS
If your AD domain is internal (such as secloud.club) and cannot be verified in Alibaba Cloud, you must use your default RAM logon suffix (such as secloud.onaliyun.com) instead.
To do this, create a claim rule in AD FS to transform the UPN's domain suffix. This rule should change the suffix from your internal domain to your Alibaba Cloud domain within the SAML assertion that is sent to Alibaba Cloud.
Configure the Transform an Incoming Claim rule with the following settings:
Claim rule name: Enter a descriptive name, such as UPN2NameID.
Incoming claim type: Select UPN.
Outgoing claim type: Select Name ID.
Outgoing name ID format: Select Email.
Select the Replace incoming e-mail suffix claims with a new e-mail suffix option and enter your default logon suffix for Alibaba Cloud (such as secloud.onaliyun.com).

Solution C: Use an auxiliary logon suffix in Alibaba Cloud
As an alternative to transformation, you can configure your internal AD domain as an auxiliary logon suffix in the RAM console's SSO settings. This tells Alibaba Cloud to accept assertions whose NameID carries this suffix without requiring domain name ownership verification. Once this is configured in RAM, use the same pass-through claim rule as in Solution A, which sends the UPN unchanged as the Name ID.
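The following PowerShell is an added example, not part of the original tutorial, that performs Step 2 and Step 3 from the AD FS PowerShell module instead of the wizard: it creates the relying party trust from the Alibaba Cloud SP metadata URL and installs the UPN2NameID issuance transform rule, either as the pass-through rule of Solutions A and C or as the suffix-rewriting rule of Solution B. The SP metadata URL, the suffix secloud.onaliyun.com and the trust name are placeholders; copy the real URL from the RAM console as described in Step 2.

```powershell
# Added example (not from the original tutorial): create the Alibaba Cloud relying party
# trust and install the NameID claim rule with the ADFS module. Run on the AD FS server
# as an AD FS administrator.
# Assumptions: $spMetadataUrl, $aliyunSuffix and $rpName are placeholders.
Import-Module ADFS

$rpName        = "Alibaba Cloud"
$spMetadataUrl = "https://signin.aliyun.com/saml/SpMetadata.xml"   # placeholder: copy from RAM > SSO > User-based SSO
$aliyunSuffix  = "secloud.onaliyun.com"   # default RAM logon suffix, used by Solution B only
$useSolutionB  = $true                    # $false for Solution A or C (send the UPN unchanged)

$upnType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$nameIdType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$formatProp = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
$emailFmt   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Solution A / C: pass the UPN value through unchanged.
# Solution B: rewrite everything after the @ to the Alibaba Cloud suffix. This is the
# rule body the wizard option "Replace incoming e-mail suffix claims with a new e-mail
# suffix" generates.
if ($useSolutionB) {
    $value = 'regexreplace(c.Value, "^(?<user>[^@]+)@(.+)$", "${{user}}@{0}")' -f $aliyunSuffix
} else {
    $value = "c.Value"
}

# Issuance transform rule in the AD FS claim rule language (template "Transform an
# Incoming Claim"). The Properties entry sets the NameID format to Email.
$transformRules = @"
@RuleTemplate = "MapClaims"
@RuleName = "UPN2NameID"
c:[Type == "$upnType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = $value, ValueType = c.ValueType, Properties["$formatProp"] = "$emailFmt");
"@

# Issuance authorization rule. This is the wizard default ("Permit all users"); restrict
# it to an AD group (template "Permit or Deny Users Based on an Incoming Claim") if only
# some users should be able to obtain an assertion for Alibaba Cloud.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 2: create the trust from the SP metadata published online, then Step 3: install
# the rules on it.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $spMetadataUrl
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the identifier, SAML endpoints and rules AD FS actually stored.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

After running it, test the flow by logging on at the Alibaba Cloud SSO URL with an AD FS account: for Solution B, a user with UPN alice@secloud.club should arrive as alice@secloud.onaliyun.com, and that RAM user must already exist (see Prerequisites). If the logon fails, inspect the assertion with a browser SAML tracer and compare the NameID with the RAM user's logon name character for character.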
