Resource Access Management:Manage an OIDC IdP

Last Updated: Mar 25, 2026

To enable OIDC-based single sign-on (SSO), you must first create an OIDC identity provider (IdP) in the Resource Access Management (RAM) console. This topic describes how to create, view, modify, and delete OIDC IdPs.

Create an OIDC IdP

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. Select the Role-based SSO tab, then click the OIDC sub-tab.

  4. Click Create IdP.

  5. On the Create IdP page, configure the following parameters:

    Parameter

    Description

    IdP Name

    Enter a unique name for the OIDC IdP within your Alibaba Cloud account.

    Issuer URL

    Enter the HTTPS URL of your external IdP. This is the value your IdP places in the iss claim of the tokens it issues, and the two must match exactly. The URL must not contain query parameters (?), fragments (#), or user information (@).

    Fingerprint

    Enter the SHA-1 thumbprint of your external IdP's root CA certificate. After you enter the Issuer URL, you can click Get Fingerprint to have RAM fetch the certificate and compute the thumbprint for you. A thumbprint obtained that way is only as trustworthy as the network path RAM used to fetch it, so for security also compute the thumbprint locally from a copy of the certificate you obtained from your IdP administrator, and confirm that the two values match before saving. You can add up to 5 thumbprints.

    Note

    Before rotating your IdP's certificate, add the new certificate's thumbprint here first, so that both the old and the new certificate are trusted during the cutover. After confirming that federation works with the new certificate, remove the old thumbprint.

    Client ID

    Enter one or more client IDs that you obtained when registering your application(s) with the external IdP. When your application later exchanges an OIDC token for an STS token, Alibaba Cloud verifies that the token's aud claim contains a client ID that is present in this list; a token whose audience is not listed is rejected. You can add up to 50 client IDs.

    Earliest Issuance Time Allowed

    Specify how old an OIDC token may be when it is exchanged for an STS token. A token whose issuance time (the iat claim) is earlier than this many hours before the exchange request is rejected. This limit applies in addition to the token's own expiration. Valid values are 1 to 168 hours. The default is 12 hours.

    Description

    (Optional) Enter a description for the OIDC IdP.

  6. Click Create IdP.
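The following script is an added illustration, not Alibaba Cloud's code, of what the parameters above mean at exchange time: it validates an Issuer URL against the console's rules, computes a certificate thumbprint locally from a PEM file so you can compare it with the value Get Fingerprint returned, checks a presented certificate against a list of trusted thumbprints (the rotation case, where old and new coexist), and applies the iss, aud and earliest-issuance checks to a token. The issuer `https://idp.example.com`, the client IDs `app-a` and `app-b`, the sample PEM and the sample tokens are all constructed for the example; signature verification against the IdP's keys is deliberately not modelled.

```python
"""Model of the checks behind an OIDC IdP's Issuer URL, Fingerprint, Client ID and
Earliest Issuance Time Allowed settings. Illustrative code, not Alibaba Cloud's."""
import base64
import hashlib
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ISSUER = "https://idp.example.com"          # assumed issuer, not a real IdP
# Constructed placeholder bytes standing in for a certificate's DER encoding.
SAMPLE_DER = b"constructed DER placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


@dataclass
class OidcIdp:
    """The values the Create IdP page asks for."""
    issuer_url: str
    fingerprints: List[str]            # SHA-1 thumbprints, at most 5
    client_ids: List[str]              # trusted client IDs, at most 50
    earliest_issuance_hours: int = 12  # 1..168, default 12


def validate_issuer_url(url: str) -> bool:
    """Console rules: HTTPS, and no query (?), fragment (#) or user info (@)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.query or parts.fragment or "@" in parts.netloc:
        return False
    return "?" not in url and "#" not in url


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return 40 uppercase hex digits."""
    hexstr = fp.replace(":", "").replace(" ", "").upper()
    if len(hexstr) != 40 or any(c not in "0123456789ABCDEF" for c in hexstr):
        raise ValueError("a SHA-1 thumbprint is 40 hex digits")
    return hexstr


def pem_thumbprint(pem: str) -> str:
    """SHA-1 over the DER bytes inside a PEM block, formatted AA:BB:...:TT."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    digest = hashlib.sha1(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def cert_is_trusted(idp: OidcIdp, pem: str) -> bool:
    """Rotation check: the presented certificate must match one listed thumbprint."""
    trusted = {normalize_fingerprint(f) for f in idp.fingerprints}
    return normalize_fingerprint(pem_thumbprint(pem)) in trusted


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token(idp: OidcIdp, token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Claim checks for the token-to-STS exchange. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        _header, payload_b64, _signature = token.split(".")
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                      # covers unpack, base64 and JSON errors
        return False, "malformed JWT"
    if claims.get("iss") != idp.issuer_url:
        return False, "iss does not match the IdP's Issuer URL"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in idp.client_ids for a in audiences):
        return False, "aud contains no trusted client ID"
    iat = claims.get("iat")
    if not isinstance(iat, int):
        return False, "missing iat"
    if iat < now - idp.earliest_issuance_hours * 3600:
        return False, "token issued before the earliest issuance time allowed"
    exp = claims.get("exp")
    if isinstance(exp, int) and exp <= now:
        return False, "token expired"
    return True, "ok"


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input: a JWT with a placeholder signature (never use in production)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


def build_sample_idp() -> OidcIdp:
    """An IdP mid-rotation: the new cert's thumbprint plus a constructed old one."""
    old_thumbprint = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
    return OidcIdp(ISSUER, [pem_thumbprint(SAMPLE_PEM).lower(), old_thumbprint],
                   ["app-a", "app-b"], earliest_issuance_hours=12)


if __name__ == "__main__":
    idp, now = build_sample_idp(), 1_700_000_000
    fresh = make_unsigned_token({"iss": ISSUER, "aud": "app-a", "iat": now - 3600, "exp": now + 600})
    stale = make_unsigned_token({"iss": ISSUER, "aud": "app-a", "iat": now - 13 * 3600, "exp": now + 600})
    print(check_token(idp, fresh, now), check_token(idp, stale, now))
```

The stale token in the `__main__` block is rejected although its exp claim is still in the future, which is the point of Earliest Issuance Time Allowed: it bounds how long a leaked token stays exchangeable regardless of the lifetime the IdP gave it. Run `pem_thumbprint` on the certificate file from your IdP administrator and compare its output with what Get Fingerprint filled in; a mismatch means you should not save the IdP until you understand why.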

View and modify an OIDC IdP

  1. Navigate to the OIDC sub-tab on the Role-based SSO tab.

  2. Click the name of the OIDC IdP you want to view or modify.

  3. On the details page, you can:

    • View the IdP's basic information, including its ARN.

    • Click Edit next to Description to modify the description.

    • In the Client ID section, click Add or Delete to manage the list of trusted client IDs.

    • In the Fingerprint section, click Add or Delete to manage the list of trusted certificate thumbprints. Delete a thumbprint only after you have confirmed that no certificate still in use matches it; removing the thumbprint of the current certificate breaks federation immediately.

Delete an OIDC IdP

Warning

Before you delete an OIDC IdP, first disassociate it from every RAM role that trusts it. Deleting an IdP permanently breaks OIDC SSO for any application that relies on it, and tokens from that IdP can no longer be exchanged for STS tokens.

  1. Navigate to the OIDC sub-tab on the Role-based SSO tab.

  2. Find the OIDC IdP you want to delete and click Delete IdP in the Actions column.

  3. In the confirmation dialog box, click Delete IdP.