When you integrate an enterprise identity system with Alibaba Cloud for user-based single sign-on (SSO), the enterprise system acts as the identity provider (IdP) and Alibaba Cloud acts as the service provider (SP). This allows enterprise employees to access Alibaba Cloud resources as RAM users after authenticating with their corporate credentials.
Process
After an administrator configures user-based SSO, an employee (Alice in this example) can log on to the Alibaba Cloud Management Console. The following figure shows the procedure.

1. Alice attempts to log on to the Alibaba Cloud Management Console. Alibaba Cloud, as the SP, generates a Security Assertion Markup Language (SAML) authentication request and sends it to Alice's browser.
2. The browser forwards the SAML authentication request to the IdP.
3. Alice authenticates with the IdP. After successful authentication, the IdP generates a SAML response that contains the user's identity assertion and returns it to the browser.
4. The browser forwards the SAML response to the SSO service.
5. The SSO service validates the signature of the SAML response by using the IdP's public key. It then maps the NameID element in the SAML assertion to the corresponding RAM user in Alibaba Cloud, and returns the URL of the Alibaba Cloud Management Console to the browser.
6. The browser redirects Alice to the Alibaba Cloud Management Console.
Note: The process described in Step 1 is SP-initiated. Alternatively, Alice can start an IdP-initiated logon by accessing the Alibaba Cloud application directly from her corporate IdP portal.
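The SP-side half of the exchange above, together with the NameID-to-RAM-user mapping that the configuration steps rely on, as an added Python illustration (not Alibaba Cloud's or any IdP's code): the SP issues the authentication request of step 1, then validates the response of step 5 and resolves the NameID to a RAM user logon name. The entity IDs, the logon names, the timestamps and the IdP response builder are all constructed. The XML Signature check against the IdP's public key is passed in as a callable, because in practice it is done by an XML-DSig library (for example python-xmlsec or signxml); the stand-in here only fixes where that check sits in the order of checks.

```python
# Added illustration of the SP-side checks in the flow above. Not Alibaba Cloud's code;
# the entity IDs, logon names, timestamps and the IdP response builder are constructed.
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"
FIXED_NOW = dt.datetime(2024, 1, 1, 0, 1, tzinfo=dt.timezone.utc)  # constructed clock reading


class SamlError(Exception):
    """The response must be rejected; the message says why (useful for SSO audit logs)."""


def parse_ts(value):
    return dt.datetime.strptime(value, TS).replace(tzinfo=dt.timezone.utc)


class ServiceProvider:
    """Minimal SP. verify_signature(xml) -> bool stands for the XML-DSig check against the
    IdP's public key, done in practice by an XML Signature library (python-xmlsec, signxml)."""

    def __init__(self, sp_entity_id, idp_entity_id, ram_logon_names, verify_signature, now):
        self.sp_entity_id, self.idp_entity_id = sp_entity_id, idp_entity_id
        self.ram_logon_names = set(ram_logon_names)  # logon names of the RAM users created for SSO
        self.verify_signature, self.now = verify_signature, now
        self.outstanding = set()  # AuthnRequest IDs we issued and have not yet seen answered
        self.consumed = set()     # Assertion IDs already accepted (replay guard)

    def build_authn_request(self):
        """Step 1: the AuthnRequest that the browser relays to the IdP."""
        req_id = "_" + secrets.token_hex(16)
        self.outstanding.add(req_id)
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
               f'Version="2.0" IssueInstant="{self.now().strftime(TS)}">'
               f'<saml:Issuer>{self.sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
        return req_id, xml

    def validate_response(self, xml_text):
        """Step 5: validate the Response and return the RAM user logon name it maps to."""
        if not self.verify_signature(xml_text):  # nothing below is trusted before this passes
            raise SamlError("signature verification failed")
        root = ET.fromstring(xml_text)  # defusedxml.ElementTree is the safer parser in production
        if root.tag != f"{{{SAMLP}}}Response":
            raise SamlError("not a samlp:Response")
        status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        if status is None or status.get("Value") != SUCCESS:
            raise SamlError("IdP did not report success")
        in_response_to = root.get("InResponseTo")  # absent in an IdP-initiated logon
        if in_response_to is not None:
            if in_response_to not in self.outstanding:
                raise SamlError("InResponseTo does not match an outstanding request")
            self.outstanding.discard(in_response_to)
        assertion = root.find(f"{{{SAML}}}Assertion")
        if assertion is None:
            raise SamlError("no Assertion")
        for issuer in (root.find(f"{{{SAML}}}Issuer"), assertion.find(f"{{{SAML}}}Issuer")):
            if issuer is None or issuer.text != self.idp_entity_id:
                raise SamlError("Issuer is not the configured IdP")
        cond = assertion.find(f"{{{SAML}}}Conditions")
        now = self.now()
        if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
            raise SamlError("Conditions missing or outside validity window")
        audience = cond.find(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
        if audience is None or audience.text != self.sp_entity_id:
            raise SamlError("assertion was not issued for this SP")
        if assertion.get("ID") in self.consumed:
            raise SamlError("assertion replayed")
        self.consumed.add(assertion.get("ID"))
        name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        if name_id is None or name_id.text not in self.ram_logon_names:
            raise SamlError("NameID does not match any RAM user logon name")
        return name_id.text


def make_idp_response(idp, sp, name_id, in_response_to, not_before, not_on_or_after, assertion_id="_a1"):
    """Constructed stand-in for the IdP side (step 3): an unsigned Response for the checks above."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"{irt}>'
            f'<saml:Issuer>{idp}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="{assertion_id}" Version="2.0"><saml:Issuer>{idp}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')


def demo():
    """SP-initiated exchange for Alice, then the rejections a defender expects to see logged."""
    idp, spid = "https://idp.example.com/saml", "https://sp.example.com/saml"  # constructed
    alice = "alice@example.onaliyun.com"  # constructed RAM logon name that equals the NameID
    sp = ServiceProvider(spid, idp, [alice], verify_signature=lambda _: True, now=lambda: FIXED_NOW)
    req_id, _request_xml = sp.build_authn_request()
    valid = ("2024-01-01T00:00:00Z", "2024-01-01T00:05:00Z")
    ok = make_idp_response(idp, spid, alice, req_id, *valid)
    results = {"accepted": sp.validate_response(ok)}
    bad = {
        "replay": ok,
        "expired": make_idp_response(idp, spid, alice, None, "2023-12-31T23:00:00Z", "2023-12-31T23:05:00Z", "_a2"),
        "wrong_audience": make_idp_response(idp, "https://other.example.com", alice, None, *valid, "_a3"),
        "unknown_user": make_idp_response(idp, spid, "mallory@example.onaliyun.com", None, *valid, "_a4"),
    }
    for name, xml in bad.items():
        try:
            sp.validate_response(xml)
            results[name] = "accepted"
        except SamlError as err:
            results[name] = str(err)
    return results
```

The order of checks matters: the signature is verified before anything in the document is read, and the two checks the page names (signature, NameID mapping) are complemented by the issuer, audience, validity-window, InResponseTo and replay checks that a production SP performs as well. The RAM user logon name used here equals the NameID value, which is exactly the match the configuration steps require.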
Configure user-based SSO
Before you implement user-based SSO, you must establish trust between Alibaba Cloud and your IdP.
Configure the IdP in the Alibaba Cloud Management Console to ensure that your IdP is trusted by Alibaba Cloud.
For more information, see Configure the SAML settings of Alibaba Cloud for user-based SSO.
In your IdP, configure Alibaba Cloud as a trusted SAML SP and configure the SAML assertions that the IdP issues for it.
For more information, see Configure the SAML settings of enterprise IdP for user-based SSO.
After configuring both the IdP and Alibaba Cloud, create RAM users whose logon names match the NameID attribute values that will be sent from the IdP. You can create these users via the RAM console, SDK, or CLI.
For more information, see Create a RAM user.
References
The following examples describe how to implement user-based SSO between your enterprise services and Alibaba Cloud by using IdPs: