Resource Access Management: SAML assertion attributes for role-based SSO

Last Updated: Mar 24, 2026

When you configure role-based single sign-on (SSO), your identity provider (IdP) sends a SAML assertion to Alibaba Cloud. This topic describes the required elements and attributes within the SAML assertion for the SSO to succeed.

SAML assertion requirements

After your IdP authenticates a user, it generates a SAML response containing a SAML assertion. This assertion is a security token that provides claims about the user's identity. For SSO to succeed, the assertion must contain the elements described below, formatted according to the SAML 2.0 standard.

Required assertion elements

The saml2:Assertion block of the SAML response must include the following standard elements, formatted according to the SAML 2.0 specification.

saml2:Issuer

The unique identifier of your IdP. This value must exactly match the Entity ID found in the SAML metadata you uploaded to Alibaba Cloud.

ds:Signature

The digital signature for the assertion. Alibaba Cloud requires that the entire saml2:Assertion element be signed to ensure its integrity and authenticity.

saml2:Subject

Contains information about the authenticated user. It must include:

  • A saml2:NameID element containing the user's identifier.

  • A saml2:SubjectConfirmation element with a saml2:SubjectConfirmationData sub-element. The Recipient attribute of this sub-element must be set to the Alibaba Cloud Assertion Consumer Service (ACS) URL for role-based SSO: https://signin.alibabacloud.com/saml-role/sso.

Example:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">administrator</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2019-01-01T00:01:00.000Z" Recipient="https://signin.alibabacloud.com/saml-role/sso"/>
  </SubjectConfirmation>
</Subject>

saml2:Conditions

Specifies the conditions under which the assertion is valid. It must include:

  • A saml2:AudienceRestriction element with one or more saml2:Audience sub-elements. The saml2:Audience value must be set to the Alibaba Cloud entity ID for role-based SSO: urn:alibaba:cloudcomputing:international.

Example:

<Conditions>
  <AudienceRestriction>
    <Audience>urn:alibaba:cloudcomputing:international</Audience>
  </AudienceRestriction>
</Conditions>

Alibaba Cloud custom role attributes

In addition to the standard elements, the SAML assertion must include a saml2:AttributeStatement element that contains the following custom attributes. These attributes provide the role-specific information that Alibaba Cloud needs.

Role attribute (Required)

This attribute specifies which RAM roles the user is allowed to assume.

  • Name: https://www.aliyun.com/SAML-Role/Attributes/Role

  • Value: The value is one or more AttributeValue elements. Each element contains a comma-separated pair of the RAM role ARN and the IdP ARN. You can find these ARNs on the RAM role and IdP details pages in the RAM console.

    Example:

    <Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
      <AttributeValue>acs:ram::$account_id:role/role1,acs:ram::$account_id:saml-provider/provider1</AttributeValue>
      <AttributeValue>acs:ram::$account_id:role/role2,acs:ram::$account_id:saml-provider/provider1</AttributeValue>
    </Attribute>

Note

If multiple AttributeValue elements are provided, the user is prompted to select a role upon logon.

RoleSessionName attribute (Required)

This attribute provides a user-friendly identifier for the session. It appears in the console and in ActionTrail logs, helping you distinguish between different users assuming the same role.

  • Name: https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName

  • Value: A single AttributeValue element containing a string from 2 to 64 characters. You can use letters, digits, and the special characters - _ . @ =. A user's email address or employee ID is a good choice for this value. Example:

    <Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName">
      <AttributeValue>user_id</AttributeValue>
    </Attribute>

SessionDuration attribute (Optional)

This attribute specifies the requested duration of the console session in seconds.

  • Name: https://www.aliyun.com/SAML-Role/Attributes/SessionDuration

  • Value: A single AttributeValue element containing an integer. The value must be between 900 seconds (15 minutes) and the maximum session duration configured for the RAM role. Example:

    <Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/SessionDuration">
      <AttributeValue>1800</AttributeValue>
    </Attribute>
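The following Python script is an added example, not part of the Alibaba Cloud documentation or of any Alibaba Cloud SDK. It checks a decoded assertion against the requirements above, both the standard elements and the custom Role, RoleSessionName and SessionDuration attributes, so an IdP attribute mapping can be verified before it is rolled out. The IdP entity ID, the account ID 123456789012 and the role, provider and user names in the constructed sample are placeholders, and verifying ds:Signature is assumed to be done by the SAML library that processes the response.

```python
import re
from xml.etree import ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://signin.alibabacloud.com/saml-role/sso"
AUDIENCE = "urn:alibaba:cloudcomputing:international"
ATTR_PREFIX = "https://www.aliyun.com/SAML-Role/Attributes/"
ARN_PAIR = re.compile(r"^acs:ram::\d+:role/[^,\s]+,acs:ram::\d+:saml-provider/[^,\s]+$")  # "role ARN,IdP ARN"
ROLE_SESSION_NAME = re.compile(r"^[A-Za-z0-9._@=-]{2,64}$")  # 2-64 chars: letters, digits, - _ . @ =

def attribute_values(assertion, name):
    """All AttributeValue texts of the Alibaba Cloud custom attribute `name`."""
    path = f"saml2:AttributeStatement/saml2:Attribute[@Name='{ATTR_PREFIX}{name}']/saml2:AttributeValue"
    return [(v.text or "").strip() for v in assertion.findall(path, NS)]

def check_assertion(assertion_xml, idp_entity_id):
    """Return the violated requirements (empty list = pass); ds:Signature is left to the SAML library."""
    a = ET.fromstring(assertion_xml)
    problems = []
    if a.findtext("saml2:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer must equal the Entity ID in the IdP metadata uploaded to Alibaba Cloud")
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if a.find("saml2:Subject/saml2:NameID", NS) is None or scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Subject needs a NameID and a SubjectConfirmationData whose Recipient is the ACS URL")
    audiences = [x.text for x in a.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("AudienceRestriction must contain the Alibaba Cloud entity ID for role-based SSO")
    roles = attribute_values(a, "Role")
    if not roles or not all(ARN_PAIR.match(r) for r in roles):
        problems.append("Role must hold one or more 'role ARN,IdP ARN' pairs")
    names = attribute_values(a, "RoleSessionName")
    if len(names) != 1 or not ROLE_SESSION_NAME.match(names[0]):
        problems.append("RoleSessionName must be a single value of 2-64 allowed characters")
    durations = attribute_values(a, "SessionDuration")
    if durations and not (len(durations) == 1 and durations[0].isdigit() and int(durations[0]) >= 900):
        problems.append("SessionDuration must be a single integer of at least 900 seconds")
    return problems

# Constructed sample assertion: unsigned; the account ID 123456789012 and every name are placeholders
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
<saml2:Subject><saml2:NameID>administrator</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Recipient="https://signin.alibabacloud.com/saml-role/sso"/></saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>urn:alibaba:cloudcomputing:international</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role"><saml2:AttributeValue>acs:ram::123456789012:role/role1,acs:ram::123456789012:saml-provider/provider1</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName"><saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/SessionDuration"><saml2:AttributeValue>1800</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement></saml2:Assertion>"""
```

Calling check_assertion(SAMPLE, "https://idp.example.com/metadata") returns an empty list; change any of the required values and the matching requirement is reported.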

Session duration precedence

The final duration of a federated session is determined by the minimum of several possible values.

For console SSO

The session duration is the minimum of the following:

  • The value of the SessionDuration attribute in the SAML assertion.

  • The expiration time defined by the SessionNotOnOrAfter attribute in the assertion's AuthnStatement.

  • The maximum session duration configured on the RAM role itself. For how to configure the duration, see Set maximum session duration.

  • The logon session duration of the RAM user that assumes the role. For how to configure the duration, see Manage security settings.

If none of these are specified, the session defaults to 1 hour (3,600 seconds).

For API calls (AssumeRoleWithSAML)

The temporary credential duration is the minimum of the following:

  • The value of the DurationSeconds parameter in the AssumeRoleWithSAML API operation.

  • The expiration time defined by the SessionNotOnOrAfter attribute in the assertion's AuthnStatement.

  • The maximum session duration configured on the RAM role.

If none of these are specified, the session defaults to 1 hour (3,600 seconds).
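As an added example that is not part of the documentation, the following Python function applies the precedence rules above for both cases: `requested` is the SessionDuration attribute for console SSO or the DurationSeconds parameter for AssumeRoleWithSAML, `user_logon_max` applies only to console SSO, and any limit that is not specified is passed as None. The function name and argument names are this example's own.

```python
from datetime import datetime, timezone

DEFAULT_SESSION = 3600  # 1 hour, applied when no limit at all is specified

def parse_saml_time(value):
    """Parse a SAML xsd:dateTime such as 2019-01-01T00:01:00.000Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def effective_session_seconds(now, requested=None, session_not_on_or_after=None,
                              role_max=None, user_logon_max=None):
    """Effective duration in seconds: the minimum of every specified limit.
    now: current time as datetime or as an xsd:dateTime string.
    requested: SessionDuration (console) or DurationSeconds (API), in seconds.
    session_not_on_or_after: AuthnStatement/SessionNotOnOrAfter, an absolute xsd:dateTime.
    role_max: maximum session duration configured on the RAM role, in seconds.
    user_logon_max: logon session duration of the RAM user (console SSO only), in seconds."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    limits = [requested, role_max, user_logon_max]
    if session_not_on_or_after is not None:
        # SessionNotOnOrAfter is an absolute time, so convert it to seconds remaining
        remaining = parse_saml_time(session_not_on_or_after) - now
        limits.append(int(remaining.total_seconds()))
    specified = [s for s in limits if s is not None]
    return min(specified) if specified else DEFAULT_SESSION
```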

Reference

How do I view a SAML response in Google Chrome?