SAML response and assertion structure for user-based SSO - Resource Access Management

When configuring user-based single sign-on (SSO), your identity provider (IdP) sends a SAML assertion to Alibaba Cloud. This topic describes the required elements and attributes within the SAML assertion that Alibaba Cloud needs to authenticate your users.

SAML assertion requirements

After your IdP authenticates a user, it generates a SAML response containing a SAML assertion. This assertion is a security token that provides claims about the user's identity. For SSO to succeed, the assertion must contain the elements described below, formatted according to the SAML 2.0 standard.

Required assertion elements

The following table describes the required elements within the saml2:Assertion block of the SAML response.

Element	Description and requirements
`saml2:Issuer`	The unique identifier of your IdP. This value must exactly match the `Entity ID` found in the SAML metadata you uploaded to Alibaba Cloud.
`ds:Signature`	The digital signature for the assertion. Alibaba Cloud requires that the entire `saml2:Assertion` element be signed to ensure its integrity and authenticity.
`saml2:Subject`	Contains information about the authenticated user. It must include: A `saml2:NameID` element containing the user's identifier. A `saml2:SubjectConfirmation` element with a `saml2:SubjectConfirmationData` sub-element. The `Recipient` attribute of this sub-element must be set to the Alibaba Cloud Assertion Consumer Service (ACS) URL: `https://signin-intl.aliyun.com/saml/SSO`. Example: `<Subject> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Alice@example.onaliyun.com</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2019-01-01T00:01:00.000Z" Recipient="https://signin-intl.aliyun.com/saml/SSO"/> </SubjectConfirmation> </Subject>`
`saml2:Conditions`	Specifies the conditions under which the assertion is valid. It must include: An `saml2:AudienceRestriction` element with one or more `saml2:Audience` sub-elements. The value of this sub-element must be set to the Alibaba Cloud entity ID: `https://signin-intl.aliyun.com/${accountId}/saml/SSO`, where `${accountID}` is your Alibaba Cloud account ID. Example: `<Conditions> <AudienceRestriction> <Audience>https://signin-intl.aliyun.com/${accountId}/saml/SSO</Audience> </AudienceRestriction> </Conditions>`

For more information about the SAML 2.0 standard, see SAML 2.0.

Configure the NameID element

The NameID element is critical because it maps the federated identity to a unique RAM user in your Alibaba Cloud account. Alibaba Cloud uses the value of the NameID as the User Principal Name (UPN) to find the corresponding RAM user.

The value of the NameID must be in the format <username>@<logon_suffix>, where <username> is the name of the RAM user and <logon_suffix> is one of the following:

Default logon suffix: The default logon suffix provided by Alibaba Cloud (such as example.onaliyun.com). For more information, see RAM user logon suffixes.
Custom logon suffix: A custom logon suffix you have configured for RAM users within your account. This takes precedence over an auxiliary logon suffix. For more information, see Create and verify a domain alias.
Auxiliary logon suffix: An additional custom logon suffix you have configured for SSO purposes. For more information, see Configure SAML on Alibaba Cloud (as SP).

Example:

Assume you have a RAM user named Alice and your account's default logon suffix is example.onaliyun.com.

If you configure a custom logon suffix of example.com, the NameID can be Alice@example.com or Alice@example.onaliyun.com.
If you have no custom logon suffixes but configure an auxiliary logon suffix of example.net, the NameID can be Alice@example.net or Alice@example.onaliyun.com.
If you have both a custom logon suffix (example.com) and an auxiliary logon suffix (example.net), the custom logon suffix takes precedence. The valid NameID suffixes are example.com and example.onaliyun.com.

Reference

How do I view a SAML response in Google Chrome?