Resource Access Management: Use cases of SSO

Last Updated: Oct 10, 2025

Alibaba Cloud supports two single sign-on (SSO) methods: role-based SSO and user-based SSO. This topic describes the use cases for each method to help you select the one that best fits your business requirements.

Use cases of role-based SSO

  • To avoid user synchronization and reduce costs, you do not want to create or manage users on Alibaba Cloud.

  • You want to use SSO for primary access but also retain a small number of native RAM users. These native users can serve as a backup logon method in case of an identity provider (IdP) or network outage, or for testing new cloud features.

  • You want to manage cloud permissions centrally within your IdP. By mapping IdP user groups or attributes to different RAM users, you can grant or revoke access simply by modifying a user's group membership or attributes in your IdP.

  • You have multiple Alibaba Cloud accounts and only one IdP. You want to implement SSO to multiple Alibaba Cloud accounts by configuring your IdP only once.

  • You have multiple IdPs and only one Alibaba Cloud account. You want to implement SSO from multiple IdPs to one Alibaba Cloud account by configuring the IdPs in your account.

  • You need both console access and programmatic access (API calls) for your users.

Use cases of user-based SSO

  • You require Service Provider (SP)-initiated SSO, where users start the logon process from the Alibaba Cloud console logon page.

  • Some of your Alibaba Cloud services cannot be accessed by RAM roles (that is, through STS). For more information about Alibaba Cloud services that can be accessed by RAM roles, see Services that work with STS.

  • Your IdP does not support complex configuration of attributes.

  • Your requirements are met without the advanced features of role-based SSO, and you prefer to simplify your IdP configuration.