Resource Access Management:SSO overview

Last Updated:May 27, 2026

Alibaba Cloud supports single sign-on (SSO) through identity federation, allowing users from an external identity provider (IdP) to access Alibaba Cloud resources without separate RAM user credentials.

Key concepts

Identity provider (IdP): An external system that manages and authenticates user identities. Examples include on-premises IdPs such as Microsoft Active Directory Federation Services (AD FS) and cloud-based IdPs such as Microsoft Entra ID, Okta, Google Workspace, and Alibaba Cloud IDaaS.

Service provider (SP): An application or service that trusts the IdP to authenticate users. In SSO with Alibaba Cloud, Alibaba Cloud acts as the SP.

SAML 2.0: Security Assertion Markup Language (SAML) 2.0 is an open standard for exchanging authentication and authorization data between an IdP and an SP.

SAML assertion: A security token issued by the IdP containing the authenticated user's information, such as username and group memberships. The SP uses this assertion to grant access.

Trust: A configured relationship that allows the SP (Alibaba Cloud) to trust authentication assertions from the IdP, typically established by exchanging SAML metadata containing the IdP's public signing certificate. Alibaba Cloud uses this certificate to verify the integrity and authenticity of assertions.

OIDC: OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0. It lets clients verify a user's identity through an authorization server and obtain basic profile information.

OIDC token (ID token): A JSON Web Token (JWT) containing claims about the authentication event, such as the user's ID, the token issuer, and the intended client.

Client ID: A unique identifier for an application registered with an OIDC IdP. Included as the audience (aud) claim in the OIDC token to verify the token's intended recipient.

Issuer URL: The URL that identifies the OIDC IdP, included as the issuer (iss) claim in the OIDC token.

Thumbprint (Fingerprint): A unique identifier for the root CA certificate of an OIDC IdP's server, used to verify the authenticity of the IdP's public keys. For more information, see Obtain an OIDC IdP thumbprint with OpenSSL.

STS token: A temporary security credential from Alibaba Cloud Security Token Service (STS). In federated SSO, users exchange a SAML assertion or OIDC token for STS tokens to make authenticated API calls to Alibaba Cloud services.

SSO methods

Alibaba Cloud supports two federated SSO methods:

  • User-based SSO (SAML only)

    The SAML assertion maps the federated user to a specific RAM user in your Alibaba Cloud account. The user logs in with that RAM user's permanent permissions. This method is less flexible and is not recommended for new implementations. See Overview of user-based SSO.

  • Role-based SSO

    The federated user assumes a RAM role for temporary access to Alibaba Cloud resources. This is the recommended and most flexible approach.

    • SAML 2.0: The IdP sends a SAML assertion specifying which RAM role the user can assume. The user then logs in to the Alibaba Cloud Management Console with the role's permissions. See Overview of SAML 2.0 federation.

    • OIDC: The application calls AssumeRoleWithOIDC with an OIDC token from the IdP to obtain STS tokens for accessing Alibaba Cloud resources. See Overview of OIDC federation.
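The issuer (iss) and audience (aud) claims described under Key concepts, and the token handed to AssumeRoleWithOIDC above, as an added example that is not Alibaba Cloud's or any IdP's code: a pre-flight check an application can run on an ID token to confirm its claims match the issuer URL and client ID registered for the OIDC IdP in RAM, which is the usual cause of a rejected AssumeRoleWithOIDC call. ISSUER_URL and CLIENT_ID are constructed placeholder values, and the signature is deliberately not verified here, since STS verifies it against the IdP's published keys (whose authenticity the thumbprint pins); this is a configuration check, not a trust decision.

```python
import base64
import json
import time

# Constructed sample values for this example only (not real Alibaba Cloud or IdP identifiers).
ISSUER_URL = "https://idp.example.com/oidc"  # must equal the issuer URL registered for the OIDC IdP in RAM
CLIENT_ID = "example-client-id"              # must equal the client ID registered for that IdP in RAM


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token(token):
    """Split a compact JWT into (header, claims). The signature is NOT verified here;
    STS verifies it against the IdP's published keys, whose authenticity the thumbprint pins."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_claims(claims, issuer, client_id, now=None, skew=60):
    """Return a list of mismatches between the token's claims and the registered IdP settings.
    An empty list means iss, aud, exp, nbf and sub are consistent with the RAM configuration."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != registered issuer URL {issuer!r}")
    aud = claims.get("aud")  # may be a single string or a list of audiences
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include registered client ID {client_id!r}")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp + skew < now:
        problems.append("token is expired or has no exp claim")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and nbf - skew > now:
        problems.append("token is not yet valid (nbf is in the future)")
    if not claims.get("sub"):
        problems.append("token has no sub claim identifying the user")
    return problems


def make_sample_token(claims):
    """Build a constructed, unsigned sample token for local checks (signature segment is a placeholder)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Running check_claims on a token from the real IdP and comparing its output with the IdP settings in the RAM console shows immediately whether a failed AssumeRoleWithOIDC call is a configuration mismatch or something STS rejected at signature level.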

Comparison of SSO methods

  • Initiation method

    • User-based SSO: IdP-initiated and SP-initiated

    • Role-based SSO: IdP-initiated

  • Credential management

    • User-based SSO: Requires one-to-one mapping between IdP users and RAM users.

    • Role-based SSO: No individual RAM users required. Access is managed through RAM roles.

  • Multi-account federation

    • User-based SSO: Not supported

    • Role-based SSO: Supported. A single IdP user can access multiple Alibaba Cloud accounts.

  • Support for multiple IdPs

    • User-based SSO: Not supported. Each account supports only one IdP.

    • Role-based SSO: Supported. An account can trust multiple IdPs.

References

SSO use cases

SSO FAQ