Resource Access Management:Create a RAM role for a trusted IdP

Last Updated:Mar 14, 2025

A Resource Access Management (RAM) role whose trusted entity is an identity provider (IdP) is used to implement role-based single sign-on (SSO) between Alibaba Cloud and a trusted IdP. Users of a trusted IdP can assume this type of RAM role.

Create a RAM role for a SAML IdP

To implement Security Assertion Markup Language (SAML) 2.0-based SSO, you must create a RAM role for a SAML IdP.

Prerequisites

A SAML IdP is created. For more information, see Manage a SAML IdP.

Procedure

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the upper-right corner of the Create Role page, click Switch to Policy Editor.

  5. Specify a SAML IdP in the editor.

    The editor supports the Visual editing and JSON modes.

    • Visual editor

      Specify a SAML IdP for the Principal element.

    • JSON

      Specify a SAML IdP for the Federated field of the Principal parameter and configure the Condition parameter.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "acs:ram::100*******0719:saml-provider/Azure-AD"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "saml:recipient": [
                  "https://signin.alibabacloud.com/saml-role/sso"
                ]
              }
            }
          }
        ]
      }

  6. Specify conditions in the editor.

    The following table lists the supported service-level condition keys.

    Condition key: saml:recipient
      Description: The recipient of the SAML assertion. Alibaba Cloud compares the recipient of the SAML assertion with the value of this condition and rejects the assertion if they differ.
      Required: Yes
      Example: Set the value to https://signin.alibabacloud.com/saml-role/sso.

  7. In the Create Role dialog box, configure the Role Name parameter and click OK.

Create a RAM role for an OIDC IdP

To implement OpenID Connect (OIDC)-based SSO, you must create a RAM role for an OIDC IdP.

Prerequisites

An OIDC IdP is created. For more information, see Create an OIDC IdP.

Procedure

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the upper-right corner of the Create Role page, click Switch to Policy Editor.

  5. Specify an OIDC IdP in the editor.

    The editor supports the Visual editing and JSON modes.

    • Visual editor

      Specify an OIDC IdP for the Principal element.

    • JSON

      Specify an OIDC IdP for the Federated field of the Principal parameter and configure the Condition parameter.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "acs:ram::100*******0719:oidc-provider/xiyun****"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "oidc:iss": [
                  "https://dev-xxxxxx.okta.com"
                ],
                "oidc:aud": [
                  "0oa294vi1vJoClev****"
                ]
              }
            }
          }
        ]
      }

  6. Specify conditions in the editor.

    The following table lists the supported service-level condition keys.

    Condition key: oidc:iss
      Description: The issuer. The RAM role can be assumed only if the iss field of the OIDC token used to assume it satisfies this condition.
        The conditional operator must be StringEquals. The value must be the issuer URL that you specified for the selected OIDC IdP. This condition ensures that only OIDC tokens issued by the trusted IdP can be used to assume the RAM role.
      Required: Yes
      Example: https://dev-xxxxxx.okta.com

    Condition key: oidc:aud
      Description: The audience. The RAM role can be assumed only if the aud field of the OIDC token used to assume it satisfies this condition.
        The conditional operator must be StringEquals. The value can be one or more of the client IDs that you specified for the selected OIDC IdP. This condition ensures that only OIDC tokens issued for the specified client IDs can be used to assume the RAM role.
      Required: Yes
      Example: 0oa294vi1vJoClev****

    Condition key: oidc:sub
      Description: The subject. The RAM role can be assumed only if the sub field of the OIDC token used to assume it satisfies this condition.
        Any string-type conditional operator can be used. The value can contain up to 10 subjects. Specify this condition to further restrict which identities can assume the RAM role. You can also leave this condition unspecified.
      Required: No
      Example: 00u294e3mzNXt4Hi****

  7. In the Create Role dialog box, configure the Role Name parameter and click OK.
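The following is an added example, not Alibaba Cloud's code and not the logic that STS actually runs. It models how the Condition block in the two trust policies shown in the SAML and OIDC procedures above gates sts:AssumeRole: a statement applies only to the federated principal it names, and every condition key in the statement must be present in the token (or assertion) and match. The evaluator is general for StringEquals and StringLike over any condition key, not just the keys on this page; StringLike (glob match) is assumed here as one of RAM's other string operators, since the page only states that oidc:sub accepts any string-type operator. The sample ID-token payloads are constructed, and the page's masked account ID and provider names are reused as-is. In a real flow STS verifies the SAML signature or the OIDC token signature before any of these conditions are evaluated; that step is outside this example.

```python
import fnmatch
import json

# Trust policies as they appear on the page (masked account ID and provider names kept as-is).
SAML_PROVIDER_ARN = "acs:ram::100*******0719:saml-provider/Azure-AD"
OIDC_PROVIDER_ARN = "acs:ram::100*******0719:oidc-provider/xiyun****"

SAML_TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {
            "saml:recipient": ["https://signin.alibabacloud.com/saml-role/sso"]}},
    }],
}

OIDC_TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {
            "oidc:iss": ["https://dev-xxxxxx.okta.com"],
            "oidc:aud": ["0oa294vi1vJoClev****"]}},
    }],
}

MAX_SUBJECTS = 10  # the page states that oidc:sub accepts up to 10 subjects


def _matches(operator, expected, actual):
    """Compare one claim against the expected values of a single condition key.
    A token's aud may be a list, so any element of the actual value may match."""
    actuals = actual if isinstance(actual, list) else [actual]
    if operator == "StringEquals":
        return any(a in expected for a in actuals)
    if operator == "StringLike":  # assumed glob-style operator, not shown on the page
        return any(fnmatch.fnmatchcase(a, p) for a in actuals for p in expected)
    raise ValueError(f"operator not modelled: {operator}")


def can_assume(policy, federated_arn, claims):
    """Return True if some Allow statement for sts:AssumeRole names `federated_arn`
    as the principal and all of its condition keys are present in `claims` and match."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt.get("Principal", {}).get("Federated") != federated_arn:
            continue
        satisfied = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                expected = expected if isinstance(expected, list) else [expected]
                # A missing claim never satisfies a condition key.
                if key not in claims or not _matches(operator, expected, claims[key]):
                    satisfied = False
        if satisfied:
            return True
    return False


def oidc_claims(token_payload):
    """Map the iss/aud/sub fields of a decoded OIDC ID token to the RAM condition keys."""
    return {f"oidc:{k}": token_payload[k] for k in ("iss", "aud", "sub") if k in token_payload}


def restrict_to_subjects(policy, subjects):
    """Return a copy of `policy` whose first statement also requires oidc:sub to be one of
    `subjects` (StringEquals), enforcing the page's limit of at most 10 subjects."""
    if not 1 <= len(subjects) <= MAX_SUBJECTS:
        raise ValueError(f"oidc:sub accepts between 1 and {MAX_SUBJECTS} values")
    restricted = json.loads(json.dumps(policy))  # deep copy; the original stays untouched
    condition = restricted["Statement"][0].setdefault("Condition", {})
    condition.setdefault("StringEquals", {})["oidc:sub"] = list(subjects)
    return restricted


# Constructed sample ID-token payloads (values other than the page's examples are placeholders).
TOKEN_OK = {"iss": "https://dev-xxxxxx.okta.com", "aud": "0oa294vi1vJoClev****",
            "sub": "00u294e3mzNXt4Hi****"}
TOKEN_OTHER_ISSUER = dict(TOKEN_OK, iss="https://dev-000000.okta.com")   # placeholder issuer
TOKEN_OTHER_CLIENT = dict(TOKEN_OK, aud="0oa0000000000000****")          # placeholder client ID
TOKEN_OTHER_USER = dict(TOKEN_OK, sub="00u0000000000000****")            # placeholder subject

if __name__ == "__main__":
    for label, token in [("ok", TOKEN_OK), ("other issuer", TOKEN_OTHER_ISSUER),
                         ("other client", TOKEN_OTHER_CLIENT)]:
        print(f"{label:13s} -> {can_assume(OIDC_TRUST_POLICY, OIDC_PROVIDER_ARN, oidc_claims(token))}")
    narrowed = restrict_to_subjects(OIDC_TRUST_POLICY, [TOKEN_OK["sub"]])
    print("other user after oidc:sub restriction ->",
          can_assume(narrowed, OIDC_PROVIDER_ARN, oidc_claims(TOKEN_OTHER_USER)))
```

The two rejected OIDC tokens illustrate why the page marks oidc:iss and oidc:aud as required: a token from a different issuer, or a token issued for a different client of the same issuer, fails the condition even though it came through the same OIDC provider. Adding oidc:sub narrows the role further to named users, which is the optional third step the table describes.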

What to do next

After a RAM role is created, the RAM role has no permissions. You can grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.