This topic describes how to configure role-based single sign-on (SSO) for Alibaba Cloud in the Identity as a Service (IDaaS) console. Role-based SSO eliminates the need to create a Resource Access Management (RAM) user for every member of your enterprise or organization.
Procedure
Step 1: Add an application in the IDaaS console
Log on to the IDaaS console.
On the EIAM page, find the required IDaaS instance and click Manage in the Actions column.
In the left-side navigation pane, click Applications. On the Applications page, click Add Application to go to the Marketplace tab. Then, search for Alibaba Cloud Role-Based SSO. Click Add Application.
Confirm the application name and click Add. The application is added.
Step 2: Configure SSO for the application
After you add the application, you are automatically redirected to the SSO tab. You can configure SSO on this tab.
Enter the ID of your Alibaba Cloud account. You can move the pointer over the profile picture on the homepage of the Alibaba Cloud Management Console and go to the Account Management page to obtain the ID.
Enter the name of the identity provider (IdP) that you want to create on Alibaba Cloud. The name can contain only letters, digits, periods (.), hyphens (-), and underscores (_), and cannot start or end with a special character. The name must be the same as the name that you want to enter in Step 3.
Select an attribute from the Application Username drop-down list. This attribute is used as the primary key for SSO to Alibaba Cloud. You must set this attribute to the prefix of Alibaba Cloud RAM roles.
For testing purposes, we recommend that you set the Authorize parameter to All Users to skip the step of granting permissions to IDaaS accounts.
In the Application Settings section, download the IdP metadata file to your computer. This file is used to establish the trust relationship between Alibaba Cloud and IDaaS.
On the tab, click Add Application User.
Select the IDaaS account that you want to use to initiate role-based SSO for Alibaba Cloud and add an application account for the account. The name of the application account must be the same as the name of the Alibaba Cloud role. If an IDaaS account is assigned multiple Alibaba Cloud roles, you can create multiple application accounts.
Step 3: Configure role-based SSO in Alibaba Cloud
Log on to the RAM console.
In the left-side navigation pane, click SSO.
On the Role-based SSO tab, view the basic information about role-based SSO.
Click Add IdP.
Enter the IdP name, which must be the same as the name that you entered in Step 2. Upload the IdP metadata file that you downloaded from IDaaS in Step 2 and click OK.
Step 4: Grant permissions to the IdP in the Alibaba Cloud RAM console
In the left-side navigation pane, choose . Click Create Role and select IdP.
Set the RAM Role Name parameter to the application account name that is added in Step 2, and select the name of the IdP that you entered in Step 3. Configure other parameters based on your business requirements and click OK.
The role is created. Grant permissions to your role. All IDaaS accounts that assume this role to log on to Alibaba Cloud have the same permissions.
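The settings entered in Steps 2 to 4 must agree with each other before the SSO test in Step 5 can succeed: the IdP name must satisfy the character rule, the same IdP name and account ID must be used on both the IDaaS and RAM sides, every application account name must correspond to a RAM role of the same name, and the downloaded IdP metadata must actually carry a signing certificate for the trust relationship. The following Python script is an added pre-flight check for those conditions; it is not part of the original page or of any Alibaba Cloud or IDaaS tooling. The metadata document, account ID, IdP name, user names and role names are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# IdP name rule from the procedure: letters, digits, '.', '-', '_',
# and the name may not start or end with a special character.
IDP_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the IdP metadata file downloaded from IDaaS;
# the entityID, locations and certificate body are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idaas.example.com/saml/idp-placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-CERTIFICATE...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idaas.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed values as entered in the IDaaS console (Step 2).
IDAAS_SIDE = {
    "account_id": "1234567890123456",      # placeholder Alibaba Cloud account ID
    "idp_name": "idaas-prod",
    # IDaaS account -> application accounts (each must equal a RAM role name)
    "app_accounts": {"alice": ["ReadOnlyAuditor"], "bob": ["ReadOnlyAuditor", "OpsAdmin"]},
}

# Constructed values as configured in the RAM console (Steps 3 and 4);
# the OpsAdmin role is deliberately missing so the check reports it.
RAM_SIDE = {
    "account_id": "1234567890123456",
    "idp_name": "idaas-prod",
    "roles": ["ReadOnlyAuditor"],
}


def valid_idp_name(name: str) -> bool:
    """True if the name satisfies the IdP name rule stated in Step 2."""
    return IDP_NAME_RE.fullmatch(name) is not None


def metadata_summary(xml_text: str) -> dict:
    """Extract entityID, signing-certificate presence and SSO bindings from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{SAML_MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    has_signing_cert = False
    for kd in idp.findall(f"{{{SAML_MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing") and kd.find(f".//{{{DSIG_NS}}}X509Certificate") is not None:
            has_signing_cert = True
    bindings = [s.get("Binding") for s in idp.findall(f"{{{SAML_MD_NS}}}SingleSignOnService")]
    return {"entity_id": root.get("entityID"), "has_signing_cert": has_signing_cert, "sso_bindings": bindings}


def check_sso_config(idaas: dict, ram: dict) -> list[str]:
    """Return the list of inconsistencies between the IDaaS and RAM settings (empty if consistent)."""
    problems = []
    if not valid_idp_name(idaas["idp_name"]):
        problems.append(f"IdP name '{idaas['idp_name']}' violates the naming rule")
    if idaas["idp_name"] != ram["idp_name"]:
        problems.append("IdP name entered in IDaaS differs from the IdP name created in RAM")
    if idaas["account_id"] != ram["account_id"]:
        problems.append("Alibaba Cloud account ID differs between IDaaS and RAM")
    ram_roles = set(ram["roles"])
    for user, accounts in idaas["app_accounts"].items():
        for acct in accounts:
            if acct not in ram_roles:
                problems.append(f"{user}: application account '{acct}' has no RAM role of the same name")
    return problems


if __name__ == "__main__":
    print(metadata_summary(SAMPLE_IDP_METADATA))
    for p in check_sso_config(IDAAS_SIDE, RAM_SIDE):
        print("PROBLEM:", p)
```

Run the script after finishing Step 4 with your own values substituted; a non-empty problem list points at the exact setting (name rule, name mismatch, account mismatch, or an application account with no matching role) that would otherwise make the Step 5 test fail, and a metadata summary with `has_signing_cert` false means the uploaded file cannot establish the trust relationship.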
Step 5: Test role-based SSO
After you perform the preceding steps, you can test role-based SSO.
Log on to the IDaaS application portal by using an IDaaS account that is authorized to initiate role-based SSO for Alibaba Cloud. Click the Alibaba Cloud Role-Based SSO icon to initiate SSO.
If the IDaaS account is configured with two or more application accounts or Alibaba Cloud roles, select only one application account to initiate SSO.
Select an application account based on your business requirements and click OK. Then, you can initiate role-based SSO for Alibaba Cloud.