
Resource Access Management:Implement role-based SSO from Alibaba Cloud IDaaS

Last Updated:Dec 15, 2025

This topic describes how to configure role-based single sign-on (SSO) in Alibaba Cloud IDaaS. Role-based SSO eliminates the need to create a Resource Access Management (RAM) user for each member.

Step 1: Create an application in IDaaS

  1. Log on to the IDaaS console.

  2. Select an IDaaS instance and click Manage in the Action column.

  3. Navigate to Applications > Add Application > Marketplace, search for the Alibaba Cloud Role - based SSO (International Site) application template, and click Add Application.

  4. Confirm the application name and click Add.

Step 2: Configure application SSO in IDaaS

  1. After you add the application, you are automatically redirected to the application SSO configuration page.


  2. Configure the SSO settings.

    1. Alibaba Cloud Account ID: You can obtain this ID from the console home page by clicking your profile picture or navigating to the Account Center.


    2. IdP Name: The name can contain only letters, digits, periods (.), hyphens (-), and underscores (_). It cannot start or end with a period, hyphen, or underscore.

    3. Application Username: This account is used as the primary key during SSO to match the RAM role.

    4. Authorize: For testing purposes, select "All Users" to skip the permission assignment step.

  3. In the Application Settings section, click Download to save the IdP Metadata file. This file is used to establish a trust relationship between Alibaba Cloud and IDaaS.


  4. In Sign-In > Application User, click Add Application User.


  5. Select the accounts that will use Alibaba Cloud role-based SSO and add application accounts for them. The application account name must be identical to the Alibaba Cloud RAM role name. If one IDaaS account corresponds to multiple Alibaba Cloud RAM roles, you can create multiple application accounts.


Step 3: Configure role-based SSO in RAM

  1. Log on to the RAM console.

  2. In the navigation pane on the left, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the SAML tab, and then click Create IdP.


  4. Enter a name for the identity provider. The name must be the same as the Identity Provider Name that you specified in Step 2. Upload the IdP metadata file that you downloaded from IDaaS in Step 2. Click Create IdP.

Step 4: Configure identity provider permissions in RAM

  1. Log on to the RAM console.

  2. In the navigation pane on the left, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, click Switch To Policy Editor in the upper-right corner.

  5. Select Identity Provider and click Edit. For Identity Provider Type, select the identity provider that you created in Step 3, and then click OK.

  6. In the Create Role dialog box, enter a Role Name and click OK. The Role Name must be the same as the application account name that you specified in Step 2.


  7. You can grant permissions to the RAM role. All IDaaS accounts that use this role for SSO to Alibaba Cloud are granted the same permissions.
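Steps 2 to 4 only work if several values agree with each other: the IdP name must satisfy the character rule from Step 2, the name typed into RAM in Step 3 must equal the one configured in IDaaS, every IDaaS application account must have a RAM role of exactly the same name, and the metadata file uploaded in Step 3 must actually carry the IdP's entityID and signing certificate. The following Python script is an added pre-flight check for those conditions; it is not Alibaba Cloud or IDaaS code. The IdP name, role names, entityID and certificate body in the embedded sample metadata are constructed placeholders, and the SAML metadata layout it parses is the standard `EntityDescriptor`/`IDPSSODescriptor`/`KeyDescriptor` structure, not a format specific to IDaaS.

```python
"""Pre-flight consistency checks for IDaaS -> RAM role-based SSO.

Added example, not Alibaba Cloud or IDaaS code. Verifies that the values
entered in Steps 2 to 4 agree before "Create IdP" and "Create Role" are
clicked, so that a typo does not surface only as a failed SSO attempt.
"""
import re
import xml.etree.ElementTree as ET

# Documented rule: letters, digits and ".-_" only; no leading/trailing special char.
_IDP_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def idp_name_is_valid(name: str) -> bool:
    """Return True if name satisfies the IdP Name rule from Step 2."""
    return bool(_IDP_NAME_RE.match(name))


def unmatched_application_accounts(app_accounts, ram_roles):
    """IDaaS application account names with no RAM role of the same name.

    The match is exact (the page requires identical names); anything listed
    here would not map to a role at SSO time.
    """
    roles = set(ram_roles)
    return sorted(a for a in app_accounts if a not in roles)


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract the entityID and signing certificates from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    certs = []
    for kd in root.iter(f"{{{SAML_MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # absent 'use' means both uses
            continue
        for cert in kd.iter(f"{{{XMLDSIG_NS}}}X509Certificate"):
            certs.append((cert.text or "").strip())
    return {"entity_id": root.get("entityID"),
            "signing_certs": [c for c in certs if c]}


def preflight(idaas_idp_name, ram_idp_name, app_accounts, ram_roles, metadata_xml):
    """Return every problem found; an empty list means the setup is consistent."""
    problems = []
    if not idp_name_is_valid(idaas_idp_name):
        problems.append(f"IdP name {idaas_idp_name!r} violates the naming rule")
    if idaas_idp_name != ram_idp_name:
        problems.append("IdP name in RAM differs from the IdP name in IDaaS")
    for acct in unmatched_application_accounts(app_accounts, ram_roles):
        problems.append(f"application account {acct!r} has no RAM role of that name")
    try:
        md = inspect_idp_metadata(metadata_xml)
        if not md["entity_id"]:
            problems.append("metadata has no entityID")
        if not md["signing_certs"]:
            problems.append("metadata has no signing certificate")
    except (ET.ParseError, ValueError) as exc:
        problems.append(f"metadata unusable: {exc}")
    return problems


# Constructed sample metadata; the certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idaas.example.invalid/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    # Constructed names: one application account deliberately has no matching role.
    for p in preflight("idaas-prod", "idaas-prod",
                       ["ReadOnlyOps", "BillingViewer"],
                       ["ReadOnlyOps"], SAMPLE_METADATA):
        print("problem:", p)
```

Run it with the IdP name and role list you intend to use and the metadata file downloaded from IDaaS; any line it prints is something that would otherwise fail silently at SSO time. The metadata check only confirms the file is structurally usable; the trust relationship still depends on that file having come from your own IDaaS instance, so upload only the copy you downloaded in Step 2.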

Step 5: Verify SSO

  1. Log on to the IDaaS application portal using an IDaaS account that has permissions for the Alibaba Cloud Role - based SSO (International Site) application. On the portal page, click the Alibaba Cloud - CloudSSO icon to initiate SSO.


  2. If the IDaaS account has multiple application accounts that correspond to different Alibaba Cloud RAM roles, you must select one to use for SSO.

  3. Select the appropriate application account and click OK to log on to Alibaba Cloud using the selected role.