
Resource Access Management:Implement role-based SSO from Azure AD

Last Updated: Feb 27, 2025

This topic provides an example of how to implement role-based single sign-on (SSO) from Azure Active Directory (Azure AD) to Alibaba Cloud. It includes the steps required to configure role-based SSO on both an identity provider (IdP) and Alibaba Cloud.

Background information

In this example, an organization has an Alibaba Cloud account (Account 1) and an Azure AD tenant. An administrator user with global administrative rights and an organization user (u2) are present. The goal is to configure the necessary settings to allow user u2 to access the resources of Account 1 using role-based SSO after logging on to Azure AD.

You must log on to the Azure portal as the administrator with global administrative rights to perform the steps in this example. For more information on how to create users and grant permissions in Azure AD, see Azure AD documentation.

Step 1: Create an application in Azure AD

  1. The administrator user logs on to the Azure portal.

  2. In the upper-left corner of the home page, click the portal menu icon.

  3. In the left-side navigation pane, select Azure Active Directory > Enterprise Applications > All Applications.

  4. Click New Application.

  5. Search for Alibaba Cloud Service (Role-based SSO) and select it.

  6. Enter the application name, then click Create.

    In this example, the default application name Alibaba Cloud Service (Role-based SSO) is used, but you can customize the application name as well.

  7. On the Alibaba Cloud Service (Role-based SSO) page, click Properties in the left-side navigation pane, then copy and save the Object ID.

Step 2: Configure SSO in Azure AD

  1. On the Alibaba Cloud Service (Role-based SSO) page, click Single Sign-on in the left-side navigation pane.

  2. On the Select A Single Sign-on Method page, click SAML.

  3. On the Set Up Single Sign-On with SAML page, configure the SSO information.

    1. In the upper-left corner of the page, click Upload Metadata File, select the file, and then click Add.

      Note

      You can obtain the metadata file from the following URL: https://signin.alibabacloud.com/saml-role/sp-metadata.xml.

    2. On the Basic SAML Configuration page, configure the following information, and then click Save.

      • Identifier (entity ID): Automatically populated with the entityID value from the metadata file uploaded in the previous step.

      • Reply URL (Assertion Consumer Service URL): Automatically populated with the Location value from the metadata file uploaded in the previous step.

      • Relay State: Specifies the Alibaba Cloud page to which the user is redirected after a successful role-based SSO logon.

        Note

        For security reasons, the Relay State value must be a URL under a domain name that belongs to Alibaba Group, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. Otherwise, the configuration is invalid. If you leave this parameter empty, the user is redirected to the homepage of the Alibaba Cloud Management Console by default.

    3. In the Attributes & Claims area, click the Edit icon.

    4. Click Add A New Claim, configure the following information, and then click Save.

      • In the Name area, enter Role.

      • In the Namespace area, enter https://www.aliyun.com/SAML-Role/Attributes.

      • In the Source area, select Attribute.

      • In the Source Attribute area, select user.assignedroles from the drop-down list.

    5. Repeat the preceding steps to add a second claim.

      • In the Name area, enter RoleSessionName.

      • In the Namespace area, enter https://www.aliyun.com/SAML-Role/Attributes.

      • In the Source area, select Attribute.

      • In the Source Attribute area, select user.userprincipalname from the drop-down list.

    6. In the SAML Certificates area, click Download to obtain the Federation Metadata XML.
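The Relay State note above restricts the redirect target to Alibaba Group domains. The following added check (example code, not part of the Alibaba Cloud or Azure AD documentation) shows how a reviewer can test a candidate Relay State value against that list before saving the configuration; it assumes the wildcards mean "the domain and any subdomain" and, as its own stricter choice, accepts only https URLs.

```python
from urllib.parse import urlsplit

# Domain suffixes quoted in the Relay State note, with the "*." wildcard dropped.
ALLOWED_DOMAINS = (
    "aliyun.com", "hichina.com", "yunos.com", "taobao.com",
    "tmall.com", "alibabacloud.com", "alipay.com",
)


def relay_state_allowed(relay_state: str) -> bool:
    """True if relay_state is empty (console homepage is used) or is an https URL
    whose host is one of ALLOWED_DOMAINS or a subdomain of one."""
    if relay_state == "":
        return True
    parts = urlsplit(relay_state)
    # Only absolute https URLs; scheme-relative values and other schemes are rejected
    # (https-only is this example's own choice, the page restricts the domain only).
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo ("user@") and port are stripped
    if not host:
        return False
    # Require a dot boundary so that "aliyun.com.attacker.example" and
    # "evilaliyun.com" do not match.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)
```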

Step 3: Create an IdP in Alibaba Cloud

  1. Log on to the RAM console using the Alibaba Cloud account (Account 1).

  2. In the left-side navigation pane, select Integration Management > SSO Management.

  3. On the Role-based SSO tab, click the SAML tab, then click Create Identity Provider.

  4. On the Create Identity Provider page, enter the Identity Provider Name AAD and Description.

  5. In the Metadata Document area, click Upload File.

    Note

    Upload the Federation Metadata XML that you downloaded in Step 2: Configure SSO in Azure AD.

  6. Click Complete.

  7. Click Close.

Step 4: Create a RAM role in Alibaba Cloud

  1. In the left-side navigation pane of the RAM console, select Identity Management > Roles.

  2. On the Roles page, click Create Role.

  3. In the upper-right corner of the Create Role page, click Switch Editor.

  4. Select the SAML identity provider in the editor.

    The editor supports both visual and script editor modes. You can choose either mode. In this example, the visual editor mode is used. You must specify the identity provider you created in Step 3: Create an IdP in Alibaba Cloud in the Entity field, and select SAML as the Identity Provider Type.

  5. Add the condition saml:recipient in the editor, with the value https://signin.alibabacloud.com/saml-role/sso.

  6. In the Create Role dialog box, enter the Role Name (AADrole), then click OK.

Note
  • You can grant permissions to the RAM role based on your business requirements. For more information on how to grant permissions to a RAM role, see Grant permissions to a RAM role.

  • After creating the IdP and RAM role, save the Alibaba Cloud Resource Names (ARNs) of both for future reference. For more information on how to view ARNs, see View RAM roles.

Step 5: Associate the RAM role with the Azure AD user

  1. Create a role in Azure AD.

    1. The administrator logs on to the Azure portal.

    2. In the left-side navigation pane, select Azure Active Directory > App Registrations.

    3. Click the All Applications tab, and then click Alibaba Cloud Service (Role-based SSO).

    4. In the left-side navigation pane, click App Roles.

    5. Click Create App Role.

    6. On the Create App Role page, configure the following role information, and then click Apply.

      • Display Name: In this example, enter Admin.

      • Allowed Member Types: In this example, select Users/groups + Applications.

      • Value: Enter the RAM role ARN and IdP ARN, separated by a comma. In this example, enter acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD.

      • Description: Enter the description.

      • Select Do You Want To Enable This App Role?

    Note

    To create multiple roles in Azure AD, simply repeat the steps outlined above.

  2. Assign the role to user u2.

    1. In the left-side navigation pane, select Azure Active Directory > Enterprise Applications > All Applications.

    2. In the Name list, click Alibaba Cloud Service (Role-based SSO).

    3. In the left-side navigation pane, click Users And Groups.

    4. In the upper-left corner, click Add User/group.

    5. Click Users, select the user (u2) from the user list, and then click Select.

    6. Click Assign.

    7. View the assigned role.

      Note

      After you select u2, the created role is assigned to the user u2. If multiple roles are created, you must assign the roles to the Azure AD user based on your business requirements.

Verify the result

  1. Retrieve the user access URL.

    1. The administrator logs on to the Azure Portal.

    2. In the left-side navigation pane, select Azure Active Directory > Enterprise Applications > All Applications.

    3. In the Name list, click Alibaba Cloud Service (Role-based SSO).

    4. In the left-side navigation pane, select Properties to retrieve the User Access URL.

  2. The user (u2) retrieves the User Access URL provided by the administrator, enters it into the browser, and logs in with their account.

    The system signs the user in through SSO and redirects them to the Relay State page that you specified. If no Relay State is specified, or if the Relay State is outside the permitted range, the user is redirected to the homepage of the Alibaba Cloud Management Console.

    Role-based SSO succeeded.

(Optional) Configure the role-based SSO between Azure AD and multiple Alibaba Cloud accounts

Assume you have two Alibaba Cloud accounts, Account 1 and Account 2. To allow user u2 to access resources of both accounts using role-based SSO after logging on to Azure AD, perform the following operations:

  1. In Azure AD, create an application named Alibaba Cloud Service (Role-based SSO).

  2. Configure Single Sign-On (SSO) in Azure AD.

    For more information, see Step 2: Configure SSO in Azure AD.

  3. Create an Identity Provider (IdP) in Alibaba Cloud.

    You must create an IdP named AAD in both Account 1 and Account 2.

    For more information about the required operations in each Alibaba Cloud account, see Step 3: Create an IdP in Alibaba Cloud.

  4. Create a RAM role on Alibaba Cloud.

    You must create RAM roles for both Account 1 and Account 2. In this example, create two RAM roles for Account 1 and one RAM role for Account 2. The following RAM roles are created:

    • RAM roles for Account 1: adminaad and readaad.

    • RAM role for Account 2: financeaad.

    For more information about the operations you must perform in each Alibaba Cloud account, see Step 4: Create a RAM role in Alibaba Cloud.

  5. Associate the RAM roles with Azure AD user (u2).

    In Azure AD, create three roles and assign them to user u2. The role values are:

    • acs:ram::<Account1_ID>:role/adminaad, acs:ram::<Account1_ID>:saml-provider/AAD

    • acs:ram::<Account1_ID>:role/readaad, acs:ram::<Account1_ID>:saml-provider/AAD

    • acs:ram::<Account2_ID>:role/financeaad, acs:ram::<Account2_ID>:saml-provider/AAD

    For more information, see Step 5: Associate the RAM role with the Azure AD user.

  6. The Azure AD user (u2) accesses Alibaba Cloud through role-based SSO.

    The user (u2) logs in to the My Apps page on Azure and then clicks the Alibaba Cloud Service (Role-based SSO) application. On the Alibaba Cloud page that follows, the user selects one of the Alibaba Cloud accounts (Account 1 or Account 2) and the corresponding role, and is then signed in to Alibaba Cloud services via role-based SSO.
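The two claims configured in Step 2 (Role and RoleSessionName under the namespace https://www.aliyun.com/SAML-Role/Attributes) and the "role ARN,IdP ARN" value format from Step 5 and the multi-account list above determine what Alibaba Cloud receives in the SAML assertion. The following added example (not the documentation's own code) parses a constructed assertion and checks each Role value has that shape with both ARNs in the same account; it assumes Azure AD emits the claim name as "<namespace>/<name>", uses made-up account IDs, and assumes the assertion signature was verified before the attributes are inspected.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_NS = "https://www.aliyun.com/SAML-Role/Attributes"  # namespace set in Step 2
# Step 5 value shape: "acs:ram::<account>:role/<name>,acs:ram::<account>:saml-provider/<name>"
ROLE_ARN = re.compile(r"^acs:ram::(\d+):role/[\w.-]+$")
PROVIDER_ARN = re.compile(r"^acs:ram::(\d+):saml-provider/[\w.-]+$")

# Constructed sample assertion (account IDs are made up, signature omitted on purpose).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
      <saml:AttributeValue>acs:ram::1111111111111111:role/adminaad,acs:ram::1111111111111111:saml-provider/AAD</saml:AttributeValue>
      <saml:AttributeValue>acs:ram::2222222222222222:role/financeaad,acs:ram::2222222222222222:saml-provider/AAD</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName">
      <saml:AttributeValue>u2@example.onmicrosoft.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str, claim: str) -> list[str]:
    """All AttributeValue texts of the claim named ATTR_NS/<claim>."""
    root = ET.fromstring(assertion_xml)
    wanted = f"{ATTR_NS}/{claim}"
    return [(v.text or "").strip()
            for a in root.findall(".//saml:Attribute", NS) if a.get("Name") == wanted
            for v in a.findall("saml:AttributeValue", NS)]


def parse_role_values(assertion_xml: str) -> list[tuple[str, str]]:
    """Split each Role value into (role ARN, IdP ARN); reject malformed or cross-account pairs."""
    pairs = []
    for value in attribute_values(assertion_xml, "Role"):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"expected 'roleARN,providerARN': {value!r}")
        role_m, prov_m = ROLE_ARN.match(parts[0]), PROVIDER_ARN.match(parts[1])
        if not (role_m and prov_m) or role_m.group(1) != prov_m.group(1):
            raise ValueError(f"malformed or cross-account Role value: {value!r}")
        pairs.append((parts[0], parts[1]))
    return pairs


def session_name(assertion_xml: str) -> str:
    """The single RoleSessionName value (the user's userprincipalname per Step 2)."""
    values = attribute_values(assertion_xml, "RoleSessionName")
    if len(values) != 1 or not values[0]:
        raise ValueError("exactly one non-empty RoleSessionName is required")
    return values[0]
```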