This topic provides an example of how to implement role-based single sign-on (SSO) from Okta to Alibaba Cloud. It describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud.
Procedure
In this example, an attribute named approle is added to the profile of an Okta application. The approle attribute is used to specify a Resource Access Management (RAM) role. The following figure shows the procedure to implement role-based SSO in Alibaba Cloud and Okta.
Step 1: Create an application that supports SAML 2.0-based SSO in Okta
- Log on to the Okta portal.
- Click the account icon at the top right of the page, then click Your Org.
- In the left-side navigation pane, select .
- On the Applications page, click Create App Integration.
- In the Create a new app integration dialog box, click SAML 2.0, and then click Next.
- Specify the application name as role-sso-test, and click Next.
- Configure SAML, and then click Next.
  - Single sign-on URL: https://signin.alibabacloud.com/saml-role/sso.
  - Audience URI (SP Entity ID): urn:alibaba:cloudcomputing:international.
  - Default RelayState: This parameter specifies the Alibaba Cloud page to which a user is redirected after the user logs on.
    Note: For security reasons, you can specify only a URL that belongs to Alibaba Group as the value of Default RelayState. Examples: *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, and *.alipay.com. Otherwise, the configuration is invalid. If you leave this parameter empty, a user is redirected to the homepage of the Alibaba Cloud Management Console by default.
  - Name ID format: Select EmailAddress.
  - Application username: Select Email.
  - Update application username on: Retain the default value.
- On the Feedback page, select a proper application type as needed, and then click Finish.
Step 2: Download the SAML IdP metadata file of Okta
- On the product page of the role-sso-test application, click the Sign On tab.
- In the SAML 2.0 area, copy the Metadata URL and save the IdP metadata file to your computer.
Step 3: Create a SAML IdP in Alibaba Cloud
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, select .
- On the Role-based SSO tab, click the SAML tab, and then click Create Identity Provider.
- On the Create Identity Provider page, enter the Identity Provider Name (okta-provider) and Description.
- In the Metadata Document area, click Upload File to upload the IdP metadata file that you obtained in Step 2: Download the SAML IdP metadata file of Okta.
- Click OK.
Step 4: Create a RAM role in Alibaba Cloud
- In the left-side navigation pane of the RAM console, select .
- On the Roles page, click Create Role.
- In the upper-right corner of the Create Role page, click Switch Editor.
- Specify the SAML IdP in the editor.
  The editor supports two modes: visual editor and script editor. You can choose either one. For example, in visual editor mode, you need to specify the Entity in which the identity provider created in Step 3: Create a SAML IdP in Alibaba Cloud is used. Select Identity Provider Type as SAML.
- Set the saml:recipient condition in the editor. The value is https://signin.alibabacloud.com/saml-role/sso.
- In the Create Role dialog box, enter the Role Name (admin), and then click OK.
Step 5: Configure the profile of the application in Okta
- Edit the profile and create a new attribute.
  - In the left-side navigation pane of Okta, select .
  - Search for and click the target application name role-sso-test.
  - On the Profile Editor page, click Add Attribute in the Attributes area.
  - In the Add Attribute dialog box, enter the attribute information.
    - Data type: Select string.
    - Display name: Enter the name that is displayed in the user interface. In this example, enter approle.
    - Variable name: Enter the variable name that is referenced in the mapping. In this example, enter approle. Record the value of this parameter; you need it later when you configure the attribute.
    - Description: Enter a description of the attribute as needed. This parameter is optional.
    - Enum: Select Define enumerated list of values to define an enumeration list.
      Note: We use Enum to ensure that users can use only predefined attribute values. You can also choose not to use Enum to obtain more flexibility.
    - Attribute members: Enter the enumeration list. The Value must be the same as the role name that you created in RAM. Examples: admin and reader.
    - Attribute Length: In this example, enumeration values are used. Therefore, you do not need to set this parameter. If no enumeration values are specified for an attribute, configure the Attribute Length parameter as needed.
    - Attribute required: Select Yes.
    - Scope: Clear the User personal check box.
  - Click Save.
- Configure the attribute.
  - In the left-side navigation pane of Okta, select .
  - Click the application name role-sso-test.
  - On the General tab, click Edit in the SAML Settings area.
  - On the Configure SAML page, configure the following two attribute statements in the Attribute Statements (optional) area.
    - Configure the first attribute statement:
      - Name: Enter https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName.
      - Value: Select user.email.
    - Configure the second attribute statement:
      - Name: Enter https://www.aliyun.com/SAML-Role/Attributes/Role.
      - Value: The value is String.replace("acs:ram::<account_id>:role/$approle,acs:ram::<account_id>:saml-provider/okta-provider", "$approle", appuser.approle). The value of the approle attribute in the application profile of the logon user replaces the $approle placeholder to obtain the final SAML attribute value. The approle attribute is the profile attribute defined above. The okta-provider identity provider is the one created in Step 3: Create a SAML IdP in Alibaba Cloud. You must replace <account_id> with your Alibaba Cloud account ID. Example: String.replace("acs:ram::177242285274****:role/$approle,acs:ram::177242285274****:saml-provider/okta-provider", "$approle", appuser.approle).
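The following Python script is an added example, not code from the page or from Okta or Alibaba Cloud. It reproduces what the String.replace(...) attribute statement in Step 5 produces for a given approle value, enforces the Enum list from the profile attribute, and then checks the resulting Role attribute value against the RAM role's trust policy from Step 4 (the provider ARN must be a Federated principal and the saml:recipient condition must equal the SSO URL). The account ID is the page's masked placeholder, the trust-policy JSON shape and the function names are assumptions made for this example, and the regular expressions are a reasonable approximation of the ARN format rather than an official grammar.

```python
import re

# Constructed sample values for this example. The account ID is the masked
# placeholder the page uses, not a real account; replace all three as needed.
ACCOUNT_ID = "177242285274****"
PROVIDER_NAME = "okta-provider"
RECIPIENT = "https://signin.alibabacloud.com/saml-role/sso"

# The Enum list defined on the approle profile attribute in Okta (Step 5).
ALLOWED_APPROLES = {"admin", "reader"}

# Mirror of the Okta attribute-statement template; "$approle" is the placeholder
# that Okta's String.replace(...) fills from appuser.approle.
ROLE_TEMPLATE = (
    f"acs:ram::{ACCOUNT_ID}:role/$approle,"
    f"acs:ram::{ACCOUNT_ID}:saml-provider/{PROVIDER_NAME}"
)


def okta_role_value(approle: str) -> str:
    """Reproduce the Role attribute value Okta sends for a user whose approle
    profile attribute is `approle`. Values outside the Enum list are rejected,
    which is what the enumerated attribute enforces on the Okta side."""
    if approle not in ALLOWED_APPROLES:
        raise ValueError(f"approle {approle!r} is not in the enumerated list")
    return ROLE_TEMPLATE.replace("$approle", approle)


# Approximate ARN patterns (assumed for this example, not an official grammar).
ROLE_ARN = re.compile(r"^acs:ram::(?P<account>[0-9*]+):role/(?P<role>[^,]+)$")
PROVIDER_ARN = re.compile(r"^acs:ram::(?P<account>[0-9*]+):saml-provider/(?P<provider>[^,]+)$")


def parse_role_value(value: str) -> dict:
    """Split '<role ARN>,<provider ARN>' into its parts and check that both
    ARNs are well formed and belong to the same account."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("Role attribute value must be '<role ARN>,<provider ARN>'")
    role_m = ROLE_ARN.match(parts[0])
    prov_m = PROVIDER_ARN.match(parts[1])
    if role_m is None or prov_m is None:
        raise ValueError(f"malformed Role attribute value: {value!r}")
    if role_m["account"] != prov_m["account"]:
        raise ValueError("role ARN and provider ARN name different accounts")
    return {
        "account": role_m["account"],
        "role": role_m["role"],
        "provider": prov_m["provider"],
        "role_arn": parts[0],
        "provider_arn": parts[1],
    }


def ram_trust_policy(account_id: str, provider_name: str, recipient: str) -> dict:
    """Trust policy for the RAM role as it would be written in script-editor
    mode (Step 4). The JSON shape is assumed for this example: the Federated
    principal is the SAML IdP and saml:recipient pins the SSO URL."""
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Federated": [f"acs:ram::{account_id}:saml-provider/{provider_name}"]
                },
                "Condition": {"StringEquals": {"saml:recipient": recipient}},
            }
        ],
        "Version": "1",
    }


def role_value_matches_policy(value: str, policy: dict, recipient: str) -> bool:
    """Consistency check between what Okta sends and what RAM will accept: the
    provider ARN in the Role attribute must be a Federated principal of an Allow
    statement for sts:AssumeRole whose saml:recipient condition equals the
    recipient in the assertion."""
    parsed = parse_role_value(value)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        federated = stmt.get("Principal", {}).get("Federated", [])
        if parsed["provider_arn"] not in federated:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("saml:recipient") == recipient:
            return True
    return False


if __name__ == "__main__":
    value = okta_role_value("admin")
    policy = ram_trust_policy(ACCOUNT_ID, PROVIDER_NAME, RECIPIENT)
    print(value)
    print("accepted by trust policy:", role_value_matches_policy(value, policy, RECIPIENT))
```

Run it as-is to see the attribute value for the admin role and the policy check result; change PROVIDER_NAME or RECIPIENT in only one of the two calls to see the check fail, which is the mismatch you would otherwise only discover as a failed logon in Step 6.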
Step 6: Create a user and assign the application to the user in Okta
- Create a user.
  - In the left-side navigation pane of Okta, select .
  - Click Add person.
  - On the Add Person page, enter the basic information and specify the Primary email as the email address of the invited user. Example: username@example.com. Then, click Save.
  - In the user list, click Activate in the Status column of the user username@example.com, and then activate username@example.com as prompted.
- Assign the application.
  You can assign the application by using one of the following methods:
  - Assign the application to a single user.
    - In the left-side navigation pane of Okta, select .
    - Click the target application name role-sso-test. On the Assignments tab, select .
    - Click Assign next to the target user username@example.com.
    - Select approle as admin.
    - Click Save and Go Back.
    - Click Done.
  - Add the user to a group and assign the application to the group.
    - In the left-side navigation pane of Okta, select , and then click Add Group to create a group.
    - Click the group name, and then click Manage People to add users to the group.
    - In the left-side navigation pane of Okta, select .
    - Click the target application name role-sso-test. On the Assignments tab, click .
    - Click Assign next to the target group.
    - Select approle as admin.
    - Click Save and Go Back.
    - Click Done.
      Note: If the user belongs to multiple groups, only one value of the approle attribute is used: the value specified for the group to which the user was first added. If the user is added to or removed from groups, the value of the approle attribute changes. For more information, see the Okta user guide.
Verify the result
- In the left-side navigation pane of Okta, select .
- Click the application name role-sso-test.
- On the General tab, in the App Embed Link area, copy the URL from the Embed Link.
- Open another browser, enter the obtained URL, and log on using username@example.com.
  If you are redirected to the page that corresponds to the Default RelayState you specified (or the default homepage of the Alibaba Cloud Management Console), the logon is successful.
(Optional) Assign multiple roles to a user in Okta
If you want to assign multiple roles to a user in Okta, you must create multiple user groups in the required format and create a group attribute statement. Perform the following steps:
- Create multiple groups. The group names must meet the requirements of the Role Attribute in the SAML assertion. Example: acs:ram::177242285274****:role/admin,acs:ram::177242285274****:saml-provider/okta-provider.
- Add username@example.com to multiple groups.
- In the SAML Settings of the application, delete the attribute statement that corresponds to the Role attribute, and add a group attribute statement. Specify Name as https://www.aliyun.com/SAML-Role/Attributes/Role and specify Filter to ensure that the group names can be filtered. Example: Start with acs:ram.
- After the configuration is complete, log on to Alibaba Cloud again using username@example.com. The user can select a role to log on.
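The following Python script is an added example, not code from the page or from Okta or Alibaba Cloud. It models the group-based variant described in this section: a "Starts with acs:ram" group filter passes every matching group name through as one value of the multi-valued Role attribute, and the script then shows which of those values are well-formed role/provider pairs for your own account and SAML IdP (the roles the user is offered at logon) and which are silently dropped. The group list, the account ID (the page's masked placeholder) and the function names are constructed for this example.

```python
# Constructed sample values; the account ID is the page's masked placeholder.
ACCOUNT_ID = "177242285274****"
PROVIDER_NAME = "okta-provider"

# The Filter set on the group attribute statement: "Starts with acs:ram".
GROUP_FILTER_PREFIX = "acs:ram"

# Constructed Okta group memberships for one user. Only groups named in the
# Role attribute format are meant to reach Alibaba Cloud; the last two entries
# show what a typo in a group name or a group from another account looks like.
USER_GROUPS = [
    "Everyone",
    "acs:ram::177242285274****:role/admin,acs:ram::177242285274****:saml-provider/okta-provider",
    "acs:ram::177242285274****:role/reader,acs:ram::177242285274****:saml-provider/okta-provider",
    "acs:ram::177242285274****:role/admin",                                     # missing provider ARN
    "acs:ram::000000000000****:role/admin,acs:ram::000000000000****:saml-provider/okta-provider",  # other account
]


def okta_group_filter(groups, prefix=GROUP_FILTER_PREFIX):
    """What the 'Starts with' group filter forwards: every group name that has
    the prefix becomes one value of the multi-valued Role attribute."""
    return [g for g in groups if g.startswith(prefix)]


def selectable_roles(role_values, account_id=ACCOUNT_ID, provider_name=PROVIDER_NAME):
    """Keep only values of the form '<role ARN>,<provider ARN>' that name our
    account and our SAML IdP, and return (role names offered to the user,
    values that were dropped). Duplicated role names are offered once."""
    expected_provider = f"acs:ram::{account_id}:saml-provider/{provider_name}"
    role_prefix = f"acs:ram::{account_id}:role/"
    accepted, rejected = [], []
    for value in role_values:
        role_arn, sep, provider_arn = value.partition(",")
        if not sep or provider_arn != expected_provider or not role_arn.startswith(role_prefix):
            rejected.append(value)
            continue
        role = role_arn[len(role_prefix):]
        if role and role not in accepted:
            accepted.append(role)
    return accepted, rejected


if __name__ == "__main__":
    values = okta_group_filter(USER_GROUPS)
    roles, dropped = selectable_roles(values)
    print("roles offered at logon:", roles)
    for v in dropped:
        print("dropped:", v)
```

Because the group filter only checks the prefix, a group name that starts with acs:ram but is not a complete role/provider pair still leaves Okta as a Role value; running a check like selectable_roles over your groups before testing the logon shows which role names the user will actually be able to pick.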
For more information about Okta, see the Okta user guide.