This topic provides an example of role-based SSO between OneLogin and Alibaba Cloud to help you understand the end-to-end configuration flow of role-based SSO between an enterprise IdP and Alibaba Cloud.
Background information
In this example, the enterprise has an Alibaba Cloud account, a OneLogin administrator user, and multiple OneLogin regular users. The goal is to let the OneLogin regular users access Alibaba Cloud directly with their OneLogin accounts through role-based SSO, instead of creating new accounts for them on Alibaba Cloud.
For more information about OneLogin, see OneLogin Help Documentation.
Step 1: Create an application in OneLogin
- Log on to OneLogin as an administrator user.
- Click Administration, located to the left of the account profile picture, to open the administrator page.
- In the top menu bar, select .
- In the upper-right corner of the Applications page, click Add App.
- On the Find Applications page, search for SAML Test Connector (Advanced).
- On the Add SAML Test Connector (Advanced) page, configure the application's basic information and then click Save. In this example, set the Display Name of the application to LoginToAliyun and keep the other parameters at their default values.
- On the Info page, hover over More Actions in the upper-right corner. From the drop-down menu, click SAML Metadata to download the identity provider (IdP) metadata file and save it to your local computer.
Step 2: Create an identity provider in Alibaba Cloud
- Log on to the RAM console with your Alibaba Cloud account.
- In the left-side navigation pane, select .
- On the Role-based SSO tab, click the SAML tab, and then click Create Identity Provider.
- On the Create Identity Provider page, enter the Identity Provider Name (OneLogin) and Description.
- In the Metadata File area, click Upload File to upload the IdP metadata file you obtained in Step 1: Create an application in OneLogin.
- Click OK.
- View the details of the created IdP and record the Alibaba Cloud Resource Name (ARN) of the IdP for subsequent use.
Step 3: Create a RAM role in Alibaba Cloud
- In the left-side navigation pane of the RAM console, select .
- On the Roles page, click Create Role.
- In the upper-right corner of the Create Role page, click Switch Editor.
- Specify the SAML identity provider in the editor. The editor offers a visual mode and a script mode; choose whichever suits you. In the visual editor, for example, set Entity to the identity provider you created in Step 2: Create an identity provider in Alibaba Cloud, and set Identity Provider Type to SAML.
- Set the saml:recipient condition in the editor. For China, use ; for international access, use https://signin.alibabacloud.com/saml-role/sso.
- In the Create Role dialog box, enter the Role Name (for example, Reader-OneLogin), and then click OK.
- View the details of the created RAM role and record the ARN of the RAM role for subsequent use.
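The role created in this step should trust exactly one SAML identity provider, and only for assertions addressed to the recipient endpoint configured here. The following Python is an added example, not code from this page, Alibaba Cloud or OneLogin: it assembles a trust policy in the shape this step describes (the IdP ARN as a Federated principal, saml:recipient enforced as a StringEquals condition; that JSON layout is an assumption based on the page's description) and checks an existing policy for the mistakes that undermine the binding, namely a wildcard or extra principal and a missing or wrong recipient. The account ID and provider name are constructed placeholders.

```python
import json

INTL_RECIPIENT = "https://signin.alibabacloud.com/saml-role/sso"


def build_saml_trust_policy(idp_arn: str, recipient: str = INTL_RECIPIENT) -> dict:
    """Trust policy that lets only `idp_arn` assume the role, and only for
    SAML assertions addressed to `recipient` (assumed RAM policy layout)."""
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Federated": [idp_arn]},
                "Condition": {"StringEquals": {"saml:recipient": recipient}},
            }
        ],
        "Version": "1",
    }


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(policy: dict, idp_arn: str, recipient: str = INTL_RECIPIENT) -> list:
    """Return findings for every Allow statement; an empty list means the role
    can only be assumed through `idp_arn`, and only via `recipient`."""
    findings = []
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allows:
        return ["no Allow statement: nothing can assume this role"]
    for i, stmt in enumerate(allows):
        where = f"statement {i}"
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            findings.append(f"{where}: does not grant sts:AssumeRole")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            # A bare "*" (or any non-object principal) is not a SAML-only trust.
            findings.append(f"{where}: principal {principal!r} is not a Federated object")
            continue
        extra = sorted(set(principal) - {"Federated"})
        if extra:
            findings.append(f"{where}: non-SAML principal types {extra} may assume the role")
        federated = _as_list(principal.get("Federated"))
        if federated != [idp_arn]:
            findings.append(f"{where}: Federated principal is {federated}, expected [{idp_arn!r}]")
        string_equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
        recipients = _as_list(string_equals.get("saml:recipient"))
        if not recipients:
            findings.append(f"{where}: missing saml:recipient condition, assertions for any endpoint are accepted")
        elif recipients != [recipient]:
            findings.append(f"{where}: saml:recipient is {recipients}, expected [{recipient!r}]")
    return findings


if __name__ == "__main__":
    # Constructed placeholder ARN; use the IdP ARN you recorded in Step 2.
    idp = "acs:ram::1234567890123456:saml-provider/OneLogin"
    policy = build_saml_trust_policy(idp)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, idp))
```

Run `check_trust_policy` against the policy document shown in the script editor after you save the role; any finding means the role can be assumed by more than the OneLogin IdP, or by assertions that were minted for a different recipient.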
Step 4: Configure the application in OneLogin
- Log on to OneLogin as an administrator user.
- Create custom user attributes.
  - In the top menu bar, select .
  - On the Users page, hover over More Actions in the upper-right corner, and from the drop-down list, click Custom user fields.
  - In the upper-right corner of the Custom User Fields page, click New User Field.
  - In the New User Field dialog box, configure the Name and Shortname, and then click Save. In this example, set the Name to Aliyun Roles for SSO and the Shortname to AliyunRoles.
- Configure the application.
  - In the top menu bar, select .
  - On the Applications page, click the application you created in Step 1: Create an application in OneLogin (LoginToAliyun).
  - In the left-side navigation pane, click Configuration.
  - On the Configuration page, configure the following information, and then click Save.
    - RelayState: the Alibaba Cloud page that users are redirected to after a successful logon.
      Note: For security reasons, the URL entered as the RelayState value must be under a domain name owned by Alibaba, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. Any other value is rejected. If you leave this parameter blank, users are redirected to the Alibaba Cloud Management Console homepage by default.
    - Audience (EntityID): urn:alibaba:cloudcomputing:international.
    - Recipient: For China, use ; for international users, use https://signin.alibabacloud.com/saml-role/sso.
    - ACS (Consumer) URL: For China, use ; for international access, use https://signin.alibabacloud.com/saml-role/sso.
  - In the left-side navigation pane, click Parameters.
  - On the Parameters page, click and add the first custom application attribute.
    - In the New Field dialog box, set the Field name to https://www.aliyun.com/SAML-Role/Attributes/Role, select Include in SAML assertion and Multi-value parameter, and then click Save.
    - In the Edit Field https://www.aliyun.com/SAML-Role/Attributes/Role dialog box, select Aliyun Roles for SSO (Custom) and Semicolon Delimited input (Multi-value output) from the two drop-down lists in the Default if no value selected area, and then click Save.
  - On the Parameters page, click and add the second custom application attribute.
    - In the New Field dialog box, set the Field name to https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName, select Include in SAML assertion, and then click Save.
    - In the Edit Field https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName dialog box, select Email from the drop-down list in the Value area, and then click Save.
      Note: You can also set the Value to another attribute based on your needs, such as Username or userPrincipalName.
  - In the upper-right corner of the Parameters page, click Save.
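The Note on RelayState in this step restricts the post-logon redirect to Alibaba-owned domains; Alibaba Cloud enforces that rule on its side, but it is useful to apply the same rule locally before pasting a value into OneLogin, for example in a script that reviews many application configurations. The following Python is an added example, not code from this page, Alibaba Cloud or OneLogin. The allowed domain list is taken from the Note; the decision to additionally require https, and the treatment of a bare domain (aliyun.com) as allowed alongside its subdomains, are this example's own choices. Matching is done on the parsed hostname rather than on the raw string, so look-alike hosts and a userinfo prefix do not pass.

```python
from urllib.parse import urlsplit

# Allowed registrable domains, taken from the Note on RelayState above.
ALLOWED_RELAYSTATE_DOMAINS = (
    "aliyun.com", "hichina.com", "yunos.com", "taobao.com",
    "tmall.com", "alibabacloud.com", "alipay.com",
)


def relaystate_is_allowed(relay_state) -> bool:
    """Local pre-check mirroring the page's rule.

    Blank means the default console homepage and is accepted. Otherwise the
    value must parse as an https URL whose hostname is one of the allowed
    domains or a subdomain of one. Because only the hostname is compared,
    values such as https://aliyun.com.evil.example/, https://evil-aliyun.com/
    and https://console.aliyun.com@evil.example/ are all rejected.
    (Requiring https is this example's choice, not a rule stated on the page.)
    """
    if relay_state is None or relay_state.strip() == "":
        return True
    try:
        parts = urlsplit(relay_state.strip())
        host = parts.hostname  # lower-cased; userinfo and port already removed
    except ValueError:
        return False  # unparsable netloc, e.g. a malformed IPv6 literal
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")  # tolerate a trailing dot in the hostname
    return any(host == d or host.endswith("." + d) for d in ALLOWED_RELAYSTATE_DOMAINS)


def classify_relaystates(candidates) -> dict:
    """Map each candidate value to True (allowed) or False (rejected)."""
    return {c: relaystate_is_allowed(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample values for a quick review run.
    for value, ok in classify_relaystates([
        "",
        "https://home.console.aliyun.com/",
        "https://aliyun.com.evil.example/",
        "https://console.aliyun.com@evil.example/",
        "http://console.aliyun.com/",
    ]).items():
        print(f"{'allow ' if ok else 'reject'} {value!r}")
```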
Step 5: Create users and assign applications in OneLogin
- Log on to OneLogin as an administrator user.
- In the top menu bar, select .
- Create a user.
  Note: If you already have a OneLogin user, skip this step.
  - In the upper-right corner of the Users page, click New User.
  - On the New User page, enter the First name (such as Jack), Last name (such as Lee), Username (such as jacklee), and Email (such as jacklee@example.com). Then click Save User.
  - On the User Info page, hover over More Actions in the upper-right corner. From the drop-down list, select Change Password to set a new logon password for the user, and then click Update. The user can then log on to OneLogin with this password.
- On the User Info page, locate the Custom Fields section and set the value of the custom field Aliyun Roles for SSO. The value consists of the RAM role ARN and the identity provider ARN, separated by a comma, in the format acs:ram::<account_id>:role/RoleName,acs:ram::<account_id>:saml-provider/ProviderName. Take the RAM role ARN from Step 3: Create a RAM role in Alibaba Cloud and the identity provider ARN from Step 2: Create an identity provider in Alibaba Cloud, and replace <account_id> with your Alibaba Cloud account ID.
  Note: If a user is associated with multiple RAM roles, configure multiple sets of values. Each set is a RAM role ARN followed by its corresponding identity provider ARN, and the sets are also separated by commas. For example:
  acs:ram::125022144354****:role/reader-onelogin,acs:ram::125022144354****:saml-provider/OneLogin,acs:ram::125022144354****:role/administrator-onelogin,acs:ram::125022144354****:saml-provider/OneLogin,acs:ram::158622887609****:role/finance,acs:ram::158622887609****:saml-provider/OneLogin2
- Assign the application to the user.
  - On the Applications page, click .
  - Select the application you created in Step 1: Create an application in OneLogin (LoginToAliyun), and then click Continue.
  - In the pop-up dialog box, click Save.
- In the upper-right corner of the Users page, click Save User.
- Repeat steps 4 to 6 to set the Aliyun Roles for SSO attribute values and assign the application to the other OneLogin regular users.
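The Aliyun Roles for SSO value is a flat, comma-separated list in which every RAM role ARN must be immediately followed by the ARN of the identity provider that is trusted for it, and an entry with the ARNs swapped, an odd number of ARNs, or a role and provider from different accounts will not map to a usable role. The following Python is an added example, not code from this page, Alibaba Cloud or OneLogin: it parses such a value into (role ARN, provider ARN) pairs and rejects each of those mistakes, so a value can be validated before it is entered for many users. The ARN patterns follow the format shown in this step; the character class used for role and provider names is an assumption, and the sample value uses constructed 16-digit account IDs (the masked `****` IDs in the page's own example would not match the digit-only pattern).

```python
import re

# ARN shapes from the format given in Step 5. The name character class
# (letters, digits, '.', '_' and '-') is an assumption of this example.
ROLE_ARN = re.compile(r"^acs:ram::(?P<account>\d+):role/(?P<name>[\w.-]+)$")
PROVIDER_ARN = re.compile(r"^acs:ram::(?P<account>\d+):saml-provider/(?P<name>[\w.-]+)$")

# Constructed sample: two roles in two accounts, each paired with its own IdP ARN.
SAMPLE_VALUE = (
    "acs:ram::1234567890123456:role/reader-onelogin,"
    "acs:ram::1234567890123456:saml-provider/OneLogin,"
    "acs:ram::6543210987654321:role/finance,"
    "acs:ram::6543210987654321:saml-provider/OneLogin2"
)


def parse_role_attribute(value: str) -> list:
    """Split an 'Aliyun Roles for SSO' value into (role_arn, provider_arn) pairs.

    Raises ValueError for an odd number of ARNs, a malformed ARN, a pair in
    the wrong order, or a pair whose account IDs differ."""
    items = [s.strip() for s in value.split(",") if s.strip()]
    if len(items) % 2:
        raise ValueError(f"expected role/provider pairs, got {len(items)} ARNs")
    pairs = []
    for pos in range(0, len(items), 2):
        role, provider = items[pos], items[pos + 1]
        rm, pm = ROLE_ARN.match(role), PROVIDER_ARN.match(provider)
        if rm is None:
            raise ValueError(f"position {pos}: expected a RAM role ARN, got {role!r}")
        if pm is None:
            raise ValueError(f"position {pos + 1}: expected a saml-provider ARN, got {provider!r}")
        if rm["account"] != pm["account"]:
            raise ValueError(
                f"position {pos}: role account {rm['account']} differs from "
                f"provider account {pm['account']}"
            )
        pairs.append((role, provider))
    return pairs


def role_attribute_problem(value: str):
    """None if `value` parses cleanly, otherwise the error message."""
    try:
        parse_role_attribute(value)
    except ValueError as exc:
        return str(exc)
    return None


def format_role_attribute(pairs) -> str:
    """Inverse of parse_role_attribute: flatten pairs back into the field value."""
    return ",".join(arn for pair in pairs for arn in pair)


if __name__ == "__main__":
    for role, provider in parse_role_attribute(SAMPLE_VALUE):
        print(f"{role}  <-  trusted IdP {provider}")
    print(role_attribute_problem("acs:ram::1234567890123456:role/reader-onelogin"))
```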
Verify results
- Log on to OneLogin as the user (jacklee) you created in Step 5: Create users and assign applications in OneLogin.
- Click the application (LoginToAliyun). If you are redirected to the page corresponding to the RelayState you set, or to the default homepage of the Alibaba Cloud Management Console, the logon succeeded.
  Note: If you set multiple roles for the user in Step 5: Create users and assign applications in OneLogin, you must select a logon role before accessing Alibaba Cloud.