This topic provides an example on how to implement role-based single sign-on (SSO) from OneLogin to Alibaba Cloud. The example describes the end-to-end role-based SSO process from a cloud identity provider (IdP) to Alibaba Cloud.
Background information
In this example, an enterprise has an Alibaba Cloud account, a OneLogin administrator account, and multiple OneLogin users. The enterprise wants the OneLogin users to use their OneLogin accounts to access Alibaba Cloud by using role-based SSO without the need to create RAM users in Alibaba Cloud.
For more information about OneLogin, see OneLogin documentation.
Step 1: Create an application in OneLogin
- Log on to OneLogin as an administrator.
- To the left of the profile picture, click Administration to go to the Administration page.
- In the top navigation bar, choose .
- In the upper-right corner of the Applications page, click Add App.
- On the Find Applications page, search for SAML Test Connector (Advanced).
- On the page that appears, click SAML Test Connector (Advanced). On the Add SAML Test Connector (Advanced) page, configure the parameters and click Save. In this example, set the Display Name parameter to LoginToAliyun. Use the default values for other parameters.
- On the page that appears, move the pointer over More Actions in the upper-right corner and select SAML Metadata from the drop-down list. The IdP metadata file is downloaded. Save the file to your computer.
Step 2: Create an IdP in the Alibaba Cloud Management Console
- Log on to the RAM console by using the Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Role-based SSO tab, click the SAML tab and click Create IdP.
- On the Create IdP page, set IdP Name to OneLogin and configure Remarks.
- In the Metadata File section, click Upload to upload the IdP metadata file that is obtained from Step 1: Create an application in OneLogin.
- Click OK. View the details of the created IdP and record the Alibaba Cloud Resource Name (ARN) of the IdP for subsequent use.
Step 3: Create a RAM role in the Alibaba Cloud Management Console
- In the left-side navigation pane of the RAM console, choose .
- On the Roles page, click Create Role.
- In the Create Role panel, select IdP for Select Trusted Entity and click Next.
- In the Configure Role step, configure the RAM Role Name and Note parameters. For example, you can set the RAM Role Name parameter to Reader-OneLogin.
- Select SAML for the IdP Type parameter.
- Select OneLogin that you created in Step 2: Create an IdP in the Alibaba Cloud Management Console for the Select IdP parameter, read the conditions, and then click OK.
- Click Close. View the details of the created RAM role and record the ARN of the RAM role for subsequent use.
Step 4: Configure the application in OneLogin
- Log on to OneLogin as an administrator.
- Create a custom user attribute.
- Configure the application.
Step 5: Create a user in OneLogin and assign the application to the user
- Log on to OneLogin as an administrator.
- In the top navigation bar, choose .
- Create a user.
  Note: If you already have a OneLogin user, skip this step.
- In the Custom Fields section of the page that appears, configure the Aliyun Roles for SSO parameter.
  The value of the Aliyun Roles for SSO parameter consists of the ARN of the RAM role and the ARN of the IdP, separated by a comma (,). The value must be in the following format:
  acs:ram::<account_id>:role/RoleName,acs:ram::<account_id>:saml-provider/ProviderName
  The ARN of the RAM role is obtained from Step 3: Create a RAM role in the Alibaba Cloud Management Console, the ARN of the IdP is obtained from Step 2: Create an IdP in the Alibaba Cloud Management Console, and <account_id> is the ID of the Alibaba Cloud account. Within one pair, both ARNs carry the same account ID, because the IdP is created in the account that owns the role. Copy the ARNs exactly as the RAM console displays them rather than retyping the role name; in the example below the role created as Reader-OneLogin appears in its ARN as reader-onelogin. Treat this field as an authorization decision: whoever can edit it in OneLogin can grant the user any role that trusts the IdP.
  Note: If a user corresponds to multiple RAM roles, you can configure more than one value. The values are separated by semicolons (;). For example, you can set the Aliyun Roles for SSO parameter to the following value, which grants the user three roles across two Alibaba Cloud accounts:
  acs:ram::125022144354****:role/reader-onelogin,acs:ram::125022144354****:saml-provider/OneLogin;acs:ram::125022144354****:role/administrator-onelogin,acs:ram::125022144354****:saml-provider/OneLogin;acs:ram::158622887609****:role/finance,acs:ram::158622887609****:saml-provider/OneLogin2
- Assign the application to the user.
- On the Applications page, click the icon.
- Select LoginToAliyun created in Step 1: Create an application in OneLogin and click Continue.
- In the dialog box that appears, click Save.
- In the upper-right corner of the Users page, click Save User.
- Repeat the preceding steps (create the user, configure the Aliyun Roles for SSO parameter, and assign LoginToAliyun) for the other users of the enterprise.
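Because a typo in the Aliyun Roles for SSO value only surfaces as a failed sign-in in Step 6, it is worth validating the value before it is saved on every user. The following Python is an added example written for this page, not code from OneLogin or Alibaba Cloud. It builds and parses the pair format described above, rejects a pair whose role and IdP are in different accounts, and is exercised on the page's own multi-role example. The masked account IDs (12 digits followed by ****) are the page's placeholders, not real accounts; the role-name and IdP-name character classes are an assumption, chosen to cover the names used on this page.

```python
"""Validate the 'Aliyun Roles for SSO' attribute value (added example, not
Alibaba Cloud or OneLogin code).  ARN formats follow the page; account IDs
in PAGE_VALUE are the page's masked placeholders."""
import re
from dataclasses import dataclass

# Alibaba Cloud account IDs are 16 digits; the page masks the last four as ****.
_ACCOUNT = r"(?P<account>\d{12}(?:\d{4}|\*{4}))"
# Name character classes are an assumption that covers the names on this page.
_ROLE_ARN = re.compile(rf"^acs:ram::{_ACCOUNT}:role/(?P<name>[A-Za-z0-9._-]+)$")
_IDP_ARN = re.compile(rf"^acs:ram::{_ACCOUNT}:saml-provider/(?P<name>[A-Za-z0-9._-]+)$")

# The multi-role example quoted on the page (three roles, two accounts).
PAGE_VALUE = (
    "acs:ram::125022144354****:role/reader-onelogin,"
    "acs:ram::125022144354****:saml-provider/OneLogin;"
    "acs:ram::125022144354****:role/administrator-onelogin,"
    "acs:ram::125022144354****:saml-provider/OneLogin;"
    "acs:ram::158622887609****:role/finance,"
    "acs:ram::158622887609****:saml-provider/OneLogin2"
)


@dataclass(frozen=True)
class RolePair:
    account: str  # account that owns both the RAM role and the IdP
    role: str     # role name exactly as it appears in the role ARN
    idp: str      # IdP name exactly as it appears in the saml-provider ARN

    @property
    def role_arn(self) -> str:
        return f"acs:ram::{self.account}:role/{self.role}"

    @property
    def idp_arn(self) -> str:
        return f"acs:ram::{self.account}:saml-provider/{self.idp}"

    @property
    def value(self) -> str:
        # One entry in the page's format: "<role ARN>,<IdP ARN>"
        return f"{self.role_arn},{self.idp_arn}"


def build_role_value(pairs) -> str:
    """Join RolePair objects into the attribute value; entries are ';'-separated."""
    return ";".join(p.value for p in pairs)


def parse_role_value(value: str) -> list:
    """Parse and validate an attribute value.

    Raises ValueError for anything Alibaba Cloud could not evaluate as a
    (role, IdP) pair: wrong separators, wrong ARN kind or order, a role and an
    IdP from different accounts, or the same role listed twice."""
    pairs, seen = [], set()
    for index, entry in enumerate(value.split(";")):
        entry = entry.strip()
        if not entry:
            raise ValueError(f"entry {index}: empty (stray ';' or blank value)")
        fields = entry.split(",")
        if len(fields) != 2:
            raise ValueError(f"entry {index}: expected 'roleARN,idpARN', got {len(fields)} field(s)")
        role_m = _ROLE_ARN.match(fields[0].strip())
        idp_m = _IDP_ARN.match(fields[1].strip())
        if role_m is None:
            raise ValueError(f"entry {index}: first field is not a RAM role ARN: {fields[0]!r}")
        if idp_m is None:
            raise ValueError(f"entry {index}: second field is not a saml-provider ARN: {fields[1]!r}")
        # The IdP is a resource of the account that owns the role, so a pair
        # that mixes two accounts can never succeed at sign-in.
        if role_m["account"] != idp_m["account"]:
            raise ValueError(f"entry {index}: role account {role_m['account']} "
                             f"differs from IdP account {idp_m['account']}")
        pair = RolePair(role_m["account"], role_m["name"], idp_m["name"])
        if pair.role_arn in seen:
            raise ValueError(f"entry {index}: role listed twice: {pair.role_arn}")
        seen.add(pair.role_arn)
        pairs.append(pair)
    return pairs


def is_valid_role_value(value: str) -> bool:
    """Convenience predicate for scripts that only need a yes/no answer."""
    try:
        parse_role_value(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in parse_role_value(PAGE_VALUE):
        print(f"account {p.account}: role {p.role} via IdP {p.idp}")
```

Run it over the value you are about to paste into the Custom Fields section; a ValueError tells you which entry is wrong before the user ever tries to sign in. The duplicate check is only hygiene (a duplicate shows up twice in the role picker), whereas the account check catches a pair that cannot work.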
Step 6: Test role-based SSO
- Log on to OneLogin by using the user that is created in Step 5: Create a user in OneLogin and assign the application to the user. In this example, the user is jacklee.
- Click LoginToAliyun. The logon succeeds if one of the following pages appears: the page to which the URL entered for the RelayState parameter points, or the homepage of the Alibaba Cloud Management Console.
  Note: If you configure more than one value for the Aliyun Roles for SSO parameter in Step 5: Create a user in OneLogin and assign the application to the user, you must select a specific RAM role before you can access Alibaba Cloud.