
Resource Access Management:Manage an OIDC IdP

Last Updated:Sep 17, 2025

To use OpenID Connect (OIDC) role-based single sign-on (SSO), you must create an identity provider (IdP). This topic describes how to create, view, modify, and delete an OIDC IdP.

Create an OIDC IdP

  1. Log on to the Resource Access Management (RAM) console as a RAM administrator.

  2. In the navigation pane on the left, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab, and then click Create IdP.

  4. On the Create IdP page, set the IdP information.

    • IdP Name: The name must be unique within an Alibaba Cloud account.

    • Issuer URL: The URL of the issuer that is provided by the external IdP. The issuer URL must start with https and be a valid URL. It cannot contain query parameters (anything after a question mark, ?), fragment segments (anything after a number sign, #), or logon information (anything marked by an at sign, @).

    • Verification Fingerprint: To prevent the issuer URL from being hijacked or tampered with, configure the verification fingerprint generated from the HTTPS CA certificate of the external IdP.

      After you enter the Issuer URL, click Get Fingerprint. Alibaba Cloud calculates the verification fingerprint automatically. We recommend that you also calculate it locally and compare the results. For more information, see Obtain the fingerprint of an OIDC IdP using OpenSSL. If the fingerprints do not match, the issuer URL may be under attack. Confirm the URL and enter the correct fingerprint.

      Note

      If you plan to rotate the certificate of your IdP, generate the fingerprint of the new certificate and add it to the OIDC IdP information in Alibaba Cloud before the rotation. Wait for at least one day before you rotate the certificate. After you confirm that you can use the new certificate to obtain a Security Token Service (STS) token, you can delete the old fingerprint.

    • Client ID: When you register your application with the external IdP, a client ID is generated. You must use this client ID when you request an OIDC token from the external IdP, and the issued OIDC token carries it in the aud field. Configure the same client ID when you create the OIDC IdP. When you use the OIDC token to obtain an STS token, Alibaba Cloud verifies that the client ID in the aud field of the OIDC token matches a client ID configured for the OIDC IdP. You can assume the role only if the client IDs match.

      If you have multiple applications that need to access Alibaba Cloud, you can configure multiple client IDs. You can add a maximum of 50 client IDs.

    • Earliest Issuance Time: OIDC tokens issued earlier than this number of hours before the request cannot be used to obtain STS tokens.

      Default: 12 hours. Valid values: 1 to 168 hours.

    • Remarks: The description of the IdP.

  5. Click Create IdP.

View OIDC IdP information

  1. Log on to the RAM console as a RAM administrator.

  2. In the navigation pane on the left, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab, and then click the name of the target IdP.

  4. In the Basic Information section, view the IdP Name, IdP Type, Creation Time, Update Time, Remarks, ARN, Issuer URL, and Earliest Issuance Time.

Modify OIDC IdP information

  1. Log on to the RAM console as a RAM administrator.

  2. In the navigation pane on the left, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab, and then click the name of the target IdP.

  4. Modify the OIDC IdP information.

    • In the Basic Information section, modify the Remarks and Earliest Issuance Time.

    • In the Client ID section, add or delete a client ID.

      Note

      You can add a maximum of 50 client IDs. If only one client ID exists, you cannot delete it.

    • In the Verification Fingerprint section, add or delete a verification fingerprint.

      Note

      You can add a maximum of five verification fingerprints. If only one verification fingerprint exists, you cannot delete it.

Delete an OIDC IdP

Warning

After you delete an OIDC IdP, you can no longer use OIDC role-based SSO with RAM.

  1. Log on to the RAM console as a RAM administrator.

  2. In the navigation pane on the left, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab. Then, find the OIDC IdP that you want to delete and click Delete IdP in the Actions column.

  4. In the Delete IdP dialog box, click Delete IdP.