
Resource Access Management:Manage an OIDC IdP

Last Updated:Jun 28, 2024

This topic describes how to manage an OpenID Connect (OIDC) identity provider (IdP). Before you implement OIDC-based single sign-on (SSO), you must create an OIDC IdP in the Resource Access Management (RAM) console.

Create an OIDC IdP

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab. Then, click Add IdP.

  4. On the Create IdP page, configure the following parameters.

    Parameter

    Description

    IdP Name

    The name must be unique within an Alibaba Cloud account.

    Issuer URL

    The URL of the issuer, as provided by the external IdP. It must be a valid URL that starts with https. It cannot contain a query string (anything that follows a question mark (?)), logon information (a user name or password followed by an at sign (@)), or a fragment (anything that follows a number sign (#)).

    Fingerprint

    The fingerprint of the HTTPS certificate that the external IdP serves at the issuer URL. Alibaba Cloud checks the certificate of the issuer against the configured fingerprints, so a fingerprint protects you against the issuer URL being hijacked or tampered with.

    After you enter a valid Issuer URL, click Obtain Fingerprint and Alibaba Cloud calculates the fingerprint. Do not rely on that value alone: calculate the fingerprint independently on your own computer, for example with OpenSSL (see the official OpenSSL website for details), and compare the two results. If the results differ, the issuer URL or the path to it may have been attacked. Enter only a fingerprint that you have verified yourself.

    Note

    If you plan to rotate the certificate of your IdP, generate the fingerprint of the new certificate and add it to the OIDC IdP in the RAM console before the rotation, so that both the old and the new fingerprint are configured during the changeover. Wait at least one day, then rotate the certificate. After you confirm that an OIDC token issued under the new certificate can be exchanged for a Security Token Service (STS) token, delete the fingerprint of the previous certificate.

    Client IDs

    The client ID that the external IdP generated when you registered your application with it. You present a client ID when you request an OIDC token from the external IdP, and the IdP places that client ID in the aud (audience) field of the token it issues. You must configure at least one client ID when you create an OIDC IdP. When an OIDC token is later used to obtain an STS token, Alibaba Cloud checks that the client ID in the aud field matches a client ID configured in the OIDC IdP; the RAM role can be assumed only if they match.

    If multiple clients need to access Alibaba Cloud resources, configure one client ID per client. You can configure a maximum of 20 client IDs.

    Earliest Issuance Time Allowed

    The maximum age of an OIDC token, measured from the time at which the IdP issued it (the iat claim). An OIDC token that was issued earlier than this limit cannot be exchanged for an STS token, even if the token itself has not yet expired.

    Default value: 12 hours. Valid values: 1 to 168 hours.

    Remarks

    The description of the OIDC IdP.

  5. Click OK.
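The Issuer URL, Fingerprint, Client IDs and Earliest Issuance Time Allowed parameters together decide whether an OIDC token is accepted in exchange for an STS token. The following is an added example, not code from this page or from Alibaba Cloud, that models those checks locally so the rules can be exercised against sample tokens: the issuer URL syntax rules, the certificate fingerprint comparison (with the OpenSSL command you would run on a workstation in a comment), the aud versus client ID match, and the issuance-time window. The class and function names, the use of SHA-1 over the leaf certificate, accepting any audience in a list-valued aud, and all sample data are assumptions made for the example; the certificate bytes are constructed and not a real certificate, and the tokens are unsigned.

```python
"""Added illustration of the OIDC IdP checks described on this page.  Not Alibaba
Cloud's implementation; names, formats and sample data are assumptions."""
import base64
import hashlib
import json
import time
from urllib.parse import urlsplit

MAX_CLIENT_IDS = 20          # limit stated on the page
MAX_FINGERPRINTS = 5         # limit stated on the page
MIN_HOURS, MAX_HOURS, DEFAULT_HOURS = 1, 168, 12   # Earliest Issuance Time Allowed


def validate_issuer_url(url):
    """Issuer URL rule: https, no '?' query, no '@' logon info, no '#' fragment."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return not ("?" in url or "#" in url or "@" in url)


# Workstation equivalent for a live issuer (assumes the leaf certificate and SHA-1;
# compare the result with the value the console shows under Obtain Fingerprint):
#   openssl s_client -connect idp.example.com:443 -servername idp.example.com \
#     </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1
def cert_fingerprint(der_bytes, algorithm="sha1"):
    """Fingerprint of a DER certificate in the colon-separated form OpenSSL prints."""
    hexdigest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(fp):
    """Compare fingerprints regardless of colons or letter case."""
    return fp.replace(":", "").upper()


class OidcIdp:
    """Local model of the Create IdP parameters, enforcing the page's limits."""

    def __init__(self, name, issuer_url, fingerprints, client_ids,
                 earliest_issuance_hours=DEFAULT_HOURS):
        if not validate_issuer_url(issuer_url):
            raise ValueError("invalid issuer URL")
        if not 1 <= len(fingerprints) <= MAX_FINGERPRINTS:
            raise ValueError("1 to %d fingerprints required" % MAX_FINGERPRINTS)
        if not 1 <= len(client_ids) <= MAX_CLIENT_IDS:
            raise ValueError("1 to %d client IDs required" % MAX_CLIENT_IDS)
        if not MIN_HOURS <= earliest_issuance_hours <= MAX_HOURS:
            raise ValueError("earliest issuance time must be 1 to 168 hours")
        self.name = name
        self.issuer_url = issuer_url
        self.fingerprints = {normalize_fingerprint(fp) for fp in fingerprints}
        self.client_ids = set(client_ids)
        self.earliest_issuance_hours = earliest_issuance_hours


def decode_jwt_claims(token):
    """Read the payload of a compact JWT; signature checking is out of scope here."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_token(idp, token, issuer_cert_der, now=None):
    """Return (accepted, reason) for an OIDC token presented for an STS token."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    if claims.get("iss") != idp.issuer_url:
        return False, "iss does not match the configured issuer URL"
    if normalize_fingerprint(cert_fingerprint(issuer_cert_der)) not in idp.fingerprints:
        return False, "issuer certificate fingerprint is not configured"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if not any(a in idp.client_ids for a in audiences):
        return False, "aud does not match any configured client ID"
    iat = claims.get("iat")
    if iat is None:
        return False, "token has no iat claim"
    if iat < now - idp.earliest_issuance_hours * 3600:
        return False, "token was issued before the earliest issuance time allowed"
    if claims.get("exp", now + 1) <= now:
        return False, "token has expired"
    return True, "ok"


def make_unsigned_token(claims):
    """Build a JWT-shaped token with an empty signature, for this example only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed sample data: not a real certificate, not a real IdP.
FAKE_CERT_DER = b"constructed bytes standing in for the issuer's DER certificate"
IDP = OidcIdp("corp-idp", "https://idp.example.com",
              fingerprints=[cert_fingerprint(FAKE_CERT_DER)],
              client_ids=["app-client-1"], earliest_issuance_hours=12)


def demo(now=1_700_000_000):
    """Fresh, stale and wrong-audience tokens against IDP; returns (accepted, reason) each."""
    base = {"iss": "https://idp.example.com", "sub": "alice", "exp": now + 600}
    fresh = make_unsigned_token({**base, "aud": "app-client-1", "iat": now - 60})
    stale = make_unsigned_token({**base, "aud": "app-client-1", "iat": now - 13 * 3600})
    wrong = make_unsigned_token({**base, "aud": "other-app", "iat": now - 60})
    return [check_token(IDP, t, FAKE_CERT_DER, now) for t in (fresh, stale, wrong)]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", "-", reason)
```

With the default 12-hour window, the stale token (issued 13 hours ago) is refused even though its exp claim is still in the future, which is the behaviour the Earliest Issuance Time Allowed parameter is there to enforce. The fingerprint set also shows why the rotation note above works: during a certificate change the set holds both the old and the new value, so tokens are accepted whichever certificate the issuer is serving, and the old value is removed only once tokens under the new certificate have been seen to succeed.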

View the information about an OIDC IdP

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab. Then, click the name of the OIDC IdP whose information you want to view.

  4. In the IdP Details section of the page that appears, view IdP Name, IdP Type, Created At, Updated At, Remarks, ARN, and URL.

Modify the information about an OIDC IdP

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab. Then, click the name of the OIDC IdP whose information you want to modify.

  4. In the IdP Details section of the page that appears, click Edit to the right of Remarks to modify the description of the OIDC IdP.

  5. In the Client IDs section, click Add or Remove to add or remove a client ID.

    Note

    You can add a maximum of 20 client IDs. You must retain at least one client ID.

  6. In the Fingerprint section, click Add or Remove to add or remove a fingerprint.

    Note

    You can add a maximum of five fingerprints. You must retain at least one fingerprint.

Delete an OIDC IdP

Warning

After you delete an IdP, role-based SSO cannot be implemented between your business system and RAM.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab. Then, find the OIDC IdP that you want to delete and click Remove in the Actions column.

  4. In the Remove IdP message, click OK.