
Resource Access Management:Manage OIDC identity providers

Last Updated:May 26, 2026

OIDC role-based SSO requires an identity provider (IdP). Create, view, modify, or delete OIDC IdPs from the RAM console.

Create an OIDC identity provider

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab, and then click Create IdP.

  4. On the Create IdP page, configure the identity provider.

    • IdP Name: The name must be unique within your Alibaba Cloud account.

    • Issuer URL: Provided by your external IdP. Must start with https, follow standard URL format, and exclude query strings (?), fragments (#), and user credentials (@).

    • Obtain Fingerprint: Configure the HTTPS CA certificate thumbprint from your external IdP to prevent issuer URL hijacking or tampering.

      After you enter the Issuer URL and click Get Fingerprint, Alibaba Cloud calculates the thumbprint automatically. For security, also calculate it locally (get the thumbprint of an OIDC IdP by using OpenSSL) and compare. If the values differ, the issuer URL may be compromised: verify the URL and enter the correct thumbprint.

      Note

      Before rotating a certificate on your IdP, add the new certificate's thumbprint to your OIDC IdP configuration. Wait at least one day, then rotate the certificate. After confirming you can obtain an STS token with the new certificate, remove the old thumbprint.

    • Client ID: Your external IdP assigns a client ID when you register an application. This ID appears in the aud claim of issued OIDC tokens. During OIDC-to-STS token exchange, Alibaba Cloud verifies the aud claim against this client ID; role assumption succeeds only if they match.

      Add multiple client IDs if multiple applications access Alibaba Cloud. Maximum: 50.

    • Earliest Issuance Time Allowed: OIDC tokens issued before this time limit cannot be exchanged for STS tokens.

      Default value: 12 hours. Valid values: 1 to 168 hours.

    • Note: A description for the identity provider.

  5. Click Create IdP.
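The three checks the parameters above describe (local thumbprint comparison, the aud claim against the registered client IDs, and iat against Earliest Issuance Time Allowed), as an added Python pre-flight example that is not part of the Alibaba Cloud documentation. The issuer URL, client IDs and the SHA-1-of-DER thumbprint format are assumptions, and the token check only inspects claims; signature validation against the IdP's keys is left to the STS exchange itself.

```python
import base64
import hashlib
import json
import time

# Constructed IdP configuration mirroring the console parameters (assumed values, not a real IdP).
IDP_CONFIG = {
    "issuer_url": "https://idp.example.com",
    "client_ids": {"app-client-id-1", "app-client-id-2"},
    "earliest_issuance_hours": 12,
}


def pem_thumbprint(pem: str) -> str:
    """Uppercase SHA-1 hex of a PEM certificate's DER bytes (assumption: the thumbprint
    format the console expects; feed it the CA certificate from `openssl s_client -showcerts`)."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()


def thumbprint_matches(pem: str, configured: set) -> bool:
    """True if the locally computed thumbprint is one of those configured on the IdP."""
    return pem_thumbprint(pem) in {t.upper() for t in configured}


def _b64url_json(segment: str):
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def preflight_token(jwt: str, cfg: dict, now: float = None):
    """Return None if the token would pass the claim checks described above, else the reason."""
    now = time.time() if now is None else now
    try:
        claims = _b64url_json(jwt.split(".")[1])
    except (ValueError, IndexError):
        return "malformed token"
    if claims.get("iss") != cfg["issuer_url"]:
        return "issuer mismatch"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])  # aud may be a string or a list
    if not set(aud) & cfg["client_ids"]:
        return "aud does not match any client ID"
    if claims.get("iat", 0) < now - cfg["earliest_issuance_hours"] * 3600:
        return "issued before earliest issuance time allowed"
    return None


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for local testing only (constructed, unsigned)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```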

View OIDC identity providers

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab, and then click the name of the target identity provider.

  4. In the Basic Information section, view the IdP Name, IdP Type, Created At, Updated At, Note, ARN, Issuer URL, and Earliest Issuance Time Allowed.

Modify OIDC identity providers

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab, and then click the name of the target identity provider.

  4. Modify the OIDC identity provider.

    • In the Basic Information section, modify the Note and Earliest Issuance Time Allowed.

    • In the Client ID section, add or remove client IDs.

      Note

      Maximum: 50 client IDs. The last remaining client ID cannot be deleted.

    • In the Obtain Fingerprint section, add or remove thumbprints.

      Note

      Maximum: 5 thumbprints. The last remaining thumbprint cannot be deleted.

Delete an OIDC identity provider

Warning

After you delete an OIDC IdP, enterprise users can no longer use OIDC role-based SSO to access Alibaba Cloud.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the OIDC tab, find the target OIDC identity provider, and then click Delete IdP in the Actions column.

  4. In the Delete IdP dialog box, click Delete IdP.