If Alibaba Cloud and the identity management system of an enterprise work together
to implement user-based SSO, Alibaba Cloud acts as the service provider (SP) and the
enterprise identity management system acts as the identity provider (IdP).
User-based SSO allows an employee of the enterprise to access Alibaba Cloud resources
as a RAM user.
Process
After an administrator configures user-based SSO, Employee Alice can log on to the
Alibaba Cloud Management Console. The following figure shows the procedure.

1. Alice uses a browser to log on to the Alibaba Cloud Management Console. The
Alibaba Cloud Management Console returns a Security Assertion Markup Language (SAML)
authentication request to the browser.
2. The browser forwards the SAML authentication request to the IdP.
3. Alice is prompted to log on to the IdP portal. After Alice logs on to the IdP portal,
the IdP returns a SAML response to the browser.
4. The browser forwards the SAML response to the SSO service.
5. The SSO service verifies the digital signature in the SAML response based on the SAML
mutual trust configuration to check the authenticity of the SAML assertion. Then,
the SSO service maps the value of the NameID element in the SAML assertion to the RAM user.
6. The SSO service returns the URL of the Alibaba Cloud Management Console to the browser.
7. The browser redirects Alice to the Alibaba Cloud Management Console.
Note: In Step 1, Alice initiates the logon from the Alibaba Cloud Management Console.
This is optional. Instead, Alice can click the Alibaba Cloud logon URL in the IdP portal
to send a SAML authentication request to the IdP.
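The following Python script is an added example that is not part of this page or of Alibaba Cloud's SSO service. It models the service-provider side of Step 5 above: a SAML response is accepted only after its signature verifies, the assertion was issued by the trusted IdP for this SP and is inside its validity window, and the NameID value matches an existing RAM user (the RAM users created in the configuration steps below). The signature hook, the entity IDs, the NameID values and the RAM user directory are all constructed for the demonstration; a real SP verifies XML-DSig with a dedicated library, and the NameID format Alibaba Cloud expects is not given on this page.

```python
"""SP-side validation of a SAML response (added example, not Alibaba Cloud code)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass
class SpTrustConfig:
    """SP side of the SAML mutual-trust configuration (field names are assumptions)."""
    sp_entity_id: str                        # Audience the IdP must name in the assertion
    idp_entity_id: str                       # Issuer whose assertions we accept
    verify_signature: Callable[[str], bool]  # XML-DSig check against the IdP signing cert
    clock_skew: timedelta = timedelta(seconds=60)


def _parse_utc(value: str) -> datetime:
    """Parse the whole-second UTC timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, cfg: SpTrustConfig, expected_request_id: Optional[str],
                      now: datetime, ram_users: dict[str, str]) -> str:
    """Return the RAM user name for an acceptable response; raise ValueError otherwise.

    expected_request_id is the ID of the AuthnRequest the SP sent (Step 1), or None for
    the IdP-initiated logon described in the note.
    """
    # 1. Authenticity first: nothing in the XML is trusted until the signature verifies.
    if not cfg.verify_signature(xml_text):
        raise ValueError("signature verification failed")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML Response")
    # 2. Bind the response to our own outstanding request (SP-initiated case only).
    if expected_request_id is not None and root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    # 3. Issued by the trusted IdP, addressed to this SP, and still valid.
    if assertion.findtext("saml:Issuer", namespaces=NS) != cfg.idp_entity_id:
        raise ValueError("assertion issuer is not the trusted IdP")
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        raise ValueError("assertion has no Conditions")
    not_before = _parse_utc(conds.get("NotBefore"))
    not_on_or_after = _parse_utc(conds.get("NotOnOrAfter"))
    if now < not_before - cfg.clock_skew or now >= not_on_or_after + cfg.clock_skew:
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.sp_entity_id not in audiences:
        raise ValueError("assertion was not issued for this SP")
    # 4. Map NameID to an existing RAM user; unknown users are rejected, never auto-created.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or name_id not in ram_users:
        raise ValueError(f"no RAM user corresponds to NameID {name_id!r}")
    return ram_users[name_id]


def rejection_reason(xml_text, cfg, expected_request_id, now, ram_users) -> Optional[str]:
    """None if the response is accepted, otherwise the reason (handy for audit logging)."""
    try:
        validate_response(xml_text, cfg, expected_request_id, now, ram_users)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample data: a successful response for Alice, a RAM user directory keyed by
# NameID, and a trust config whose signature hook is only a stand-in for a real check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:example:alibaba-cloud-sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
RAM_USERS = {"alice@example.com": "alice"}  # constructed: NameID value -> RAM user name
DEMO_CONFIG = SpTrustConfig(
    sp_entity_id="urn:example:alibaba-cloud-sp",
    idp_entity_id="https://idp.example.com/metadata",
    verify_signature=lambda xml: True,  # stand-in only; use an XML-DSig library in practice
)
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, DEMO_CONFIG, "_req1", DEMO_NOW, RAM_USERS))
```

Passing `None` as the request ID exercises the IdP-initiated variant from the note, where there is no AuthnRequest to bind the response to; every other check still applies. Each rejection carries a distinct reason so that failed logons can be logged and alerted on.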
Configure user-based SSO
Before you implement user-based SSO, you must establish trust between Alibaba Cloud
and your IdP.
- Configure the IdP in the Alibaba Cloud Management Console to ensure that your IdP
is trusted by Alibaba Cloud.
- Configure Alibaba Cloud as a trusted SAML SP and configure SAML assertions in your
IdP to ensure that Alibaba Cloud is trusted by your IdP.
- After the IdP and Alibaba Cloud SAML settings are configured, you must create RAM
users that correspond to the users in the IdP by using SDKs, CLIs, or the RAM console.
Examples
The following examples describe how to implement user-based SSO between your enterprise
services and Alibaba Cloud by using IdPs, such as AD FS, Okta, and Azure AD: