Alibaba Cloud supports Security Assertion Markup Language (SAML) 2.0-based and OpenID Connect (OIDC)-based single sign-on (SSO). This feature is also known as identity federation. This topic introduces the terms that are related to SSO, and describes how to implement SSO between an enterprise identity management system and Alibaba Cloud.

Terms

TermDescription
identity provider (IdP)

A RAM entity that provides identity management services. IdPs are classified into the following types:

  • IdPs that use the on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth
  • IdPs that use the cloud-based architecture, such as Azure AD, Google Workspace, Okta, and OneLogin
service provider (SP)An application that uses the identity management feature of an IdP to provide users with specific services. An SP uses the user information that is provided by an IdP. In specific identity systems, such as OIDC, that are not based on the SAML protocol, SP is known as the relying party of an IdP.
SAML 2.0A protocol that is designed for enterprise-level user identity authentication. SAML 2.0 is used for communication between an SP and an IdP. SAML 2.0 is a standard that enterprises use to implement enterprise-level SSO.
SAML assertionA core element that is defined in the SAML protocol. This element describes the authentication request and response. For example, the SAML assertion for an authentication response can contain user attributes.
trustA mutual trust relationship between an SP and an IdP. In most cases, the trust relationship is established by using public and private keys. An SP can obtain the SAML metadata of a trusted IdP. The metadata includes a public key. The SP uses the public key to verify the integrity of the SAML assertion that is issued by the IdP.
OIDCAn authentication protocol that is developed based on Open Authorization (OAuth) 2.0. For more information, see OIDC and OAuth 2.0. OAuth is an authorization protocol. OIDC adds an identity layer to extend OAuth. This way, OIDC can use OAuth for authorization. OIDC also allows clients to verify the identities of users and use an HTTP RESTful API to obtain basic information about the users.
OIDC tokenAn identity token that is issued by OIDC to an application. An OIDC token is an identity token that indicates a logon user. An OIDC token can be used to obtain the basic information about a logon user.
client IDAn ID that is generated for an application when you register the application in an external IdP. When you apply for an OIDC token from an external IdP, you must use a client ID. The client ID is specified in the aud field of the OIDC token that is issued. When you create an OIDC IdP, you must configure the client ID. If you want to use the OIDC token to obtain an STS token, Alibaba Cloud checks whether the client ID that is included in the aud field is the same as the client ID that you configured in the OIDC IdP. You can assume a RAM role only when the client IDs are the same.
fingerprintThe fingerprint that is generated based on the HTTPS certificate of an external IdP. You can use a fingerprint to prevent the URL of the issuer from being hijacked or tampered with. Alibaba Cloud calculates the fingerprint. We recommend that you calculate the fingerprint on your computer. For example, you can use OpenSSL to calculate the fingerprint. Then, you can compare the calculation result with the calculation result provided by Alibaba Cloud. For more information about OpenSSL, visit the official website of OpenSSL. If the calculation results are different, the URL of the issuer may have been attacked. Make sure that you enter a valid fingerprint.
URL of an issuerThe URL of an issuer that is provided by an external IdP. The URL is indicated by the iss field in an OIDC token. The URL of the issuer must start with https and be in the valid URL format. The URL cannot contain query parameters that follow a question mark (?) or logon information that is identified by at signs (@). The URL cannot be a fragment URL that contains number signs (#).
STS tokenA temporary identity credential that is provided by Alibaba Cloud Security Token Service (STS). STS allows you to manage temporary credentials for your Alibaba Cloud resources. You can configure a validity period and specify access permissions for an STS token. For more information about STS, see What is STS?

SSO methods

Alibaba Cloud provides the following SSO methods:

  • User-based SSO

    The RAM user identity that you can use to log on to the Alibaba Cloud Management Console is determined based on an SAML assertion. After you log on to the Alibaba Cloud Management Console, you can access Alibaba Cloud resources as a RAM user. For more information, see Overview of user-based SSO.

  • Role-based SSO
    Alibaba Cloud supports SAML 2.0-based SSO and OIDC-based SSO.
    • SAML 2.0-based SSO: The RAM role that you can use to log on to the Alibaba Cloud Management Console is determined based on a SAML assertion. After you log on to the Alibaba Cloud Management Console, you can use the RAM role specified in the SAML assertion to access Alibaba Cloud resources. For more information, see Overview.
    • OIDC-based SSO: You can use an OIDC token that is issued by an IdP to call an Alibaba Cloud operation to assume a specific RAM role and use the OIDC token to obtain an STS token. Then, you can use the STS token to access Alibaba Cloud resources. For more information, see Overview of OIDC-based SSO.

Comparison between role-based SSO and user-based SSO

SSO methodSP-initiated SSOIdP-initiated SSOLogon by using logon names and passwords of RAM usersAssociation of multiple Alibaba Cloud accounts with a single IdPMultiple IdPs
User-based SSOSupportedSupportedNot supportedNot supportedNot supported
Role-based SSONot supportedSupportedSupportedSupportedSupported
Note For more information about the differences between the two SSO methods, see Scenarios of SSO.