Obtains a Security Token Service (STS) token to assume a Resource Access Management (RAM) role during role-based single sign-on (SSO) by using Security Assertion Markup Language (SAML).
Operation Description
Prerequisites
- A SAML response is obtained from an external identity provider (IdP).
- A SAML IdP is created in the RAM console. For more information, see Create a SAML IdP or CreateSAMLProvider.
- A RAM role whose trusted entity is a SAML IdP is created in the RAM console. For more information, see Create a RAM role for a trusted IdP or CreateRole.
Authorization information
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
SAMLProviderArn | string | Yes | The Alibaba Cloud Resource Name (ARN) of the SAML IdP that is created in the RAM console. Format: You can view the ARN in the RAM console or by calling operations. | acs:ram::123456789012****:saml-provider/company1 |
RoleArn | string | Yes | The ARN of the RAM role. The trusted entity of the RAM role is a SAML IdP. For more information, see Create a RAM role for a trusted IdP or CreateRole. Format: You can view the ARN in the RAM console or by calling operations. | acs:ram::123456789012****:role/adminrole |
SAMLAssertion | string | Yes | The Base64-encoded SAML assertion. The value must be 4 to 100,000 characters in length. Note: a complete SAML response, rather than a single SAMLAssertion field, must be retrieved from the external IdP. | base64_encoded_saml_assertion |
Policy | string | No | The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than those granted to the RAM role. The value must be 1 to 2,048 characters in length. | url_encoded_policy |
DurationSeconds | long | No | The validity period of the STS token. Unit: seconds. Minimum value: 900. Maximum value: the value of the You can call the CreateRole or UpdateRole operation to configure the | 3600 |
Signature, SignatureMethod, SignatureVersion, and AccessKeyId.
Response parameters
Example
Normal return example
```json
{
  "RequestId": "6894B13B-6D71-4EF5-88FA-F32781734A7F",
  "SAMLAssertionInfo": {
    "SubjectType": "persistent",
    "Subject": "alice@example.com",
    "Issuer": "http://example.com/adfs/services/trust",
    "Recipient": "https://signin.aliyun.com/saml-role/SSO"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "34458433936495****:alice",
    "Arn": "acs:sts::123456789012****:assumed-role/AdminRole/alice"
  },
  "Credentials": {
    "SecurityToken": "********",
    "Expiration": "2015-04-09T11:52:19Z",
    "AccessKeySecret": "wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pK****",
    "AccessKeyId": "STS.L4aBSCSJVMuKg5U1****"
  }
}
```
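As an added example, not code from this page or from Alibaba Cloud's SDKs, the following Python helper enforces the documented limits on the request parameters above (including the note that a complete SAML Response, not a bare Assertion, must be passed as SAMLAssertion) and reads Credentials.Expiration from a response like the one shown. The action name AssumeRoleWithSAML and the sample SAML XML are assumptions; the XML is constructed and unsigned.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"  # SAML 2.0 protocol namespace

def check_saml_response(b64: str) -> None:
    """Page limits: 4 to 100,000 chars, valid Base64, and a whole <samlp:Response>."""
    if not 4 <= len(b64) <= 100_000:
        raise ValueError("SAMLAssertion must be 4 to 100,000 characters")
    try:
        xml = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("SAMLAssertion is not valid Base64") from exc
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % SAMLP_NS:  # a bare <saml:Assertion> is rejected
        raise ValueError("expected a complete SAML Response, got %s" % root.tag)

def build_request(saml_provider_arn: str, role_arn: str, saml_response_b64: str,
                  policy: Optional[str] = None, duration_seconds: Optional[int] = None) -> dict:
    """Build the request parameters, rejecting values outside the documented limits."""
    check_saml_response(saml_response_b64)
    params = {"Action": "AssumeRoleWithSAML",  # assumed operation name, not from the page
              "SAMLProviderArn": saml_provider_arn, "RoleArn": role_arn,
              "SAMLAssertion": saml_response_b64}
    if policy is not None:
        if not 1 <= len(policy) <= 2048:
            raise ValueError("Policy must be 1 to 2,048 characters")
        params["Policy"] = policy  # session policy: can only narrow the role's permissions
    if duration_seconds is not None:
        if duration_seconds < 900:  # the upper bound is the role's configured maximum
            raise ValueError("DurationSeconds must be at least 900")
        params["DurationSeconds"] = str(duration_seconds)
    return params

def seconds_remaining(response: dict, now: Optional[datetime] = None) -> int:
    """Seconds until Credentials.Expiration; negative means the token is already expired."""
    now = now or datetime.now(timezone.utc)
    exp = datetime.strptime(response["Credentials"]["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return int((exp.replace(tzinfo=timezone.utc) - now).total_seconds())

# Constructed samples (not real IdP output): a minimal unsigned SAML Response and a bare Assertion.
FULL_RESPONSE_B64 = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"/>'
    b'</samlp:Response>').decode()
BARE_ASSERTION_B64 = base64.b64encode(
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"/>').decode()
```

Applied to the page's own sample response, seconds_remaining returns a negative value because its Expiration (2015-04-09T11:52:19Z) is long past, which is the check a client should run before reusing cached STS credentials.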
Error codes
HTTP code | Error code | Error message |
---|---|---|
500 | InternalError | STS Server Internal Error happened, please send the RequestId to us. |
For a list of error codes, visit the API error center.