This topic describes how to create a Resource Access Management (RAM) role for a trusted
identity provider (IdP). This type of RAM role is used to implement single sign-on
(SSO) between Alibaba Cloud and a trusted IdP.
Prerequisites
An IdP is created.
Create a RAM role for a SAML IdP
To implement SAML 2.0-based SSO, you must create a RAM role for a SAML IdP.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Roles page, click Create Role.
- In the Create Role panel, select IdP for Select Trusted Entity and click Next.
- Specify the RAM Role Name and Note parameters.
- Select SAML for IdP Type.
- Select a trusted IdP, read the conditions, and then click OK.
Note: Only the saml:recipient condition key is supported. This condition key is required and cannot be changed.
- Click Close.
Create a RAM role for an OIDC IdP
To implement OIDC-based SSO, you must create a RAM role for an OIDC IdP.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Roles page, click Create Role.
- In the Create Role panel, select IdP for Select Trusted Entity and click Next.
- Specify the RAM Role Name and Note parameters.
- Select OIDC for IdP Type.
- Select a trusted IdP, specify the conditions in the Conditions section, and then click
OK.
The following table describes the supported conditions.
Condition key | Description | Required | Example
--- | --- | --- | ---
oidc:iss | The issuer. You can assume the RAM role only if the iss field of the OIDC token that you want to use to assume the RAM role meets this condition. The conditional operator must be StringEquals. The value must be the URL of the issuer that you specify for the selected OIDC IdP. You can specify this condition to ensure that you can use the OIDC token to assume the RAM role only if the OIDC token is issued by a trusted IdP. | Yes | https://dev-xxxxxx.okta.com
oidc:aud | The audience. You can assume the RAM role only if the aud field of the OIDC token that you want to use to assume the RAM role meets this condition. The conditional operator must be StringEquals. The value can be one or more client IDs that you specify for the selected OIDC IdP. You can specify this condition to ensure that you can use the OIDC token to assume the RAM role only if the OIDC token is generated by using the client ID that you specify. | Yes | 0oa294vi1vJoClev****
oidc:sub | The subject. You can assume the RAM role only if the sub field of the OIDC token that you want to use to assume the RAM role meets this condition. The conditional operator can be a string operator of any type. The value can be up to 10 subjects. You can specify this condition to further limit the identity that you can use to assume the RAM role. You can also leave this condition unspecified. | No | 00u294e3mzNXt4Hi****
- Click Close.
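The condition rules in the table above (iss and aud required and StringEquals-only, sub optional with any string operator and at most 10 values), as an added example that is not Alibaba Cloud's own code: a small Python evaluator that checks already signature-verified OIDC token claims against a condition block. The block shape {operator: {condition key: value(s)}}, the glob reading of the *Like operators, and all sample values are assumptions.

```python
import fnmatch

# Condition keys from the table above, mapped to the OIDC token claims they inspect.
CLAIM_FOR_KEY = {"oidc:iss": "iss", "oidc:aud": "aud", "oidc:sub": "sub"}
REQUIRED_KEYS = {"oidc:iss", "oidc:aud"}  # must be present; StringEquals only
# String operators. Assumption: the *Like operators use glob-style '*' wildcards.
OPERATORS = {
    "StringEquals": lambda actual, allowed: actual == allowed,
    "StringNotEquals": lambda actual, allowed: actual != allowed,
    "StringLike": lambda actual, allowed: fnmatch.fnmatchcase(actual, allowed),
    "StringNotLike": lambda actual, allowed: not fnmatch.fnmatchcase(actual, allowed),
}
# Constructed sample condition block: {operator: {condition key: value(s)}}.
SAMPLE_CONDITIONS = {
    "StringEquals": {"oidc:iss": "https://idp.example.com", "oidc:aud": ["client-abc"]},
    "StringLike": {"oidc:sub": "user-*"},
}

def _as_list(value):
    return list(value) if isinstance(value, (list, tuple, set)) else [value]

def can_assume_role(claims, conditions):
    """Return (allowed, reason) for verified token claims checked against a condition block."""
    seen = set()
    for operator, checks in conditions.items():
        match = OPERATORS.get(operator)
        if match is None:
            return False, f"unsupported operator {operator}"
        for key, allowed in checks.items():
            if key not in CLAIM_FOR_KEY:
                return False, f"unknown condition key {key}"
            if key in REQUIRED_KEYS and operator != "StringEquals":
                return False, f"{key} only supports StringEquals"
            allowed = _as_list(allowed)
            if key == "oidc:sub" and len(allowed) > 10:
                return False, "oidc:sub accepts at most 10 subjects"
            actual = _as_list(claims.get(CLAIM_FOR_KEY[key], []))
            if not actual:
                return False, f"token has no {CLAIM_FOR_KEY[key]} claim"
            # Positive operators need one (actual, allowed) pair to match; negative ones need all.
            pairs = [match(a, b) for a in actual for b in allowed]
            ok = all(pairs) if operator.startswith("StringNot") else any(pairs)
            if not ok:
                return False, f"{key} does not satisfy {operator}"
            seen.add(key)
    missing = REQUIRED_KEYS - seen
    if missing:
        return False, f"missing required condition(s): {sorted(missing)}"
    return True, "ok"
```

A condition block that omits oidc:iss or oidc:aud, or applies a non-StringEquals operator to them, is rejected outright rather than evaluated, mirroring the "Required" column.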
What to do next
After a RAM role is created, the RAM role has no permissions. You can grant permissions
to the RAM role. For more information, see Grant permissions to a RAM role.