
Resource Access Management:FAQ about SSO

Last Updated: Mar 08, 2024

This topic provides answers to some frequently asked questions about single sign-on (SSO) in Resource Access Management (RAM).

How do I view a SAML response in Google Chrome?

If an issue occurs during SSO, you can view the Security Assertion Markup Language (SAML) response in Google Chrome to troubleshoot the issue. The steps that you need to perform to view a SAML response vary based on the browser version. In this example, Google Chrome 108.0.5359.125 (64-bit) is used.

  1. Press F12 to open DevTools.

  2. Click Network and select Preserve log.

  3. Implement SSO again to reproduce the issue.

  4. Search for sso in the displayed logs on the Network tab. Click the required record and click the Payload tab to view the SAML response.

What do I do if the error message "The user does not exist" is reported during a user-based SSO?

Cause: Alibaba Cloud uses a User Principal Name (UPN) to identify a RAM user. The SAML response that is generated by your identity provider (IdP) must contain the UPN of the RAM user. The suffix of the UPN can be a domain alias, an auxiliary domain name, or a default domain name. If the suffix of the username of the user in your IdP is different from the suffix of the UPN of the RAM user, the match fails. For more information, see the NameID element and NameID example sections in SAML response for user-based SSO.

Solution: Specify an auxiliary domain name to make sure that the suffix of the UPN of the RAM user is the same as the suffix of the username of the user in your IdP. For more information, see Configure the SAML settings of Alibaba Cloud for role-based SSO.

Cause: No RAM users are created in RAM, or the username of the created RAM user is different from the username of the user in your IdP.

Solution:

  • Change the username of the RAM user to the username of the user in your IdP.

  • The username of a RAM user can be up to 64 characters in length, and can contain only letters, digits, hyphens (-), underscores (_), and periods (.). The username of the user in your IdP must also meet the preceding requirements. If the username of the user in your IdP does not meet the preceding requirements, use one of the following methods to resolve the issue:

    • Change the username of the user in your IdP based on the preceding requirements.

    • Change the field that uniquely identifies the user in the SSO settings of your IdP. For example, you can use the email address of the user, which can uniquely identify the user and does not contain special characters.

    • Configure a conversion rule of username mapping in the SSO settings of your IdP.

Cause: The user failed to be synchronized by using System for Cross-domain Identity Management (SCIM).

Solution: Query the SCIM synchronization logs in your IdP and troubleshoot the issue.

Cause: The UPN of the user in your IdP is different from the UPN that is synchronized to RAM. The following list describes the possible causes:

  • The username of the user that is synchronized to RAM by using SCIM does not use a UPN.

  • A conversion rule of username mapping is configured in the SCIM synchronization settings.

Solution: Make sure that the conversion rule that is configured in the SSO settings of your IdP is the same as the conversion rule that is configured in the SCIM synchronization settings.

Cause: The Audience sub-element that is contained in the Conditions element in the SAML response is set to an invalid value. Specifically, the value of accountId is invalid.

Solution: In the SAML response, find the AudienceRestriction sub-element in the Conditions element and make sure that the AudienceRestriction sub-element contains an Audience sub-element, the Audience sub-element is set to https://signin-intl.aliyun.com/${accountId}/saml/SSO, and the value of ${accountId} is the ID of the Alibaba Cloud account.

Some IdPs use the Audience URL sub-element instead. Make sure that the value of that sub-element is correct.

What do I do if the error message "NoPermission.NotTrusted" is reported during a role-based SSO?

Cause: In the AttributeStatement element of the SAML response, search for the Attribute element whose Name attribute is set to https://www.aliyun.com/SAML-Role/Attributes/Role. The value of the Attribute element is the combination of the name of the RAM role and the name of your IdP. If the name of the RAM role and the name of your IdP do not exist in Alibaba Cloud, or the IdP that is configured in the trust policy of the RAM role is different from the IdP in the value of the Name attribute, the error message is reported. For more information, see SAML response for role-based SSO.

What do I do if the error message "Role attribute error" is reported during a role-based SSO?

Cause: The Attribute element whose Name attribute is set to https://www.aliyun.com/SAML-Role/Attributes/Role is not configured or is invalid in your IdP.

Solution: Modify the configuration of the Attribute element in your IdP. For more information, see SAML response for role-based SSO.

What do I do if the "InvalidParameter.RoleSessionName" error message is reported during a role-based SSO?

Cause: The Attribute element whose Name attribute is set to https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName is invalid in your IdP.

Solution: Check and modify the configuration of the Attribute element in your IdP. First, check whether the Attribute element exists. Then, check whether the Attribute element is correctly specified. The value of the Attribute element must be 2 to 64 characters in length, and can contain only letters, digits, and the following special characters: - _ . @ =. For more information, see SAML response for role-based SSO.

Cause: You do not specify a value for the attribute that corresponds to the RoleSessionName element in the IdP for the current logon user. For example, the Email attribute is specified for the RoleSessionName element in the IdP, but you do not specify a value for the Email attribute for the current logon user in the IdP.

Solution: Make sure that an attribute is specified for the RoleSessionName element and a value is specified for the attribute for the current logon user in the IdP.
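The checks in the preceding questions (the Audience value for user-based SSO, the UPN suffix and RAM username rules, and the Role and RoleSessionName attributes for role-based SSO) can be run offline against the SAMLResponse value copied from the Payload tab in Chrome DevTools. The following script is an added example and is not code from Alibaba Cloud or this topic. It assumes that a Role attribute value has the layout "<role ARN>,<saml-provider ARN>" (this page only says the value combines the RAM role name and the IdP name; verify the exact layout in SAML response for role-based SSO), and the account ID, names and the embedded sample response are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces and the two attribute names quoted in the FAQ
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"
SESSION_NAME_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName"

# Constraints stated in the FAQ: RAM username up to 64 chars of letters, digits, - _ .;
# RoleSessionName 2 to 64 chars of letters, digits, - _ . @ =
RAM_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
ROLE_SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9._@=-]{2,64}$")


def decode_saml_response(saml_response_b64):
    """Decode the base64 SAMLResponse form field copied from the Payload tab into an XML tree."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def attributes(root):
    """Map each Attribute Name in the AttributeStatement to its non-empty AttributeValue texts."""
    result = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        result[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                                    if v.text and v.text.strip()]
    return result


def check_audience(root, account_id):
    """Conditions/AudienceRestriction/Audience must name this account's SSO endpoint."""
    expected = f"https://signin-intl.aliyun.com/{account_id}/saml/SSO"
    found = [a.text.strip() for a in
             root.findall(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    return [] if expected in found else [f"Audience: expected {expected}, found {found or 'none'}"]


def check_user_sso(root, account_id, upn_suffixes):
    """User-based SSO: Audience, plus a NameID that is a UPN whose suffix and local part RAM can match."""
    findings = check_audience(root, account_id)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return findings + ["NameID: element missing or empty"]
    upn = name_id.text.strip()
    local, at, suffix = upn.partition("@")
    if not at:
        return findings + [f"NameID: '{upn}' is not a UPN (no @domain suffix)"]
    if suffix not in upn_suffixes:
        findings.append(f"NameID: suffix '{suffix}' is not a domain configured for the RAM user")
    if not RAM_USERNAME_RE.match(local):
        findings.append(f"NameID: '{local}' violates the RAM username rules (<=64 chars; letters, digits, - _ .)")
    return findings


def check_role_sso(root, account_id, trusted_provider):
    """Role-based SSO: Audience, the Role attribute and the RoleSessionName attribute."""
    findings = check_audience(root, account_id)
    attrs = attributes(root)
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        findings.append(f"Role: attribute {ROLE_ATTR} missing or empty")
    for value in roles:
        # Assumed value layout (not spelled out on this page): "<role ARN>,<saml-provider ARN>"
        parts = value.split(",")
        if len(parts) != 2 or ":role/" not in parts[0] or ":saml-provider/" not in parts[1]:
            findings.append(f"Role: '{value}' is not '<role ARN>,<saml-provider ARN>'")
            continue
        if f":{account_id}:" not in parts[0] or f":{account_id}:" not in parts[1]:
            findings.append(f"Role: '{value}' does not belong to account {account_id}")
        provider = parts[1].rsplit("/", 1)[1]
        if provider != trusted_provider:
            findings.append(f"Role: provider '{provider}' is not the IdP '{trusted_provider}' in the trust policy")
    sessions = attrs.get(SESSION_NAME_ATTR, [])
    if not sessions:
        findings.append(f"RoleSessionName: attribute {SESSION_NAME_ATTR} missing or has no value")
    for value in sessions:
        if not ROLE_SESSION_NAME_RE.match(value):
            findings.append(f"RoleSessionName: '{value}' must be 2-64 chars of letters, digits, - _ . @ =")
    return findings


# Constructed sample response (not a real capture); account ID and names are placeholders.
SAMPLE_ACCOUNT_ID = "123456789012345"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://signin-intl.aliyun.com/{SAMPLE_ACCOUNT_ID}/saml/SSO</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>acs:ram::{SAMPLE_ACCOUNT_ID}:role/example-role,acs:ram::{SAMPLE_ACCOUNT_ID}:saml-provider/example-idp</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{SESSION_NAME_ATTR}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    root = decode_saml_response(SAMPLE_B64)
    print("user-based SSO:", check_user_sso(root, SAMPLE_ACCOUNT_ID, {"example.com"}) or "OK")
    print("role-based SSO:", check_role_sso(root, SAMPLE_ACCOUNT_ID, "example-idp") or "OK")
    print("wrong account :", check_role_sso(root, "000000000000000", "other-idp"))
```

Replace SAMPLE_B64 with the SAMLResponse value from DevTools, pass your own account ID, the UPN suffixes configured for the RAM user, and the IdP name from the role's trust policy; an empty findings list means the response passes every check this page describes, and each finding names the element to correct in the IdP.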

What do I do if the error message "The assertion signature is invalid" or "The assertion signature is invalid or Sigin token expired" is reported during SSO logon?

Cause: The public-private key pair that is used for signatures in your IdP is rotated. However, the metadata of your IdP in Alibaba Cloud is not updated.

Solution: Update the metadata of your IdP in Alibaba Cloud. You can download the latest metadata file from your IdP, and then upload the metadata file to Alibaba Cloud.

Cause: The public-private key pair that is used for signatures in your IdP is rotated, and the metadata of your IdP in Alibaba Cloud is updated. During the rotation, the original private key may still be used in your IdP, but the metadata of your IdP in Alibaba Cloud contains only the new public key.

Solution: We recommend that you specify both the original public key and the new public key in the metadata of your IdP.

  • Create a certificate. Do not disable or delete the original certificate.

  • Download the new metadata file and check whether the original public key and the new public key are included in the metadata file.

    • For some IdPs, such as Azure AD, the original certificate and new certificate are included in the new metadata file.

    • If the new metadata file does not contain both the original public key and the new public key, you must manually add the original certificate and the new certificate to the new metadata file. You can download the original metadata file from the SSO settings in the RAM console and copy the information about the X509Certificate element, which is the information about the original certificate. Add the copied information to the KeyDescriptor element of the new metadata file and save the modification.

  • Upload the new metadata file to the SSO settings in the RAM console.

  • Enable the new certificate and disable the original certificate in the SSO settings of your IdP.
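The manual merge step above (copy the X509Certificate of the original metadata into a KeyDescriptor of the new metadata) is easy to get wrong by hand, because the certificate text is long and the KeyDescriptor must sit inside IDPSSODescriptor. The following script is an added example, not a tool from Alibaba Cloud or this topic: it reads both metadata files, adds every signing certificate of the original that the new file lacks, and is idempotent so it can be rerun safely. The two metadata documents and the certificate bodies are constructed placeholders, not real certificates.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Keep the conventional prefixes in the serialized output
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def signing_certs(metadata_xml):
    """Return the X509Certificate bodies under signing KeyDescriptor elements, whitespace removed.
    A KeyDescriptor without a use attribute is valid for both uses, so it counts as signing."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))
    return certs


def merge_original_certs(original_xml, new_xml):
    """Add each signing certificate of original_xml that new_xml does not already carry.
    Returns (merged metadata as a string, number of certificates added)."""
    new_root = ET.fromstring(new_xml)
    present = set(signing_certs(new_xml))
    idp = new_root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("new metadata has no IDPSSODescriptor element")
    # Insert right after the last existing KeyDescriptor so the schema order is preserved
    children = list(idp)
    insert_at = max((i + 1 for i, c in enumerate(children) if c.tag == f"{{{MD_NS}}}KeyDescriptor"),
                    default=0)
    added = 0
    for cert in signing_certs(original_xml):
        if cert in present:
            continue
        kd = ET.Element(f"{{{MD_NS}}}KeyDescriptor", use="signing")
        key_info = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate").text = cert
        idp.insert(insert_at, kd)
        insert_at += 1
        present.add(cert)
        added += 1
    return ET.tostring(new_root, encoding="unicode"), added


def constructed_metadata(*certs):
    """Build a minimal IdP metadata document (constructed for this example) carrying the given certs."""
    key_descriptors = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in certs)
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example/metadata">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{key_descriptors}"
            f'<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
            f'Location="https://idp.example/sso"/>'
            f"</md:IDPSSODescriptor></md:EntityDescriptor>")


# Placeholder certificate bodies; real ones are the base64 DER text of the X509Certificate element
ORIGINAL_CERT = "PLACEHOLDER-ORIGINAL-CERT-BASE64"
NEW_CERT = "PLACEHOLDER-NEW-CERT-BASE64"
ORIGINAL_METADATA = constructed_metadata(ORIGINAL_CERT)
NEW_METADATA = constructed_metadata(NEW_CERT)

if __name__ == "__main__":
    merged, added = merge_original_certs(ORIGINAL_METADATA, NEW_METADATA)
    print(f"added {added} certificate(s); signing certs now: {signing_certs(merged)}")
```

In practice, read ORIGINAL_METADATA from the file downloaded from the RAM console and NEW_METADATA from the file downloaded from the IdP, write the merged string to a new file, and check with signing_certs that both the original and the new certificate are listed before uploading it.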

Cause: The metadata file failed to be uploaded because the size of the metadata file is excessively large.

Solution: Wait until the upload is complete. Then, download the uploaded metadata file to confirm that the upload succeeded.

What do I do if I am prompted that parameters are not specified or are invalid in the metadata of my self-managed IdP?

Cause: Parameters in your metadata are not configured based on the SAML 2.0 protocol.

Solution: Configure the parameters based on the SAML 2.0 protocol. For more information, visit SAML 2.0.