This topic provides an example on how to implement role-based single sign-on (SSO)
from OneLogin to Alibaba Cloud. The example describes the end-to-end role-based SSO
process from a cloud identity provider (IdP) to Alibaba Cloud.
Background information
In this example, an enterprise has an Alibaba Cloud account, a OneLogin administrator
account, and multiple OneLogin users. The enterprise wants the OneLogin users to use
their OneLogin accounts to access Alibaba Cloud by using role-based SSO without the
need to create RAM users in Alibaba Cloud.
For more information about OneLogin, see OneLogin documentation.
Step 1: Create an application in OneLogin
- Log on to OneLogin as an administrator.
- To the left of the profile picture, click Administration to go to the Administration page.
- In the top navigation bar, choose .
- In the upper-right corner of the Applications page, click Add App.
- On the Find Applications page, search for SAML Test Connector (Advanced).
- On the page that appears, click SAML Test Connector (Advanced). On the Add SAML Test Connector (Advanced) page, configure the parameters and click Save.
In this example, set the Display Name parameter to LoginToAliyun. Use the default values for other parameters.
- On the page that appears, move the pointer over More Actions in the upper-right corner and select SAML Metadata from the drop-down list. The IdP metadata file is downloaded. Save the file to your computer.
Step 2: Create an IdP in the Alibaba Cloud Management Console
- Log on to the RAM console by using the Alibaba Cloud account.
- In the left-side navigation pane, click SSO.
- On the Role-based SSO tab, click the SAML tab and click Create IdP.
- On the Create IdP page, set IdP Name to OneLogin and configure Remarks.
- In the Metadata File section, click Upload to upload the IdP metadata file that is obtained from Step 1: Create an application in OneLogin.
- Click OK.
- Click Close.
View the details of the created IdP and record the Alibaba Cloud Resource Name (ARN) of the IdP for subsequent use.
Step 3: Create a RAM role in the Alibaba Cloud Management Console
- In the left-side navigation pane of the RAM console, choose .
- On the Roles page, click Create Role.
- In the Create Role panel, select IdP for Select Trusted Entity and click Next.
- In the Configure Role step, configure the RAM Role Name and Note parameters. For example, you can set the RAM Role Name parameter to Reader-OneLogin.
- Select SAML for the IdP Type parameter.
- Select OneLogin that you created in Step 2: Create an IdP in the Alibaba Cloud Management Console for the Select IdP parameter, read the conditions, and then click OK.
- Click Close.
View the details of the created RAM role and record the ARN of the RAM role for subsequent use.
Step 4: Configure the application in OneLogin
- Log on to OneLogin as an administrator.
- Create a custom user attribute.
- In the top navigation bar, choose .
- On the Users page, move the pointer over More Actions in the upper-right corner and select Custom user fields from the drop-down list.
- In the upper-right corner of the Custom User Fields page, click New User Field.
- In the New User Field dialog box, configure the Name and Shortname parameters and click Save.
In this example, set the Name parameter to AliyunRoles for SSO and the Shortname parameter to AliyunRoles.
- Configure the application.
- In the top navigation bar, choose .
- On the Applications page, click LoginToAliyun that you created in Step 1: Create an application in OneLogin.
- In the left-side navigation pane of the page that appears, click Configuration.
- In the Application details section, configure the following parameters and click Save.
- RelayState: Enter a URL. You are redirected to the URL after logon.
Note For security purposes, you must enter a URL that points to an Alibaba website for
the RelayState parameter. For example, the domain name in the URL can be *.aliyun.com, *.hichina.com,
*.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If you
leave this parameter empty, you are redirected to the homepage of the Alibaba Cloud
Management Console after logon.
- Audience (EntityID): Enter urn:alibaba:cloudcomputing:international.
- Recipient: Enter https://signin.alibabacloud.com/saml-role/sso.
- ACS (Consumer) URL: Enter https://signin.alibabacloud.com/saml-role/sso.
- In the left-side navigation pane, click Parameters.
- Click the icon to create the first custom application attribute.
- In the New Field dialog box, set the Field name parameter to https://www.aliyun.com/SAML-Role/Attributes/Role, select Include in SAML assertion and Multi-value parameter, and then click Save.
- In the Edit Field https://www.aliyun.com/SAML-Role/Attributes/Role dialog box, select Aliyun Roles for SSO (Custom) from the first drop-down list and Semicolon Delimited input (Multi-value output) from the second drop-down list in the Default if no value selected section. Then, click Save.
- Click the icon again to create the second custom application attribute.
- In the New Field dialog box, set the Field name parameter to https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName, select Include in SAML assertion, and then click Save.
- In the Edit Field https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName dialog box, select Email from the drop-down list in the Value section and click Save.
Note You can also select another value such as Username or userPrincipalName from the drop-down list in the Value section based on your business requirements.
- In the upper-right corner of the page, click Save.
Step 5: Create a user in OneLogin and assign the application to the user
- Log on to OneLogin as an administrator.
- In the top navigation bar, choose .
- Create a user.
Note If you have a OneLogin user, skip this step.
- In the upper-right corner of the Users page, click New User.
- On the New User page, configure the parameters. For example, set the First name parameter to Jack, the Last name parameter to Lee, the Username parameter to jacklee, the Email parameter to jacklee@example.com, and then click Save User.
- On the page that appears, move the pointer over More Actions in the upper-right corner and select Change Password from the drop-down list. Configure a password for the user and click Update.
The user can log on to OneLogin by using the password.
- In the Custom Fields section of the page that appears, configure the Aliyun Roles for SSO parameter.
The value of the Aliyun Roles for SSO parameter consists of the ARN of the RAM role and the ARN of the IdP, separated by a comma (,). The value must be in the acs:ram::<account_id>:role/RoleName,acs:ram::<account_id>:saml-provider/ProviderName format. The ARN of the RAM role is obtained from Step 3: Create a RAM role in the Alibaba Cloud Management Console, the ARN of the IdP is obtained from Step 2: Create an IdP in the Alibaba Cloud Management Console, and <account_id> is the ID of the Alibaba Cloud account.
Note If a user corresponds to multiple RAM roles, you can configure more than one value. The values are separated by semicolons (;). For example, you can set acs:ram::125022144354****:role/reader-onelogin,acs:ram::125022144354****:saml-provider/OneLogin;acs:ram::125022144354****:role/administrator-onelogin,acs:ram::125022144354****:saml-provider/OneLogin;acs:ram::158622887609****:role/finance,acs:ram::158622887609****:saml-provider/OneLogin2 for the Aliyun Roles for SSO parameter.
- Assign the application to the user.
- On the Applications page, click the icon.
- Select LoginToAliyun created in Step 1: Create an application in OneLogin and click Continue.
- In the dialog box that appears, click Save.
- In the upper-right corner of the Users page, click Save User.
- Repeat steps 4 to 6 to configure the Aliyun Roles for SSO parameter for other users of the enterprise and assign LoginToAliyun to the users.
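The following Python is an added example, not code from this page or from OneLogin or Alibaba Cloud. It checks an Aliyun Roles for SSO value against the role/provider ARN format described in Step 5, builds the two SAML attributes configured in Step 4 the way OneLogin's semicolon-delimited multi-value output emits them, and applies the RelayState domain restriction from the note in Step 4. The function names, the loose ARN name pattern and the acceptance of the page's masked account IDs (****) are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# ARN shapes the page describes. Account IDs are masked as 125022144354**** on the
# page, so '*' is accepted alongside digits (assumption, so the page's samples validate).
ROLE_ARN = re.compile(r"^acs:ram::(?P<account>[0-9*]+):role/(?P<name>[^,;/\s]+)$")
PROVIDER_ARN = re.compile(r"^acs:ram::(?P<account>[0-9*]+):saml-provider/(?P<name>[^,;/\s]+)$")

# Domain suffixes the page lists as acceptable RelayState targets (*.aliyun.com etc.).
RELAYSTATE_SUFFIXES = (".aliyun.com", ".hichina.com", ".yunos.com", ".taobao.com",
                       ".tmall.com", ".alibabacloud.com", ".alipay.com")

def parse_role_field(value: str) -> list[tuple[str, str]]:
    """Split an 'Aliyun Roles for SSO' value into (role_arn, provider_arn) pairs.
    Entries are ';'-separated; each entry is 'role ARN,provider ARN'.
    Raises ValueError for anything that does not match the documented format."""
    pairs = []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        parts = [p.strip() for p in entry.split(",")]
        if len(parts) != 2:
            raise ValueError(f"expected 'role,provider' but got {entry!r}")
        role, provider = parts
        rm, pm = ROLE_ARN.match(role), PROVIDER_ARN.match(provider)
        if rm is None:
            raise ValueError(f"not a RAM role ARN: {role!r}")
        if pm is None:
            raise ValueError(f"not a SAML provider ARN: {provider!r}")
        if rm["account"] != pm["account"]:  # the format uses one <account_id> for both ARNs
            raise ValueError(f"role and IdP are in different accounts: {entry!r}")
        pairs.append((role, provider))
    if not pairs:
        raise ValueError("no role entries configured")
    return pairs

def relay_state_allowed(url: str) -> bool:
    """True if RelayState is empty (console homepage) or its host is on a listed domain."""
    if url == "":
        return True
    host = (urlsplit(url).hostname or "").lower()
    return any(host.endswith(suffix) for suffix in RELAYSTATE_SUFFIXES)

def attribute_statement(role_field: str, session_name: str) -> dict[str, list[str]]:
    """Attribute name -> values as carried in the SAML assertion sent to Alibaba Cloud."""
    return {
        "https://www.aliyun.com/SAML-Role/Attributes/Role":
            [f"{r},{p}" for r, p in parse_role_field(role_field)],
        "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName": [session_name],
    }
```

Running parse_role_field over a user's field before assigning the application catches the typos (missing comma, mismatched account ID, wrong resource type) that otherwise only surface as a failed logon on the Alibaba Cloud side.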