This topic describes how to manage an OpenID Connect (OIDC) identity provider (IdP). Before you implement OIDC-based single sign-on (SSO), you must create an OIDC IdP.
Create an OIDC IdP
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Role-based SSO tab, click the OIDC tab. Then, click Create IdP.
- On the Create IdP page, configure the following parameters.
  - IdP Name: The name must be unique within an Alibaba Cloud account.
  - IdP URL: The issuer URL provided by the external IdP. The URL must start with https and be in a valid URL format. It cannot contain query parameters (a question mark ? followed by parameters), logon information (an at sign @), or a fragment (a number sign #).
  - Fingerprint: The fingerprint of the HTTPS certificate that the external IdP presents at the issuer URL. The fingerprint lets Alibaba Cloud verify that the server it reaches at the issuer URL presents the expected certificate, which protects against the issuer URL being hijacked or tampered with. Alibaba Cloud calculates the fingerprint for you, but do not accept that value blindly: calculate the fingerprint yourself, for example with OpenSSL on your own computer, and compare it with the value that Alibaba Cloud shows. For more information about OpenSSL, visit the official website of OpenSSL. If the two values differ, the issuer URL may be under attack. Make sure that the fingerprint you enter is the correct one.
  - Client ID: The ID that the external IdP generates for an application when you register the application there. You must use this client ID when you request an OIDC token from the external IdP, and the IdP places it in the aud field of the issued token. When you create the OIDC IdP, you must configure the client ID. When an OIDC token is later used to obtain an STS token, Alibaba Cloud checks whether the client ID in the aud field of the token is the same as a client ID configured in the OIDC IdP. The RAM role can be assumed only if they match. If multiple clients need to access Alibaba Cloud resources, you can configure multiple client IDs, up to a maximum of 20.
  - Remarks: The description of the OIDC IdP.
- Click OK.
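The following is an added example, not Alibaba Cloud code, that turns the rules above into offline checks you can run against your own values before you click OK: the issuer URL rules (https, no ?, @ or #), the 1 to 20 client ID limit, fingerprint calculation and comparison, and the iss and aud checks that are applied when an OIDC token is exchanged for an STS token. It assumes that the Fingerprint field holds the SHA-1 hash of the certificate's DER bytes in hex, which is what openssl x509 -fingerprint -sha1 prints; that an aud claim may be a string or a list as OIDC allows; and that the token signature is verified elsewhere against the issuer's keys, so it is not checked here. The issuer URL, client IDs, token and PEM blob are constructed for the example.

```python
"""Offline checks mirroring the OIDC IdP rules on this page (added example, not Alibaba Cloud code)."""
import base64
import hashlib
import json
import re
import time

MAX_CLIENT_IDS = 20     # limit stated on the page
MAX_FINGERPRINTS = 5    # limit stated on the page


def validate_issuer_url(url):
    """IdP URL rules: https scheme, a host, and no ? (query), @ (logon info) or # (fragment)."""
    if not url.startswith("https://"):
        return False, "issuer URL must start with https://"
    rest = url[len("https://"):]
    if not rest or rest.startswith("/"):
        return False, "issuer URL must contain a host"
    for ch, what in (("?", "query parameters"), ("@", "logon information"), ("#", "a fragment")):
        if ch in url:
            return False, "issuer URL must not contain %s (%s)" % (what, ch)
    return True, "ok"


def client_ids_ok(client_ids):
    """At least one and at most 20 distinct client IDs may be configured."""
    return 1 <= len(set(client_ids)) <= MAX_CLIENT_IDS


def pem_fingerprint(pem_text):
    """SHA-1 over the DER bytes inside a PEM certificate, upper-case hex without colons.
    Assumption: this matches the hash `openssl x509 -fingerprint -sha1` prints."""
    body = "".join(line.strip() for line in pem_text.strip().splitlines()
                   if not line.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()


def fingerprints_match(a, b):
    """Compare two fingerprints regardless of colons, spaces or letter case."""
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(a) != "" and norm(a) == norm(b)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_demo_token(claims):
    """Constructed, unsigned JWT for offline testing; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + ".placeholder-signature"


def check_token_for_idp(token, idp_url, client_ids, now=None):
    """Claim checks for the OIDC-to-STS exchange: iss must equal the configured IdP URL and
    aud must carry a configured client ID; exp is checked as well. Signature verification
    against the issuer's keys is assumed to happen elsewhere and is not done here."""
    try:
        _, payload, _ = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return False, "token is not a well-formed JWT"
    if claims.get("iss") != idp_url:
        return False, "iss %r does not match IdP URL %r" % (claims.get("iss"), idp_url)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # OIDC allows a string or an array
    if not any(a in client_ids for a in auds):
        return False, "aud %r contains no configured client ID" % (aud,)
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token is expired or has no exp"
    return True, "token acceptable for role assumption"


# Constructed sample values (hypothetical issuer, client IDs and token).
IDP_URL = "https://idp.example.com"
CONFIGURED_CLIENT_IDS = ["app-client-id-1", "app-client-id-2"]
SAMPLE_TOKEN = build_demo_token(
    {"iss": IDP_URL, "sub": "alice", "aud": "app-client-id-1", "exp": 4102444800})
# Constructed stand-in for a certificate: PEM framing around base64 of arbitrary bytes.
# A real certificate downloaded from the issuer is passed to pem_fingerprint() the same way.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed stand-in for DER certificate bytes").decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(validate_issuer_url(IDP_URL))
    print(client_ids_ok(CONFIGURED_CLIENT_IDS))
    print(pem_fingerprint(SAMPLE_PEM))
    print(check_token_for_idp(SAMPLE_TOKEN, IDP_URL, CONFIGURED_CLIENT_IDS))
```

To obtain the live certificate for the fingerprint comparison, run openssl s_client -connect idp.example.com:443 -servername idp.example.com </dev/null | openssl x509 -fingerprint -sha1 -noout on your own machine (hypothetical host) and pass the result to fingerprints_match() together with the value the console shows. The page does not say which certificate in the chain the console hashes, so if the leaf does not match, check the other certificates in the chain before concluding that the issuer URL is under attack.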
View the information about an OIDC IdP
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Role-based SSO tab, click the OIDC tab. Then, click the name of the OIDC IdP whose information you want to view.
- In the Details section of the page that appears, view IdP Name, IdP Type, Created At, Updated At, Remarks, ARN, and URL.
Modify the information about an OIDC IdP
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Role-based SSO tab, click the OIDC tab. Then, click the name of the OIDC IdP whose information you want to modify.
- In the Details section of the page that appears, click Edit to the right of Remarks to modify the description of the OIDC IdP.
- In the Client ID section, click Add or Delete to add or remove a client ID. Note You can add a maximum of 20 client IDs. You must retain at least one client ID.
- In the Fingerprint section, click Add or Delete to add or delete a fingerprint. Note You can add a maximum of five fingerprints. You must retain at least one fingerprint.
Delete an OIDC IdP
Warning After you delete an IdP, role-based single sign-on (SSO) cannot be implemented between your business system and Resource Access Management (RAM).
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Role-based SSO tab, click the OIDC tab. Then, find the OIDC IdP that you want to delete and click Delete in the Actions column.
- In the Delete message, click OK.