All Products
Search

This Product

    Resource Access Management:Manage an OIDC IdP

    Document Center

    Resource Access Management:Manage an OIDC IdP

    Last Updated:Apr 18, 2024

    This topic describes how to manage an OpenID Connect (OIDC) identity provider (IdP). Before you implement OIDC-based single sign-on (SSO), you must create an OIDC IdP in the Resource Access Management (RAM) console.

    Create an OIDC IdP

    1. Log on to the RAM console with an Alibaba Cloud account.

    2. In the left-side navigation pane, choose Integrations > SSO.

    3. On the Role-based SSO tab, click the OIDC tab. Then, click Add IdP.

    4. On the Create IdP page, configure the following parameters.

      Parameter

      Description

      IdP Name

      The name must be unique within an Alibaba Cloud account.

      IdP URL

      The URL of the issuer that is provided by an external IdP. The URL of the issuer that is provided by an external IdP. The URL of the issuer must start with https and be a valid URL. The URL cannot contain query parameters that follow a question mark (?), logon information that is identified by at signs (@), or fragment that is identified by number signs (#).

      Fingerprint

      The fingerprint that is generated based on the HTTPS certificate of an external IdP. You can use a fingerprint to prevent the URL of the issuer from being hijacked or tampered with. Alibaba Cloud calculates the fingerprint. We recommend that you calculate the fingerprint on your computer. For example, you can use OpenSSL to calculate the fingerprint. Then, you can compare the calculation result with the calculation result provided by Alibaba Cloud. For more information about OpenSSL, visit the official website of OpenSSL. If the calculation results are different, the URL of the issuer may have been attacked. Make sure that you enter a valid fingerprint.

      Note

      If you want to rotate the certificate of your IdP, we recommend that you generate the fingerprint of the new certificate and add the fingerprint to the OIDC IdP that you created in the RAM console before the rotation. After at least one day, rotate the certificate. You can delete the previous fingerprint after you obtain a Security Token Service (STS) token.

      Client ID

      The ID that is generated for an application when you register the application in the external IdP. When you apply for an OIDC token from an external IdP, you must use a client ID. The client ID is specified in the aud field of the OIDC token that is issued. When you create an OIDC IdP, you must configure the client ID. If you want to use the OIDC token to obtain an STS token, Alibaba Cloud checks whether the client ID that is specified in the aud field is the same as the client ID that you configured in the OIDC IdP. You can assume a RAM role only when the client IDs are the same.

      If multiple clients need to access Alibaba Cloud resources, you can configure multiple client IDs. You can configure a maximum of 20 client IDs.

      Remarks

      The description of the OIDC IdP.

    5. Click OK.

    View the information about an OIDC IdP

    1. Log on to the RAM console with an Alibaba Cloud account.

    2. In the left-side navigation pane, choose Integrations > SSO.

    3. On the Role-based SSO tab, click the OIDC tab. Then, click the name of the OIDC IdP whose information that you want to view.

    4. In the Details section of the page that appears, view IdP Name, IdP Type, Created At, Updated At, Remarks, ARN, and URL.

    Modify the information about an OIDC IdP

    1. Log on to the RAM console with an Alibaba Cloud account.

    2. In the left-side navigation pane, choose Integrations > SSO.

    3. On the Role-based SSO tab, click the OIDC tab. Then, click the name of the OIDC IdP whose information that you want to view.

    4. In the Details section of the page that appears, click Edit to the right of Remarks to modify the description of the OIDC IdP.

    5. In the Client ID section, click Add or Delete to add or remove a client ID.

      Note

      You can add a maximum of 20 client IDs. You must retain at least one client ID.

    6. In the Fingerprint section, click Add or Delete to add or delete a fingerprint.

      Note

      You can add a maximum of five client IDs. You must retain at least one fingerprint.

    Delete an OIDC IdP

    Warning

    After you delete an IdP, role-based SSO cannot be implemented between your business system and RAM.

    1. Log on to the RAM console with an Alibaba Cloud account.

    2. In the left-side navigation pane, choose Integrations > SSO.

    3. On the Role-based SSO tab, click the OIDC tab. Then, find the OIDC IdP that you want to delete and click Remove in the Actions column.

    4. In the Remove IdP message, click OK.