This topic describes how to integrate Alibaba Cloud DevOps with SAML to access the enterprise SAML authentication service for single sign-on (SSO).
Configure SAML
Log on to the Alibaba Cloud DevOps console as an organization administrator, click the profile picture in the upper right corner, and select Organization Settings from the drop-down list. Then, click Identity Providers and select SAML.
Step 1: Configure a SAML connection
To establish a connection between the service provider (SP), Alibaba Cloud DevOps, and your enterprise identity provider (IdP), specify the following information:
SAML IdP Metadata URL: The metadata URL of your enterprise IdP.
Public Key: The public key of the SP, which can be found in the public.crt file.
Private Key: The private key of the SP, which can be found in the rsa_private.key file.
Run the following command to generate the private key and the self-signed certificate that carries the public key. The -nodes option writes the private key unencrypted, so restrict the file permissions on rsa_private.key and use it only for this SP configuration.
openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 3650 -out public.crt
After configuration, click Next.
Step 2: Configure user synchronization
Configure the account unique identifier: Enter the attribute field that uniquely identifies a user in SAML. Once configured, it cannot be changed.
Specify the account linking method: The following methods are used for account identification and linking:
Link Accounts with Same Email: Links users with identical email addresses in Alibaba Cloud DevOps and your SAML IdP.
Link Accounts with Same Account ID: Links users with identical account IDs in Alibaba Cloud DevOps and your SAML IdP.
Link Accounts with Same Employee ID: Links users with identical employee IDs in Alibaba Cloud DevOps and your SAML IdP.
Regardless of the selected linking method, make sure that the corresponding attribute exists and is unique. This way, no error occurs when Alibaba Cloud DevOps performs account matching in a strict one-to-one manner based on this attribute. The following figure shows the linking process for the Link Accounts with Same Email option.
Specify the account synchronization mode: Choose whether new accounts may be created. This choice determines which user attribute fields must be mapped in the next step. The fields with mapping enabled automatically synchronize third-party data. However, the fields are not editable in Alibaba Cloud DevOps.
Link Existing Account or Create New Account: Allows the creation of new accounts. In the next step, "User Attribute Mapping", ensure that the name, the account ID, and the fields used for account linking are required.
Only Link Existing Account: Does not allow the creation of new accounts. In the next step, "User Attribute Mapping", ensure that only the fields used for account linking are required.
Configure the mapping of user attribute fields. Accounts in Alibaba Cloud DevOps and your enterprise IdP are matched based on the configured user attribute field mapping relationship. The attributes with mapped fields automatically synchronize third-party data. However, the attributes are not editable in Alibaba Cloud DevOps.
After configuration, click Next.
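The strict one-to-one matching described in Step 2 is easy to get wrong when the linking attribute is missing or duplicated. The following is an added example, not Alibaba Cloud DevOps code: it models the linking rules (match by the configured attribute, refuse ambiguous matches, create an account only when the synchronization mode allows it and the required attributes are present). The Account fields, the attribute names in the assertion and the sample data are all constructed for illustration.

```python
"""Account linking for SAML user synchronization.

Added example, not Alibaba Cloud DevOps code. It models the page's rule that
the configured linking attribute must exist and be unique so that matching is
strictly one-to-one; ambiguous or missing data is reported as an error
rather than guessed. Field names and attribute names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    account_id: str
    name: str
    email: str
    employee_id: str = ""
    saml_name_id: Optional[str] = None   # set once the account is linked


@dataclass
class LinkResult:
    status: str                      # "linked", "created" or "error"
    account: Optional[Account] = None
    reason: str = ""


# Linking method -> Account field it compares against (assumed names).
LINK_FIELDS = {"email": "email", "account_id": "account_id", "employee_id": "employee_id"}


def link_saml_user(attrs: Dict[str, str], accounts: List[Account], link_by: str = "email",
                   allow_create: bool = False, unique_id_attr: str = "NameID") -> LinkResult:
    """Link one SAML user to an account, or create one when allow_create is set.

    attrs: attribute map taken from the SAML assertion (constructed in demo()).
    accounts: existing accounts; mutated when an account is linked or created.
    """
    if link_by not in LINK_FIELDS:
        return LinkResult("error", reason=f"unknown linking method {link_by!r}")
    field_name = LINK_FIELDS[link_by]

    name_id = attrs.get(unique_id_attr)
    if not name_id:
        return LinkResult("error", reason=f"assertion lacks unique identifier {unique_id_attr!r}")

    # A previously linked account is found by its immutable unique identifier,
    # regardless of how its other attributes have changed since.
    for acct in accounts:
        if acct.saml_name_id == name_id:
            return LinkResult("linked", acct)

    value = attrs.get(link_by)
    if not value:
        return LinkResult("error", reason=f"assertion lacks linking attribute {link_by!r}")

    matches = [a for a in accounts if getattr(a, field_name) == value]
    if len(matches) > 1:
        # Strict one-to-one matching: duplicates are an error, never a guess.
        return LinkResult("error", reason=f"{len(matches)} accounts share {link_by}={value!r}")
    if len(matches) == 1:
        acct = matches[0]
        if acct.saml_name_id is not None:
            return LinkResult("error", reason="matching account is already linked to another SAML identity")
        acct.saml_name_id = name_id
        return LinkResult("linked", acct)

    if not allow_create:
        return LinkResult("error", reason="no existing account matches and creation is disabled")

    # "Link Existing Account or Create New Account": name and account ID are required.
    for required in ("name", "account_id"):
        if not attrs.get(required):
            return LinkResult("error", reason=f"required attribute {required!r} missing for creation")
    new_acct = Account(account_id=attrs["account_id"], name=attrs["name"],
                       email=attrs.get("email", ""), employee_id=attrs.get("employee_id", ""),
                       saml_name_id=name_id)
    accounts.append(new_acct)
    return LinkResult("created", new_acct)


def demo() -> dict:
    """Run the matching rules over constructed accounts and assertions."""
    accounts = [
        Account("u1001", "Alice", "alice@example.com", "E100"),
        Account("u1002", "Bob", "bob@example.com", "E101"),
        Account("u1003", "Bob (contractor)", "bob@example.com", "E102"),  # duplicate email
    ]
    out = {}
    out["alice"] = link_saml_user({"NameID": "alice@idp", "email": "alice@example.com"}, accounts)
    # Second logon: found by NameID even though the email attribute changed.
    out["alice_again"] = link_saml_user({"NameID": "alice@idp", "email": "new-alice@example.com"}, accounts)
    out["bob"] = link_saml_user({"NameID": "bob@idp", "email": "bob@example.com"}, accounts)
    out["carol_no_create"] = link_saml_user({"NameID": "carol@idp", "email": "carol@example.com"}, accounts)
    out["carol_create"] = link_saml_user(
        {"NameID": "carol@idp", "email": "carol@example.com", "name": "Carol", "account_id": "u1004"},
        accounts, allow_create=True)
    out["account_count"] = len(accounts)
    return out


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, result)
```

In the demo, Alice links cleanly, Bob fails because two accounts share his email (the uniqueness requirement the page states), and Carol is only created once the "Create New Account" mode is on and the name and account ID are supplied.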
Step 3: Enable SSO
During the configuration process, the SSO feature is disabled by default. Once enabled, you can adjust SAML SSO settings.
Customize the display name and icon for the SAML logon entry point, which is displayed on the Alibaba Cloud DevOps logon page.
Enable single logout (SLO): By default, SLO is disabled. Once enabled, configure the SLO URL of Alibaba Cloud DevOps in your SAML IdP to synchronize logout status.
If you choose not to enable SSO, you can still save the configuration and enable SSO later on the SAML integration details page.
After completing all configurations, you can click Save.
Step 4: Configure SP metadata
To establish trust between your enterprise IdP and Alibaba Cloud DevOps, configure Alibaba Cloud DevOps as a trusted SP in your enterprise IdP and set up SAML assertion attributes. Depending on the capabilities of your enterprise IdP, use one of the following methods:
Copy the displayed Service Provider Metadata URL and add it to your enterprise IdP.
If URL configuration is not supported, download the SP metadata file and upload it to your enterprise IdP.
If metadata file upload is not supported, manually configure the following parameters:
Entity ID: The value of the entityID attribute from the md:EntityDescriptor element in the SP metadata file.
ACS URL: The value of the Location attribute from the md:AssertionConsumerService element in the SP metadata file.
SLO URL: The value of the Location attribute from the md:SingleLogoutService element in the SP metadata file.
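When the IdP accepts neither the metadata URL nor the file, the three values above have to be copied by hand from the SP metadata. The following added example (not Alibaba Cloud DevOps code) extracts them with the Python standard library so the values are not mistyped. The metadata document and its https://sp.example.invalid URLs are constructed placeholders; the real values come from the SP metadata file downloaded from the console.

```python
"""Extract Entity ID, ACS URL and SLO URL from SP metadata.

Added example, not Alibaba Cloud DevOps code. The metadata below is a
constructed sample with placeholder URLs; run the function on the SP
metadata file you downloaded instead. xml.etree is used because the file
comes from your own console; for metadata from an untrusted source prefer
the defusedxml package.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample SP metadata (placeholder URLs, not real endpoints).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.invalid/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the values needed for manual IdP configuration, or raise ValueError."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor root, got {root.tag}")

    # Entity ID: entityID attribute of md:EntityDescriptor.
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("md:EntityDescriptor has no entityID attribute")

    # ACS URL: Location of md:AssertionConsumerService (default one if several).
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not acs:
        raise ValueError("no md:AssertionConsumerService element")
    defaults = [e for e in acs if e.get("isDefault") == "true"]
    chosen = defaults[0] if defaults else min(acs, key=lambda e: int(e.get("index", "0")))

    # SLO URL: Location of md:SingleLogoutService (absent when SLO is not enabled).
    slo = root.find("md:SPSSODescriptor/md:SingleLogoutService", NS)

    settings = {
        "entity_id": entity_id,
        "acs_url": chosen.get("Location"),
        "acs_binding": chosen.get("Binding"),
        "slo_url": slo.get("Location") if slo is not None else None,
    }
    # SAML endpoints carry credentials in transit; refuse plain-http locations.
    for key in ("acs_url", "slo_url"):
        url = settings[key]
        if url is not None and not url.startswith("https://"):
            raise ValueError(f"{key} is not an https URL: {url}")
    return settings


def metadata_problems(metadata_xml: str) -> List[str]:
    """Non-raising wrapper: list of problems found, empty when the metadata is usable."""
    try:
        extract_sp_settings(metadata_xml)
    except (ValueError, ET.ParseError) as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    for name, value in extract_sp_settings(SAMPLE_SP_METADATA).items():
        print(f"{name}: {value}")
```

Copy the printed entity_id, acs_url and slo_url into the Entity ID, ACS URL and SLO URL fields of the IdP; acs_binding tells you which binding (normally HTTP-POST) to select if the IdP asks for one.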
Log on to Alibaba Cloud DevOps through SAML authentication
After SSO is enabled, select SAML as the logon method at the top of the Identity Providers page. Once selected, the Alibaba Cloud DevOps logon page is set as the SAML logon page by default, and users whose accounts are bound to SAML accounts can use those accounts to log on.
Log out of Alibaba Cloud DevOps
When users log out of Alibaba Cloud DevOps, they also log out of your SAML IdP.
To also log users out of Alibaba Cloud DevOps when they log out of your SAML IdP, complete Step 3 (Enable SSO) and enable SLO there.
Session duration
The session duration is determined by Alibaba Cloud DevOps. When a session exceeds the logon retention time of Alibaba Cloud DevOps, users are logged out of Alibaba Cloud DevOps and must log on again to continue using it.
Modify the SAML integration
On the SAML integration details page, you can click View/Edit Settings to adjust the account synchronization method and the mapping of user attributes. Other configurations are not editable.
Disable SSO
On the SAML integration details page, you can click Edit Settings to disable SSO. In the Edit Settings panel, turn off the Single Sign-On switch. Once disabled, you cannot use a SAML account to log on to Alibaba Cloud DevOps.
Remove the SAML integration
To remove the SAML integration, click Remove Integration on the SAML integration details page. In the message that appears, click Remove. Once removed, the following takes effect:
The linking relationship between Alibaba Cloud DevOps accounts and SAML accounts is terminated.
Logon to Alibaba Cloud DevOps with a SAML account is no longer supported.