
Identity as a Service: Alibaba Cloud user SSO

Last Updated: Mar 31, 2026

Set up user-based single sign-on (SSO) between IDaaS and Alibaba Cloud so that enterprise members can log on to Alibaba Cloud as Resource Access Management (RAM) users through your identity provider (IdP).

How it works

In user-based SSO, IDaaS acts as the IdP and Alibaba Cloud RAM acts as the service provider (SP). The trust relationship between the two sides is established by downloading the IdP metadata from IDaaS and uploading it to Alibaba Cloud RAM.

  • IdP-initiated flow: A user logs on to the IDaaS application portal and clicks the Alibaba Cloud application icon. IDaaS generates a SAML assertion and redirects the user to Alibaba Cloud.

  • SP-initiated flow: A user opens the Alibaba Cloud logon page, clicks Logon As RAM User, and enters a RAM username. Alibaba Cloud redirects the user to IDaaS for authentication. After a successful logon, the user is redirected back to Alibaba Cloud.

Prerequisites

Before you begin, make sure you have:

  • An active IDaaS instance

  • An Alibaba Cloud account with permission to manage RAM settings

  • The Alibaba Cloud account ID (find it under your profile picture in the upper-right corner of the Alibaba Cloud Management Console > Account Center)

Configure user-based SSO

The setup spans two systems, IDaaS and Alibaba Cloud RAM, plus an optional step on the RAM Users page to assign permissions.

Step 1: Create an application in IDaaS

  1. Log on to the IDaaS console.

  2. Select an IDaaS instance and click Manage in the Operations column.

  3. Go to Application Management > Applications > Add Application > Marketplace, search for the Alibaba Cloud User-based SSO (International Site) application template, and click Add Application.

  4. Confirm the Application Name and click Add.


Step 2: Configure SSO settings in IDaaS

After adding the application, IDaaS automatically redirects you to the SSO configuration page.

  1. Enter your Alibaba Cloud account ID.

  2. Select an application account name property. This field serves as the primary key that maps each IDaaS user to the corresponding RAM user when SSO is initiated. For testing purposes, set the authorization scope to all members. You can skip assigning permissions to the IDaaS account at this stage.


  3. In the Application Settings section, click Download to download the IdP metadata file and save it to your computer. This file is used to establish a trust relationship between Alibaba Cloud and IDaaS.


  4. Configure the username mapping based on how your IDaaS account names relate to your RAM user prefixes:

    • IDaaS account name matches the RAM user prefix: set Application Username to IDaaS Username.

    • IDaaS account name differs from the RAM user prefix: set Application Username to Application Username, then go to the Application User interface, select the IDaaS account to use for SSO, and enter the corresponding RAM user prefix.

Step 3: Enable user-based SSO in RAM

  1. Log on to the RAM console.

  2. In the left navigation pane, click SSO.

  3. On the User-based SSO tab, view the current SSO logon settings.

  4. Set SSO Status to On, then upload the IdP metadata file downloaded in step 2. This establishes the trust relationship between Alibaba Cloud and IDaaS. You do not need to enable the auxiliary domain name.

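Before uploading the metadata file from step 2 in the RAM console, it is worth confirming that it actually carries what RAM needs to trust IDaaS: an entityID, at least one signing certificate (used to verify assertion signatures), and HTTPS single sign-on endpoints. The following Python script is an added example, not part of this guide or of IDaaS; the embedded metadata is a constructed sample whose entityID, URLs and certificate body are placeholders, and the checks are general SAML 2.0 metadata checks rather than RAM's own validation rules.

```python
# Added example (not IDaaS/RAM code): pre-upload sanity check of a SAML 2.0 IdP
# metadata file. SAMPLE_METADATA is constructed; its values are placeholders.
import base64
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idaas.example.com/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idaas.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idaas.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return entityID, SSO endpoints keyed by binding, and a list of findings."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    findings = [] if entity_id else ["missing entityID"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id, "endpoints": {}, "findings": findings + ["no IDPSSODescriptor"]}
    # A KeyDescriptor without a use attribute covers signing as well as encryption.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    usable = 0
    for c in certs:
        try:  # body must be well-formed base64 DER; binascii.Error is a ValueError
            usable += bool(base64.b64decode("".join((c.text or "").split()), validate=True))
        except ValueError:
            findings.append("malformed X509Certificate")
    if not usable:
        findings.append("no usable signing certificate: RAM cannot verify assertion signatures")
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = sso.get("Binding", "").rsplit(":", 1)[-1]
        endpoints[binding] = location = sso.get("Location", "")
        if not location.startswith("https://"):
            findings.append(f"{binding} SSO endpoint is not HTTPS: {location}")
    if not endpoints:
        findings.append("no SingleSignOnService endpoint")
    return {"entity_id": entity_id, "endpoints": endpoints, "findings": findings}
```

Run `check_idp_metadata(open("idp-metadata.xml").read())` on the file you downloaded and resolve every finding before setting SSO Status to On.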

Step 4: Assign RAM user permissions (optional)

If you have existing RAM users, or plan to sync accounts from IDaaS to Alibaba Cloud, go to Users in the left navigation pane and assign the required permissions. This ensures that SSO users have access to Alibaba Cloud resources after they log on.

For account synchronization, see Account synchronization - Event callback.

Skip this step if you only want to test the SSO flow.


Step 5: Test SSO

Initiate SSO from either IDaaS or Alibaba Cloud:

  • IdP-initiated: Log on to the IDaaS application portal using an account that has access to the Alibaba Cloud User-based SSO application. Click the application icon to start SSO.


  • SP-initiated: Open the Alibaba Cloud logon page in a private browser window. Click Logon As RAM User, enter the RAM username, and click Next.


When prompted, click Logon With Enterprise Account or copy the logon link. If you are already logged on to the IDaaS application portal, you are logged on to Alibaba Cloud directly. Otherwise, you are redirected to the IDaaS logon page—after a successful IDaaS logon, you are automatically logged on to Alibaba Cloud.
