
Identity as a Service: Alibaba Cloud Cloud SSO

Last Updated: Mar 31, 2026

Configure single sign-on (SSO) between Alibaba Cloud IDaaS and CloudSSO using a pre-integrated application template. IDaaS acts as the identity provider (IdP), and CloudSSO acts as the service provider (SP).

CloudSSO provides unified identity management and access control for multiple accounts based on Alibaba Cloud Resource Directory (RD). With CloudSSO, you can centrally manage users, configure SSO between your corporate identity system and Alibaba Cloud, and set access permissions for accounts in your RD.

Prerequisites

Before you begin, make sure you have:

  • An active IDaaS instance with administrator access

  • Access to the CloudSSO console with administrator permissions

  • A Resource Directory with the accounts you want to manage

How it works

The setup involves three phases of configuration across IDaaS and CloudSSO:

  1. Create a CloudSSO application in IDaaS and download its SAML metadata file.

  2. Upload the metadata file to CloudSSO, enable SSO logon, and copy the ACS URL and Entity ID.

  3. Paste the ACS URL and Entity ID back into IDaaS to complete the connection.

Step 1: Create an application in IDaaS

  1. Log on to the Alibaba Cloud IDaaS console.

  2. Select your IDaaS instance and click Manage in the Actions section.


  3. In the navigation pane, choose Application Management > Applications. On the Applications page, click Add Application.

  4. In the application marketplace, search for Alibaba Cloud - CloudSSO and click Add Application.


  5. Confirm the application name and click Add Now.


Step 2: Configure SSO in IDaaS

After the application is created, IDaaS redirects you to the SSO page.

  1. Set Authorize to All Users for testing purposes. For production, see Application authorization.

  2. Leave CloudSSO ACS URL and CloudSSO Entity ID blank for now. You will fill these in after completing Step 3.

    Note

    By default, IDaaS uses the account name as the logon identity sent to CloudSSO. The CloudSSO user account must match this name. To configure flexible account mapping, see SAML application account configuration.

  3. In the Application Settings section, click Download to save the SAML metadata file to your computer. You will upload this file to CloudSSO in the next step.


Step 3: Configure user-based SSO in CloudSSO

  1. Log on to the CloudSSO console.

  2. In the navigation pane, choose Settings > SSO Logon.

  3. Click Configure IdP.


  4. Upload the metadata file you downloaded from IDaaS. CloudSSO automatically populates the identity provider information.

  5. Click Enable SSO Logon.


  6. Copy the ACS URL and Entity ID values from this page.


  7. Return to the IDaaS SSO page from Step 2. Paste the copied values into CloudSSO ACS URL and CloudSSO Entity ID, then click Save.

Step 4: Test the SSO logon

  1. In CloudSSO, copy the Logon URL from your SSO configuration.


  2. Open the Logon URL in a browser. Because IDaaS is configured as the identity source, you are redirected to the IDaaS logon page.


  3. Log on with your IDaaS credentials.

  4. After a successful logon, you can access the service.


Troubleshooting

Redirected to an error page after logon

Check that CloudSSO ACS URL and CloudSSO Entity ID in IDaaS exactly match the values shown in CloudSSO. A mismatch is the most common cause of SAML authentication failures.

Logon succeeds in IDaaS but CloudSSO shows "user not found"

The username sent by IDaaS does not match any user in CloudSSO. Verify that the IDaaS account name matches the CloudSSO user account. To configure flexible username mapping, see SAML application account configuration.

Not redirected to IDaaS logon page

Confirm that SSO logon is enabled in CloudSSO. In the CloudSSO console, go to Settings > SSO Logon and verify that the SSO logon status is enabled.
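The three troubleshooting cases above (and the account-name note in Step 2) all come down to fields in the SAML exchange lining up on both sides: the IdP metadata you upload in Step 3 tells CloudSSO the IdP's Entity ID and SSO endpoint, and every SAML Response the IdP later sends must carry the SP's ACS URL as its Destination, the SP's Entity ID as its Audience, and a NameID that resolves to an existing CloudSSO user. The script below is an added example, not code from Alibaba Cloud or the IDaaS/CloudSSO products: it parses a constructed IdP metadata file the way an SP does, then checks constructed SAML Responses against the SP-side settings and reports which field is mismatched. All URLs, entity IDs and user names are placeholders. It also checks the Response Issuer against the metadata entityID, a standard SAML check that goes slightly beyond the page's own list, and it deliberately does not validate signatures, which a real SP always does before trusting any of these fields.

```python
"""Troubleshooting helper for a SAML 2.0 IdP -> SP hand-off.

Added example (not from the Alibaba Cloud page or product code). The XML
documents below are constructed samples; the ACS URL, Entity ID, issuer and
user names are placeholders, not real IDaaS or CloudSSO values.
"""
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by metadata, protocol and assertion elements.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP metadata, shaped like the file Step 2 has you download.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idaas.example.invalid/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idaas.example.invalid/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP-side settings (placeholders for the values copied in Step 3).
SP_ACS_URL = "https://signin.example.invalid/saml/acs"
SP_ENTITY_ID = "https://signin.example.invalid/saml/sp"
# Constructed CloudSSO user directory; the NameID must hit one of these names.
CLOUDSSO_USERS = {"alice", "bob"}


def build_response(destination, audience, name_id, issuer):
    """Return a constructed, unsigned SAML Response (illustration only).

    Values are interpolated verbatim, so callers pass plain URL/name strings.
    """
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_idp_metadata(xml_text):
    """Extract the two things the SP learns from the uploaded IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location")}


def check_response(xml_text, idp_entity_id, acs_url, sp_entity_id, known_users):
    """Return the list of mismatches that would make the SP reject this logon.

    An empty list means the fields named in the troubleshooting section
    (ACS URL, Entity ID, user name) plus the Issuer all line up. Comparison
    is exact, so a stray trailing slash counts as a mismatch. Signature
    validation is out of scope here and must happen before any of this.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("destination_mismatch")      # wrong CloudSSO ACS URL
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("issuer_mismatch")           # response not from our IdP
    audience = root.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        problems.append("audience_mismatch")         # wrong CloudSSO Entity ID
    if root.findtext(".//saml:Subject/saml:NameID", namespaces=NS) not in known_users:
        problems.append("user_not_found")            # account name not in CloudSSO
    return problems


def demo():
    """Check one well-formed logon and one with a trailing-slash ACS URL and unknown user."""
    idp = parse_idp_metadata(IDP_METADATA)
    good = build_response(SP_ACS_URL, SP_ENTITY_ID, "alice", idp["entity_id"])
    bad = build_response(SP_ACS_URL + "/", SP_ENTITY_ID, "carol", idp["entity_id"])
    args = (idp["entity_id"], SP_ACS_URL, SP_ENTITY_ID, CLOUDSSO_USERS)
    return check_response(good, *args), check_response(bad, *args)


if __name__ == "__main__":
    print(demo())
```

The second response in `demo()` reproduces the first and second troubleshooting cases at once: the ACS URL differs only by a trailing slash, which is exactly the kind of near-match that produces an error page after an otherwise successful IdP logon, and the NameID names a user that does not exist in the constructed CloudSSO directory.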

What's next