Alibaba Cloud supports SAML 2.0-based SSO (Single Sign-On), also known as identity federation logon. This topic uses Microsoft Active Directory (AD) as an example to describe how to use your own identity system to implement SSO with Alibaba Cloud and perform authentication in Container Service ACK clusters.
This topic covers AD FS installation and deployment, user SSO configuration and logon. For role SSO configuration and logon, see the Alibaba Cloud documentation on how to use AD FS for role SSO, and then complete authentication in the Container Service ACK cluster.
1. Install and deploy Microsoft AD
- open Server Manager and click "Add roles and features"
- click "Next"
- select "Active Directory Domain Services" and click "Add Features"
- after the installation is complete, click "Promote this server to a domain controller"
- choose "Add a new forest"; in this example, we use "testdomain.com"
After the installation is complete, the server restarts:
- Start Menu -> Active Directory Users and Computers
- create a new organizational unit and new users
2. Install CA
- select "Add roles and features" to install the CA
- click "Next" until "Active Directory Certificate Services" can be selected, and select it
- visit http://localhost/certsrv to confirm that the CA is installed successfully
3. Install AD FS
- add a service account
- install AD FS
- test access to https://adserver.testdomain.com/adfs/ls/idpinitiatedsignon
4. Configure single sign-on from AD to Alibaba Cloud
- configure AD FS in the RAM console: first download the FederationMetadata.xml file from https://adserver.testdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
In the Alibaba Cloud RAM console, go to Settings -> Advanced -> SSO Settings:
set "SSO Status" to "Enabled" and upload the FederationMetadata.xml file:
click "OK":
- in AD FS, configure Alibaba Cloud RAM as a trusted SAML SP: AD FS -> Tools -> AD FS Management:
Trust Relationships -> Relying Party Trusts -> Add Relying Party Trust:
the URL can be found in the RAM console:
select "Transform an Incoming Claim":
Now we have the following groups and users in AD: Group001: testuser01, testuser02; Group002: testuser03, testuser04
We also create the groups and users in the RAM console:
Use the sub-accounts testuser01, testuser02, testuser03 and testuser04 to test the logon operation:
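Before uploading FederationMetadata.xml in the RAM console, it is worth checking what RAM will actually trust from it: the IdP entityID, the SSO endpoints and the signing certificate. The following added example (not part of this tutorial or of Alibaba Cloud's tooling) parses the standard SAML 2.0 metadata elements and flags a missing signing key or non-HTTPS endpoints; the sample document is constructed around the tutorial's host name and its certificate value is a placeholder.

```python
# Added example: sanity-check AD FS IdP metadata before uploading it to RAM.
# Element and namespace names come from the SAML 2.0 metadata schema; the
# sample below is constructed and its X509Certificate value is a placeholder.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adserver.testdomain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-NOT-A-REAL-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adserver.testdomain.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adserver.testdomain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Return the IdP facts the SP (RAM) relies on, plus a list of findings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Signing certificates are what the SP uses to verify assertion signatures.
    signing = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                          "ds:X509Data/ds:X509Certificate", NS)
    # Map the short binding name (HTTP-Redirect / HTTP-POST) to its URL.
    endpoints = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    findings = []
    if not signing:
        findings.append("no signing certificate: SP cannot verify assertion signatures")
    if not ({"HTTP-Redirect", "HTTP-POST"} & set(endpoints)):
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, url in endpoints.items():
        if not url.lower().startswith("https://"):
            findings.append(f"{binding} endpoint is not HTTPS: {url}")
    return {"entity_id": root.get("entityID"), "endpoints": endpoints,
            "signing_certs": len(signing), "findings": findings}


if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_METADATA))
```

Run it against the real file downloaded from the AD FS server instead of SAMPLE_METADATA; an empty findings list means the metadata carries what RAM needs to verify signed assertions.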
5. Authorize the sub-account to operate the ACK cluster
By default, the RAM user does not have any cluster operation permissions. You can create a custom policy that grants users in group01 read and write permissions on namespace ci. After authorization, the user can access the cluster resources.
For more information, see Configure RBAC permissions for RAM users.