[Update: With the launch of RAM 2.0, the Alibaba Cloud official website now provides official technical documentation for SAML federation. For more information, see https://help.aliyun.com/document_detail/96239.html. We recommend that you configure RAM through the RAM console; the original Enterprise Console (beta) will be phased out.]
In the article Compliance and Security: Integration of Alibaba Cloud and the Enterprise Identity System, we introduced how Alibaba Cloud integrates with an enterprise identity system: sub-accounts (RAM users) under an Alibaba Cloud account can be configured to log on through the enterprise identity system. The configuration has two parts:
- Configure the trusted enterprise SAML IdP in the Alibaba Cloud directory.
- Configure Alibaba Cloud as a trusted SAML SP in the enterprise IdP.
The second part is configured differently in different identity systems. This topic uses Windows Server 2012 R2 as an example to describe how to configure Microsoft AD as a single sign-on IdP for Alibaba Cloud.
This topic assumes that you have properly configured Microsoft AD and the following server roles on Windows Server 2012 R2:
- DNS server: resolves identity authentication requests to the correct Federation Service.
- Active Directory Domain Services (AD DS): lets you create, query, and modify objects such as domain users and domain devices.
- Active Directory Federation Services (AD FS): provides federated authentication for configured relying parties and single sign-on authentication to them.
For questions about configuring Active Directory, refer to Microsoft's official documentation or to third-party blogs on the subject.
The following list describes the settings used in this example:
- The default domain name of the Alibaba Cloud account directory is junpu.onaliyun.com.
- The name of the AD FS service in the user-created Microsoft AD is adserver.testdomain.com.
- The domain name of the user-created Microsoft AD is testdomain.com; its NETBIOS name is
- The UPN of user junpu.chen in AD is firstname.lastname@example.org; domain logon can also be used.
Open the AD FS federation metadata address in a browser, download the metadata XML file and store it locally, then configure the downloaded IdP metadata file in the Alibaba Cloud directory, following the procedure described in Compliance and Security: Integration of Alibaba Cloud and the Enterprise Identity System.
In Microsoft AD FS terminology, a SAML SP is called a Relying Party (the trusting party). AD FS also supports OAuth, OIDC, and WS-Federation, and the single sign-on consumer in each of these protocols is likewise called a Relying Party, so AD FS does not use the SAML-specific term Service Provider even in its SAML support; Relying Party denotes the single sign-on consumer across all of the protocols it supports.
Create Alibaba Cloud as a trusted SP in AD FS
Step 1: Open the AD FS management tool from the Tools (工具) menu.
Step 2: In the AD FS management tool, add a Relying Party Trust (信赖方信任).
Step 3: Configure the Alibaba Cloud SAML metadata for the new relying party.
The relying party can be configured directly with the metadata URL, or you can download the Alibaba Cloud SAML metadata and configure the downloaded XML file for the relying party. You can obtain the Alibaba Cloud SAML metadata URL as follows:
- Log on to the RAM console.
- In the left-side navigation pane, choose Identities > Settings > Advanced Settings. Under SSO Logon Settings, you can view the SAML service provider metadata URL of the current Alibaba Cloud account.
After the relying party is configured, Alibaba Cloud and AD FS have established mutual trust. Alibaba Cloud forwards the user authentication requests of the junpu.onaliyun.com directory to AD FS (adserver.testdomain.com); AD FS in turn accepts authentication requests from Alibaba Cloud and returns authentication responses to Alibaba Cloud.
Next, configure the attributes to be issued in the SAML assertion for the relying party.
To let Alibaba Cloud use the SAML response to locate RAM users in the cloud directory, the NameID field in the SAML assertion must be set to the UPN of the RAM user in the cloud directory.
Configure the UPN in Active Directory as the NameID in the SAML assertion.
Here Microsoft uses the term Claim (声明, rendered as "declaration" in some translations) for the attributes in the SAML assertion, because the other protocols supported by AD FS (OAuth, WS-Federation, and so on) also use Claim to denote the fields in a token.
Step 1: Edit the claim rules for the relying party. Claim rules define how the claims (attributes) in the SAML assertion are generated from Active Directory user attributes.
Step 2: Add an Issuance Transform Rule. An issuance transform rule specifies how a known user attribute is converted into an attribute in the SAML assertion. Because we want to issue the user's AD UPN as NameID, we need to add a new rule.
The rule template is
In this example, the UPN domain name in the Alibaba Cloud account is junpu.onaliyun.com and the UPN domain name in AD is testdomain.com. Obviously, if the User Principal Name in AD is mapped directly to NameID, Alibaba Cloud cannot match the correct RAM user.
There are two ways to close this gap.
Path 1: Verify the AD domain name in the Alibaba Cloud directory
If testdomain.com is a domain name registered in public DNS, you can verify your ownership of the domain name in the Alibaba Cloud directory. Log on to the Enterprise Console to do so.
After verification, testdomain.com becomes a domain alias of the directory's default domain junpu.onaliyun.com.
Once the domain name is verified, the cloud directory and the user-created AD DS share the same domain name, testdomain.com.
Path 2: Convert the domain name of the User Principal Name in AD and issue it as NameID
If testdomain.com is the enterprise's internal domain name, Alibaba Cloud cannot verify the enterprise's ownership of it, and the cloud directory can only use its onaliyun.com subdomain. In this case, in the SAML assertion that AD FS issues to Alibaba Cloud, the UPN domain suffix must be changed from testdomain.com to junpu.onaliyun.com (assuming that the user names correspond one to one).
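The following is an added example, not code from the original post or from Alibaba Cloud, that scripts the same configuration the console steps above perform: it creates the relying party trust from the Alibaba Cloud SP metadata (Steps 1 to 3) and then sets the issuance transform rules for Path 2 in the AD FS claim rule language, so that the AD userPrincipalName is read, its testdomain.com suffix is rewritten to junpu.onaliyun.com, and the result is issued as NameID. It assumes the AD FS PowerShell module on Windows Server 2012 R2; the metadata URL is a placeholder to be taken from the RAM console, and the relying party name "Alibaba Cloud" is an arbitrary label.

```powershell
# Added example (not from the original post). Assumes the ADFS module and the
# domains used in the article: AD UPN suffix testdomain.com, cloud directory
# default domain junpu.onaliyun.com.
Import-Module ADFS

$rpName      = "Alibaba Cloud"                               # arbitrary label
$metadataUrl = "<SAML-SP-metadata-URL-from-RAM-console>"     # placeholder, copy from RAM console
$adSuffix    = "testdomain.com"
$cloudSuffix = "junpu.onaliyun.com"
$adSuffixRe  = [regex]::Escape($adSuffix)                    # "testdomain\.com" for the regex rules

# Steps 1-3: create the relying party trust from Alibaba Cloud's SP metadata
# (the same thing the "Add Relying Party Trust" wizard does). MonitoringEnabled
# lets AD FS refresh the SP certificate/endpoints from the metadata URL.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl -MonitoringEnabled $true
}

# Path 2 as claim rules. Rule 1 reads userPrincipalName from AD into the
# pipeline (add, not issue: the raw UPN itself is not sent). Rule 2 only
# matches UPNs ending in @testdomain.com, rewrites the suffix, and issues the
# result as NameID. Users with any other suffix get no NameID and cannot log
# on, which is the safe failure mode.
$transformRules = @"
@RuleName = "Read userPrincipalName from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Issue UPN with the cloud directory suffix as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "@$adSuffixRe`$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = RegExReplace(c.Value, "@$adSuffixRe`$", "@$cloudSuffix"));
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $transformRules

# A trust created from PowerShell has no issuance authorization rule, so no
# token would be issued. Permit authenticated users; restrict to an AD group
# here if only some users should reach Alibaba Cloud.
$authzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Show what was configured
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, IssuanceTransformRules
```

For Path 1 the second rule is not needed: once testdomain.com is a verified alias of the directory, the UPN can be issued as NameID unchanged, so the `RegExReplace` call would simply be replaced by `c.Value`.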
In the author's example, the user-created AD domain testdomain.com is an internal domain name. After mapping the assertion attributes through Path 2 above, access Alibaba Cloud from the internal network of the user-created AD and open the logon address. Alibaba Cloud forwards the authentication request to adserver.testdomain.com. Enter the AD user name email@example.com and the password to log on to the Alibaba Cloud console.
Because user-created AD configurations vary, you may need slightly different claim rules. The ultimate goal, however, is for the SAML response to return a RAM user UPN that the Alibaba Cloud directory can recognize.
Here are some common questions:
- If no claim rule is configured, the NameID field is missing from the SAML assertion, and the logon fails with the error 无法解析外部身份提供商签发的认证信息。 (Unable to understand SAML response).
- If the NameID domain name in the SAML assertion is inconsistent with the cloud Directory
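As an added troubleshooting aid (not part of the original post), the function below checks a captured SAMLResponse for the two failure modes just listed: a missing NameID, and a NameID whose domain suffix does not match the cloud directory. It decodes the base64 form value that the browser posts to Alibaba Cloud (for instance copied from the browser's developer tools), and inspects the assertion. The sample response in the block is constructed for the example and is unsigned; the issuer URL and the user junpu.chen@junpu.onaliyun.com are assumptions based on the article's names.

```powershell
# Added example (not from the original post). Checks the NameID of a decoded
# SAMLResponse against the cloud directory domain used in the article.
function Test-AliyunSamlNameId {
    param(
        [Parameter(Mandatory)] [string] $SamlResponseBase64,   # value of the SAMLResponse form field
        [string] $ExpectedSuffix = "junpu.onaliyun.com"        # cloud directory default domain
    )
    $xmlText = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    [xml]$doc = $xmlText

    # SAML 2.0 namespaces are required for XPath on the assertion
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
    $ns.AddNamespace("saml",  "urn:oasis:names:tc:SAML:2.0:assertion")

    $nameId = $doc.SelectSingleNode("//saml:Assertion/saml:Subject/saml:NameID", $ns)
    if (-not $nameId) {
        # Failure mode 1: no claim rule issues a NameID; Alibaba Cloud cannot parse the response
        return [pscustomobject]@{ Result = "Fail"; NameID = $null
                                  Reason = "Assertion has no NameID; add an issuance transform rule for the UPN" }
    }

    $value = $nameId.InnerText.Trim()
    if ($value -notmatch ('@' + [regex]::Escape($ExpectedSuffix) + '$')) {
        # Failure mode 2: suffix still testdomain.com (or another domain) instead of the directory domain
        return [pscustomobject]@{ Result = "Fail"; NameID = $value
                                  Reason = "NameID suffix does not match the cloud directory domain $ExpectedSuffix" }
    }

    [pscustomobject]@{ Result = "Pass"; NameID = $value; Reason = "NameID matches a RAM user UPN" }
}

# Constructed sample: what the assertion looks like after the Path 2 rewrite.
# Issuer and user are assumed names; a real response is signed and much longer.
$sample = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
  <saml:Issuer>http://adserver.testdomain.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
    <saml:Issuer>http://adserver.testdomain.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>junpu.chen@junpu.onaliyun.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"@
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sample))
Test-AliyunSamlNameId -SamlResponseBase64 $encoded      # Result: Pass
```

This check only looks at the assertion's contents; it does not verify the XML signature or the audience and validity conditions, which Alibaba Cloud enforces on its side. For a quick comparison with what AD FS is configured to send, `Get-AdfsRelyingPartyTrust -Name "Alibaba Cloud" | Select-Object -ExpandProperty IssuanceTransformRules` shows the rules currently in force for the relying party.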