[Update: With the launch of RAM 2.0, the official Alibaba Cloud website now provides technical documentation for SAML federation. For more information, see https://help.aliyun.com/document_detail/96239.html. We recommend that you use the RAM console to configure RAM; the original Enterprise Console (beta) will be phased out.]
In the article Compliance and Security: Integration of Alibaba Cloud and the Enterprise Identity System, we introduced how Alibaba Cloud integrates with an enterprise identity system: sub-accounts under an Alibaba Cloud account can be configured to log on through the enterprise identity system. The configuration consists of two steps:
- Configure the trusted enterprise SAML IdP in the Alibaba Cloud directory.
- Configure Alibaba Cloud as a trusted SAML SP in the enterprise IdP.
The second step is configured differently in different identity systems. This topic uses Windows Server 2012 R2 as an example to describe how to configure Microsoft AD (through AD FS) as a single sign-on IdP for Alibaba Cloud.
This topic assumes that you have correctly configured Microsoft AD and the following server roles on Windows Server 2012 R2:
- DNS server: resolves identity authentication requests to the correct Federation Service.
- Active Directory Domain Services (AD DS): lets you create, query, and modify objects such as domain users and domain devices.
- Active Directory Federation Services (AD FS): provides federated authentication for configured relying parties and single sign-on to them.
For questions about configuring Active Directory itself, refer to the official Microsoft documentation or third-party blogs on the subject.
The following values are used in this example:
- The default domain name of the Alibaba Cloud account directory is junpu.onaliyun.com.
- The Federation Service name of the user-created AD FS is adserver.testdomain.com.
- The domain name of the user-created Microsoft AD is testdomain.com; its NetBIOS name is testdomain.
- The UPN of the user junpu.chen in AD is junpu.chen@testdomain.com; the domain logon name testdomain\junpu.chen can also be used.
Enter the following address in a browser:
https://adserver.testdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
Download the metadata XML file, store it locally, and configure it as the IdP metadata file in the Alibaba Cloud directory by following the procedure in Compliance and Security: Integration of Alibaba Cloud and the Enterprise Identity System.
In Microsoft AD FS terminology, a SAML SP is called a Relying Party. AD FS also supports OAuth, OIDC, and WS-Federation, and the single sign-on consumers in all of these protocols are called Relying Parties, so AD FS does not use the SAML-specific term Service Provider even in its SAML support: Relying Party designates the single sign-on consumer regardless of protocol.
Create Alibaba Cloud as a trusted SP (Relying Party) in AD FS
Step 1: In Server Manager, open AD FS Management (AD FS管理) from the Tools (工具) menu.
Step 2: In the AD FS management tool, add a Relying Party Trust (信赖方信任).
Step 3: Set the Alibaba Cloud SAML metadata for the new Relying Party Trust.
The Relying Party Trust can be configured directly with the metadata URL, or you can download the Alibaba Cloud SAML metadata and configure the downloaded XML file for the Relying Party. You can obtain the URL of the Alibaba Cloud SAML metadata as follows:
- Log on to the RAM console.
- In the left-side navigation pane, choose Identities > Settings > Advanced Settings. Under SSO logon settings, you can view the SAML service provider metadata URL of the current Alibaba Cloud account.
After the Relying Party is configured, mutual trust between Alibaba Cloud and AD FS is established: Alibaba Cloud forwards authentication requests for users in the junpu.onaliyun.com directory to the AD FS at adserver.testdomain.com, and AD FS accepts those authentication requests from Alibaba Cloud and returns authentication responses to Alibaba Cloud.
Next, you need to configure the attributes that AD FS issues in the SAML assertion for the Relying Party.
To enable Alibaba Cloud to use the SAML response to locate the sub-user (RAM user) in the cloud directory, the NameID field of the SAML assertion must be set to the UPN of that sub-user in the cloud directory. In other words, configure AD FS to issue the Active Directory UPN as the NameID of the SAML assertion.
Microsoft uses the term Claim for the attributes in the SAML assertion, because the other protocols supported by AD FS (OAuth, WS-Federation, and so on) also use Claim for the fields carried in the token.
Step 1: Edit the Claim Rules (声明规则) for the Relying Party. Claim Rules define how the claims (attributes) in the SAML assertion are generated from the user attributes in Active Directory.
Step 2: Add an Issuance Transform Rule (颁发转换规则). An Issuance Transform Rule defines how a known user attribute is converted into an attribute of the SAML assertion. Because we want to issue the user's UPN in AD as the NameID, we need to add a new rule. The rule template to use is Transform an Incoming Claim (转换传入声明).
In this example, the UPN domain name in the Alibaba Cloud account is junpu.onaliyun.com, while the UPN domain name in AD is testdomain.com. If the User Principal Name in AD is mapped directly to NameID, Alibaba Cloud obviously cannot match it to the correct RAM user. There are two ways to close this gap.
Path 1: Verify the AD domain name in the Alibaba Cloud directory
If the domain name testdomain.com is registered in public DNS, you can verify your ownership of the domain in the Alibaba Cloud directory. Log on to the Enterprise Console and choose People Directory (人员目录) > Domain Settings (域名设置) > Create Domain Alias (创建域别名).
After verification, testdomain.com becomes a domain alias of the directory's default domain junpu.onaliyun.com, so the cloud directory and the user-created AD DS agree on the domain name testdomain.com.
After completing this setting, return to the issuance transform rule described above and map UPN directly to NameID (Name ID).
Path 2: Convert the domain name of the User Principal Name in AD and issue the result as NameID
If testdomain.com is an internal enterprise domain name, Alibaba Cloud cannot verify the enterprise's ownership of it, and the cloud directory can only use its onaliyun.com subdomain. In this case, the UPN domain suffix in the SAML assertion that AD FS issues to Alibaba Cloud must be rewritten from testdomain.com to junpu.onaliyun.com (assuming that the user names correspond one to one).
In the author's example, the domain testdomain.com of the user-created AD is an internal domain name. After mapping the assertion attribute through path 2 above, access Alibaba Cloud from the internal network of the user-created AD and enter junpu.chen@junpu.onaliyun.com. Alibaba Cloud forwards the authentication request to adserver.testdomain.com; enter the AD user name junpu.chen@testdomain.com and the password to log on to the Alibaba Cloud console.
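The Relying Party Trust (steps 1 to 3 above) and the path 2 issuance transform rule, as an added PowerShell example that is not part of the original article or of Alibaba Cloud's documentation. It assumes the AD FS PowerShell module on the federation server; the SP metadata URL is a placeholder to be taken from the RAM console.

```powershell
# Added example: the GUI steps above done with the AD FS PowerShell module.
# Run on the AD FS server as an AD FS administrator.
Import-Module ADFS

$RpName        = 'Alibaba Cloud'
$SpMetadataUrl = 'https://<SP-METADATA-URL-FROM-RAM-CONSOLE>'   # placeholder
$AdDomain      = 'testdomain.com'       # UPN suffix in the on-premises AD
$CloudDomain   = 'junpu.onaliyun.com'   # default domain of the RAM directory

# Steps 1-3: create the Relying Party Trust from the Alibaba Cloud SP metadata.
if (-not (Get-AdfsRelyingPartyTrust -Name $RpName)) {
    Add-AdfsRelyingPartyTrust -Name $RpName -MetadataUrl $SpMetadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

$upnType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$formatProp = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Issuance transform rules in the AD FS claim rule language:
#  1. read userPrincipalName from AD for the authenticated Windows account;
#  2. issue it as the SAML NameID with the suffix rewritten (path 2), so
#     junpu.chen@testdomain.com becomes junpu.chen@junpu.onaliyun.com.
#     For path 1 (domain alias verified in RAM) use Value = c.Value instead
#     of RegExReplace(). The unescaped "." in the pattern matches any character,
#     which is acceptable because the pattern is anchored with "$".
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Read UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upnType"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Issue UPN as NameID with the cloud directory suffix"
c:[Type == "$upnType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = RegExReplace(c.Value, "@$AdDomain$", "@$CloudDomain"),
          ValueType = c.ValueType,
          Properties["$formatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $rules
# Permit every authenticated AD user to obtain a token for this Relying Party.
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules `
    '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Show the rules AD FS will apply, to confirm the NameID mapping.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```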
Because user-created AD configurations vary, you may need to edit slightly different claim rules. The ultimate goal is the same: the SAML response must return a sub-account UPN that the Alibaba Cloud directory can recognize.
Some common problems:
- If no claim rule is configured, the NameID field is missing from the SAML assertion, and the console reports:
  无法解析外部身份提供商签发的认证信息。: Unable to understand SAML response
- If the NameID domain name in the SAML assertion does not match the cloud directory, the console reports:
  您的阿里云目录的外部单点登录配置无效,请联系管理员。: {"domainName":"testdomain.com"}
  (the external single sign-on configuration of your Alibaba Cloud directory is invalid; contact the administrator)
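A way to check a captured SAML response for the two problems above before debugging in the console, as an added PowerShell example that is not from the original article. The function name and the sample assertions are constructed; the check assumes the directory accepts a NameID whose suffix is its default domain or a verified alias, as the two errors above suggest.

```powershell
# Added example: check the NameID of a decoded SAML 2.0 Response from AD FS
# the way the two console errors above suggest the RAM directory does.
function Test-AliyunSamlNameId {
    param(
        [Parameter(Mandatory)][xml]$Response,
        [Parameter(Mandatory)][string[]]$DirectoryDomains   # default domain plus verified aliases
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Response.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $node = $Response.SelectSingleNode('//saml:Assertion/saml:Subject/saml:NameID', $ns)
    if (-not $node -or [string]::IsNullOrWhiteSpace($node.InnerText)) {
        # No claim rule issued a NameID: expect "Unable to understand SAML response".
        return [pscustomobject]@{ Ok = $false; NameID = $null; Reason = 'NameID missing' }
    }
    $nameId = $node.InnerText.Trim()
    $suffix = ($nameId -split '@')[-1]
    if ($DirectoryDomains -notcontains $suffix) {
        # Suffix not known to the directory: expect the invalid SSO configuration error.
        return [pscustomobject]@{ Ok = $false; NameID = $nameId
            Reason = "domain '$suffix' is not a domain of the cloud directory" }
    }
    [pscustomobject]@{ Ok = $true; NameID = $nameId; Reason = 'NameID matches a RAM user UPN' }
}

# Constructed sample: what AD FS issues after the path 2 rule (suffix rewritten).
[xml]$good = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Subject><saml:NameID>junpu.chen@junpu.onaliyun.com</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>
"@
# Constructed sample: the AD UPN issued unchanged (internal domain, no rewrite).
[xml]$bad = $good.OuterXml -replace 'junpu.onaliyun.com', 'testdomain.com'

Test-AliyunSamlNameId -Response $good -DirectoryDomains 'junpu.onaliyun.com'   # Ok = True
Test-AliyunSamlNameId -Response $bad  -DirectoryDomains 'junpu.onaliyun.com'   # Ok = False, domain mismatch
```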