CloudSSO: Log on to the CloudSSO user portal and access Alibaba Cloud resources

Last Updated: Mar 14, 2024

After you log on to the CloudSSO user portal, you can view the accounts that you can access in your resource directory and access the resources of the accounts as a Resource Access Management (RAM) role or RAM user.

Step 1: Obtain the URL of the CloudSSO user portal

  1. Log on to the CloudSSO console as a CloudSSO administrator.

  2. In the left-side navigation pane, click Overview.

  3. In the User Logon URL section on the right side of the Overview page, view or copy the logon URL.

    Note

    If you enable the accelerated URL feature, CloudSSO users can use the accelerated URL when they log on to the CloudSSO user portal. For more information, see Accelerate access from outside the Chinese mainland.

Step 2: Log on to the CloudSSO user portal

  1. Enter the URL that is obtained from Step 1 in your browser.

  2. Log on to the CloudSSO user portal based on a specified logon method.

    • Single sign-on (SSO)

      1. Click Redirect to go to the logon page of the enterprise identity provider (IdP).

      2. Use the username and password of the enterprise IdP to log on to the CloudSSO user portal.

    • Username-password logon

      1. Enter the username and password of the CloudSSO user and click Log On.

      2. Optional. If multi-factor authentication (MFA) is enabled, complete MFA verification.

        • If this is the first time you log on to the CloudSSO user portal, you must bind an MFA device. For more information, see Bind the first MFA device.

        • If an MFA device is bound, enter the verification code that is obtained from the mobile device and click Verify.

Note

The logon session of a CloudSSO user starts when the user logs on to the CloudSSO user portal and is valid for 8 hours. If the logon session expires, the CloudSSO user must log on again.

Step 3: Access the resources of an account in your resource directory

RAM role-based logon

If the resources of a cloud service can be accessed as a RAM role and a CloudSSO user is assigned the access permissions on an account in your resource directory by using an access configuration, the CloudSSO user can access the resources of the account as a RAM role. This method is suitable for most cloud services.

  1. On the Log on as RAM Role tab, click the required account in your resource directory and click Show Details in the Permissions column.

    You can select one of the accounts from the account list and access resources of the account based on your business requirements.

    Note

    If no data is available in the list, you have no access permissions on the accounts in your resource directory.

  2. In the access configuration list that appears, find the access configuration that you want to use to access resources and click Log On in the Actions column.

    You can select one of the access configurations from the list and access the resources of the account based on your business requirements.

    Note

    If no data is available in the list, you do not have permissions to access the resources of the account.

  3. Access the resources of the account as a RAM role.

    You can move the pointer over the profile picture in the upper-right corner of the console to view the current logon identity.

RAM user-based logon

If a cloud service cannot be accessed as a RAM role and you create a RAM user provisioning for an account in your resource directory by using CloudSSO, you can access the resources of the account as a RAM user.

  1. On the Log on as RAM User tab, find the required account in your resource directory and click Log On in the Actions column.

    You can select one of the accounts from the account list and access resources of the account based on your business requirements.

    Note

    If no data is available in the list, you have no access permissions on the accounts in your resource directory.

  2. Access the resources of the account as a RAM user.

    You can move the pointer over the profile picture in the upper-right corner of the console to view the current logon identity.