Configure SSO from IDaaS to CloudSSO

Updated at: 2025-03-13 02:55

This topic describes how to configure single sign-on (SSO) from Identity as a Service (IDaaS) to CloudSSO.

To simplify configuration, IDaaS provides the Alibaba Cloud CloudSSO application template. You only need to add an Alibaba Cloud CloudSSO application in IDaaS and upload the SAML metadata file provided by IDaaS to CloudSSO.

Overview

CloudSSO is integrated with Alibaba Cloud Resource Directory to provide unified multi-account identity management and access control. You can use CloudSSO to centrally manage users of an enterprise who need to access Alibaba Cloud resources and assign access permissions on the accounts in a resource directory to the users. You can also configure settings to implement SSO access to Alibaba Cloud resources from an identity provider (IdP). You need to configure the settings only once.

Procedure

Step 1: Add an application in IDaaS

  1. Log on to the IDaaS console.

  2. On the EIAM page, find the required IDaaS instance and click Manage in the Actions column.

  3. In the left-side navigation pane, click Applications. On the Applications page, click Add Application to go to the Marketplace tab. Then, search for Alibaba Cloud CloudSSO. Click Add Application.

  4. Confirm the application name and click Add. The application is added.

Step 2: Configure SSO for the application

  1. After you add the application, you are automatically redirected to the SSO tab. Configure the following parameters.

     For testing purposes, we recommend that you set the Authorize parameter to All Users. Before the application is used in production, narrow Authorize to only the IDaaS accounts that need access to CloudSSO.

  • CloudSSO ACS URL: Enter the value of the ACS URL parameter on the Settings page in the CloudSSO console. For more information, see Step 3: Configure user-based SSO in CloudSSO.

  • CloudSSO Entity ID: Enter the value of the Entity ID parameter on the Settings page in the CloudSSO console. For more information, see Step 3: Configure user-based SSO in CloudSSO.

Note
  • Application Username: By default, the Application Username parameter is set to IDaaS Username. For SSO to succeed, CloudSSO must contain a user whose username is the same as the username that IDaaS sends, which by default is the IDaaS username. For more information about how to configure this parameter, see Configure Application User for SAML.

  • Authorize: the IDaaS accounts that can access the application. For more information about how to configure specific accounts, see Authorization.

  2. In the Application Settings section, download the Security Assertion Markup Language (SAML) metadata file to your computer. In the next step, you upload this file to CloudSSO to complete the SSO configuration.

Step 3: Configure user-based SSO in CloudSSO

  1. Log on to the CloudSSO console.

  2. In the left-side navigation pane, click Settings.

  3. In the SSO Logon section of the Settings page, click Configure IdP.

  4. Upload the metadata file that you obtained in Step 2. The IdP information is automatically configured. Turn on the switch in the upper-right corner to enable SSO logon.

  5. Copy the values of ACS URL and Entity ID in the SP Information section. Go to the IDaaS console and paste them into the CloudSSO ACS URL and CloudSSO Entity ID parameters on the SSO tab.

  6. Click Save. The SSO configuration is complete in IDaaS.

Step 4: Test SSO

  1. Visit the logon URL displayed in the CloudSSO console.

  2. You are redirected to the IDaaS logon page because the IDaaS IdP is enabled. You can use the multiple authentication methods and identity security capabilities provided by IDaaS for logon.

  3. After successful logon, you can access the accounts on which you have access permissions.