GetApplicationSsoConfig - Identity as a Service - Alibaba Cloud Documentation Center

Queries the single sign-on (SSO) configuration attributes of an application in Identity as a Service (IDaaS) Employee IAM (EIAM).

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
eiam:GetApplicationSsoConfig	get	*Application `acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}`	none	none

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the instance.	idaas_ue2jvisn35ea5lmthk267xxxxx
ApplicationId	string	Yes	The ID of the application.	app_mkv7rgt4d7i4u7zqtzev2mxxxx

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The ID of the request.	0441BD79-92F3-53AA-8657-F8CE4A2B912A
ApplicationSsoConfig	object	The single sign-on (SSO) configuration information of the application.
SamlSsoConfig	object	The Security Assertion Markup Language (SAML)-based SSO configuration attributes of the application. This parameter is returned only if the SSO protocol of the application is SAML 2.0.
SpSsoAcsUrl	string	The Assertion Consumer Service (ACS) URL of the application in SAML. The application assumes the role of service provider.	https://signin.aliyun.com/saml-role/sso
SpEntityId	string	The entity ID of the application in SAML. The application assumes the role of service provider.	urn:alibaba:cloudcomputing
NameIdFormat	string	The Format attribute of the NameID element in the SAML assertion. Valid values: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: No format is specified. How to resolve the NameID element depends on the application. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: The NameID element must be an email address. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: The NameID element must be persistent. urn:oasis:names:tc:SAML:2.0:nameid-format:transient: The NameID element must be transient.	urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
NameIdValueExpression	string	The expression that is used to generate the value of NameID in the SAML assertion.	user.username
DefaultRelayState	string	The default value of the RelayState attribute. If the SSO request is initiated in EIAM, the RelayState attribute in the SAML response is set to this default value.	https://home.console.aliyun.com
SignatureAlgorithm	string	The algorithm that is used to calculate the signature for the SAML assertion.	RSA-SHA256
ResponseSigned	boolean	Whether the response needs to be signed. ResponseSigned and AssertionSigned cannot be false at the same time. true: signature is required. false: signature is not required.	true
AssertionSigned	boolean	Whether the Assertion needs a signature. ResponseSigned and AssertionSigned cannot be false at the same time. true: signature is required. false: signature is not required.	true
AttributeStatements	array<object>	The additional user attributes in the SAML assertion.
AttributeStatement	object
AttributeName	string	The attribute name.	https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName
AttributeValueExpression	string	The expression that is used to generate the value of the attribute.	user.username
IdPEntityId	string	The custom issuer ID.	https://example.com/
OptionalRelayStates	array<object>	Optional RelayState. The user will see the display names of multiple optional redirect addresses in the application card of the application portal. After the user clicks and completes SSO, they will automatically jump to the corresponding address. This field can only be filled in after the default redirect address is filled in.
OptionalRelayStates	object
RelayState	string	RelayState.The user will see the display names of multiple optional redirect addresses in the application card of the application portal. After the user clicks and completes SSO, they will automatically jump to the corresponding address. This field can only be filled in after the default redirect address is filled in.	https://home.console.aliyun.com
DisplayName	string	The display name of the RelayState	Ram Account SSO
OidcSsoConfig	object	The Open ID Connect (OIDC)-based SSO configuration attributes of the application. This parameter is returned only when the SSO protocol of the application is an OIDC protocol.
RedirectUris	array	The list of redirect URIs that are supported by the application.
RedirectUri	string	A supported redirect URI.	https://example.com/oidc/login/callback
PostLogoutRedirectUris	array	The list of logout redirect URIs that are supported by the application.
PostLogoutRedirectUri	string	A supported logout redirect URI. When you initiate a logout request, you can set the post_logout_redirect_uri parameter to one of the supported logout redirect URIs.	https://example.com/oidc/login/logout
GrantTypes	array	The list of grant types that are supported for OIDC protocols.
GrantTyp	string	A supported grant type. Valid values: authorization_code: authorization code mode. implicit: implicit mode. refresh_token: token refresh mode. urn:ietf:params:oauth:grant-type:device_code: device code mode. password: password mode.	refresh_token
ResponseTypes	array	The response types that are supported by the application. This parameter is returned when the value of the GrantTypes parameter includes the implicit mode.
ResponseTyp	string	A supported response type. Valid values: token: Only the access token is returned. id_token: Only the ID token is returned. token id_token: Both the access token and the ID token are returned.	token id_token
GrantScopes	array	The scopes of user attributes that can be returned for the UserInfo endpoint or ID token.
GrantScop	string	A scope of user attributes that can be returned for the UserInfo endpoint or ID token. Valid values: openid: the unique ID of the user. profile: the details of the user. email: the email address of the user. phone: the mobile number of the user.	openid
PasswordTotpMfaRequired	boolean	Indicates whether time-based one-time password (TOTP) authentication is required in password mode. This parameter is returned only when the value of the GrantTypes parameter includes the password mode.	true
PasswordAuthenticationSourceId	string	The ID of the identity authentication source in password mode. This parameter is returned only when the value of the GrantTypes parameter includes the password mode.	ia_password
PkceRequired	boolean	Indicates whether the SSO of the application requires Proof Key for Code Exchange (PKCE) (RFC 7636).	true
PkceChallengeMethods	array	The algorithms that are used to calculate the code challenge for PKCE.
PkceChallengeMethod	string	An algorithm that is used to calculate the code challenge for PKCE. Valid values: plain: plaintext. S256: SHA-256 algorithm.	S256
AccessTokenEffectiveTime	long	The validity period of the issued access token. Unit: seconds. Default value: 1200.	1200
CodeEffectiveTime	long	The validity period of the issued code. Unit: seconds. Default value: 60.	60
IdTokenEffectiveTime	long	The validity period of the issued ID token. Unit: seconds. Default value: 300.	1200
RefreshTokenEffective	long	The validity period of the issued refresh token. Unit: seconds. Default value: 86400.	86400
CustomClaims	array<object>	The custom claims that are returned for the ID token.
CustomClaim	object
ClaimName	string	The claim name.	userOuIds
ClaimValueExpression	string	The expression that is used to generate the value of the claim.	ObjectToJsonString(user.organizationalUnits)
SubjectIdExpression	string	The custom expression that is used to generate the subject ID returned for the ID token.	user.userid
ProtocolEndpointDomain	object	The configuration of the metadata endpoint provided by the application.
SamlSsoEndpoint	string	The request receiving URL of the SAML protocol. This parameter is returned only when the SSO protocol of the application is SAML 2.0.	https://l1seshcn.aliyunidaas.com/login/app/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/sso
SamlMetaEndpoint	string	The metadata URL of the SAML protocol. This parameter is returned only when the SSO protocol of the application is SAML 2.0.	https://l1seshcn.aliyunidaas.com/api/v2/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/meta
OidcIssuer	string	The information about the OIDC issuer. This parameter is returned only when the SSO protocol of the application is an OIDC protocol.	https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc
OidcJwksEndpoint	string	The JSON Web Key Set (JWKS) URL of the OIDC issuer. This parameter is returned only when the SSO protocol of the application is an OIDC protocol.	https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc/jwks
Oauth2AuthorizationEndpoint	string	The OAuth2.0 authorization endpoint. This parameter is returned only when the SSO protocol of the application is an OIDC protocol.	https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/authorize
Oauth2RevokeEndpoint	string	The OAuth2.0 token revocation endpoint. This parameter is returned only when the SSO protocol of the application is an OIDC protocol.	https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/revoke
Oauth2TokenEndpoint	string	The OAuth2.0 token endpoint. This parameter is returned only when the SSO protocol of the application is an OIDC protocol.	https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/token
Oauth2DeviceAuthorizationEndpoint	string	The OAuth2.0 device authorization endpoint. This parameter is returned only when the SSO protocol of the application is an OIDC protocol.	https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/device/code
Oauth2UserinfoEndpoint	string	The OIDC UserInfo endpoint. This parameter is returned only when the SSO protocol of the application is an OIDC protocol.	https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/userinfo
OidcLogoutEndpoint	string	The OIDC relying party (RP)-initiated logout endpoint. This parameter is returned only when the SSO protocol of the application is an OIDC protocol.	https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/logout
SsoStatus	string	The SSO feature status of the application. Valid values: enabled: The feature is enabled. disabled: The feature is disabled.	enabled
InitLoginType	string	The initial SSO method. Valid values: only_app_init_sso: Only application-initiated SSO is allowed. This method is selected by default when the SSO protocol of the application is an OIDC protocol. If this method is selected when the SSO protocol of the application is SAML, the InitLoginUrl parameter is required. idaas_or_app_init_sso: IDaaS-initiated SSO and application-initiated SSO are allowed. This method is selected by default when the SSO protocol of the application is SAML. If this method is selected when the SSO protocol of the application is an OIDC protocol, the InitLoginUrl parameter is required.	only_app_init_sso
InitLoginUrl	string	The initial webhook URL of SSO. This parameter is required when the SSO protocol of the application is an OIDC protocol and the InitLoginType parameters is set to idaas_or_app_init_sso or when the SSO protocol of the application is SAML and the InitLoginType parameter is set to only_app_init_sso.	http://127.0.0.1:8000/start_login?enterprise_code=ABCDEF

Examples

Sample success responses

JSONformat

{
  "RequestId": "0441BD79-92F3-53AA-8657-F8CE4A2B912A",
  "ApplicationSsoConfig": {
    "SamlSsoConfig": {
      "SpSsoAcsUrl": "https://signin.aliyun.com/saml-role/sso",
      "SpEntityId": "urn:alibaba:cloudcomputing",
      "NameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
      "NameIdValueExpression": "user.username",
      "DefaultRelayState": "https://home.console.aliyun.com",
      "SignatureAlgorithm": "RSA-SHA256",
      "ResponseSigned": true,
      "AssertionSigned": true,
      "AttributeStatements": [
        {
          "AttributeName": "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName",
          "AttributeValueExpression": "user.username"
        }
      ],
      "IdPEntityId": "https://example.com/",
      "OptionalRelayStates": [
        {
          "RelayState": "https://home.console.aliyun.com",
          "DisplayName": "Ram Account SSO"
        }
      ]
    },
    "OidcSsoConfig": {
      "RedirectUris": [
        "https://example.com/oidc/login/callback\n"
      ],
      "PostLogoutRedirectUris": [
        "https://example.com/oidc/login/logout\n"
      ],
      "GrantTypes": [
        "refresh_token"
      ],
      "ResponseTypes": [
        "token id_token"
      ],
      "GrantScopes": [
        "openid"
      ],
      "PasswordTotpMfaRequired": true,
      "PasswordAuthenticationSourceId": "ia_password",
      "PkceRequired": true,
      "PkceChallengeMethods": [
        "S256"
      ],
      "AccessTokenEffectiveTime": 1200,
      "CodeEffectiveTime": 60,
      "IdTokenEffectiveTime": 1200,
      "RefreshTokenEffective": 86400,
      "CustomClaims": [
        {
          "ClaimName": "userOuIds",
          "ClaimValueExpression": "ObjectToJsonString(user.organizationalUnits)"
        }
      ],
      "SubjectIdExpression": "user.userid"
    },
    "ProtocolEndpointDomain": {
      "SamlSsoEndpoint": "https://l1seshcn.aliyunidaas.com/login/app/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/sso",
      "SamlMetaEndpoint": "https://l1seshcn.aliyunidaas.com/api/v2/app_mltuxdwd4lq4eer6tmtlmaxm5e/saml2/meta",
      "OidcIssuer": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc",
      "OidcJwksEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oidc/jwks",
      "Oauth2AuthorizationEndpoint": "https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/authorize",
      "Oauth2RevokeEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/revoke",
      "Oauth2TokenEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/token",
      "Oauth2DeviceAuthorizationEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/device/code",
      "Oauth2UserinfoEndpoint": "https://eiam-api-cn-hangzhou.aliyuncs.com/v2/idaas_ue2jvisn35ea5lmthk2676rypm/app_mltta64q65enci54slingvvsgq/oauth2/userinfo",
      "OidcLogoutEndpoint": "https://l1seshcn.aliyunidaas.com/login/app/app_mltta64q65enci54slingvvsgq/oauth2/logout"
    },
    "SsoStatus": "enabled",
    "InitLoginType": "only_app_init_sso",
    "InitLoginUrl": "http://127.0.0.1:8000/start_login?enterprise_code=ABCDEF"
  }
}

Error codes

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-09-18	The response structure of the API has changed	View Change Details
2023-06-30	The response structure of the API has changed	View Change Details
2023-01-04	The response structure of the API has changed	View Change Details