SetApplicationSsoConfig - Identity as a Service - Alibaba Cloud Documentation Center

Specifies the single sign-on (SSO) configuration attributes of an application in Identity as a Service (IDaaS) Employee IAM (EIAM).

Operation description

In IDaaS EIAM, the application management feature supports multiple SSO protocols for applications, including SAML 2.0 and OIDC protocols. Each application supports only one protocol, and the protocol cannot be changed after the application is created. You can specify the SSO configuration attributes of an application based on the supported SSO protocol.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
eiam:SetApplicationSsoConfig	create	*Application `acs:eiam:{#regionId}:{#accountId}:instance/{#InstanceId}/application/{#ApplicationId}`	none	none

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The instance ID.	idaas_ue2jvisn35ea5lmthk267xxxxx
ApplicationId	string	Yes	The ID of the application.	app_mkv7rgt4d7i4u7zqtzev2mxxxx
SamlSsoConfig	object	No	The Security Assertion Markup Language (SAML)-based single sign-on (SSO) configuration attributes of the application.
SpSsoAcsUrl	string	No	The Assertion Consumer Service (ACS) URL of the application in SAML.	https://signin.aliyun.com/saml-role/sso
SpEntityId	string	No	The entity ID of the application in SAML.	urn:alibaba:cloudcomputing
NameIdFormat	string	No	The Format attribute of the NameID element in the SAML assertion. Valid values: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: No format is specified. How to resolve the NameID element depends on the application. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: The NameID element must be an email address. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: The NameID element must be persistent. urn:oasis:names:tc:SAML:2.0:nameid-format:transient: The NameID element must be transient.	urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
NameIdValueExpression	string	No	The expression that is used to generate the value of NameID in the SAML assertion.	user.email
DefaultRelayState	string	No	The default value of the RelayState attribute. If the SSO request is initiated in EIAM, the RelayState attribute in the SAML response is set to this default value.	https://home.console.aliyun.com
SignatureAlgorithm	string	No	The algorithm that is used to calculate the signature for the SAML assertion. Enumeration value: RSA-SHA256 : the Rivest-Shamir-Adleman (RSA)-Secure Hash Algorithm 256 (SHA-256) algorithm .	RSA-SHA256
ResponseSigned	boolean	No	Specifies whether to calculate the signature for the response. You cannot set ResponseSigned and AssertionSigned to false at the same time. true false	true
AssertionSigned	boolean	No	Specifies whether to calculate the signature for the assertion. You cannot set ResponseSigned and AssertionSigned to false at the same time. true false	true
AttributeStatements	array<object>	No	The additional user attributes in the SAML assertion.
	object	No
AttributeName	string	No	The attribute name.	https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName
AttributeValueExpression	string	No	The expression that is used to generate the value of the attribute.	user.username
OidcSsoConfig	object	No	The Open ID Connect (OIDC)-based SSO configuration attributes of the application.
RedirectUris	array	No	The list of redirect URIs that are supported by the application.
	string	No	A supported redirect URI.	https://example.com/oidc/login/callback
PostLogoutRedirectUris	array	No	The list of logout redirect URIs that are supported by the application.
	string	No	A supported logout redirect URI. When you initiate a logout request, you can set the post_logout_redirect_uri parameter to one of the supported logout redirect URIs.	https://example.com/oidc/logout/callback
GrantTypes	array	No	The list of grant types that are supported for OIDC protocols.
	string	No	A supported grant type. Valid values: authorization_code: authorization code mode. implicit: implicit mode. refresh_token: token refresh mode. urn:ietf:params:oauth:grant-type:device_code: device code mode. password: password mode.	authorization_code
ResponseTypes	array	No	The response types that are supported by the application. Specify this parameter when the value of the GrantTypes parameter includes the implicit mode.
	string	No	A supported response type. Valid values: token: return only the access token. id_token: return only the ID token. token id_token: return both the access token and the ID token.	token id_token
GrantScopes	array	No	The scopes of user attributes that can be returned for the UserInfo endpoint or ID token.
	string	No	A scope of user attributes that can be returned for the UserInfo endpoint or ID token. Valid values: openid: the unique ID of the user. profile: the details of the user. email: the email address of the user. phone: the mobile number of the user.	openid
PasswordTotpMfaRequired	boolean	No	Specifies whether time-based one-time password (TOTP) authentication is required in password mode. Specify this parameter only when the value of the GrantTypes parameter includes the password mode.	true
PasswordAuthenticationSourceId	string	No	The ID of the identity authentication source in password mode. Specify this parameter only when the value of the GrantTypes parameter includes the password mode.	ia_password
PkceRequired	boolean	No	Specifies whether the SSO of the application requires Proof Key for Code Exchange (PKCE) (RFC 7636).	true
PkceChallengeMethods	array	No	The algorithms that are used to calculate the code challenge for PKCE.
	string	No	An algorithm that is used to calculate the code challenge for PKCE. Valid values: plain: plaintext. S256: SHA-256 algorithm.	S256
AccessTokenEffectiveTime	long	No	The validity period of the issued access token. Unit: seconds. Default value: 1200.	1200
CodeEffectiveTime	long	No	The validity period of the issued code. Unit: seconds. Default value: 60.	60
IdTokenEffectiveTime	long	No	The validity period of the issued ID token. Unit: seconds. Default value: 300.	300
RefreshTokenEffective	long	No	The validity period of the issued refresh token. Unit: seconds. Default value: 86400.	86400
CustomClaims	array<object>	No	The custom claims that are returned for the ID token.
	object	No
ClaimName	string	No	The claim name.	"Role"
ClaimValueExpression	string	No	The expression that is used to generate the value of the claim.	user.dict.applicationRole
SubjectIdExpression	string	No	The custom expression that is used to generate the subject ID returned for the ID token.	user.userid
InitLoginType	string	No	The initial SSO method. Valid values: only_app_init_sso: Only application-initiated SSO is allowed. This method is selected by default when the SSO protocol of the application is an OIDC protocol. If this method is selected when the SSO protocol of the application is SAML, the InitLoginUrl parameter is required. idaas_or_app_init_sso: IDaaS-initiated SSO and application-initiated SSO are allowed. This method is selected by default when the SSO protocol of the application is SAML. If this method is selected when the SSO protocol of the application is an OIDC protocol, the InitLoginUrl parameter is required.	only_app_init_sso
InitLoginUrl	string	No	The initial webhook URL of SSO. This parameter is required when the SSO protocol of the application is an OIDC protocol and the InitLoginType parameters is set to idaas_or_app_init_sso or when the SSO protocol of the application is SAML and the InitLoginType parameter is set to only_app_init_sso.	http://127.0.0.1:8000/start_login?enterprise_code=ABCDEF

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The request ID.	0441BD79-92F3-53AA-8657-F8CE4A2B912A

Examples

Sample success responses

JSONformat

{
  "RequestId": "0441BD79-92F3-53AA-8657-F8CE4A2B912A"
}

Error codes

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-09-18	The internal configuration of the API is changed, but the call is not affected	View Change Details
2023-06-30	The response structure of the API has changed	View Change Details
2023-01-04	The internal configuration of the API is changed, but the call is not affected	View Change Details