In Identity as a Service (IDaaS), applications provide the systems and services that support your business processes. You can implement single sign-on (SSO) for applications and synchronize accounts between IDaaS applications.
The example in this topic shows how to configure the User-based SSO for Alibaba Cloud application so that you can log on to the Alibaba Cloud Management Console by using an IDaaS account.
Add an application
Log on to the IDaaS console. On the EIAM page, click the required instance. In the left-side navigation pane, click Applications. On the Applications page, click Add Application to go to the Marketplace tab.
IDaaS provides multiple templates for common enterprise applications. The templates are preconfigured and optimized, so you can use them to add applications with ease.
You can connect other applications and self-developed applications by using the templates on the Standard Protocols tab and Custom Applications tab.
User-based SSO for Alibaba Cloud is the first application in the marketplace. Click Add Application, specify the application name, and then click Add. The configuration page appears.
Configure SSO
During SSO, IDaaS and the application exchange authentication information. Therefore, you must configure SSO on both sides: in IDaaS and in the application.
The User-based SSO for Alibaba Cloud application uses the Security Assertion Markup Language (SAML) 2.0 protocol. SAML 2.0 has more than 10 commonly used parameters and is complicated to configure by hand. IDaaS simplifies this with a template-based configuration method.
Configure SSO in IDaaS
After you add the application, the SSO configuration page appears with the parameters already specified.
The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Alibaba Cloud Account ID | The Alibaba Cloud account for which you want to implement SSO. |
| Application Username | The account that is used for SSO. Default value: IDaaS Username. For more information, see Configure an account for a SAML application. |
| Authorize | Specifies the accounts that can access the application. Default value: Manually. For more information, see Configure SSO. |
| RAM Default Domain Name | This parameter is required only if an auxiliary domain name is configured in Resource Access Management (RAM). |
In this example, we recommend that you click Save without modifying the parameters.
In the lower part of the page, click Download in the Application Settings section. The downloaded file contains all of the SSO configuration information. In the next step, you upload this file in RAM.
Configure SSO in RAM
In the previous step, IDaaS Username was selected for the Application Username parameter. Therefore, the username of the IDaaS account must be the same as the RAM username. If no RAM user has the same username as the IDaaS account, create a RAM user first. For more information about how to flexibly associate application accounts, see Configure application accounts.
Click RAM SSO configuration page. On the page that appears, click the User-based SSO tab, and then click Edit.
Select Enabled for the SSO Status parameter. Click Upload File and upload the file that you downloaded from IDaaS in the previous step.
Click OK. You can now use the IDaaS account to log on to the User-based SSO for Alibaba Cloud application.
The next step in this guide describes how to log on by using SSO. Go to the last step: 4. Log on by using SSO.