The single sign-on (SSO) process requires interaction between Identity as a Service (IDaaS) and the application, so you must configure SSO settings at both ends: IDaaS must know where to send its assertions, and the application must know how to recognize and verify what IDaaS sends.
In this topic, the Security Assertion Markup Language 2.0 (SAML 2.0) protocol is used as an example to describe how to configure SSO. In SAML terms, IDaaS acts as the identity provider (IdP) and the application acts as the service provider (SP).
For more information about the SSO protocols supported by IDaaS, see 2. Standard protocols.
Configuration in IDaaS
Upload an application configuration file
Some applications let you download their SAML metadata (an XML file that carries the application's ACS URL, entity ID and related SP settings) from their SSO configuration page. In this case, you can upload the downloaded file to IDaaS directly. Other applications publish the same metadata at a public URL from which IDaaS can pull it.
IDaaS reads all the information that is required to configure SSO from the metadata and pre-populates the related form. You only need to confirm and save the pre-populated values.
IDaaS parameters
Basic settings (required)

| Parameter | Description | Example |
| --- | --- | --- |
| ACS URL | The Assertion Consumer Service (ACS) URL of the application: the endpoint to which IDaaS sends its SAML response after IDaaS authenticates a user. | https://signin.example.com/1021*****4813/saml/SSO |
| SP Entity ID | The globally unique identifier of the application (the service provider) in IDaaS. In most cases, the identifier is a URI that you obtain from the application. If the application has no special requirements, you can set the value to the ACS URL. | https://signin.example.com/1021*****4813/saml/SSO |
| App User | The NameID parameter defined in the SAML protocol, that is, the user identifier that IDaaS sends to the application. For more information, see Configure Application User for SAML. | IDaaS User Username |
| Authorize | Which users are authorized to sign on to the application. For more information, see Configure SSO. | All Users |

Advanced settings (optional)

| Parameter | Description | Example |
| --- | --- | --- |
| Default RelayState | The address to which the application redirects the user after a successful identity provider-initiated (IdP-initiated) SSO. In a SAML response, the address is passed to the | |
| NameIDFormat | The format of the | 1.1 Unspecified |
| Binding | The request method. Only | |
| Sign Assertion | IDaaS signs every SAML assertion that it issues. You cannot modify this parameter. | - |
| Signing Algorithm | The asymmetric algorithm with which IDaaS signs SAML assertions. Only RSA-SHA256 is supported, so you do not need to modify this parameter. | RSA-SHA256 |
| Attribute Statements | A SAML response can carry additional information about a user, such as the email and name attributes. For more information, see Configuration of SAML Attribute Statements. | - |
| SSO Implemented By | Specifies whether SSO can be initiated only from the application, or from both the portal and the application. | Application Only |
| IDaaS Sign-In URL | You can set this parameter only if SSO Implemented By is set to IDaaS & Application. When a user opens the application from the portal, the user is redirected to this URL, and the application then automatically sends a SAML logon request to IDaaS (SP-initiated SSO). | - |
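The application, as the SAML service provider, has to enforce these values on every response it receives. The following Python is an added example, not IDaaS code and not any application's SP implementation: it checks a constructed IDaaS-style response against hypothetical configured values (Destination and Recipient against the ACS URL, Audience against the SP Entity ID, Issuer against the IdP Entity ID, the NameID Format, the validity window, InResponseTo for SP-initiated flows, and that the assertion carries an RSA-SHA256 ds:Signature, which is what the Sign Assertion and Signing Algorithm settings promise). It deliberately stops short of cryptographic signature verification, which needs an XML-DSig implementation with canonicalization (for example xmlsec); a real SP must perform that step before it trusts any other field.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Hypothetical values; in practice they are copied from the IDaaS SSO configuration page.
SP_CONFIG = {
    "acs_url": "https://sp.example.com/saml/SSO",
    "sp_entity_id": "https://sp.example.com/saml/SSO",   # same as the ACS URL, as the table allows
    "idp_entity_id": "https://tenant.aliyunidaas.com",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def _ts(value):
    # SAML timestamps are xs:dateTime in UTC with a Z suffix; None when the attribute is absent.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if value else None

def check_response(xml_text, cfg, expected_in_response_to=None, now=None):
    """Return the policy violations found in a SAML Response; an empty list means it passes.
    Structural and policy checks only: the signature is located, not cryptographically verified."""
    problems = []
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    # Destination must be exactly the ACS URL that IDaaS was configured with.
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination != ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("StatusCode is not Success")
    # In SP-initiated SSO the response must answer the AuthnRequest this SP actually sent.
    if expected_in_response_to and root.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo != AuthnRequest ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion, found %d" % len(assertions)]
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != cfg["idp_entity_id"]:
        problems.append("Assertion Issuer != IdP Entity ID")
    # Sign Assertion is always on in IDaaS, so an unsigned assertion must be rejected outright.
    sig = a.find("ds:Signature", NS)
    if sig is None:
        problems.append("Assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") != RSA_SHA256:
            problems.append("SignatureMethod is not RSA-SHA256")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != cfg["nameid_format"]:
        problems.append("NameID missing or Format != configured NameIDFormat")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        problems.append("SubjectConfirmationData Recipient != ACS URL")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions missing")
    else:
        not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if (not_before and now < not_before) or (not_on_or_after and now >= not_on_or_after):
            problems.append("assertion outside NotBefore/NotOnOrAfter window")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if cfg["sp_entity_id"] not in audiences:
            problems.append("Audience does not contain SP Entity ID")
    return problems

# Constructed response in the shape IDaaS would POST to the ACS URL; not a real capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req1"
  Destination="https://sp.example.com/saml/SSO">
 <saml:Issuer>https://tenant.aliyunidaas.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://tenant.aliyunidaas.com</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/SSO"
     InResponseTo="_req1" NotOnOrAfter="2024-01-01T00:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/SSO</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
FIXED_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)   # inside the sample's validity window

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SP_CONFIG, "_req1", now=FIXED_NOW))
```

Every check here maps to a row of the table above: an attacker who replays an assertion issued for another application fails the Audience check, one who replays it to a different endpoint fails Destination and Recipient, and an unsigned or SHA-1-signed assertion is rejected before any signature bytes are examined. Treat the list of checks as the minimum; the signature verification omitted here is what actually binds these fields to IDaaS.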
Configuration in applications
Upload an IDaaS configuration file
To simplify application configuration, IDaaS lets you download its IdP metadata (entity ID, sign-in URL and signing certificate) with a few clicks.
Some applications let you upload this metadata directly when you configure SSO: either upload the file that you downloaded from IDaaS or enter the metadata URL in the application. The application then reads the IDaaS parameters from the metadata, and you do not need to enter them manually.
Application parameters
You must enter IDaaS information in your application to complete the integration. IDaaS displays the information that an application may require on its SSO configuration page, so that you can copy the values. The following table describes the parameters.
| Parameter | Description | Example |
| --- | --- | --- |
| IDP Entity ID | The globally unique identifier of IDaaS as the identity provider. It is the Issuer value of the SAML responses that IDaaS sends. You may need to enter the identifier on the SSO configuration page of the application. | https://xxxxx.aliyunidaas.com |
| IdP Sign-in URL | The IDaaS endpoint to which the application sends its SAML authentication request in service provider-initiated (SP-initiated) SSO. You may need to enter the URL on the SSO configuration page of the application. | https://xxxxx.aliyunidaas.com.cn/saml/idp/saml1 |
| SLO URL | The IDaaS endpoint for single logout (SLO). If you want to use this feature, you must enter the URL on the SSO configuration page of the application. | - |
| Certificate | The X.509 certificate of IDaaS. It contains the public key that matches the private key with which IDaaS signs its SAML responses and assertions; the application uses it to verify the signature and thus to confirm that a response was issued by IDaaS and not modified in transit. If the certificate is ever replaced in IDaaS, the copy in the application must be replaced too, otherwise signature verification fails. | -----BEGIN CERTIFICATE----- MIIDEjCCAfqgAwIBAgIHAYnNmX60izANBgkqhkiG9w0BAQsFADApMRowGAYDVQQD..... |
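The two preceding sections (uploading the IDaaS metadata file and entering the application parameters) describe what an SP does with these values. The Python below is an added example, not IDaaS code and not any vendor's SP library: it parses a constructed metadata document of the shape IDaaS publishes (entityID, SingleSignOnService and SingleLogoutService endpoints, signing certificate; the tenant host and the certificate contents are placeholders), then builds an SP-initiated AuthnRequest whose Issuer is the SP Entity ID and whose AssertionConsumerServiceURL is the ACS URL, and encodes it for the IdP Sign-in URL with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding) together with a RelayState. The request ID it generates is the value the application must store and later compare with InResponseTo.

```python
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from xml.sax.saxutils import escape

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed metadata in the shape of the file IDaaS lets you download. The tenant host
# and the certificate contents are placeholders, not real IDaaS values.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://tenant.aliyunidaas.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant.aliyunidaas.com/saml/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.aliyunidaas.com/saml/idp/saml1"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant.aliyunidaas.com/saml/idp/saml1"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract what the application table lists: IdP Entity ID, sign-in URL, SLO URL, signing certs."""
    ns = {"md": MD, "ds": DS}
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", ns)

    def location(tag, binding):
        for svc in idp.findall(tag, ns):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", ns):
        if kd.get("use") in (None, "signing"):   # no "use" attribute means the key serves both purposes
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns):
                certs.append("".join(c.text.split()))   # drop the line wrapping of the base64 body
    return {"entity_id": root.get("entityID"),
            "sso_url": location("md:SingleSignOnService", HTTP_REDIRECT),
            "slo_url": location("md:SingleLogoutService", HTTP_REDIRECT),
            "signing_certs": certs}

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id, issue_instant):
    """Minimal SP-initiated AuthnRequest; every interpolated value is XML-escaped."""
    q = lambda s: escape(s, {'"': "&quot;"})
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'ID="%s" Version="2.0" IssueInstant="%s" Destination="%s" '
            'AssertionConsumerServiceURL="%s" ProtocolBinding="%s">'
            '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
            % (q(request_id), q(issue_instant), q(idp_sso_url), q(acs_url), HTTP_POST, escape(sp_entity_id)))

def redirect_url(idp_sso_url, authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "RelayState": relay_state}
    return idp_sso_url + "?" + urllib.parse.urlencode(params)

def decode_saml_request(url):
    """Inverse of redirect_url: what the IdP does with the query string on arrival."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    return raw.decode("utf-8"), query.get("RelayState", [None])[0]

def new_request_id():
    # SAML IDs are xs:ID values and must not start with a digit, hence the leading underscore.
    return "_" + uuid.uuid4().hex

if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    req_id = new_request_id()   # keep this in the user's session; match it against InResponseTo later
    xml = build_authn_request("https://sp.example.com/saml/SSO", "https://sp.example.com/saml/SSO",
                              idp["sso_url"], req_id, "2024-01-01T00:00:00Z")
    print(redirect_url(idp["sso_url"], xml, "/dashboard"))
```

The RelayState goes into the query string unsigned, so the application must validate it on return (for example, accept only relative paths on its own host) rather than redirecting blindly. The certificate extracted from the metadata is the one the Certificate row above describes; the application pins it for signature verification and refreshes it only from a trusted source.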