This topic describes how to configure Alibaba Cloud as a trusted Security Assertion Markup Language (SAML) service provider (SP) of your identity provider (IdP) for role-based single sign-on (SSO).
Procedure
Obtain the SAML SP metadata URL of Alibaba Cloud in the Resource Access Management (RAM) console.
The SAML SP metadata URL is
https://signin.alibabacloud.com/saml-role/sp-metadata.xml.Create a SAML SP in your IdP and configure Alibaba Cloud as the trusted party by using one of the following methods:
Use the SAML SP metadata URL of Alibaba Cloud that you copied in the Step 1.
If your IdP does not support the URL-based configuration of the trusted party, download the metadata file from the URL that you copied in Step 1 and upload the metadata file.
If your IdP does not allow you to upload the metadata file, configure the following parameters:
Entity ID:urn:alibaba:cloudcomputing:internationalACS URL:https://signin.alibabacloud.com/saml-role/ssoRelayState: This parameter is optional. If your IdP requires theRelayStateparameter, set the value of the parameter to a URL. Users will be redirected to the URL after SSO succeeds. If you do not configure this parameter, users are redirected to the homepage of the Alibaba Cloud Management Console after SSO succeeds.NoteFor security purposes, you must enter a URL that points to an Alibaba website for the
RelayStateparameter. For example, the domain name in the URL can be *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com.
What to do next
After you configure Alibaba Cloud as a trusted SAML SP, you must configure SAML assertions for your IdP. For more information, see SAML response for role-based SSO.