This topic provides an example of how to implement role-based single sign-on (SSO) from Azure Active Directory (Azure AD) to Alibaba Cloud. The example describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud.
Background information
Before you get started, you must create an Alibaba Cloud account (Account 1) and an Azure AD tenant. An administrator and an organization user (u2) are added to the Azure AD tenant, and the administrator is assigned global administrative rights. You want to configure the required settings so that the user u2 can access the resources of Account 1 by using role-based SSO.
You must log on to the Azure portal as the administrator who has global administrative rights and perform the following steps in this example. For more information about how to create users and grant permissions to users in Azure AD, see the Azure AD documentation.
Step 1: Create an application in Azure AD
Log on to the Azure portal as the administrator.
In the upper-left corner of the homepage, click the icon.
In the left-side navigation pane, choose .
On the page that appears, click New application.
Enter Alibaba Cloud Service (Role-based SSO) in the search box and click Alibaba Cloud Service (Role-based SSO) in the search results.
In the panel that appears, enter a name for the application and click Create.
For this example, use the default application name Alibaba Cloud Service (Role-based SSO). You can also enter a custom name for the application.
In the left-side navigation pane of the Alibaba Cloud Service (Role-based SSO) page, click Properties. Then, copy and save the value of Object ID for subsequent use.
Step 2: Configure SSO in Azure AD
In the left-side navigation pane of the Alibaba Cloud Service (Role-based SSO) page, click Single sign-on.
In the Select a single sign-on method section, click SAML.
In the Set up Single Sign-On with SAML section, configure SSO information.
In the upper-left corner, click Upload metadata file, select your metadata file, and then click Add.
Note: You can obtain the metadata file from the following URL: https://signin.alibabacloud.com/saml-role/sp-metadata.xml
In the Basic SAML Configuration panel, configure the following parameters and click Save.
Identifier (Entity ID): Set this parameter to the value of entityID that is read from the preceding metadata file.
Reply URL (Assertion Consumer Service URL): Set this parameter to the value of Location that is read from the preceding metadata file.
Relay State: Set this parameter to the URL of the page that is displayed after a user logs on to the Alibaba Cloud Management Console by using role-based SSO.
Note: For security purposes, you must enter a URL that points to an Alibaba website for Relay State. For example, the domain name in the URL can be *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If you enter a URL that does not point to an Alibaba website, the configuration is invalid. If you leave this parameter empty, you are redirected to the homepage of the Alibaba Cloud Management Console by default.
In the Attributes & Claims section, click the icon.
Click Add new claim, configure the following parameters, and then click Save.
Name: Enter Role.
Namespace: Enter https://www.aliyun.com/SAML-Role/Attributes.
Source: Select Attribute.
Source attribute: Select user.assignedroles from the drop-down list.
Repeat the previous step to add another claim.
Name: Enter RoleSessionName.
Namespace: Enter https://www.aliyun.com/SAML-Role/Attributes.
Source: Select Attribute.
Source attribute: Select user.userprincipalname from the drop-down list.
In the SAML Certificates section, click Download on the right of Federation Metadata XML to download the IdP metadata file.
Step 3: Create an IdP in Alibaba Cloud
Log on to the RAM console by using Account 1.
In the left-side navigation pane, choose .
On the Role-based SSO tab, click the SAML subtab and click Add IdP.
On the Create IdP page, set IdP Name to AAD and configure Remarks.
In the Metadata File section, click Upload File.
Note: You must upload the federation metadata XML file that is downloaded in Step 2: Configure SSO in Azure AD.
Click OK.
Click Close.
Step 4: Create a RAM role in Alibaba Cloud
In the left-side navigation pane of the RAM console, choose .
On the Roles page, click Create Role.
In the Create Role panel, select IdP for Select Trusted Entity and click Next.
Set RAM Role Name to AADrole and configure Note.
Select SAML for the IdP Type parameter.
Select AAD from the Select IdP drop-down list and click OK.
Note: You can grant permissions to the RAM role based on your business requirements. For more information, see Grant permissions to a RAM role.
After you create the IdP and the RAM role, save the Alibaba Cloud Resource Names (ARNs) of the IdP and the RAM role for subsequent use. For more information about how to obtain the ARN of a RAM role, see View the information about a RAM role.
Click Close.
Step 5: Associate the RAM role with the Azure AD user
Create a role in Azure AD.
Log on to the Azure portal as the administrator.
In the left-side navigation pane, choose .
Click the All applications tab, and then click Alibaba Cloud Service (Role-based SSO).
In the left-side navigation pane, click App roles.
On the page that appears, click Create app role.
In the Create app role panel, configure the following parameters and click Apply.
Display name: For this example, enter Admin.
Allowed member types: For this example, select Both (Users/Groups + Applications).
Value: Enter the ARN of the RAM role and the ARN of the IdP, separated by a comma (,). For this example, enter the following value:
acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD
Description: Enter a description.
Select Do you want to enable this app role?
Note: If you want to create multiple roles in Azure AD, repeat the preceding steps.
Assign roles to the user u2.
In the left-side navigation pane, choose .
In the Name column, click Alibaba Cloud Service (Role-based SSO).
In the left-side navigation pane, click Users and groups.
On the page that appears, click Add user/group.
On the page that appears, click Users. In the Users panel, select u2 and click Select.
Click Assign.
View the roles that are assigned to the user u2.
Note: After you select u2, the created role is assigned to the user u2. If multiple roles are created, you must assign the roles to the Azure AD user based on your business requirements.
Verify the configuration results
Obtain the user access URL.
Log on to the Azure portal as the administrator.
In the left-side navigation pane, choose .
In the Name column, click Alibaba Cloud Service (Role-based SSO).
In the left-side navigation pane of the page that appears, click Properties and obtain the value of User access URL.
After you obtain the user access URL from the administrator, enter the URL in a browser and log on with the username and password of the user.
After the logon succeeds, you are redirected to the page that is specified by the Relay State parameter. If Relay State is invalid or not specified, you are redirected to the homepage of the Alibaba Cloud Management Console.
(Optional) Configure the role-based SSO between Azure AD and multiple Alibaba Cloud accounts
For example, you have two Alibaba Cloud accounts: Account 1 and Account 2. If you want the user u2 to access the resources of both Account 1 and Account 2 by using role-based SSO after the user u2 logs on to Azure AD, perform the following operations:
Create an application named Alibaba Cloud Service (Role-based SSO) in Azure AD.
For more information, see Step 1: Create an application in Azure AD.
Configure SSO in Azure AD.
For more information, see Step 2: Configure SSO in Azure AD.
Create IdPs in Alibaba Cloud.
You must create the AAD IdP for both Account 1 and Account 2.
For more information, see Step 3: Create an IdP in Alibaba Cloud.
Create RAM roles in Alibaba Cloud.
You must create RAM roles for both Account 1 and Account 2. For this example, create two RAM roles for Account 1 and one RAM role for Account 2.
Create the adminaad and readaad RAM roles for Account 1. Create the financeaad RAM role for Account 2.
For more information, see Step 4: Create a RAM role in Alibaba Cloud.
Associate the RAM roles with the user u2.
Create three roles in Azure AD and assign the roles to the user u2. Use the following values for the roles:
acs:ram::<Account1_ID>:role/adminaad,acs:ram::<Account1_ID>:saml-provider/AAD
acs:ram::<Account1_ID>:role/readaad,acs:ram::<Account1_ID>:saml-provider/AAD
acs:ram::<Account2_ID>:role/financeaad,acs:ram::<Account2_ID>:saml-provider/AAD
For more information, see Step 5: Associate the RAM role with the Azure AD user.
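The app role values above and in Step 5 follow a fixed shape (a RAM role ARN and a saml-provider ARN from the same account, separated by a comma), and Step 2 restricts Relay State to a short list of Alibaba domains. The following added example, which is not part of this topic or of any Alibaba Cloud or Azure tooling, checks both before the values are typed into the Azure portal; the account IDs in it are constructed placeholders, and treating the bare domain (for example aliyun.com) as matching *.aliyun.com is an assumption.

```python
import re
from urllib.parse import urlparse

# Domains the topic lists as acceptable for Relay State; the hostname must be the
# domain itself (an assumption) or a subdomain of it.
ALLOWED_RELAY_DOMAINS = ("aliyun.com", "hichina.com", "yunos.com", "taobao.com",
                         "tmall.com", "alibabacloud.com", "alipay.com")

# ARN shapes from the topic: a 16-digit account ID followed by role/<name> or saml-provider/<name>.
ROLE_ARN = re.compile(r"^acs:ram::(\d{16}):role/([A-Za-z0-9._-]+)$")
IDP_ARN = re.compile(r"^acs:ram::(\d{16}):saml-provider/([A-Za-z0-9._-]+)$")


def parse_role_claim(value):
    """Validate one app role value ("<role ARN>,<IdP ARN>"); raise ValueError if malformed."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("expected exactly two comma-separated ARNs: %r" % value)
    role_m, idp_m = ROLE_ARN.match(parts[0]), IDP_ARN.match(parts[1])
    if not role_m:
        raise ValueError("first ARN is not a RAM role ARN: %r" % parts[0])
    if not idp_m:
        raise ValueError("second ARN is not a saml-provider ARN: %r" % parts[1])
    if role_m.group(1) != idp_m.group(1):
        # The role trusts an IdP created in its own account, so both IDs must agree.
        raise ValueError("role ARN and IdP ARN belong to different accounts")
    return {"account": role_m.group(1), "role": role_m.group(2), "idp": idp_m.group(2)}


def roles_by_account(values):
    """Group validated role claim values by account: which roles u2 may pick in which account."""
    grouped = {}
    for parsed in map(parse_role_claim, values):
        grouped.setdefault(parsed["account"], []).append(parsed["role"])
    return grouped


def relay_state_allowed(url):
    """True if Relay State is empty (console homepage) or points to an allowed Alibaba domain."""
    if not url:
        return True
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_RELAY_DOMAINS)


# Constructed sample values; the 16-digit account IDs are placeholders, not real accounts.
SAMPLE_ROLE_VALUES = [
    "acs:ram::1111111111111111:role/adminaad,acs:ram::1111111111111111:saml-provider/AAD",
    "acs:ram::1111111111111111:role/readaad,acs:ram::1111111111111111:saml-provider/AAD",
    "acs:ram::2222222222222222:role/financeaad,acs:ram::2222222222222222:saml-provider/AAD",
]
```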
Use the user u2 to access Alibaba Cloud by using role-based SSO.
You can log on to the Azure portal as the user u2 and click Alibaba Cloud Service (Role-based SSO) on the My apps page. Then, in the Alibaba Cloud Management Console, select the Alibaba Cloud account whose resources you want to access and the role to assume, as prompted.