This topic provides an example on how to implement user-based single sign-on (SSO) between Google Workspace and Alibaba Cloud. The example describes the end-to-end SSO process between a cloud identity provider (IdP) and Alibaba Cloud.
Step 1: Download the Security Assertion Markup Language (SAML) SP metadata file of Alibaba Cloud
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the SSO page, click the User-based SSO tab.
- In the Setup SSO section, copy the value of SAML Service Provider Metadata URL.
- Open a new tab in your browser and paste the URL in the address bar. On the page that appears, right-click the page and select Save As to download the SAML service provider (SP) metadata file in the XML format to your computer.
Note The XML file contains the information that is required to configure Alibaba Cloud as a SAML SP. Record the value of
entityID
in theEntityDescriptor
element and the value ofLocation
in theAssertionConsumerService
element for subsequent use.
Step 2: Create an application that supports SAML-based SSO in Google Workspace
- Log on to the Google Workspace Admin Console by using a super administrator.
- In the left-side navigation pane, choose .
- Choose Add app > Add custom SAML app.
- In the Add custom SAML app wizard, create an application that supports SAML-based SSO.
- On the page that appears, click User access.
- Optional:On the page that appears, select an organizational unit based on which you want to log on by using SSO from the Organizational Units drop-down list. By default, all organizational units are selected.
- In the Service status section, select ON for everyone.
Note If you select an organizational unit in Step 6, you must select ON for everyone.
- Click SAVE.
Step 3: Enable user-based SSO in the Alibaba Cloud Management Console
- In the left-side navigation pane of the RAM console, choose .
- On the SSO page, click the User-based SSO tab.
- Click Edit to the right of Setup SSO.
- In the SSO Status section of the SSO Settings panel, click Enabled.
Note User-based SSO takes effect on all RAM users in your Alibaba Cloud account. If you enable this feature, all RAM users in your Alibaba Cloud account must log on to the Alibaba Cloud Management Console by using SSO. If you use a RAM user, set the SSO Status parameter to Disabled in this step. Before you enable user-based SSO, you must complete the SSO settings for the RAM user. Otherwise, you cannot log on as the RAM user. To avoid this issue, you can also use your Alibaba Cloud account to configure user-based SSO.
- In the Metadata File section, click Upload to upload the IdP metadata file that you obtained in Step 2: Create an application that supports SAML-based SSO in Google Workspace.
- In the Auxiliary Domain Name section, click Enabled. In the field that appears, enter the domain name of the email address that you use as the Google Workspace username.
Note If the usernames that belong to your Google Workspace account are suffixed with different domain names, only the users whose usernames are suffixed with the specified domain name can log on to the Alibaba Cloud Management Console.
- Click OK.
Step 4: Create a user in Google Workspace
- In the left-side navigation pane of the Google Workspace Admin Console, choose .
- Click Add new user.
- On the User Information page, configure the First name, Last name, Primary email, and the Organizational unit parameters. For example, you can specify u2@example.com for the Primary email parameter. Then, click ADD NEW USER.
Note If you select an organizational unit in Step 2: Create an application that supports SAML-based SSO in Google Workspace, you must specify the same organizational unit for the Organizational unit parameter.
Step 5: Create a RAM user in the Alibaba Cloud Management Console
- In the left-side navigation pane of the RAM console, choose .
- On the Users page, click Create User.
- On the Create User page, configure the Logon Name and Display Name parameters.
Note The logon name and Google Workspace username must contain the same prefix. In this example, the prefix of the logon name is u2.
- In the Access Mode section, select Console Access and configure the parameters.
- Click OK.
Verify the user-based SSO configurations
After you configure SSO, you can initiate SSO logon from both Alibaba Cloud and Google Workspace.
- Logon from Alibaba Cloud
- Log on to the RAM console by using your Alibaba Cloud account. On the Overview page, copy the logon URL of a RAM user.
- Move the pointer over the profile picture in the upper-right corner of the page and click Log Out. Then, paste the logon URL in the address bar of your browser and press Enter. You can also access the URL on a new tab.
- Click Login with Organization Account. You are redirected to the logon page of Google Workspace.
- On the logon page of Google Workspace, enter the username and password of the user that you created. In this example, the username is u2@example.com. Then, click Sign In.
You are redirected to the page that is specified by the Start URL parameter. If the value of the Start URL parameter is invalid or a value is not specified for the parameter, you are redirected to the homepage of the Alibaba Cloud Management Console. If the page that is shown in the following figure appears, the user-based SSO configurations are successful.
- Logon from Google Workspace
Log on to Google Workspace as the Google Workspace user. On the homepage of Google Workspace, find and click the application that you created in Step 2: Create an application that supports SAML-based SSO in Google Workspace.
You are redirected to the page that is specified by the Start URL parameter. If the value of the Start URL parameter is invalid or a value is not specified for the parameter, you are redirected to the homepage of the Alibaba Cloud Management Console. If the page that is shown in the following figure appears, the user-based SSO configurations are successful.