This topic provides an example of how to implement user-based single sign-on (SSO) from Active Directory Federation Services (AD FS) to Alibaba Cloud. The example describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud. In the following example, AD FS is deployed on an Elastic Compute Service (ECS) instance that runs Windows Server 2012 R2.
Prerequisites
Before you configure SSO, perform the following operations:
1. Deploy the following services on an ECS instance that runs Windows Server 2012 R2:
   - DNS server: resolves and sends identity authentication requests to the correct Federation Service.
   - Active Directory Domain Service (AD DS): allows you to create, query, and modify objects, such as domain users and domain devices.
   - AD FS: allows you to configure the SSO relying party and performs SSO authentication for the configured relying party.
   Important: The configuration of Microsoft AD described in this topic is for reference only and helps you understand the configuration procedure of SSO logon to Alibaba Cloud. Alibaba Cloud does not provide consultation services for the configuration of Microsoft AD. For more information about how to deploy AD FS, see Build an AD domain on a Windows instance.
2. Prepare the following data:
   - The default domain name of the Alibaba Cloud account: secloud.onaliyun.com.
   - The username of the RAM user that belongs to the Alibaba Cloud account: alice. The User Principal Name (UPN) of the RAM user is alice@secloud.onaliyun.com.
   - The name of the AD FS service that has been registered in Microsoft AD: adfs.secloud.club.
   - The domain name of Microsoft AD: secloud.club. The NetBIOS name is secloud.
   - The UPN of the RAM user alice in Microsoft AD: alice@secloud.club. The RAM user can also use secloud\alice to log on from the Microsoft AD domain.
Step 1: Configure AD FS as a trusted SAML IdP in RAM
1. Enter the following URL in the address bar of your browser: https://adfs.secloud.club/FederationMetadata/2007-06/FederationMetadata.xml. Download the metadata file in the XML format to your computer.
2. Log on to the RAM console and use the metadata file for SSO configuration. For more information, see Configure the SAML settings of Alibaba Cloud for user-based SSO.
   Note: If the size of the metadata file exceeds the upper limit, you can delete all content in <fed:ClaimTypesRequested> and <fed:ClaimTypesOffered>.
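The following PowerShell script is an added example and is not part of this topic or of Alibaba Cloud's own tooling. It downloads the AD FS federation metadata from the URL above, removes the fed:ClaimTypesRequested and fed:ClaimTypesOffered elements as the note describes, and checks that the entityID and the IdP signing certificate are still present before you upload the trimmed file. The output paths under $env:TEMP are assumptions; any writable location works.

```powershell
# Added example (not from the Alibaba Cloud topic): trim AD FS federation
# metadata for upload to the RAM console. Run on any Windows machine that can
# reach the AD FS service; paths below are assumptions.
$metadataUrl = 'https://adfs.secloud.club/FederationMetadata/2007-06/FederationMetadata.xml'
$rawPath     = Join-Path $env:TEMP 'FederationMetadata.xml'
$trimmedPath = Join-Path $env:TEMP 'FederationMetadata.trimmed.xml'

# Download to a file first; XmlDocument.Load handles the BOM that AD FS emits.
Invoke-WebRequest -Uri $metadataUrl -OutFile $rawPath -UseBasicParsing

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.Load($rawPath)

# Namespaces used by AD FS metadata: SAML 2.0 metadata and WS-Federation.
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')

# Remove exactly the two elements the Step 1 note says may be deleted.
foreach ($xpath in '//fed:ClaimTypesRequested', '//fed:ClaimTypesOffered') {
    foreach ($node in @($doc.SelectNodes($xpath, $ns))) {
        [void]$node.ParentNode.RemoveChild($node)
    }
}
$doc.Save($trimmedPath)

# Sanity checks: RAM identifies AD FS by entityID and verifies SAML responses
# with the token-signing certificate, so both must survive the trim.
$entityId     = $doc.DocumentElement.GetAttribute('entityID')
$signingCerts = $doc.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]', $ns).Count
if (-not $entityId -or $signingCerts -lt 1) {
    throw 'Trimmed metadata is missing the entityID or the IdP signing certificate; do not upload it.'
}
"entityID            : $entityId"
"signing certificates: $signingCerts"
"size before / after : {0} / {1} bytes" -f (Get-Item $rawPath).Length, (Get-Item $trimmedPath).Length
```

Deleting elements invalidates the XML signature that AD FS places on the metadata document; the Step 1 note shows that the RAM console accepts the trimmed file regardless, but do not reuse the trimmed file with any consumer that validates metadata signatures.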
Step 2: Configure Alibaba Cloud as a trusted SAML SP in AD FS
In AD FS, the Security Assertion Markup Language (SAML) service provider (SP) is called the relying party. To configure Alibaba Cloud as a trusted SP, perform the following steps:
1. In the top navigation bar of Server Manager, choose Tools > AD FS Management.
2. Right-click Relying Parties and select Add Relying Party Trust.
3. Configure the SAML metadata of Alibaba Cloud for the relying party.
   To view the URL of the SAML metadata, log on to the RAM console. In the left-side navigation pane, click SSO. On the page that appears, click User-based SSO. You can view the URL in the Setup SSO section. You can directly enter the metadata URL when you configure the relying party in AD FS.
After the relying party is configured, Alibaba Cloud sends a request to the AD FS service whose name is adfs.secloud.club. The request is sent to authenticate RAM users that belong to the Alibaba Cloud account whose default domain name is secloud.onaliyun.com. After AD FS receives the request, it authenticates the RAM users and sends a response to Alibaba Cloud.
Step 3: Configure SAML assertion attributes for the Alibaba Cloud SP
We recommend that you set the value of the NameID field in the SAML assertion to the UPN of the RAM user. This way, Alibaba Cloud can locate the correct RAM user based on the SAML response. To do this, you must issue the UPN from Microsoft AD as the value of NameID in the SAML assertion.
1. Right-click the display name of the relying party and select Edit Claim Rules.
2. Click Issuance Transform Rules to add a rule.
   Note: Issuance transform rules define how a known user attribute is transformed and issued as an attribute in the SAML assertion. You must issue the UPN of a user in Microsoft AD as the NameID, so a new rule is required.
3. Set Claim rule template to Transform an Incoming Claim.
4. Select Edit Rule.
   Note: In this example, the domain name of the UPN in the Alibaba Cloud account is secloud.onaliyun.com, and the domain name of the UPN in Microsoft AD is secloud.club. If you map the Microsoft AD UPN to the NameID without changes, the domain suffixes do not match and Alibaba Cloud cannot identify the user. To solve this problem, use one of the following methods:
   - Method 1: Set the domain name of Microsoft AD to the domain alias that is configured in RAM.
     If the domain name secloud.club of Microsoft AD is registered in a DNS on the Internet, you can change secloud.club to the domain alias that is configured in RAM. For more information about how to configure a domain alias, see Create and verify a domain alias. After the settings are complete, map the UPN to the NameID in the Edit Rule dialog box.
   - Method 2: Transform the domain name in AD FS.
     If the domain name secloud.club is an internal domain name of an enterprise, the domain ownership of the enterprise cannot be verified by Alibaba Cloud. RAM can use only the default domain name secloud.onaliyun.com. In this case, you must change the domain name suffix secloud.club of the UPN to secloud.onaliyun.com in the SAML assertion that is issued by AD FS to Alibaba Cloud.
   - Method 3: Specify the domain name of Microsoft AD as the auxiliary domain name for user-based SSO.
     If the domain name secloud.club is an internal domain name of an enterprise, the domain ownership of the enterprise cannot be verified by Alibaba Cloud. In this case, you can specify secloud.club as the auxiliary domain name without the need to transform the domain name. For information about how to specify an auxiliary domain name, see Configure the SAML settings of Alibaba Cloud for user-based SSO. After the settings are complete, map the UPN to the NameID in the Edit Rule dialog box.
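The following PowerShell script is an added example and is not part of this topic or of Alibaba Cloud's own tooling. It installs, with the AD FS cmdlets, the same issuance transform rules that the Edit Claim Rules steps above create in the wizard: one rule that reads userPrincipalName from Active Directory and one that issues it as NameID. With $rewriteSuffix set to $true it applies Method 2 (the suffix secloud.club is rewritten to secloud.onaliyun.com in the assertion); with $false the UPN is issued unchanged, which is what Methods 1 and 3 need. The relying party display name and the NameID format property are assumptions; use the display name you entered in the Add Relying Party Trust wizard and the format your Edit Rule dialog shows.

```powershell
# Added example (not from the Alibaba Cloud topic): issue the AD UPN as the SAML
# NameID for the Alibaba Cloud relying party, optionally rewriting its suffix.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$rpName        = 'Alibaba Cloud'         # assumed display name of the relying party trust
$adSuffix      = 'secloud.club'          # UPN suffix in Microsoft AD (from the topic)
$aliyunSuffix  = 'secloud.onaliyun.com'  # default domain name of the Alibaba Cloud account (from the topic)
$rewriteSuffix = $true                   # $true = Method 2; $false = Methods 1 and 3 (UPN passed through)

$upnType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$formatProp = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Rule 1: look up userPrincipalName for the authenticated Windows account
# (the text the "Send LDAP Attributes as Claims" template generates).
$rule1 = @"
@RuleName = "Get UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upnType"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Rule 2: issue the UPN as NameID. For Method 2 the value goes through
# RegExReplace so alice@secloud.club becomes alice@secloud.onaliyun.com.
# The dot in the suffix is written as [.] so the rule text needs no backslashes.
$pattern = '@' + ($adSuffix -replace '\.', '[.]') + '$'
$value = if ($rewriteSuffix) {
    'RegExReplace(c.Value, "' + $pattern + '", "@' + $aliyunSuffix + '")'
} else {
    'c.Value'
}
$rule2 = @"
@RuleName = "Issue UPN as NameID"
c:[Type == "$upnType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = $value, ValueType = c.ValueType, Properties["$formatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

# Replace the relying party's issuance transform rules with the two rules above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($rule1 + "`n" + $rule2)

# Print what was installed so it can be compared with the Edit Claim Rules view.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Set-AdfsRelyingPartyTrust -IssuanceTransformRules overwrites every issuance transform rule on the relying party, so merge any rules you already have into the string before running it. After the change, sign in once as alice and confirm in the SAML response that NameID carries alice@secloud.onaliyun.com (Method 2) or alice@secloud.club with the alias or auxiliary domain configured in RAM (Methods 1 and 3).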