All Products
Search
Document Center

Resource Access Management:Overview of OIDC-based SSO

Last Updated:Apr 16, 2024

OpenID Connect (OIDC) is an authentication protocol that is developed based on Open Authorization (OAuth) 2.0. Alibaba Cloud Resource Access Management (RAM) supports OIDC-based single sign-on (SSO).

Terms

Term

Description

OIDC

An authentication protocol that is developed based on OAuth 2.0. For more information, see OIDC and OAuth 2.0. OAuth is an authorization protocol. OIDC adds an identity layer to extend OAuth. This way, OIDC can use OAuth for authorization. OIDC also allows clients to verify the identities of users and use an HTTP RESTful API to obtain basic information about the users.

OIDC token

An identity token that is issued by OIDC to an application. An OIDC token is an identity token that indicates a logon user. An OIDC token can be used to obtain the basic information about a logon user.

STS token

A temporary identity credential that is provided by Alibaba Cloud Security Token Service (STS). STS allows you to manage temporary credentials for your Alibaba Cloud resources. You can configure a validity period and specify access permissions for an STS token. For more information about STS, see What is STS?

URL of an issuer

The URL of an issuer that is provided by an external IdP. The URL is indicated by the iss field in an OIDC token. The URL of the issuer must start with https and be in the valid URL format. The URL cannot contain query parameters that follow a question mark (?) or logon information that is identified by at signs (@). The URL cannot be a fragment URL that contains number signs (#).

fingerprint

The fingerprint that is generated based on the HTTPS certificate of an external IdP. You can use a fingerprint to prevent the URL of the issuer from being hijacked or tampered with. Alibaba Cloud calculates the fingerprint. We recommend that you calculate the fingerprint on your computer. For example, you can use OpenSSL to calculate the fingerprint. Then, you can compare the calculation result with the calculation result provided by Alibaba Cloud. For more information about OpenSSL, visit the official website of OpenSSL. If the calculation results are different, the URL of the issuer may have been attacked. Make sure that you enter a valid fingerprint.

Note

If you want to rotate the certificate of your IdP, we recommend that you generate the fingerprint of the new certificate and add the fingerprint to the OIDC IdP that you created in the RAM console before the rotation. After at least one day, rotate the certificate. You can delete the previous fingerprint after you obtain a Security Token Service (STS) token.

client ID

An ID that is generated for an application when you register the application in an external IdP. When you apply for an OIDC token from an external IdP, you must use a client ID. The client ID is specified in the aud field of the OIDC token that is issued. When you create an OIDC IdP, you must configure the client ID. If you want to use the OIDC token to obtain an STS token, Alibaba Cloud checks whether the client ID that is specified in the aud field is the same as the client ID that you configured in the OIDC IdP. You can assume a RAM role only when the client IDs are the same.

Scenarios

If applications of enterprises use fixed AccessKey pairs to frequently access Alibaba Cloud resources and the enterprises lacks security protection measures, potential risks may arise due to AccessKey pair leaks. To resolve this issue, the enterprises register applications in self-managed OIDC IdPs or third-party OIDC IdPs, such as Google G Suite and Okta. This way, the OIDC IdPs can generate OIDC tokens for the applications. Then, the applications can use the OIDC tokens to obtain STS tokens to access Alibaba Cloud resources in a secure manner.

In addition, individual developers or employees of small and medium-sized enterprises are allowed to log on to the Alibaba Cloud Management Console by using the identities that are registered in websites, such as social networking websites. If the websites support OIDC tokens, the individual developers or employees can use RAM to implement OIDC-based SSO.

Process

OIDC角色SSO流程图

  1. Register an application in an external IdP and obtain the client ID of the application.

  2. In the RAM console, create an OIDC IdP and configure a trust relationship between Alibaba Cloud and the external IdP.

    For more information, see Create an OIDC IdP.

  3. In the RAM console, create a RAM role whose trusted entity is an OIDC IdP and grant permissions to the RAM role.

    For more information, see Create a RAM role for an OIDC IdP and Grant permissions to a RAM role.

  4. Apply for an OIDC token from the external IdP.

    For more information, see the documentation of the external IdP.

  5. Use the OIDC token to obtain an STS token.

    For more information, see AssumeRoleWithOIDC.

  6. Use the STS token to access Alibaba Cloud resources.

Configuration example

Implement OIDC-based SSO from Okta

Limits

Item

Upper limit

The number of OIDC IdPs that can be created within an Alibaba Cloud account

100

The number of client IDs that can be added to an OIDC IdP

20

The number of fingerprints that can be added to an OIDC IdP

5