This topic describes the scenarios in which each of the two single sign-on (SSO) methods supported by Alibaba Cloud, role-based SSO and user-based SSO, is appropriate. Select the SSO method that matches your business requirements.
Role-based SSO
Role-based SSO applies to the following scenarios:
You do not want to create or manage users on Alibaba Cloud. Role-based SSO needs no users on Alibaba Cloud, which reduces administrative cost and removes the need to synchronize users between your IdP and Alibaba Cloud.
You want to implement SSO to Alibaba Cloud but still keep a small number of users on Alibaba Cloud. These users can be used to test new Alibaba Cloud features and to log on if your network or identity provider (IdP) is unavailable. Because such users bypass the IdP, protect them with multi-factor authentication (MFA) and keep their number to a minimum.
You want to manage permissions on Alibaba Cloud based on the user groups in your IdP or on a specific user attribute. The IdP then decides which roles a user may assume, so you change a user's permissions by moving the user between groups or changing the attribute in the IdP, without touching Alibaba Cloud.
You have multiple Alibaba Cloud accounts and only one IdP. You want to implement SSO to all of these accounts by configuring your IdP only once.
You have multiple IdPs and only one Alibaba Cloud account. You want to implement SSO from all of these IdPs to that account by registering each IdP in the Alibaba Cloud account.
You want to implement SSO both by using the console and by calling API operations (for example, by exchanging the SAML assertion for temporary STS credentials with AssumeRoleWithSAML).
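The scenarios above all depend on the IdP issuing, in the SAML assertion, the roles that a user may assume. The following script is an added example written for this topic; it is not code from Alibaba Cloud. It parses a constructed assertion that lists roles in two accounts (the "one IdP, many accounts" case) and reports which role claims are well-formed. The attribute names and the "role ARN,provider ARN" value format are taken from Alibaba Cloud's role-based SSO documentation and should be verified against the current documentation; the requirement that a role and its SAML provider live in the same account is assumed here as a sanity check. Signature, audience and validity-period checks, which Alibaba Cloud performs on the real assertion, are out of scope.

```python
"""Inspect the role claims carried by a SAML assertion for role-based SSO."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as documented for Alibaba Cloud role-based SSO (assumption:
# verify against the current documentation before relying on them).
ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"
SESSION_NAME_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName"

# ARN shapes for a RAM role and a SAML provider (assumed character set).
ROLE_ARN = re.compile(r"^acs:ram::(\d+):role/([\w.-]+)$")
PROVIDER_ARN = re.compile(r"^acs:ram::(\d+):saml-provider/([\w.-]+)$")

# Constructed sample assertion: one corporate IdP asserting roles in two
# accounts, plus one deliberately inconsistent claim (role in account 3333...,
# provider in account 1111...).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
      <saml:AttributeValue>acs:ram::111111111111:role/Reader,acs:ram::111111111111:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>acs:ram::222222222222:role/Admin,acs:ram::222222222222:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>acs:ram::333333333333:role/Admin,acs:ram::111111111111:saml-provider/CorpIdP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root, name):
    """Return the string values of the SAML Attribute called `name` (empty if absent)."""
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
    return []


def parse_role_claims(assertion_xml):
    """Split the Role attribute into accepted role claims and rejected values.

    Returns (accepted, rejected, session_name). Each accepted entry records the
    account ID, role name and provider name; each rejected entry records the raw
    value and the reason it was rejected.
    """
    root = ET.fromstring(assertion_xml)
    accepted, rejected = [], []
    for value in attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            rejected.append((value, "expected 'role-arn,provider-arn'"))
            continue
        role_m, prov_m = ROLE_ARN.match(parts[0]), PROVIDER_ARN.match(parts[1])
        if not role_m or not prov_m:
            rejected.append((value, "malformed ARN"))
            continue
        # Assumed constraint: the provider must belong to the account that owns the role.
        if role_m.group(1) != prov_m.group(1):
            rejected.append((value, "role and provider are in different accounts"))
            continue
        accepted.append({"account": role_m.group(1), "role": role_m.group(2), "provider": prov_m.group(2)})
    session = attribute_values(root, SESSION_NAME_ATTR)
    return accepted, rejected, (session[0] if session else None)


if __name__ == "__main__":
    ok, bad, who = parse_role_claims(SAMPLE_ASSERTION)
    print(f"session name: {who}")
    for claim in ok:
        print(f"may assume {claim['role']} in account {claim['account']} via provider {claim['provider']}")
    for value, reason in bad:
        print(f"rejected {value!r}: {reason}")
```

When the user lands on the Alibaba Cloud console with such an assertion, each accepted entry corresponds to one role the user can pick; a user who belongs to no mapped IdP group arrives with an empty Role attribute and cannot assume anything, which is the permission-by-group behaviour described above.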
User-based SSO
User-based SSO applies to the following scenarios:
You want users to initiate logon from the Alibaba Cloud logon page (SP-initiated SSO) rather than from your IdP portal.
Some of the Alibaba Cloud services you use cannot be accessed with a role, that is, with the temporary STS credentials that role-based SSO provides, and therefore require a user on Alibaba Cloud. For more information, see Services that work with STS.
Your IdP does not support the attribute configuration that role-based SSO requires, such as issuing role information in the assertion.
You want to keep the IdP configuration as simple as possible.