All Products
Search
Document Center

Resource Access Management:Implement user-based SSO by using Azure AD

最終更新日:Jun 01, 2023

This topic provides an example on how to implement user-based single sign-on (SSO) between Azure Active Directory (Azure AD) and Alibaba Cloud. The example describes the end-to-end SSO process from a cloud identity provider (IdP) to Alibaba Cloud.

Background information

Before you get started, you must create an Alibaba Cloud account and an Azure AD tenant. An administrator and an organization user u2 are added to the Azure AD tenant. The administrator is assigned the global administrative rights. You want the organization user u2 to access Alibaba Cloud by using user-based SSO.

You must log on to the Azure portal as the administrator that is assigned the global administrative rights and perform the following steps in this example. For information about how to create users and grant permissions to users in Azure AD, see Azure AD documentation.

Step 1: Download the SAML SP metadata file of Alibaba Cloud

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the SSO page, click the User-based SSO tab.

  4. In the Setup SSO section, copy the value of SAML Service Provider Metadata URL.

  5. Open a new tab in your browser and paste the URL in the address bar. On the page that appears, right-click the page and select Save As to download the Security Assertion Markup Language (SAML) service provider (SP) metadata file in the XML format to your computer.

    Note

    The XML file contains the information that is required to configure Alibaba Cloud as a SAML SP. Record the values of the entityID and Location parameters for subsequent use.

Step 2: Create an application in Azure AD

  1. Log on to the Azure portal as the administrator.

  2. In the upper-left corner of the homepage, click the SSO_AAD_icon icon.

  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.

  4. On the page that appears, click New application.

  5. On the Browse Azure AD Gallery page, click Create your own application.

  6. In the Create your own application panel, enter a name for your application. For example, you can enter AliyunSSODemo. Then, select Integrate any other application you don't find in the gallery and click Create.

Step 3: Configure SAML in Azure AD

  1. On the AliyunSSODemo page, click Single sign-on in the left-side navigation pane.

  2. In the Select a single sign-on method section, click SAML.

  3. On the Set up Single Sign-On with SAML page, perform the following steps:

    1. In the upper-left corner of the page, click Upload metadata file, select your metadata file, and then click Add.

      Note

      In this example, the XML file that you downloaded in Step 1: Download the SAML SP metadata file of Alibaba Cloud is uploaded.

    2. In the Basic SAML Configuration panel, configure the following parameters and click Save.

      • Identifier (Entity ID): Set this parameter to the value of entityID that is read from the preceding metadata file.

      • Reply URL (Assertion Consumer Service URL): Set this parameter to the value of Location that is read from the preceding metadata file.

      • Relay State: Enter the URL of the Alibaba Cloud service page to which an Azure AD user is redirected after the user logs on to Azure AD by using SSO.

        Note

        For security purposes, you must enter a URL that points to an Alibaba website for Relay State. For example, the domain name in the URL can be *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. If you enter a URL that does not point to an Alibaba website, the configuration is invalid. If you leave this parameter empty, you are redirected to the homepage of the Alibaba Cloud Management Console by default.

    3. In the SAML Signing Certificate section, click Download in the Federation Metadata XML field to download the related XML file.

Step 4: Assign a user to the application in Azure AD

  1. In the upper-left corner of the Azure AD homepage, click the SSO_AAD_icon icon.

  2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.

  3. In the Name column, click AliyunSSODemo.

  4. In the left-side navigation pane, click Users and groups.

  5. On the page that appears, click Add user/group.

  6. On the Add Assignment page, click Users. In the Users panel, select u2 and click Select.

  7. Click Assign.

Step 5: Create a RAM user in the Alibaba Cloud Management Console

  1. In the left-side navigation pane of the RAM console, choose Identities > Users.

  2. On the Users page, click Create User.

  3. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.

    The logon name and Azure AD username must have the same prefix. In this example, the prefix of the logon name must be u2.

  4. In the Access Mode section, select an access mode.

  5. Click OK.

Step 6: Enable user-based SSO in the Alibaba Cloud Management Console

  1. In the left-side navigation pane of the RAM console, choose Integrations > SSO.

  2. On the SSO page, click the User-based SSO tab.

  3. Click Edit to the right of Setup SSO.

  4. In the SSO Status section of the SSO Settings panel, click Enabled.

    Note

    User-based SSO takes effect on all RAM users in your Alibaba Cloud account. If you enable this feature, all RAM users in your Alibaba Cloud account must log on to the Alibaba Cloud Management Console by using SSO. If you use a RAM user, set the SSO Status parameter to Disabled in this step. Before you enable user-based SSO, you must complete the SSO settings for the RAM user. Otherwise, you cannot log on as the RAM user. To avoid this issue, you can also use the Alibaba Cloud account to configure user-based SSO.

  5. In the Metadata File section, click Upload File to upload the IdP metadata file obtained in Step 3: Configure SAML in Azure AD.

  6. Select Enabled for Auxiliary Domain Name. In the field that appears, enter the domain name of the email address that you use as the Azure AD username.

    In this example, the domain name is test.onmicrosoft.com because the username of the Azure AD user u2 is u2@test.onmicrosoft.com.

  7. Click OK.

Verify the user-based SSO configurations

After you configure SSO, you can initiate SSO logon from both Alibaba Cloud and Azure AD.

  • Logon from Alibaba Cloud

    1. Log on to the RAM console with your Alibaba Cloud account. On the Overview page, copy the logon URL of a RAM user.

    2. Move the pointer over the profile picture in the upper-right corner of the page and click Log Out. Then, paste the logon URL into the address bar of your browser and press Enter. You can also access the URL on a new tab.

    3. On the page that appears, click Logon with Organization Account. You are redirected to the logon page of Azure AD.Logon by using an organization account

    4. Logon by using the Azure AD user u2.

      After the logon succeeds, you are redirected to the page that is specified by Relay State. If Relay State is invalid or not specified, you are redirected to the homepage of the Alibaba Cloud Management Console.

      Verify the user-based SSO configurations
  • Logon from Azure AD

    1. Obtain the user access URL.

      1. Log on to the Azure portal as the administrator.

      2. In the upper-left corner of the homepage, click the SSO_AAD_icon icon.

      3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.

      4. Click AliyunSSODemo.

      5. In the left-side navigation pane, click Properties and copy the value of User access URL.

        You can enter the user access URL in the address bar of your browser to access the application.

        User access URL
    2. Enter the user access URL in the address bar of your browser and enter the username and password of u2 for the logon. You can obtain the URL from the administrator.

      After the logon succeeds, you are redirected to the page that is specified by the Relay State parameter. If Relay State is invalid or not specified, you are redirected to the homepage of the Alibaba Cloud Management Console.

      Verify the user-based SSO configurations