# Use SAML2 to log in to the Alibaba Cloud console
Authing SAML Identity Provider provides single sign-on capabilities for enterprises. In Alibaba Cloud, you can log in to Alibaba Cloud from the enterprise's local account system by setting SSO, so as to realize unified management of employee identities on and off the cloud.Alibaba Cloud adopts the identity alliance standard based on SAML 2.0 to realize the interoperability of identity systems.
Alibaba Cloud supports "User SSO" and "Role SSO". These two modes are described below.
# User SSO
# Configure IdP in Authing
If you haven't created an application yet, you need to [create an application] in Authing (/quickstart/create-authing-account.md).
First enter Alibaba Cloud Access Control (opens new window)> left menu> Personnel Management> Settings, click the "Advanced Settings" tab, and record the default domain name.
Go to Control Panel > Apps > App List, find your application, and click "Configuration".
On the application details page, click the "Configure SAML2 Identity Provider" tab, turn on the "Enable SAML2 Provider" switch, default ACS address fill in https://signin-intl.aliyun.com/saml/SSO
.
Setting content is filled in as follows:
In the emailDomainSubstitution
field, fill in the default domain name just recorded in the Alibaba Cloud console.
{
"audience": null,
"recipient": "https://signin-intl.aliyun.com/saml/SSO",
"destination": "https://signin-intl.aliyun.com/saml/SSO",
"mappings": null,
"digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
"signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
"authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
"lifetimeInSeconds": 3600,
"signResponse": true,
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"samlRequestSigningCert": "",
"emailDomainSubstitution": "authing.onaliyun.com" // Replace with your Aliyun domain name
}
Important note â ī¸â ī¸â ī¸: After filling in emailDomainSubstitution
, Authing will replace the user mailbox domain name in the user pool with the content of this field before sending the identity assertion. Please be sure to close the user pool registration (** console**> * *Settings**> **Security Information**, turn on the prohibition of registration switch), otherwise there is a risk of account fraud. For example: test@authing.cn and test@123.com accounts will be considered by Alibaba Cloud as the same user.
Click "Save". Then download the metadata document of SAML2 Identity Provider:
https://core.authing.cn/api/v2/saml-idp/application ID
/metadata
# Configure in Alibaba Cloud
Use your Alibaba Cloud account Login (opens new window) Alibaba Cloud console.
Hover the mouse on your user profile picture, a drop-down menu will appear, click "Access Control (opens new window)".
Enter Left Menu > Personnel Management > User (opens new window), click "Create User".
Enter the user name, display name, check the console password to log in and click "Confirm". The login name entered in this tutorial is authing, and the display name is also authing. Check the access mode of console access and programming access. Finally click "Save".
Click Left Menu > Personnel Management > User (opens new window), you can see it in the list on the right page To the user just added, record the user login name (authing@authing.onaliyun.com in this example), which will be used later. Click "Add Permission" on the right side of the corresponding user entry.
In the permission list, select the permissions that need to be given to the account. This tutorial selects the highest permission of "AdministratorAccess". Click "OK".
Go to Left Menu > SSO Management (opens new window), click on the "User SSO" tab on the right page, and click Click "Edit" at the SSO login settings below.
Select "On" for SSO function status. Click "Upload File" to upload the SAML IdP Metadata just downloaded in Authing. Click "Confirm".
# Configure users in Authing
When creating a user, the part before the "@" symbol in the user mailbox needs to be consistent with the user login name in Alibaba Cloud.
Enter Authing Console > User Management> User List, click the "New" button in the upper right corner, fill in the relevant information, **Note **E-mail "@ Before the symbol, enter the user login name in Alibaba Cloud. Click "Save".
# Use Authing IdP to log in to Alibaba Cloud
Visit the Alibaba Cloud RAM Account Login Page (opens new window), and enter the login name of the user just created in Alibaba Cloud, like authing@xxx.onaliyun.com.
Click "Next" to jump to the Authing IdP login authentication page.
You can choose any method to log in, but the mailbox name part of the user must be the same as the user name in Alibaba Cloud.
After successful login, jump to the Alibaba Cloud console.
# Role SSO
Not yet supported