CloudSSO directory regions


CloudSSO stores all identity and permission data in the directory region you select. Learn about available regions and cross-region data transmission.

Region for the CloudSSO directory

When you create a CloudSSO directory, you select a region where Alibaba Cloud stores all CloudSSO data — identities, permissions, and authorization data. Your cloud resources, such as Elastic Compute Service (ECS) instances and ApsaraDB RDS instances, can run in any other region regardless of where the directory is located. You can also use your cloud account to log in and access those resources across regions.

Select the region closest to your intended users to minimize latency when they access cloud resources through CloudSSO.

The following regions are available for the CloudSSO directory:

  • China (Shanghai)

  • China (Hong Kong)

  • South Korea (Seoul)

  • Singapore

  • US (Silicon Valley)

  • Germany (Frankfurt)

Data storage and the directory region

Alibaba Cloud stores all CloudSSO data in the region you select when you create the directory. This includes user and group information, multi-account authorization configurations, Resource Access Management (RAM) synchronization tasks, and global settings.

If you access or modify CloudSSO from a region other than the directory region, a cross-region API call transmits your data to the directory region. During logon, the username, password, and virtual multi-factor authentication (MFA) verification code are sent to the directory region for authentication. The result is returned to the requesting region, and session data is stored there to maintain logon validity. When a user binds an MFA device or changes a logon password, the verification codes and new password are also transmitted to the directory region. If you enable System for Cross-domain Identity Management (SCIM) synchronization, usernames, UIDs, and group names are transmitted from your enterprise identity provider (IdP) to the directory region.

You can create the CloudSSO directory in only one region. To change regions, disable the existing directory and create a new one in the desired region. Data from the previous directory cannot be migrated, and the logon URL changes.

Accelerated URL

Note

The accelerated URL feature is in invitational preview. Contact your account manager to apply.

If your directory resides in the China (Shanghai) region, CloudSSO provides the accelerated URL feature free of charge to ensure access stability for users outside the Chinese mainland. Use this feature in the following scenarios:

  • Users outside the Chinese mainland sign in to CloudSSO, and authentication data must be transmitted to the China (Shanghai) directory region.

  • Users manage MFA devices or logon passwords, and the data must be transmitted to the China (Shanghai) directory region for update and storage.

  • SCIM synchronization is configured and your IdP resides outside the Chinese mainland. User information must be transmitted to the China (Shanghai) directory region.

Enable the 'Accelerate access from outside the Chinese mainland' feature in the CloudSSO console to obtain an accelerated sign-in URL. Data is first routed to the nearest Alibaba Cloud acceleration endpoint in China (Hong Kong), South Korea (Seoul), Singapore, US (Silicon Valley), or Germany (Frankfurt), then travels over an accelerated network to your directory region in China (Shanghai). You can continue using the original logon URL if you prefer.
