Terms


Learn about the basic concepts of CloudSSO, such as directories, users, groups, access configurations, and SSO.

Term

Description

directory

A directory is a CloudSSO instance that manages all CloudSSO resources. You must create a directory before you can use CloudSSO. When you create a directory, you must select a region. Alibaba Cloud stores all data in the directory only in the selected region, so that data residency and compliance requirements can be met. Each Alibaba Cloud account can have only one directory.

user

A user is a type of CloudSSO identity. You can create and manage users who need to access Alibaba Cloud resources in the CloudSSO console, and assign access permissions on accounts in a resource directory to users.

group

A group is a type of CloudSSO identity. You can add users to groups and assign permissions to users by group. This helps you centrally manage permissions.

MFA

Multi-factor authentication (MFA) adds an extra layer of protection beyond your username and password. When a user logs on to the CloudSSO user portal with a username and password, MFA is enabled by default. CloudSSO allows you to use MFA devices for authentication. For more information, see Manage MFA.

identity synchronization

CloudSSO supports user and group synchronization based on System for Cross-domain Identity Management (SCIM), also known as identity provisioning or identity push. With identity synchronization enabled, you manage users and groups only in your identity provider (IdP); the IdP pushes changes to CloudSSO, so you do not have to maintain users and groups manually in the CloudSSO console.
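The following added example (not CloudSSO's implementation) models the receiving side of SCIM 2.0 provisioning in memory: the IdP pushes User and Group resources and PATCH operations, and the service provider only applies them, which is why identities no longer need to be edited by hand in the console. The user names, external ids and payloads are constructed, and the small id scheme and the supported PATCH shapes are assumptions of this example, not CloudSSO's SCIM endpoint behaviour.

```python
# Added example: an in-memory model of the SP side of SCIM 2.0 provisioning.
# This is not CloudSSO's implementation; the ids, user names and payloads are constructed.
import json
import re

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# A PATCH remove on a group usually names the member by filter: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


class ScimDirectory:
    """Receives SCIM pushes from an IdP; nothing in here is edited by hand."""

    def __init__(self):
        self.users = {}    # id -> user record
        self.groups = {}   # id -> group record
        self._next = 1     # sequential ids (assumption of this example)

    def _new_id(self, prefix):
        rid = f"{prefix}-{self._next}"
        self._next += 1
        return rid

    def create_user(self, body):
        doc = json.loads(body)
        if SCIM_USER not in doc.get("schemas", []) or not doc.get("userName"):
            raise ValueError("not a valid SCIM User resource")
        # userName is the login identity; reject duplicates case-insensitively
        if any(u["userName"].casefold() == doc["userName"].casefold() for u in self.users.values()):
            raise ValueError("userName already exists")
        uid = self._new_id("u")
        self.users[uid] = {"id": uid, "externalId": doc.get("externalId"),
                           "userName": doc["userName"], "active": bool(doc.get("active", True))}
        return uid

    def create_group(self, body):
        doc = json.loads(body)
        if SCIM_GROUP not in doc.get("schemas", []) or not doc.get("displayName"):
            raise ValueError("not a valid SCIM Group resource")
        members = {m["value"] for m in doc.get("members", [])}
        unknown = members - self.users.keys()
        if unknown:
            raise ValueError(f"unknown members: {sorted(unknown)}")
        gid = self._new_id("g")
        self.groups[gid] = {"id": gid, "displayName": doc["displayName"], "members": members}
        return gid

    def patch(self, resource_type, rid, body):
        doc = json.loads(body)
        if SCIM_PATCH not in doc.get("schemas", []):
            raise ValueError("not a SCIM PatchOp")
        res = (self.users if resource_type == "Users" else self.groups)[rid]
        for op in doc["Operations"]:
            kind, path, value = op["op"].lower(), op.get("path"), op.get("value")
            if resource_type == "Groups" and kind == "add" and path == "members":
                ids = {m["value"] for m in value}
                if ids - self.users.keys():
                    raise ValueError("cannot add unknown users to a group")
                res["members"] |= ids
            elif resource_type == "Groups" and kind == "remove" and MEMBER_FILTER.match(path or ""):
                res["members"].discard(MEMBER_FILTER.match(path).group(1))
            elif resource_type == "Users" and kind == "replace":
                # Both {"path": "active", "value": false} and {"value": {"active": false}} occur in practice
                updates = {path: value} if path else dict(value)
                for attr, val in updates.items():
                    if attr == "active":
                        res["active"] = bool(val)
                    elif attr == "userName":
                        res["userName"] = val
                    else:
                        raise ValueError(f"unsupported attribute in replace: {attr}")
            else:
                raise ValueError(f"unsupported operation: {op}")

    def effective_members(self, gid):
        """userNames that group-based permissions should apply to: active members only."""
        members = self.groups[gid]["members"]
        return sorted(self.users[u]["userName"] for u in members if self.users[u]["active"])


def demo():
    """Replays a constructed sequence of IdP pushes; returns the effective membership after each step."""
    d = ScimDirectory()
    alice = d.create_user(json.dumps({"schemas": [SCIM_USER], "externalId": "ext-1001",
                                      "userName": "alice@example.com", "active": True}))
    bob = d.create_user(json.dumps({"schemas": [SCIM_USER], "externalId": "ext-1002",
                                    "userName": "bob@example.com", "active": True}))
    gid = d.create_group(json.dumps({"schemas": [SCIM_GROUP], "displayName": "cloud-admins",
                                     "members": [{"value": alice}]}))
    snapshots = [d.effective_members(gid)]
    d.patch("Groups", gid, json.dumps({"schemas": [SCIM_PATCH], "Operations": [
        {"op": "Add", "path": "members", "value": [{"value": bob}]}]}))
    snapshots.append(d.effective_members(gid))
    # Deactivating a user in the IdP arrives as a replace of "active"; the group entry itself stays
    d.patch("Users", bob, json.dumps({"schemas": [SCIM_PATCH], "Operations": [
        {"op": "Replace", "path": "active", "value": False}]}))
    snapshots.append(d.effective_members(gid))
    d.patch("Groups", gid, json.dumps({"schemas": [SCIM_PATCH], "Operations": [
        {"op": "remove", "path": f'members[value eq "{alice}"]'}]}))
    snapshots.append(d.effective_members(gid))
    return snapshots
```

The point of `effective_members` is that a deactivated user drops out of every group-based permission immediately, even though the IdP has not yet removed the group membership; an SP that grants on raw membership alone would keep honouring a disabled account until the next group push.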

access configuration

An access configuration is a permission template used to assign access permissions on accounts in your resource directory to CloudSSO users. For more information, see Access configuration overview.

Resource Directory

Resource Directory is an Alibaba Cloud service that allows you to manage relationships among multiple levels of enterprise resources and accounts. For more information, see Resource Directory overview.

account in a resource directory

A resource directory contains two types of accounts:

  • Management account: an Alibaba Cloud account that has passed enterprise identity verification. After you use this account to enable a resource directory, it becomes the management account and super administrator of the resource directory, with full administrative permissions on the directory and all its folders and members. Each resource directory has only one management account.

  • Member: a resource account created in a resource directory, used to isolate the resources of a project or application from other resources. You can also invite existing Alibaba Cloud accounts to join your resource directory. After the owners accept the invitations, those accounts join the resource directory as members of the cloud account type.

multi-account authorization

Multi-account authorization allows you to specify which users or groups can access accounts in your resource directory, and assign access configurations to them. You can assign access permissions on the management account or member accounts. For more information, see Overview.

access configuration provisioning

When you assign access permissions on an account in your resource directory to a user, the specified access configuration is provisioned for that account. The provisioned access configuration is materialized in the account as the Resource Access Management (RAM) role, the RAM policy, and the IdP used for single sign-on (SSO). You can also de-provision an access configuration from an account. If you modify an access configuration that is already provisioned, the change is not applied to the account automatically: you must re-provision the access configuration for the change to take effect. For more information, see Access configuration overview.

asynchronous task

CloudSSO automatically creates an asynchronous task when you provision or de-provision an access configuration. An asynchronous task is created in the following scenarios:

  • Assign access permissions on accounts in your resource directory to a CloudSSO user.

  • Remove access permissions on an account in your resource directory from a user.

  • Provision an access configuration for an account in your resource directory.

  • De-provision an access configuration from an account in your resource directory.

In the CloudSSO console, go to the Historical Tasks page to view asynchronous tasks created in the last seven days.

CloudSSO user portal

The CloudSSO user portal is an independent portal for CloudSSO users to access Alibaba Cloud resources. After logging on, a user can view all accessible accounts in a resource directory, select an account, and go to the Alibaba Cloud Management Console to access resources based on the permissions in an access configuration. In the CloudSSO console, go to the Overview page to view the logon URL of your CloudSSO user portal. For more information, see Access resources through the CloudSSO user portal.

CloudSSO administrator

A CloudSSO administrator is the management account used to enable a resource directory, or a RAM user created by that account with the AliyunCloudSSOFullAccess policy attached.

SSO

CloudSSO supports SSO based on Security Assertion Markup Language (SAML) 2.0. In this model, Alibaba Cloud is the service provider (SP) and the enterprise identity management system is the identity provider (IdP). SSO allows enterprise employees to log on to the CloudSSO console by using user identities in the IdP.

  • An IdP provides identity management services. Common IdPs include Active Directory Federation Service (AD FS), Azure Active Directory (Azure AD), Okta, and Keycloak.

  • An SP is an application that relies on the identity management feature of an IdP to provide users with specific services, using the user information that the IdP supplies. In identity systems that do not use SAML, such as OpenID Connect (OIDC), the SP is called the relying party of the IdP.

For more information, see Overview.
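The SP side of the SAML 2.0 model described above, as an added example that is not part of Alibaba Cloud's or CloudSSO's code: after the IdP posts a signed Response to the SP, the SP must check, besides the signature, that the assertion was issued by the expected IdP, is addressed to this SP (audience and recipient), and is inside its validity window. The sample Response, the IdP and SP URLs, and the user `alice@example.com` are constructed; the example assumes that XML-DSig verification of the assertion has already been done by a proper library and shows only the claim checks that follow it.

```python
# Added example (not CloudSSO's code): SP-side claim checks on a SAML 2.0 Response.
# Signature verification (XML-DSig on the Assertion) is assumed to have already passed.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample; every URL and the user are placeholders, not a real deployment.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing Z; parse without relying on fromisoformat."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, expected_issuer, expected_audience, acs_url, now):
    """Return (name_id, problems). An empty problems list means the claims are acceptable."""
    problems = []
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no assertion in response"]
    # The assertion must come from the IdP configured for this SP, not just any IdP
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("missing Conditions")
    else:
        nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb):
            problems.append("assertion not yet valid")
        if noa and now >= parse_saml_time(noa):
            problems.append("assertion expired")
        # Audience restriction stops an assertion minted for another SP from being replayed here
        audiences = [(a.text or "").strip()
                     for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience mismatch")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("recipient mismatch")
        noa = scd.get("NotOnOrAfter")
        if noa and now >= parse_saml_time(noa):
            problems.append("subject confirmation expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return name_id or None, problems


def check_sample(now_iso):
    """Run the checks on the constructed sample as if the SP received it at now_iso."""
    return validate_assertion(SAMPLE_RESPONSE, "https://idp.example.com/metadata",
                              "https://sp.example.com/saml/metadata",
                              "https://sp.example.com/saml/acs", parse_saml_time(now_iso))
```

A real SP (here, Alibaba Cloud) additionally rejects an assertion ID it has already seen within the validity window, so that a captured Response cannot be posted twice; the window checked above is what keeps that replay cache small.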