What is CloudSSO?
CloudSSO integrates with Alibaba Cloud Resource Directory to centralize identity management and access control across multiple accounts. You can manage users, assign permissions across accounts in a resource directory, and configure single sign-on (SSO) from your identity provider (IdP) with one-time setup.
Features
- Centralized user management
  Create a CloudSSO directory to manage all users who access Alibaba Cloud resources. You can manage users and groups manually, or use System for Cross-domain Identity Management (SCIM) to synchronize them from your IdP.
- SSO from your IdP
  CloudSSO directory users can log on with a username and password plus multi-factor authentication (MFA). For stronger security and a better user experience, configure SSO from your IdP. CloudSSO supports Security Assertion Markup Language (SAML) 2.0-based SSO, which you configure once in both CloudSSO and your IdP.
- Centralized permission assignment
  Assign access permissions on resource directory members to CloudSSO users or groups. Administrators can grant, modify, or revoke permissions based on the resource directory structure.
- Unified user portal
  Employees log on to the CloudSSO user portal to view all accessible accounts in the resource directory, select an account to access the Alibaba Cloud Management Console, and switch between accounts as needed.
- Alibaba Cloud CLI integration
  CloudSSO users can log on to the user portal from a browser or from the Alibaba Cloud Command Line Interface (CLI), then select an account and an access configuration to manage resources through the CLI.
- Free of charge
  CloudSSO is free to use.
Architecture
CloudSSO users access cloud resources in resource directory accounts through RAM user-based logon or RAM role-based logon.

The following table compares the two methods.
| Access method | Description | Scenario |
| --- | --- | --- |
| RAM role-based logon | Create and assign an access configuration so that a CloudSSO user can log on to the Alibaba Cloud Management Console through SSO and assume a RAM role within a resource directory account. | Use for resources that support RAM role-based access. |
| RAM user-based logon | Create a RAM user provisioning so that a CloudSSO user can log on to the Alibaba Cloud Management Console as a RAM user within a resource directory account. | Use for resources that do not support RAM role-based access. |
If you assign both an access configuration and a RAM user provisioning to the same CloudSSO user for an account, the user can access that account through either RAM role-based logon or RAM user-based logon.
CloudSSO and RAM
RAM manages identities (users, groups, and roles) and permissions within a single Alibaba Cloud account. If your enterprise uses multiple accounts, you must configure SSO and manage identities and permissions in each account separately.
CloudSSO integrates with Resource Directory to centrally manage identities and permissions across multiple Alibaba Cloud accounts with one-time configuration. CloudSSO uses its own directory (independent of RAM) for identity management and reuses RAM system policies and custom policy syntax for permissions. For more information, see Access configuration overview. When a CloudSSO user accesses a resource directory account, the user assumes a RAM role. For more information, see Overview.
With CloudSSO managing cross-account identities and permissions, you typically do not need RAM for per-account management. However, you can still use RAM when needed — for example, to manage existing RAM users or roles, or to authorize applications with AccessKey pairs. CloudSSO and RAM work together without conflict.