SAML response and assertion elements for CloudSSO single sign-on-CloudSSO(CloudSSO)-阿里云帮助中心

Background information

In SAML 2.0-based SSO, after a user is authenticated, the IdP generates a SAML response containing a SAML assertion and sends it to Alibaba Cloud through a browser or program via HTTP POST binding. Alibaba Cloud uses the assertion to verify the user's logon status and identity. The assertion must contain all elements required by Alibaba Cloud, or SSO fails.

SAML responses must be XML-encoded. See Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0.

SAML response

Each SAML response from your IdP to Alibaba Cloud must contain the following elements. Otherwise, SSO fails.

<saml2p:Response>
    <saml2:Issuer>...</saml2:Issuer>
    <saml2p:Status>
        ...
    </saml2p:Status>
    <saml2:Assertion>
        <saml2:Issuer>...</saml2:Issuer>
        <ds:Signature>
            ...
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID>${NameID}</saml2:NameID>
            <saml2:SubjectConfirmation>
                ...
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions>
            <saml2:AudienceRestriction>
                <saml2:Audience>${Audience}</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement>
            ...
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

Elements in a SAML assertion

Common elements in SAML 2.0

See the Security Assertion Markup Language (SAML) V2.0 Technical Overview.

Element	Description
`Issuer`	The `Issuer` value must match the `EntityID` in the IdP metadata file uploaded to the CloudSSO SSO settings.
`Signature`	The SAML assertion must be signed. The `Signature` element contains the signature value and algorithm, ensuring the assertion has not been modified after signing.
`Subject`	The `Subject` element must contain the following sub-elements: One `NameID` sub-element that identifies a CloudSSO user in your Alibaba Cloud account. See the NameID element description later in this topic. One `SubjectConfirmation` sub-element with a `SubjectConfirmationData` sub-element. `SubjectConfirmationData` must include the following attributes: `NotOnOrAfter`: the expiration time of the SAML assertion. `Recipient`: the assertion recipient. Set this to the `ACS URL` specified in the CloudSSO SSO settings. Alibaba Cloud validates the assertion against this value. Example `Subject` element: `<Subject> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Alice@abc.com</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2019-01-01T00:01:00.000Z" Recipient="https://signin-cn-shanghai.alibabacloudsso.com/saml/acs/51d298a9-2a3f-4e23-97c7-7ad1cfa9****"/> </SubjectConfirmation> </Subject>`
`Conditions`	The `Conditions` element must contain an `AudienceRestriction` sub-element with one or more `Audience` sub-elements. Set the `Audience` value to https://signin-<region>.alibabacloudsso.com/saml/sp/<directoryID>, which is the `EntityID` in the CloudSSO SSO settings. Example `Conditions` element: `<Conditions> <AudienceRestriction> <Audience>https://signin-cn-shanghai.alibabacloudsso.com/saml/sp/d-00fc2p61****</Audience> </AudienceRestriction> </Conditions>`

NameID element

CloudSSO identifies users by username. The SAML assertion from your IdP must contain the CloudSSO username so that Alibaba Cloud can resolve and map it to the correct user.

In your IdP's SAML assertion configuration, map the CloudSSO username to the NameID element.

References

How do I view a SAML response in Google Chrome?