Alibaba Cloud DevOps SSO


This topic describes how to configure single sign-on (SSO) for Alibaba Cloud DevOps in IDaaS, which allows enterprise members to access Alibaba Cloud DevOps as RAM users.

Procedure

Important

Alibaba Cloud DevOps SSO is built on the user-based SSO feature of Alibaba Cloud. Each Alibaba Cloud account supports only one identity provider (IdP) for user-based SSO. Therefore, once you configure Alibaba Cloud DevOps SSO by using IDaaS, that IDaaS instance becomes the sole IdP for user-based SSO to the Alibaba Cloud account.

If your Alibaba Cloud account already uses user-based SSO, carefully evaluate and adjust your configuration before proceeding. To avoid service disruptions, test this configuration in a non-production account, or first verify that your production account is not using the user-based SSO feature.

Step 1: Create an application

  1. Log on to the IDaaS console.

  2. Select an IDaaS instance and click Console in the Actions column.

  3. Navigate to Applications > Add Application > Application Marketplace, search for the Alibaba Cloud DevOps SSO application template, and click Add Application.

  4. Confirm the application details and click Add.

    Set Application Name to "Alibaba Cloud - Alibaba Cloud DevOps" and Protocol to SAML 2.0.

Step 2: Configure application SSO

  1. After adding the application, you are automatically redirected to its SSO configuration page.

    On the Login Access > Single Sign-On tab, enable the SSO toggle. Enter your 16-digit Alibaba Cloud Account ID. For Application Username, select IDaaS Username. For Authorization Scope, select Manual Authorization. After selecting this option, you must assign permissions on the Application Authorization tab.

  2. To find your Alibaba Cloud account ID, go to the Alibaba Cloud console homepage > Account Center. The application username attribute maps an IDaaS user to an Alibaba Cloud RAM user during SSO, enabling logon to Alibaba Cloud DevOps. For testing purposes, we recommend setting the authorization scope to all users to temporarily skip permission assignments.

  3. In the Application Configuration Information section, download the IdP metadata file and save it to your computer. This file is used to establish the trust relationship between Alibaba Cloud and IDaaS.

  4. If your IDaaS username matches the username prefix of your RAM user, select IDaaS Username for Application Username.

    If your IDaaS username does not match your RAM username, select Application Username in the Application Username field. Then, go to the Application Accounts interface to bind the accounts. Select the IDaaS account for SSO and enter the RAM username prefix.
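The IdP metadata file downloaded in this step is what the RAM console uses to build trust with IDaaS, so it is worth checking before it is uploaded. The script below is an added example, not code from IDaaS or Alibaba Cloud: it parses a SAML 2.0 IdP metadata document with the standard library only and confirms that it is IdP (not SP) metadata, that it carries at least one signing certificate, and that its single sign-on endpoints are HTTPS URLs with a browser binding. The sample metadata, the `example.invalid` host names and the "certificate" (a 5-byte DER placeholder) are constructed for the example; the element and attribute names are those of the SAML 2.0 metadata standard.

```python
"""
Added example (not from the IDaaS documentation): sanity-check a SAML 2.0
IdP metadata file before uploading it to the RAM console's User-based SSO
settings. Uses only the Python standard library.
"""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and return a summary; raise ValueError on any defect
    that would make the trust relationship fail or be unsafe."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Typical mistake: uploading the SP (service provider) metadata instead.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    # Signing certificates: the SP needs at least one to verify assertion signatures.
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der.startswith(b"\x30"):  # every DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate content is not a DER certificate")
            signing_certs.append(der)
    if not signing_certs:
        raise ValueError("no signing certificate in IDPSSODescriptor")

    # SSO endpoints: require HTTPS and at least one of the two browser bindings.
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location")
        if not location or not location.startswith("https://"):
            raise ValueError("SingleSignOnService Location must be an https URL: %r" % location)
        endpoints[binding] = location
    if HTTP_REDIRECT not in endpoints and HTTP_POST not in endpoints:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")

    return {
        "entity_id": entity_id,
        "signing_certs": len(signing_certs),
        "sso_endpoints": endpoints,
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def metadata_problem(xml_text: str):
    """Return None if the metadata passes all checks, else the failure reason."""
    try:
        check_idp_metadata(xml_text)
        return None
    except (ValueError, ET.ParseError) as exc:
        return str(exc)


# Constructed sample metadata. The host name and the certificate are placeholders:
# the "certificate" is a 5-byte DER SEQUENCE, not a real X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idaas.example.invalid/saml/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idaas.example.invalid/saml/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idaas.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata, i.e. the wrong file: it must be rejected.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.invalid">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Usage: python check_idp_metadata.py <downloaded-metadata.xml>; with no argument the sample is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    print(check_idp_metadata(text))
```

Run it against the file downloaded from the Application Configuration Information section; a rejected file is usually the SP metadata picked by mistake, or an export with no signing certificate, both of which would otherwise surface only as a failed logon in Step 4. The `wants_signed_authn_requests` field is reported so you know whether the IdP expects signed requests from the SP side.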

Step 3: Configure user-based SSO in Alibaba Cloud

  1. Log on to the Alibaba Cloud RAM console.

  2. In the left-side navigation pane, click SSO Management.

  3. On the User-based SSO tab, review the current SSO logon settings.

  4. Click Edit. Set the SSO status to Enabled and upload the IdP metadata file that you downloaded from IDaaS in Step 2. Do not enable the auxiliary domain name.

  5. Click OK to save the configuration.

Step 4: Test the SSO connection

SSO can be initiated in two ways:

  1. IdP-initiated single sign-on: Log on to the IDaaS application portal with an account authorized for the Alibaba Cloud DevOps SSO application. Click the application icon to initiate SSO and log on to Alibaba Cloud DevOps.

  2. SP-initiated single sign-on: In a private browsing window, go to the Alibaba Cloud DevOps URL. You are redirected to the Alibaba Cloud logon page. Click RAM User, enter the RAM username, and click Next.

    A prompt page appears. Click Log on with Enterprise Account or copy the logon link. If you are already logged on to the IDaaS application portal, you are signed in directly to Alibaba Cloud DevOps. Otherwise, you are redirected to the IDaaS logon page to authenticate. After authenticating with IDaaS, you are automatically logged on to Alibaba Cloud DevOps.