This topic shows how to configure role-based single sign-on (SSO) between Okta, as an enterprise identity provider (IdP), and Alibaba Cloud.
Procedure
The goal of this configuration is to create an attribute named approle in an Okta application. This attribute maps users to a specific Resource Access Management (RAM) role in Alibaba Cloud. Follow the procedure in the following figure to configure both Alibaba Cloud and Okta.

Step 1: Create a SAML SSO application in Okta
-
Log on to the Okta portal.
-
In the upper-right corner of the page, click your account icon, and then click Your Org.
-
In the navigation pane, choose Applications > Applications.
-
On the Applications page, click Create App Integration.
-
In the Create a new app integration dialog box, select SAML 2.0, and then click Next.
-
Set the application name to
role-sso-test, and then click Next. -
Configure the SAML settings, and then click Next.
-
Single sign-on URL:
https://signin.aliyun.com/saml-role/sso. -
Audience URI (SP Entity ID):
urn:alibaba:cloudcomputing. -
Default RelayState: Specify the Alibaba Cloud page to which users are redirected after a successful sign-in.
NoteFor security, you can enter only URLs of Alibaba-owned domains as the value of Default RelayState, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, and *.alipay.com. If you enter an invalid URL, the configuration does not take effect. If you leave this parameter empty, users are redirected to the homepage of the Alibaba Cloud Management Console by default.
-
Name ID format: Select EmailAddress.
-
Application username: Select Email.
-
Update application username on: Keep the default value.
-
-
On the Feedback page, select an application type, and then click Finish.
Step 2: Get SAML IdP metadata from Okta
-
On the details page of the
role-sso-testapplication, click the Sign On tab. -
In the SAML 2.0 section, copy the Metadata URL and save the IdP metadata to a local file.
Step 3: Create a SAML IdP in Alibaba Cloud
-
Log on to the RAM console as a RAM administrator.
-
In the navigation pane, choose .
-
On the Role-based SSO tab, click the SAML tab and then click Create IdP.
-
On the Create IdP page, enter an IdP Name such as
okta-providerand a Note. -
In the Metadata File section, click Upload Metadata File and upload the IdP metadata you obtained in Step 2: Get SAML IdP metadata from Okta.
-
Click Create IdP.
Step 4: Create a RAM role in Alibaba Cloud
-
In the navigation pane of the RAM console, choose .
-
On the Roles page, click Create Role.
-
In the upper-right corner of the Create Role panel, click Switch to Policy Editor.
-
Specify the SAML identity provider in the editor.
The editor supports a visual editor and a script editor. You can use either one. For example, in the visual editor, you must specify the identity provider that you created in Step 3: Create a SAML identity provider in Alibaba Cloud in the Principal field, and select SAML for IdP Type.
-
In the editor, set the Condition
saml:recipienttohttps://signin.aliyun.com/saml-role/sso. -
In the Create Role dialog box, enter a Role Name such as
adminand then click OK.
Step 5: Configure the application profile in Okta
-
Edit the profile to add a new attribute.
-
In the navigation pane, choose Directory > Profile Editor.
-
Search for and click the application name
role-sso-test. -
On the Profile Editor page, in the Attributes section, click Add Attribute.
-
In the Add Attribute dialog box, configure the attribute information.
-
Data type: Select string.
-
Display name: Enter the name to display in the UI. In this example, enter
approle. -
Variable name: Enter the variable name to be referenced in mappings. In this example, enter
approle. Note this value for later use. -
Description: Enter a description for the attribute. This parameter is optional.
-
Enum: Select Define enumerated list of values.
NoteUsing an Enum restricts attribute values to a predefined list. You can skip this option for greater flexibility.
-
Attribute members: Enter the list of enumerated values. The Value must match the name of a RAM role you created, for example,
adminorreader. -
Attribute Length: This setting is not required for this example because an enumeration is used. If you do not use an enumeration, set the attribute length as needed.
-
Attribute required: Select Yes.
-
Scope: Deselect User personal.
-
-
Click Save.
-
-
Configure the attribute statements.
-
In the navigation pane, choose Applications > Applications.
-
Click the application name
role-sso-test. -
On the General tab, in the SAML Settings section, click Edit.
-
On the Configure SAML page, in the Attribute Statements (optional) section, configure two statements. For the first statement, set Name to
https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName, Name format to Unspecified, and Value touser.email. For the second statement, set Name tohttps://www.aliyun.com/SAML-Role/Attributes/Role, Name format to Unspecified, and Value to a RAM role ARN expression that starts withacs:ram::<account_id>.-
Configure the first statement:
-
Name: Enter
https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName. -
Value: Select user.email.
-
-
Configure the second statement:
-
Name: Enter
https://www.aliyun.com/SAML-Role/Attributes/Role. -
Value: Set the value to
String.replace("acs:ram::<account_id>:role/$approle,acs:ram::<account_id>:saml-provider/okta-provider", "$approle", appuser.approle). This expression replaces the$approleplaceholder with the value of theapproleattribute from the user's application profile to generate the final SAML attribute value. In this expression,approleis the attribute you defined in the profile, andokta-provideris the identity provider you created in Step 3: Create a SAML IdP in Alibaba Cloud. Replace<account_id>with your Alibaba Cloud account ID. Example:String.replace("acs:ram::177242285274****:role/$approle,acs:ram::177242285274****:saml-provider/okta-provider", "$approle", appuser.approle).
-
-
-
Step 6: Create a user and assign the application
-
Create a user.
-
In the navigation pane, choose .
-
Click Add person.
-
On the Add Person page, fill in the basic information, set Primary email to the user's email address such as
username@example.com, and then click Save. -
In the user list, find the user
username@example.comand click Activate in the Status column. Follow the on-screen instructions to activate the user.
-
-
Assign the application.
You can assign the application in one of two ways:
-
Assign the application to a single user.
-
In the navigation pane, choose .
-
Click the application name
role-sso-test. On the Assignments tab, choose . -
Click Assign next to the target user
username@example.com. -
For approle, select
admin. -
Click Save and Go Back.
-
Click Done.
-
-
Add the user to a group and assign the application to the group.
-
In the navigation pane, choose , and then click Add Group to create a group.
-
Click the group name, click Manage People, and then add the user to the group.
-
In the navigation pane, choose .
-
Click the application name
role-sso-test. On the Assignments tab, click . -
Click Assign next to the target group.
-
For approle, select
admin. -
Click Save and Go Back.
-
Click Done.
NoteIf a user belongs to multiple groups, only one attribute value is used. Okta uses the value from the first group assigned to the user on the application's Assignments tab. Changes to group membership can affect the value of
approle. For more information, see the Okta documentation. -
-
Verify the configuration
-
In the navigation pane, choose .
-
Click the application name
role-sso-test. On the General tab, in the App Embed Link area, copy the URL in Embed Link.
-
Open a new browser window, paste the URL, and sign in as
username@example.com.A successful sign-in redirects you to the page specified by
Default RelayStateor the Alibaba Cloud Management Console homepage. After you are redirected to the console, a welcome message appears. Click your avatar in the upper-right corner. The drop-down panel shows your current sign-in identity as admin/ with an orange role label. This indicates that you have successfully signed in to the console by assuming a RAM role.
(Optional) Configure multiple roles for a user
If you need to map a user to multiple Alibaba Cloud roles, you must use a Group Attribute Statement and configure it based on group names. Follow these steps:
-
Create multiple groups. Each group name must follow the format required by the Role attribute in the SAML assertion. For example, you can create a group named
acs:ram::177242285274****:role/admin,acs:ram::177242285274****:saml-provider/okta-provider. Similarly, create a group for the reader role with the nameacs:ram::177242285274****:role/reader,acs:ram::177242285274****:saml-provider/okta-provider. -
Add the user
username@example.comto these groups. In the application's SAML Settings, delete the attribute statement for the Role and then add a Group Attribute Statement. In the new statement, set Name to
https://www.aliyun.com/SAML-Role/Attributes/Role. The Filter must be configured to retrieve the group name mentioned above, for example: Start with acs:ram.-
After you complete these steps, the user is prompted to select a role the next time they sign in to Alibaba Cloud. The sign-in page offers the reader and admin roles. The user selects a role and clicks Sign In to complete the sign-in.
For more information about Okta, see the Okta documentation.