Example: Configure role-based SSO with Okta

更新时间:
复制 MD 格式

This topic shows how to configure role-based single sign-on (SSO) between Okta, as an enterprise identity provider (IdP), and Alibaba Cloud.

Procedure

The goal of this configuration is to create an attribute named approle in an Okta application. This attribute maps users to a specific Resource Access Management (RAM) role in Alibaba Cloud. Follow the procedure in the following figure to configure both Alibaba Cloud and Okta.

流程图

Step 1: Create a SAML SSO application in Okta

  1. Log on to the Okta portal.

  2. In the upper-right corner of the page, click your account icon, and then click Your Org.

  3. In the navigation pane, choose Applications > Applications.

  4. On the Applications page, click Create App Integration.

  5. In the Create a new app integration dialog box, select SAML 2.0, and then click Next.

  6. Set the application name to role-sso-test, and then click Next.

  7. Configure the SAML settings, and then click Next.

    • Single sign-on URL: https://signin.aliyun.com/saml-role/sso.

    • Audience URI (SP Entity ID): urn:alibaba:cloudcomputing.

    • Default RelayState: Specify the Alibaba Cloud page to which users are redirected after a successful sign-in.

      Note

      For security, you can enter only URLs of Alibaba-owned domains as the value of Default RelayState, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, and *.alipay.com. If you enter an invalid URL, the configuration does not take effect. If you leave this parameter empty, users are redirected to the homepage of the Alibaba Cloud Management Console by default.

    • Name ID format: Select EmailAddress.

    • Application username: Select Email.

    • Update application username on: Keep the default value.

  8. On the Feedback page, select an application type, and then click Finish.

Step 2: Get SAML IdP metadata from Okta

  1. On the details page of the role-sso-test application, click the Sign On tab.

  2. In the SAML 2.0 section, copy the Metadata URL and save the IdP metadata to a local file.

Step 3: Create a SAML IdP in Alibaba Cloud

  1. Log on to the RAM console as a RAM administrator.

  2. In the navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the SAML tab and then click Create IdP.

  4. On the Create IdP page, enter an IdP Name such as okta-provider and a Note.

  5. In the Metadata File section, click Upload Metadata File and upload the IdP metadata you obtained in Step 2: Get SAML IdP metadata from Okta.

  6. Click Create IdP.

Step 4: Create a RAM role in Alibaba Cloud

  1. In the navigation pane of the RAM console, choose Identities > Roles.

  2. On the Roles page, click Create Role.

  3. In the upper-right corner of the Create Role panel, click Switch to Policy Editor.

  4. Specify the SAML identity provider in the editor.

    The editor supports a visual editor and a script editor. You can use either one. For example, in the visual editor, you must specify the identity provider that you created in Step 3: Create a SAML identity provider in Alibaba Cloud in the Principal field, and select SAML for IdP Type.

  5. In the editor, set the Condition saml:recipient to https://signin.aliyun.com/saml-role/sso.

  6. In the Create Role dialog box, enter a Role Name such as admin and then click OK.

Step 5: Configure the application profile in Okta

  1. Edit the profile to add a new attribute.

    1. In the navigation pane, choose Directory > Profile Editor.

    2. Search for and click the application name role-sso-test.

    3. On the Profile Editor page, in the Attributes section, click Add Attribute.

    4. In the Add Attribute dialog box, configure the attribute information.

      • Data type: Select string.

      • Display name: Enter the name to display in the UI. In this example, enter approle.

      • Variable name: Enter the variable name to be referenced in mappings. In this example, enter approle. Note this value for later use.

      • Description: Enter a description for the attribute. This parameter is optional.

      • Enum: Select Define enumerated list of values.

        Note

        Using an Enum restricts attribute values to a predefined list. You can skip this option for greater flexibility.

      • Attribute members: Enter the list of enumerated values. The Value must match the name of a RAM role you created, for example, admin or reader.

      • Attribute Length: This setting is not required for this example because an enumeration is used. If you do not use an enumeration, set the attribute length as needed.

      • Attribute required: Select Yes.

      • Scope: Deselect User personal.

    5. Click Save.

  2. Configure the attribute statements.

    1. In the navigation pane, choose Applications > Applications.

    2. Click the application name role-sso-test.

    3. On the General tab, in the SAML Settings section, click Edit.

    4. On the Configure SAML page, in the Attribute Statements (optional) section, configure two statements. For the first statement, set Name to https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName, Name format to Unspecified, and Value to user.email. For the second statement, set Name to https://www.aliyun.com/SAML-Role/Attributes/Role, Name format to Unspecified, and Value to a RAM role ARN expression that starts with acs:ram::<account_id>.

      • Configure the first statement:

        • Name: Enter https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName.

        • Value: Select user.email.

      • Configure the second statement:

        • Name: Enter https://www.aliyun.com/SAML-Role/Attributes/Role.

        • Value: Set the value to String.replace("acs:ram::<account_id>:role/$approle,acs:ram::<account_id>:saml-provider/okta-provider", "$approle", appuser.approle). This expression replaces the $approle placeholder with the value of the approle attribute from the user's application profile to generate the final SAML attribute value. In this expression, approle is the attribute you defined in the profile, and okta-provider is the identity provider you created in Step 3: Create a SAML IdP in Alibaba Cloud. Replace <account_id> with your Alibaba Cloud account ID. Example: String.replace("acs:ram::177242285274****:role/$approle,acs:ram::177242285274****:saml-provider/okta-provider", "$approle", appuser.approle).

Step 6: Create a user and assign the application

  1. Create a user.

    1. In the navigation pane, choose Directory > People.

    2. Click Add person.

    3. On the Add Person page, fill in the basic information, set Primary email to the user's email address such as username@example.com, and then click Save.

    4. In the user list, find the user username@example.com and click Activate in the Status column. Follow the on-screen instructions to activate the user.

  2. Assign the application.

    You can assign the application in one of two ways:

    • Assign the application to a single user.

      1. In the navigation pane, choose Applications > Applications.

      2. Click the application name role-sso-test. On the Assignments tab, choose Assign > Assign to People.

      3. Click Assign next to the target user username@example.com.

      4. For approle, select admin.

      5. Click Save and Go Back.

      6. Click Done.

    • Add the user to a group and assign the application to the group.

      1. In the navigation pane, choose Directory > Groups, and then click Add Group to create a group.

      2. Click the group name, click Manage People, and then add the user to the group.

      3. In the navigation pane, choose Applications > Applications.

      4. Click the application name role-sso-test. On the Assignments tab, click Assign > Assign to Groups.

      5. Click Assign next to the target group.

      6. For approle, select admin.

      7. Click Save and Go Back.

      8. Click Done.

      Note

      If a user belongs to multiple groups, only one attribute value is used. Okta uses the value from the first group assigned to the user on the application's Assignments tab. Changes to group membership can affect the value of approle. For more information, see the Okta documentation.

Verify the configuration

  1. In the navigation pane, choose Applications > Applications.

  2. Click the application name role-sso-test.

  3. On the General tab, in the App Embed Link area, copy the URL in Embed Link.

  4. Open a new browser window, paste the URL, and sign in as username@example.com.

    A successful sign-in redirects you to the page specified by Default RelayState or the Alibaba Cloud Management Console homepage. After you are redirected to the console, a welcome message appears. Click your avatar in the upper-right corner. The drop-down panel shows your current sign-in identity as admin/ with an orange role label. This indicates that you have successfully signed in to the console by assuming a RAM role.

(Optional) Configure multiple roles for a user

If you need to map a user to multiple Alibaba Cloud roles, you must use a Group Attribute Statement and configure it based on group names. Follow these steps:

  1. Create multiple groups. Each group name must follow the format required by the Role attribute in the SAML assertion. For example, you can create a group named acs:ram::177242285274****:role/admin,acs:ram::177242285274****:saml-provider/okta-provider. Similarly, create a group for the reader role with the name acs:ram::177242285274****:role/reader,acs:ram::177242285274****:saml-provider/okta-provider.

  2. Add the user username@example.com to these groups.

  3. In the application's SAML Settings, delete the attribute statement for the Role and then add a Group Attribute Statement. In the new statement, set Name to https://www.aliyun.com/SAML-Role/Attributes/Role. The Filter must be configured to retrieve the group name mentioned above, for example: Start with acs:ram.

  4. After you complete these steps, the user is prompted to select a role the next time they sign in to Alibaba Cloud. The sign-in page offers the reader and admin roles. The user selects a role and clicks Sign In to complete the sign-in.

For more information about Okta, see the Okta documentation.