Configure role-based SSO with OneLogin

更新时间:
复制 MD 格式

This topic walks through the end-to-end configuration of role-based SSO between OneLogin and Alibaba Cloud, so that OneLogin users can access Alibaba Cloud without separate Alibaba Cloud accounts.

Background

An enterprise has an Alibaba Cloud account, a OneLogin administrator, and multiple OneLogin users. The goal is to let OneLogin users sign in to Alibaba Cloud through role-based SSO with their existing OneLogin accounts, without creating separate Alibaba Cloud accounts.

For background on OneLogin, see the OneLogin documentation.

Step 1: Create an application in OneLogin

  1. Sign in to OneLogin as an administrator.

  2. Next to your account profile picture, click Administration.

  3. In the top navigation bar, choose Applications > Applications.

  4. On the Applications page, click Add App.

  5. On the Find Applications page, search for SAML Test Connector (Advanced).

  6. On the Add SAML Test Connector (Advanced) page, configure the application basics and click Save.

    This example sets Display Name to LoginToAliyun and keeps the defaults for other parameters.

  7. On the Info page, hover over More Actions and click SAML Metadata to download the IdP metadata file.

Step 2: Create an IdP in Alibaba Cloud

  1. Sign in to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Integrations > SSO.

  3. On the Role-based SSO tab, click the SAML tab, and then click Create IdP.

  4. On the Create IdP page, enter an IdP Name (for example, OneLogin) and a Note.

  5. In the Metadata File section, click Upload Metadata File and upload the IdP metadata file that you obtained in Step 1: Create an application in OneLogin.

  6. Click Create IdP.

Record the ARN of the IdP for later use.

Step 3: Create a RAM role in Alibaba Cloud

  1. In the left-side navigation pane of the RAM console, choose Identities > Roles.

  2. On the Roles page, click Create Role.

  3. In the upper-right corner of the Create Role page, click Switch to Policy Editor.

  4. Specify the SAML identity provider in the policy editor.

    The editor supports a visual mode and a script mode. This example uses the visual editor. For Principal, select the IdP created in Step 2: Create an IdP in Alibaba Cloud. For IdP Type, select SAML.

  5. In the editor, add a condition with the key saml:recipient and set its value to https://signin.aliyun.com/saml-role/sso.

  6. In the Create Role dialog box, enter a Role Name, such as Reader-OneLogin, and then click OK.

Record the ARN of the RAM role for later use.

Step 4: Configure the OneLogin application

  1. Sign in to OneLogin as an administrator.

  2. Create a custom user field.

    1. In the top navigation bar, choose Users > Users.

    2. On the Users page, hover over More Actions and click Custom User Fields.

    3. On the Custom User Fields page, click New User Field.

    4. In the New User Field dialog box, set Name and Shortname, then click Save.

      This example sets Name to AliyunRoles for SSO and Shortname to AliyunRoles.

  3. Configure the application.

    1. In the top navigation bar, choose Applications > Applications.

    2. On the Applications page, click the application (LoginToAliyun) that you created in Step 1: Create an application in OneLogin.

    3. In the left-side navigation pane, click Configuration.

    4. On the Configuration page, set the following parameters and click Save.

      • RelayState: The Alibaba Cloud page URL to redirect users to after sign-on.

        Note

        For security reasons, the URL for RelayState must belong to an Alibaba-owned domain, such as *.aliyun.com, *.hichina.com, *.yunos.com, *.taobao.com, *.tmall.com, *.alibabacloud.com, or *.alipay.com. Non-Alibaba-owned domains are invalid. If left empty, users are redirected to the Alibaba Cloud console homepage.

      • Audience (EntityID): urn:alibaba:cloudcomputing.

      • Recipient: https://signin.aliyun.com/saml-role/sso.

      • ACS (Consumer) URL: https://signin.aliyun.com/saml-role/sso.

    5. In the left-side navigation pane, click Parameters.

    6. On the Parameters page, click the plus icon (Add) to add the first custom attribute.

      1. In the New Field dialog box, set Field name to https://www.aliyun.com/SAML-Role/Attributes/Role, select the Include in SAML assertion and Multi-value parameter checkboxes, and then click Save.

      2. In the Edit Field https://www.aliyun.com/SAML-Role/Attributes/Role dialog box, go to the Default if no value selected section. Select Aliyun Roles for SSO (Custom) from the first drop-down list and Semicolon Delimited input (Multi-value output) from the second drop-down list. Then, click Save.

    7. On the Parameters page, click the plus icon (Add) to add the second custom attribute.

      1. In the New Field dialog box, set Field name to https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName, select the Include in SAML assertion checkbox, and then click Save.

      2. In the Edit Field https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName dialog box, select Email from the Value drop-down list, and then click Save.

        Note

        You can also set Value to another attribute, such as Username or userPrincipalName.

    8. In the upper-right corner of the Parameters page, click Save.

Step 5: Create a user and assign the application in OneLogin

  1. Sign in to OneLogin as an administrator.

  2. In the top navigation bar, choose Users > Users.

  3. Create a OneLogin user.

    Note

    If you already have a OneLogin user, you can skip this step.

    1. On the Users page, click New User.

    2. On the New User page, set the First name (for example, Jack), Last name (for example, Lee), Username (for example, jacklee), and Email (for example, jacklee@example.com), and then click Save User.

    3. On the User Info page, hover over More Actions, click Change Password, set a password for the user, and click Update.

      The user needs this password to sign in to OneLogin.

  4. On the User Info page, in the Custom Fields section, configure the value for the Aliyun Roles for SSO attribute.

    The value of Aliyun Roles for SSO consists of the RAM role ARN and the IdP ARN, separated by a comma (,), in the format: acs:ram::<account_id>:role/RoleName,acs:ram::<account_id>:saml-provider/ProviderName. Get the RAM role ARN from Step 3: Create a RAM role in Alibaba Cloud and the IdP ARN from Step 2: Create an IdP in Alibaba Cloud. Replace <account_id> with your Alibaba Cloud account ID.

    Note

    To let a user assume multiple RAM roles, specify multiple role-and-provider pairs separated by semicolons (;). Example: acs:ram::125022144354****:role/reader-onelogin,acs:ram::125022144354****:saml-provider/OneLogin;acs:ram::125022144354****:role/administrator-onelogin,acs:ram::125022144354****:saml-provider/OneLogin;acs:ram::158622887609****:role/finance,acs:ram::158622887609****:saml-provider/OneLogin2.

  5. Assign the application to the user.

    1. On the Applications page, click the plus icon (Add).

    2. Select the application (LoginToAliyun) that you created in Step 1: Create an application in OneLogin, and then click Continue.

    3. In the dialog box that appears, click Save.

  6. On the Users page, click Save User.

  7. Repeat steps 4 to 6 to configure the Aliyun Roles for SSO attribute and assign the application for other OneLogin users.

Verify the configuration

  1. Sign in to OneLogin as the user (jacklee) that you created in Step 5: Create user and assign application in OneLogin.

  2. Click the application (LoginToAliyun).

    If you are redirected to the page specified by RelayState (or the Alibaba Cloud console homepage by default), the SSO configuration is successful.

    Note

    If you configured multiple roles for the user in Step 5: Create user and assign application in OneLogin, you must select a role before you can access Alibaba Cloud.