SAML response for user-based SSO

更新时间:
复制 MD 格式

A SAML response for user-based SSO must include specific assertion elements for Alibaba Cloud to verify user identity.

Background

In a SAML 2.0-based SSO flow, after a user signs in to the identity provider (IdP), the IdP generates an authentication response that contains a SAML assertion by using the HTTP-POST binding. The browser or application automatically forwards this response to Alibaba Cloud, which uses the SAML assertion to verify the user's identity. The assertion must include the elements that Alibaba Cloud requires. Otherwise, the SSO fails.

SAML response

Your IdP must send a SAML response to Alibaba Cloud that meets the following requirements. All elements are required for SSO to succeed.

<saml2p:Response>
    <saml2:Issuer>...</saml2:Issuer>
    <saml2p:Status>
        ...
    </saml2p:Status>
    <saml2:Assertion>
        <saml2:Issuer>...</saml2:Issuer>
        <ds:Signature>
            ...
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID>${NameID}</saml2:NameID>
            <saml2:SubjectConfirmation>
                ...
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions>
            <saml2:AudienceRestriction>
                <saml2:Audience>${Audience}</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement>
            ...
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

SAML assertion elements

  • General elements of the SAML 2.0 protocol

    The SAML 2.0 specification provides the full protocol details.

    Element

    Description

    Issuer

    The value of Issuer must match the EntityID in the metadata file that you uploaded in the Alibaba Cloud user-based SSO settings.

    Signature

    The SAML assertion must be signed to prevent tampering. The Signature element and its children must contain the signature value, signing algorithm, and related information.

    Subject

    The Subject element must contain the following elements:

    • Exactly one NameID element, which identifies a RAM user in your Alibaba Cloud account. The NameID element and NameID examples sections below describe the format requirements.

    • Exactly one SubjectConfirmation element that contains a SubjectConfirmationData element. The SubjectConfirmationData element must have the following attributes:

      • NotOnOrAfter: The validity period of the SAML assertion.

      • Recipient: Alibaba Cloud checks this value to verify that it is the intended recipient. The value must be https://signin.aliyun.com/saml/SSO.

      Example Subject element:

      <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Alice@example.onaliyun.com</NameID>        
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">   
          <SubjectConfirmationData NotOnOrAfter="2019-01-01T00:01:00.000Z" Recipient="https://signin.aliyun.com/saml/SSO"/>    
        </SubjectConfirmation>
      </Subject>

    Conditions

    The Conditions element must contain an AudienceRestriction element, with one or more Audience elements. At least one Audience element must have the value https://signin.aliyun.com/${accountId}/saml/SSO, where ${accountId} is the Alibaba Cloud account ID.

    Example Conditions element:

    <Conditions>
      <AudienceRestriction>
        <Audience>https://signin.aliyun.com/${accountId}/saml/SSO</Audience>
      </AudienceRestriction>
    </Conditions>          
  • NameID element

    Alibaba Cloud uses the User Principal Name (UPN) to locate RAM users. The SAML assertion from your IdP must contain the user's UPN in the NameID element to enable user-based SSO.

    In your IdP, map the field that corresponds to the RAM user's UPN to the NameID element.

    The NameID value must use one of the following formats:

    • Use the Domain Alias as the suffix for the NameID element in the format <username>@<domain_alias>. In this format, <username> is the username of a RAM user and <domain_alias> is the custom logon suffix. Create and verify a custom logon suffix.

    • Use the Auxiliary Domain Name as the suffix for the NameID element in the format <username>@<auxiliary_domain>. In this format, <username> is the username of a RAM user and <auxiliary_domain> is the auxiliary logon suffix. Configure SAML for the Alibaba Cloud SP for user-based SSO.

      Note

      If you configure both a domain alias and an auxiliary domain, the auxiliary domain is ignored. In this case, you can use only the domain alias for the NameID element.

    • Use the Default Domain as the suffix for the NameID element. The format is <username>@<default_domain>, where <username> is the username of the RAM user and <default_domain> is the default logon suffix. Manage the logon domain name for a RAM user.

      Note

      The default logon suffix remains valid for NameID even if you set a custom or auxiliary logon suffix.

  • NameID examples

    The RAM username is Alice, and the default logon suffix is example.onaliyun.com.

    • If the custom logon suffix is set to example.com, the NameID value is Alice@example.onaliyun.com or Alice@example.com.

    • If a custom logon suffix is not set and the auxiliary logon suffix is set to example.net, the NameID value can be Alice@example.onaliyun.com or Alice@example.net.

    • If you set the custom logon suffix to example.com and then set the auxiliary logon suffix to example.net, the NameID value is Alice@example.onaliyun.com or Alice@example.com. The auxiliary logon suffix does not take effect in this case.

Related documents

How to view a SAML response in your browser