A SAML response for user-based SSO must include specific assertion elements for Alibaba Cloud to verify user identity.
Background
In a SAML 2.0-based SSO flow, after a user signs in to the identity provider (IdP), the IdP generates an authentication response that contains a SAML assertion by using the HTTP-POST binding. The browser or application automatically forwards this response to Alibaba Cloud, which uses the SAML assertion to verify the user's identity. The assertion must include the elements that Alibaba Cloud requires. Otherwise, the SSO fails.
SAML response
Your IdP must send a SAML response to Alibaba Cloud that meets the following requirements. All elements are required for SSO to succeed.
<saml2p:Response>
<saml2:Issuer>...</saml2:Issuer>
<saml2p:Status>
...
</saml2p:Status>
<saml2:Assertion>
<saml2:Issuer>...</saml2:Issuer>
<ds:Signature>
...
</ds:Signature>
<saml2:Subject>
<saml2:NameID>${NameID}</saml2:NameID>
<saml2:SubjectConfirmation>
...
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions>
<saml2:AudienceRestriction>
<saml2:Audience>${Audience}</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement>
...
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
SAML assertion elements
-
General elements of the SAML 2.0 protocol
The SAML 2.0 specification provides the full protocol details.
Element
Description
IssuerThe value of
Issuermust match theEntityIDin the metadata file that you uploaded in the Alibaba Cloud user-based SSO settings.SignatureThe SAML assertion must be signed to prevent tampering. The
Signatureelement and its children must contain the signature value, signing algorithm, and related information.SubjectThe
Subjectelement must contain the following elements:-
Exactly one
NameIDelement, which identifies a RAM user in your Alibaba Cloud account. The NameID element and NameID examples sections below describe the format requirements. -
Exactly one
SubjectConfirmationelement that contains aSubjectConfirmationDataelement. TheSubjectConfirmationDataelement must have the following attributes:-
NotOnOrAfter: The validity period of the SAML assertion. -
Recipient: Alibaba Cloud checks this value to verify that it is the intended recipient. The value must behttps://signin.aliyun.com/saml/SSO.
Example
Subjectelement:<Subject> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Alice@example.onaliyun.com</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2019-01-01T00:01:00.000Z" Recipient="https://signin.aliyun.com/saml/SSO"/> </SubjectConfirmation> </Subject> -
ConditionsThe
Conditionselement must contain anAudienceRestrictionelement, with one or moreAudienceelements. At least oneAudienceelement must have the valuehttps://signin.aliyun.com/${accountId}/saml/SSO, where${accountId}is the Alibaba Cloud account ID.Example
Conditionselement:<Conditions> <AudienceRestriction> <Audience>https://signin.aliyun.com/${accountId}/saml/SSO</Audience> </AudienceRestriction> </Conditions> -
-
NameID element
Alibaba Cloud uses the User Principal Name (UPN) to locate RAM users. The SAML assertion from your IdP must contain the user's UPN in the
NameIDelement to enable user-based SSO.In your IdP, map the field that corresponds to the RAM user's UPN to the
NameIDelement.The
NameIDvalue must use one of the following formats:-
Use the Domain Alias as the suffix for the
NameIDelement in the format<username>@<domain_alias>. In this format,<username>is the username of a RAM user and<domain_alias>is the custom logon suffix. Create and verify a custom logon suffix. -
Use the Auxiliary Domain Name as the suffix for the
NameIDelement in the format<username>@<auxiliary_domain>. In this format,<username>is the username of a RAM user and<auxiliary_domain>is the auxiliary logon suffix. Configure SAML for the Alibaba Cloud SP for user-based SSO.NoteIf you configure both a domain alias and an auxiliary domain, the auxiliary domain is ignored. In this case, you can use only the domain alias for the
NameIDelement. -
Use the Default Domain as the suffix for the
NameIDelement. The format is<username>@<default_domain>, where<username>is the username of the RAM user and<default_domain>is the default logon suffix. Manage the logon domain name for a RAM user.NoteThe default logon suffix remains valid for
NameIDeven if you set a custom or auxiliary logon suffix.
-
-
NameID examples
The RAM username is
Alice, and the default logon suffix isexample.onaliyun.com.-
If the custom logon suffix is set to
example.com, theNameIDvalue isAlice@example.onaliyun.comorAlice@example.com. -
If a custom logon suffix is not set and the auxiliary logon suffix is set to
example.net, theNameIDvalue can beAlice@example.onaliyun.comorAlice@example.net. -
If you set the custom logon suffix to
example.comand then set the auxiliary logon suffix toexample.net, theNameIDvalue isAlice@example.onaliyun.comorAlice@example.com. The auxiliary logon suffix does not take effect in this case.
-