Alibaba Cloud Console and Zhuyun IDaaS Authentication Integration (User-Based)


# Description

This document explains how to configure Zhuyun IDaaS as the SAML identity provider for the Alibaba Cloud Console using user SSO, that is, each IDaaS account signs in as an existing RAM user of the Alibaba Cloud account.

Reference documentation: SAML Configuration for Alibaba Cloud SP during User SSO

# Prerequisites

  • The administrator has an Alibaba Cloud account.

  • The administrator has access permissions to the IDaaS Enterprise Center.

# Authentication Configuration

# Alibaba Cloud System Configuration

Once user SSO is enabled, console logins of RAM users are redirected to the identity provider's login page and RAM users can no longer sign in with their RAM passwords. Only the Alibaba Cloud account itself (the primary account) keeps password login. It is therefore the only way back into the console if IDaaS is unavailable or misconfigured, so keep its credentials under strict control and protect it with MFA before enabling SSO.

  1. Log in to the Alibaba Cloud 【Console】- 【RAM Access Control】- 【SSO Management】- 【User SSO】 as an administrator.

  2. Edit the SSO login settings and upload the IdP metadata file provided by IDaaS (an XML file). Download it from https://{your_domain}/api/v1/saml2/idp/metadata, where {your_domain} is the domain of your IDaaS tenant.

  3. Copy the SAML Service Provider Metadata URL shown on the same page, open it, and save the returned XML as a file named sp.xml.

# IDaaS Configuration

  1. Log in to the IDaaS Enterprise Center 【Resources】 --> 【Applications】 --> 【Pre-integrated Applications】 --> Search for Alibaba Cloud.

  2. Import the sp.xml file saved in the previous step.

  3. Click on the application icon 【Authentication Configuration】 --> 【Mapping Configuration】 --> Add Mapping, and add one mapping.

  4. Switch to the "Authorization Management - Application Accounts" tab and add an application account for each user. The account name must match the RAM user name in Alibaba Cloud exactly: Alibaba Cloud resolves the SAML NameID to an existing RAM user, so a mismatched name results in a failed login rather than a new account.
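The two procedures above exchange a pair of SAML metadata documents: the IdP metadata downloaded from IDaaS and uploaded to RAM, and the sp.xml downloaded from RAM and imported into IDaaS. Before saving either side it is worth reading both files rather than trusting the upload dialog. The following script is an added example written for this page, not code from Zhuyun IDaaS or Alibaba Cloud. It parses both documents with the Python standard library, prints the fields an operator should verify (entityID, SSO endpoint, NameID format, ACS endpoint), fingerprints the IdP signing certificate so it can be compared with what the RAM console shows after upload, and flags obvious mistakes such as a non-HTTPS endpoint or a missing signing certificate. The hostnames, entityIDs and the certificate body in the embedded samples are constructed placeholders, not values from any real tenant.

```python
"""Sanity-check the IdP and SP SAML metadata exchanged during user SSO setup.

Added example for this page; not Zhuyun IDaaS or Alibaba Cloud code.
Standard library only, runs offline on the constructed samples below.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed certificate body: a DER SEQUENCE header plus filler so the
# decode/fingerprint path can run offline. This is NOT a real certificate.
FAKE_CERT_DER = bytes([0x30, 0x82, 0x02, 0x00]) + bytes(range(256)) * 2
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed IdP metadata (what IDaaS serves at .../api/v1/saml2/idp/metadata).
# Hostname and entityID are placeholders.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idaas.example.com/api/v1/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idaas.example.com/api/v1/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://idaas.example.com/api/v1/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SP metadata standing in for the downloaded sp.xml. The signin
# host and entityID are placeholders, not Alibaba Cloud's real values.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin.example.com/1234567890/saml/SSO">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{POST}" index="1"
        Location="https://signin.example.com/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a base64 X509Certificate element."""
    der = base64.b64decode("".join(b64_cert.split()))
    if not der or der[0] != 0x30:  # every DER certificate is an ASN.1 SEQUENCE
        raise ValueError("X509Certificate does not decode to a DER SEQUENCE")
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoint, NameID formats and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(cert.text or ""))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get(REDIRECT) or sso.get(POST),
            "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
            "signing_fingerprints": fingerprints}


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID and HTTP-POST AssertionConsumerService URLs from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor element")
    acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == POST]
    return {"entity_id": root.get("entityID"), "acs_urls": acs}


def check_pair(idp: dict, sp: dict) -> list:
    """Return human-readable problems; an empty list means the pair looks sane."""
    problems = []
    endpoints = [("IdP SSO endpoint", idp["sso_url"])]
    endpoints += [("SP ACS endpoint", u) for u in sp["acs_urls"]]
    for label, url in endpoints:
        if not url or urlparse(url).scheme != "https":
            problems.append(f"{label} is missing or not https: {url}")
    if not idp["signing_fingerprints"]:
        problems.append("IdP metadata carries no signing certificate; assertions could not be verified")
    if not sp["acs_urls"]:
        problems.append("SP metadata has no HTTP-POST AssertionConsumerService")
    if not idp["entity_id"] or not sp["entity_id"]:
        problems.append("entityID missing on one side")
    return problems


if __name__ == "__main__":
    idp, sp = parse_idp_metadata(IDP_METADATA), parse_sp_metadata(SP_METADATA)
    print("IdP:", idp["entity_id"], idp["sso_url"], idp["name_id_formats"])
    print("IdP signing cert SHA-256:", *idp["signing_fingerprints"])
    print("SP :", sp["entity_id"], sp["acs_urls"])
    print("problems:", check_pair(idp, sp) or "none")
```

To use it against a real tenant, replace the two embedded samples with the contents of the downloaded metadata and sp.xml (for example by reading the files with `open(...).read()`), then compare the printed fingerprint with the certificate RAM displays after the upload and make sure the IdP entityID and SSO endpoint point at your own IDaaS domain. The script deliberately does not validate the certificate chain or expiry; that needs an X.509 parser and is a separate check.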

# Login Verification

Both SAML login paths should be tested after configuration:

  • IdP-initiated: an authorized user logs in to the IDaaS User Center, clicks the Alibaba Cloud logo, and is signed in to the Alibaba Cloud Console by single sign-on.

  • SP-initiated: the user opens the Alibaba Cloud login page, selects RAM user login, enters the account, and clicks Enterprise Account Login. The browser is redirected to the IDaaS login page; after the user enters their IDaaS credentials they are returned to and logged in to the Alibaba Cloud Console.

In both cases, confirm that the identity shown in the console is the intended RAM user, and verify that a RAM user without an IDaaS application account is refused rather than logged in.