Log on to Alibaba Cloud Using Internal Enterprise Accounts with RAM Single Sign-On

  1. User management and resource authorization
  2. Resource authorization across cloud accounts
  3. Resource authorization across cloud services
  4. Temporary access authorization for mobile apps
  5. Dynamic identity management and resource authorization for apps deployed on the cloud

SSO Scenario Overview

Let’s assume that your enterprise has deployed a local domain account system, such as Microsoft AD or AD FS. To meet the enterprise’s security management and compliance requirements, all employees must pass a unified identity verification of the enterprise domain account system before they can perform any operations on resources, including cloud resources. In this case, employees are prohibited from using independent user accounts and passwords to directly operate on cloud resources. To meet the security and compliance requirements, a similar security capability is required from the cloud service provider.

Basic Concepts of SAML Federated SSO

In scenarios where Alibaba Cloud services are integrated with an enterprise identity system, Alibaba Cloud serves as the SP while the enterprise identity system serves as the IdP. Figure 1 shows how employees of an enterprise log on to the Alibaba Cloud console through their own enterprise identity system.

  1. An enterprise employee logs on to Alibaba Cloud through a browser, and Alibaba Cloud returns a SAML authentication request to the browser.
  2. The browser forwards the request to the enterprise IdP.
  3. The enterprise IdP prompts the RAM user to log on and returns a SAML response to the browser after the logon is successful.
  4. The browser forwards the SAML response to Alibaba Cloud.
  5. With the SAML Mutual Trust configuration, Alibaba Cloud verifies the digital signature of the SAML response and the authenticity of the SAML Assertion, and then matches the RAM user’s identity according to the user name configured in the SAML Assertion.
  6. After the logon service is verified, Alibaba Cloud returns the logon session and the URL of the Alibaba Cloud console to the browser.
  7. The browser redirects to the Alibaba Cloud console.
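
The following is an added example, not code from the original article and not Alibaba Cloud's implementation. It sketches the service-provider checks in step 5 that follow signature validation: the response answers the request from step 1, the assertion comes from the trusted IdP, it is meant for this SP and is still valid, and the asserted user name maps to a known RAM user. The issuer, audience, request ID, and user names are constructed placeholders, and signature validation is assumed to have been done beforehand by a vetted XML signature library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed trust settings (placeholders, not real Alibaba Cloud values).
TRUSTED_ISSUER = "https://idp.example.com/adfs/services/trust"
SP_AUDIENCE = "https://sp.example.com/saml/SSO"
RAM_USERS = {"alice@example.com"}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def match_ram_user(response_xml, now, request_id):
    """Checks from step 5 that follow signature validation; returns the RAM user.
    Assumes a vetted XML-DSig library already verified exactly this assertion."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        raise ValueError("response does not answer our authentication request")
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        raise ValueError("IdP did not report success")
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("a:Issuer", "", NS).strip() != TRUSTED_ISSUER:
        raise ValueError("assertion issuer is not the trusted IdP")
    cond = a.find("a:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore", "")) <= now
                            < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside its validity window")
    audiences = [(e.text or "").strip()
                 for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    if SP_AUDIENCE not in audiences:
        raise ValueError("assertion was issued for a different SP")
    name_id = a.findtext("a:Subject/a:NameID", "", NS).strip()
    if name_id not in RAM_USERS:
        raise ValueError("no RAM user matches the asserted user name")
    return name_id

def sample_response(issuer=TRUSTED_ISSUER, audience=SP_AUDIENCE, user="alice@example.com"):
    """Constructed, unsigned SAML response for the demo (not captured traffic)."""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" InResponseTo="_req1">
<p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
<a:Assertion><a:Issuer>{issuer}</a:Issuer><a:Subject><a:NameID>{user}</a:NameID></a:Subject>
<a:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
<a:AudienceRestriction><a:Audience>{audience}</a:Audience></a:AudienceRestriction>
</a:Conditions></a:Assertion></p:Response>"""
```

Every failed check raises ValueError, so the logon session in step 6 is only created when the function returns a user name.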

SSO Management of a Single Cloud Account

For this scenario, let’s assume that your enterprise has only one cloud account, which has resources including VMs, networks, databases, and storage resources. Meanwhile, this account is used to manage RAM users and their permissions. Figure 2 shows the proposed SSO model.

SSO Management of Multiple Cloud Accounts

In this scenario, assume that your enterprise has two cloud accounts, which are referred to as workload accounts. Both accounts host resources, such as VMs, networks, databases, and storage resources. Figure 3 shows the proposed SSO model.



Alibaba Cloud
