Log on to Alibaba Cloud Using Internal Enterprise Accounts with RAM Single Sign-On
By the Open API Team
Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that enables you to centrally manage your users and securely control their access to your resources through permission levels. With RAM, you can easily create and manage users, including employees and apps developed by your enterprise. You can control the access permissions of these users for cloud resources, allowing for collaborative work while protecting your account from unauthorized access.
The ability to protect cloud resources and mitigate risks is necessary to ensure successful enterprise cloud migration. In various cloud-native app scenarios, RAM provides customers with diversified access control mechanisms and enables enterprises to implement the principle of least privilege across full-stack systems such as DevOps, computing environments, apps, and data access. These benefits reduce the attack surface of cloud resources and effectively control the information security risks involved in enterprise cloud migration.
RAM has provided identity security and access management services to over 100,000 enterprise customers. Based on the Attribute Based Access Control (ABAC) security model, RAM provides customers with fine-grained access control over cloud resources and supports the following cloud-native app scenarios:
- User management and resource authorization
- Resource authorization across cloud accounts
- Resource authorization across cloud services
- Temporary access authorization for mobile apps
- Dynamic identity management and resource authorization for apps deployed on the cloud
Recently, the RAM Single Sign-On (SSO) function was released to support a new scenario: logging on to Alibaba Cloud using internal enterprise accounts.
SSO Scenario Overview
Let’s assume that your enterprise has deployed a local domain account system, such as Microsoft AD or AD FS. To meet the enterprise’s security management and compliance requirements, all employees must pass a unified identity verification of the enterprise domain account system before they can perform any operations on resources, including cloud resources. In this case, employees are prohibited from using independent user accounts and passwords to directly operate on cloud resources. To meet the security and compliance requirements, a similar security capability is required from the cloud service provider.
Alibaba Cloud RAM supports the Security Assertion Markup Language 2.0 (SAML 2.0) standard for identity federation, which is widely used by enterprise-level identity providers (IdPs). By activating the RAM user federated Single Sign-On (SSO) service under the cloud account, you can use internal enterprise accounts to log on to Alibaba Cloud.
Basic Concepts of SAML Federated SSO
In scenarios where Alibaba Cloud services are integrated with an enterprise identity system, Alibaba Cloud serves as the service provider (SP) while the enterprise identity system serves as the IdP. Figure 1 shows how employees of an enterprise log on to the Alibaba Cloud console through their own enterprise identity system.
Figure 1. Basic process of using internal enterprise accounts to log on to the Alibaba Cloud console
After the administrator configures SAML federated SSO, enterprise employees can log on to the Alibaba Cloud console through the following steps, as shown in Figure 1.
1. An enterprise employee logs on to Alibaba Cloud through a browser, and Alibaba Cloud returns a SAML authentication request to the browser.
2. The browser forwards the request to the enterprise IdP.
3. The enterprise IdP prompts the user to log on and, after a successful logon, returns a SAML response to the browser.
4. The browser forwards the SAML response to Alibaba Cloud.
5. Using the SAML mutual-trust configuration, Alibaba Cloud verifies the digital signature of the SAML response and the authenticity of the SAML assertion, then matches the RAM user's identity against the user name carried in the assertion.
6. Once verification succeeds, Alibaba Cloud returns the logon session and the URL of the Alibaba Cloud console to the browser.
7. The browser redirects to the Alibaba Cloud console.
Note: In step 1, the employee does not have to log on from the Alibaba Cloud console. Instead, the employee can click the link on the enterprise’s own IdP logon page to send a SAML verification request to the enterprise IdP in order to access the Alibaba Cloud console.
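The service-provider side of the exchange above, as an added example that is not Alibaba Cloud's code: it builds the step-1 authentication request for the SAML HTTP-Redirect binding and performs the step-5 checks that must follow signature verification (issuer, audience, recipient, validity window, InResponseTo and replay) before the asserted user name is matched to a RAM user. The XML-DSig signature check itself is assumed to have been done beforehand by an XML-signature library; the entity IDs, URLs, the sample response and the RAM user directory are all constructed for the example.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET  # for untrusted XML, defusedxml is the safer parser
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
_instant = lambda v: datetime.strptime(v, TIME_FMT).replace(tzinfo=timezone.utc)


class SamlValidationError(Exception):
    """Raised when the response fails an SP-side check; the logon is refused."""


def build_redirect_url(idp_sso_url, sp_entity_id, acs_url, request_id=None):
    """Step 1: SP-initiated AuthnRequest encoded for the HTTP-Redirect binding (raw
    DEFLATE, base64, URL-encode). The SP keeps request_id to match InResponseTo later."""
    request_id = request_id or "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{datetime.now(timezone.utc).strftime(TIME_FMT)}" '
           f'AssertionConsumerServiceURL="{acs_url}"><saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    encoded = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    return f"{idp_sso_url}?{urlencode({'SAMLRequest': encoded})}", request_id


def validate_response(response_xml, *, idp_entity_id, sp_entity_id, acs_url, outstanding_requests,
                      seen_assertion_ids, now, clock_skew=timedelta(minutes=2)):
    """Step 5, after the XML signature has been verified by an XML-DSig library: bind the
    assertion to this SP, this request and this time window, then return its NameID."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != f"{{{NS['samlp']}}}Response" or status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("not a successful samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # an EncryptedAssertion would have to be decrypted first
        raise SamlValidationError("expected exactly one plaintext assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise SamlValidationError("assertion issued by an unexpected IdP")
    cond = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        raise SamlValidationError("Conditions or bearer SubjectConfirmationData missing")
    if cond.get("NotBefore") and now + clock_skew < _instant(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    for expiry in (cond.get("NotOnOrAfter"), scd.get("NotOnOrAfter")):
        if expiry and now - clock_skew >= _instant(expiry):
            raise SamlValidationError("assertion expired")
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences or scd.get("Recipient") != acs_url:
        raise SamlValidationError("assertion was issued for a different SP or ACS URL")
    # InResponseTo ties the response to a request this SP issued; it is absent for
    # IdP-initiated logon, so it is enforced only when present.
    in_response_to = root.get("InResponseTo") or scd.get("InResponseTo")
    if in_response_to is not None and in_response_to not in outstanding_requests:
        raise SamlValidationError("InResponseTo matches no outstanding request")
    outstanding_requests.discard(in_response_to)
    assertion_id = a.get("ID")  # keep seen IDs at least until NotOnOrAfter to block replay
    if not assertion_id or assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion replayed or lacks an ID")
    seen_assertion_ids.add(assertion_id)
    name_id = (a.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        raise SamlValidationError("assertion has no NameID")
    return name_id


def resolve_ram_user(name_id, ram_users):
    """Match the asserted NameID to a RAM user exactly; no matching user, no logon."""
    if name_id not in ram_users:
        raise SamlValidationError(f"no RAM user matches {name_id!r}")
    return name_id


# Constructed sample response, as the IdP would return it in step 3 (signature omitted).
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://signin.example.com/acs" InResponseTo="_req1">'
    '<saml:Issuer>https://idp.example.com/adfs</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.com/adfs</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice@example.onaliyun.com</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Recipient="https://signin.example.com/acs" '
    'NotOnOrAfter="2024-01-01T00:05:00Z" InResponseTo="_req1"/></saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
)
RAM_USERS = {"alice@example.onaliyun.com", "bob@example.onaliyun.com"}  # constructed RAM user directory


def demo_logon(minutes_after_issue=1, seen_assertion_ids=None):
    """Run the sample response through the checks; returns the matched RAM user name."""
    now = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes_after_issue)
    name_id = validate_response(
        SAMPLE_RESPONSE, idp_entity_id="https://idp.example.com/adfs",
        sp_entity_id="https://sp.example.com/metadata", acs_url="https://signin.example.com/acs",
        outstanding_requests={"_req1"}, now=now,
        seen_assertion_ids=seen_assertion_ids if seen_assertion_ids is not None else set())
    return resolve_ram_user(name_id, RAM_USERS)
```

Every check raises rather than returning a partial result, so a response that passes the signature check but names another SP, arrives outside its validity window, or replays an assertion ID never reaches the RAM user lookup. The set of seen assertion IDs has to outlive the assertion's NotOnOrAfter for the replay check to mean anything.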
For more information about the working principles and configuration method of SAML federated SSO, visit the official RAM documentation page for SSO Federation Logon.
SSO Management of a Single Cloud Account
For this scenario, let's assume that your enterprise has only one cloud account, which hosts resources including VMs, networks, databases, and storage resources. This same account is also used to manage RAM users and their permissions. Figure 2 shows the proposed SSO model.
Figure 2. Single-account management and SSO model for on-cloud enterprises
Recommendations: Use this account as an SP for identity federation with the enterprise’s local IdP, and use RAM to control user access to cloud resources.
SSO Management of Multiple Cloud Accounts
In this scenario, assume that your enterprise has two cloud accounts, which are referred to as workload accounts. Both accounts host resources, such as VMs, networks, databases, and storage resources. Figure 3 shows the proposed SSO model.
Figure 3. Multi-account management and SSO model for on-cloud enterprises
Recommendations: Create an independent cloud account, which is referred to as the identity account. Create only RAM users under this account, and host no workload resources in it. Use this account as an SP for identity federation with the enterprise's local IdP. Then, use the cross-account access function provided by Alibaba Cloud RAM to authorize the employees to access the resources under the two workload accounts, A1 and A2.
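The two policy documents that implement this split, as an added example that is not Alibaba Cloud's own code: the trust policy placed on a role in each workload account so that only the identity account may assume it, the policy attached to the federated RAM user or group in the identity account so that it may assume exactly that role, and an audit check that flags a trust policy admitting any principal other than the identity account. The account IDs and role name are constructed placeholders; the `acs:ram::<account-id>:root` principal and `acs:ram::<account-id>:role/<name>` resource formats are the RAM policy formats.

```python
import json


def role_trust_policy(identity_account_id):
    """Trust policy of the role created in a workload account (A1 or A2): only RAM
    identities of the identity account may call sts:AssumeRole on it."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{identity_account_id}:root"]}}]}


def assume_role_policy(workload_account_id, role_name):
    """Policy attached to the federated RAM user or group in the identity account:
    it may assume exactly this one role in the workload account and nothing else."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"acs:ram::{workload_account_id}:role/{role_name}"}]}


def audit_trust_policy(trust_policy, allowed_account_ids):
    """Findings for any Allow principal that is not the identity account: a wildcard
    or an unexpected account id would let someone outside the design assume the role."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("RAM", [])
        for p in [principals] if isinstance(principals, str) else principals:
            parts = p.split(":")  # acs:ram::<account-id>:root
            if p == "*":
                findings.append("wildcard principal")
            elif len(parts) < 5 or parts[3] not in allowed_account_ids:
                findings.append(f"principal outside the identity account: {p}")
    return findings


def as_json(policy):
    """Serialise for pasting into the RAM console or passing to the RAM API."""
    return json.dumps(policy, indent=2)


# Constructed account IDs: the identity account and the two workload accounts.
IDENTITY_ACCOUNT, A1, A2 = "1111111111111111", "2222222222222222", "3333333333333333"

if __name__ == "__main__":
    for workload in (A1, A2):
        print(f"trust policy for role in {workload}:\n{as_json(role_trust_policy(IDENTITY_ACCOUNT))}")
        print(f"identity-account policy:\n{as_json(assume_role_policy(workload, 'ops-readonly'))}")
    print("findings:", audit_trust_policy(role_trust_policy(IDENTITY_ACCOUNT), {IDENTITY_ACCOUNT}))
```

The same trust policy goes on the role in A1 and in A2; what differs per employee is the `Resource` in the identity-account policy, which is how least privilege is enforced across accounts. The audit function is the check to run whenever a trust policy is edited, since a single extra principal silently widens who can reach the workload resources.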
To learn more about Alibaba Cloud Resource Access Management, visit https://www.alibabacloud.com/product/ram