Log on to Alibaba Cloud Using Internal Enterprise Accounts with RAM Single Sign-On

By the Open API Team

Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that lets you centrally manage users and control their access to your resources through permissions. With RAM you can create and manage users, both employees and applications developed by your enterprise, and decide which cloud resources each of them may access, so that teams can collaborate while your account stays protected from unauthorized access.

Protecting cloud resources and mitigating risk are prerequisites for a successful enterprise migration to the cloud. Across cloud-native application scenarios, RAM provides a range of access control mechanisms and lets enterprises apply the principle of least privilege throughout the stack: DevOps tooling, the computing environment, applications, and data access. This reduces the attack surface of cloud resources and keeps the information security risks of cloud migration under control.

RAM has provided identity security and access management services to over 100,000 enterprise customers. Based on the Attribute Based Access Control (ABAC) security model, RAM offers fine-grained access control over cloud resources and supports the following cloud-native application scenarios:

  1. User management and resource authorization
  2. Resource authorization across cloud accounts
  3. Resource authorization across cloud services
  4. Temporary access authorization for mobile apps
  5. Dynamic identity management and resource authorization for apps deployed on the cloud

Recently, the RAM Single Sign-On (SSO) function was released to support a new scenario: logging on to Alibaba Cloud using internal enterprise accounts.

SSO Scenario Overview

Alibaba Cloud RAM supports identity federation based on the Security Assertion Markup Language 2.0 (SAML 2.0) standard, which is widely implemented by enterprise identity providers (IdPs). Once RAM user SSO is enabled for a cloud account, employees can log on to Alibaba Cloud with their internal enterprise accounts.

Basic Concepts of SAML Federated SSO

Figure 1. Basic process of using internal enterprise accounts to log on to the Alibaba Cloud console

After the administrator configures SAML federated SSO, enterprise employees can log on to the Alibaba Cloud console by using the method shown in Figure 1.

  1. An enterprise employee starts logging on to Alibaba Cloud in a browser. Alibaba Cloud, acting as the service provider (SP), returns a SAML authentication request to the browser.
  2. The browser forwards the request to the enterprise IdP.
  3. The enterprise IdP prompts the employee to authenticate with their enterprise credentials and, once that succeeds, returns a SAML response to the browser.
  4. The browser posts the SAML response to Alibaba Cloud.
  5. Using the configured SAML trust relationship with the IdP, Alibaba Cloud verifies the digital signature on the SAML response and validates the SAML assertion it carries, then matches the user name in the assertion's NameID to a RAM user.
  6. Once the logon is verified, Alibaba Cloud returns a logon session and the URL of the Alibaba Cloud console to the browser.
  7. The browser redirects to the Alibaba Cloud console.

Note: Step 1 does not have to start from the Alibaba Cloud logon page. In IdP-initiated SSO, the employee clicks the Alibaba Cloud link on the enterprise IdP's own portal; the IdP authenticates the employee and sends the SAML response to Alibaba Cloud (steps 3 to 7), with no SAML authentication request from Alibaba Cloud beforehand.
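Step 5 is where the SP decides whether to trust what the browser delivered, and it is the step most often implemented incompletely. The Python below is an added example, not Alibaba Cloud's code: it applies the acceptance checks an SP runs on an inbound SAML 2.0 Response (Destination, Status, InResponseTo, Issuer, a signature that references the assertion, NotBefore/NotOnOrAfter with clock skew, AudienceRestriction) and then maps the NameID to a RAM user name. The cryptographic XML-DSig verification itself is not implemented; it needs a canonicalising library such as signxml plus the IdP certificate from the trust configuration, and is represented here only by a structural check. The IdP entity ID, SP entity ID, ACS URL, account domain, the sample Response and the NameID format `user@<account-domain>` are all assumptions made for this example.

```python
import datetime as dt
import xml.etree.ElementTree as ET  # production code: defusedxml.ElementTree, same API

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# SP-side trust configuration. Every value here is assumed for the example.
TRUST = {"idp_entity_id": "https://idp.example.com/saml",   # the enterprise IdP
         "sp_entity_id": "urn:example:sp",                  # our own entity ID
         "acs_url": "https://sp.example.com/saml/SSO",      # where Responses may be posted
         "account_domain": "1234567890.onaliyun.com",      # assumed NameID suffix
         "skew": dt.timedelta(minutes=2)}
NOW = dt.datetime(2024, 5, 1, 12, 1, tzinfo=dt.timezone.utc)  # fixed clock for the demo


class SamlError(Exception):
    pass


def _utc(stamp):
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def _one(node, path):
    """Exactly one match or fail: duplicated elements are a classic wrapping trick."""
    found = node.findall(path, NS)
    if len(found) != 1:
        raise SamlError(f"expected exactly one {path}, found {len(found)}")
    return found[0]


def verify_response(xml_text, now, expected_request_id=None):
    """Return the NameID of an acceptable samlp:Response, else raise SamlError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != TRUST["acs_url"]:
        raise SamlError("Destination is not our ACS URL")
    if _one(root, "samlp:Status/samlp:StatusCode").get("Value") != SUCCESS:
        raise SamlError("IdP did not report Success")
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        raise SamlError("InResponseTo does not match an outstanding AuthnRequest")
    a = _one(root, "saml:Assertion")  # direct child only, never a nested copy
    if _one(a, "saml:Issuer").text != TRUST["idp_entity_id"]:
        raise SamlError("assertion issued by an untrusted IdP")
    # Structural stand-in for XML-DSig: a signature must exist and must reference
    # this assertion's ID. Canonicalising, hashing and verifying against the IdP
    # certificate is the job of a library such as signxml, not shown here.
    ref = _one(a, "ds:Signature/ds:SignedInfo/ds:Reference").get("URI")
    if ref != "#" + a.get("ID", ""):
        raise SamlError("signature does not cover this assertion")
    cond = _one(a, "saml:Conditions")
    if now < _utc(cond.get("NotBefore")) - TRUST["skew"]:
        raise SamlError("assertion not yet valid")
    if now >= _utc(cond.get("NotOnOrAfter")) + TRUST["skew"]:
        raise SamlError("assertion expired (replay?)")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if TRUST["sp_entity_id"] not in audiences:
        raise SamlError("assertion was issued for a different SP")
    return _one(a, "saml:Subject/saml:NameID").text


def ram_user_from_nameid(nameid):
    """Map 'user@<account-domain>' to a RAM user name; reject any other domain."""
    user, sep, domain = nameid.rpartition("@")
    if not sep or not user or domain != TRUST["account_domain"]:
        raise SamlError("NameID does not belong to this cloud account")
    return user


def outcome(xml_text, now=NOW, request_id="_req1"):
    """('ok', ram_user) or ('rejected', reason) for one inbound Response."""
    try:
        return "ok", ram_user_from_nameid(verify_response(xml_text, now, request_id))
    except (SamlError, ET.ParseError) as exc:
        return "rejected", str(exc)


def sample_response(**overrides):
    """Constructed Response (not an IdP capture); keyword args override fields."""
    f = dict(dest=TRUST["acs_url"], req="_req1", issuer=TRUST["idp_entity_id"],
             audience=TRUST["sp_entity_id"], nb="2024-05-01T12:00:00Z",
             noa="2024-05-01T12:05:00Z", nameid="alice@" + TRUST["account_domain"],
             sig_uri="#_a1")
    f.update(overrides)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="{f['nb']}"
  Destination="{f['dest']}" InResponseTo="{f['req']}">
  <saml:Issuer>{f['issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{f['nb']}">
    <saml:Issuer>{f['issuer']}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="{f['sig_uri']}"/></ds:SignedInfo>
      <ds:SignatureValue>bm90LWEtcmVhbC1zaWduYXR1cmU=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>{f['nameid']}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{f['nb']}" NotOnOrAfter="{f['noa']}">
      <saml:AudienceRestriction><saml:Audience>{f['audience']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(outcome(sample_response()))                                 # ('ok', 'alice')
    print(outcome(sample_response(audience="urn:example:other-sp")))  # rejected
    print(outcome(sample_response(nameid="alice@attacker.example")))  # rejected
```

The order of the checks matters less than their completeness: a Response that passes the signature check but carries the wrong Audience was signed by the right IdP for a different SP, and a valid, correctly addressed assertion presented after NotOnOrAfter is a replay. Taking only the first (or any) Assertion element, as many libraries do by default, is exactly what `_one` refuses to do.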

For more information about the working principles and configuration method of SAML federated SSO, visit the official RAM documentation page for SSO Federation Logon.

SSO Management of a Single Cloud Account

Figure 2. Single-account management and SSO model for on-cloud enterprises

Recommendations: Use this account as the service provider (SP) for identity federation with the enterprise's on-premises IdP, and use RAM to control user access to the cloud resources under the account.

SSO Management of Multiple Cloud Accounts

Figure 3. Multi-account management and SSO model for on-cloud enterprises

Recommendations: Create a separate cloud account, referred to as the identity account, and create only RAM users under it, with no other resources. Use this account as the SP for identity federation with the enterprise's on-premises IdP. Then use the cross-account access function of Alibaba Cloud RAM (RAM roles in the resource accounts that employees of the identity account assume) to authorize employees to access the resources under accounts A1 and A2.
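The multi-account model depends on two policy documents that both have to agree: a permission policy on the RAM user in the identity account allowing `sts:AssumeRole` on the target role, and a trust policy on the role in A1 or A2 naming the identity account as a trusted principal. The Python below is an added example, not Alibaba Cloud code: it holds both kinds of document in RAM's JSON policy syntax (`Version` `"1"`, `acs:ram::` ARNs, `Principal.RAM`) and evaluates them with a deliberately simplified model of RAM's decision logic (explicit Deny beats Allow, no matching statement is an implicit Deny) to show which combinations let an AssumeRole call succeed. Account IDs, user names and role names are assumptions made for this example.

```python
import fnmatch

# Assumed account IDs and names; illustrative only.
IDENTITY_ACCOUNT, A1, A2 = "1111111111111111", "2222222222222222", "3333333333333333"
ALICE = f"acs:ram::{IDENTITY_ACCOUNT}:user/alice"
BOB = f"acs:ram::{IDENTITY_ACCOUNT}:user/bob"
ROLE_A1_READONLY = f"acs:ram::{A1}:role/ops-readonly"
ROLE_A1_ADMIN = f"acs:ram::{A1}:role/ops-admin"
ROLE_A2_READONLY = f"acs:ram::{A2}:role/ops-readonly"

# Identity-account side: permission policies attached to RAM users. Alice may
# assume any role in A1 except ops-admin; Bob exists but was granted nothing.
USER_POLICIES = {
    ALICE: {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": f"acs:ram::{A1}:role/*"},
        {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": ROLE_A1_ADMIN},
    ]},
    BOB: {"Version": "1", "Statement": []},
}

# Resource-account side: the trust policy of each role, i.e. who may assume it.
# A1's roles trust every RAM identity of the identity account (":root");
# A2's role was created trusting a different account altogether.
TRUST_IDENTITY_ACCOUNT = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"RAM": [f"acs:ram::{IDENTITY_ACCOUNT}:root"]}}]}
ROLE_TRUST = {
    ROLE_A1_READONLY: TRUST_IDENTITY_ACCOUNT,
    ROLE_A1_ADMIN: TRUST_IDENTITY_ACCOUNT,
    ROLE_A2_READONLY: {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"RAM": ["acs:ram::4444444444444444:root"]}}]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(pattern, caller_arn):
    """'acs:ram::<id>:root' stands for every RAM identity of that account."""
    if pattern.endswith(":root"):
        return caller_arn.startswith(pattern[:-len("root")])
    return pattern == caller_arn


def _decide(statements, matches):
    """Simplified RAM evaluation: explicit Deny wins, no match is an implicit Deny."""
    allowed = False
    for st in statements:
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(st["Action"])):
            continue
        if not matches(st):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def caller_side(caller_arn, role_arn):
    """Does the caller's own policy allow sts:AssumeRole on this role ARN?"""
    statements = USER_POLICIES.get(caller_arn, {"Statement": []})["Statement"]
    return _decide(statements, lambda st: any(
        fnmatch.fnmatchcase(role_arn, r) for r in _as_list(st["Resource"])))


def role_side(caller_arn, role_arn):
    """Does the role's trust policy name the caller (or its whole account)?"""
    trust = ROLE_TRUST.get(role_arn)
    if trust is None:
        return False
    return _decide(trust["Statement"], lambda st: any(
        _principal_matches(p, caller_arn) for p in st.get("Principal", {}).get("RAM", [])))


def can_assume(caller_arn, role_arn):
    """AssumeRole succeeds only when both sides agree."""
    return caller_side(caller_arn, role_arn) and role_side(caller_arn, role_arn)


if __name__ == "__main__":
    for caller, role in [(ALICE, ROLE_A1_READONLY), (ALICE, ROLE_A1_ADMIN),
                         (ALICE, ROLE_A2_READONLY), (BOB, ROLE_A1_READONLY)]:
        print(f"{caller} -> {role}: {can_assume(caller, role)}")
```

The useful property of this split is visible in the Bob case: A1 trusts the whole identity account, yet Bob cannot assume anything because nobody attached a policy to him. Trusting `:root` of the identity account is therefore safe only as long as the identity account really contains nothing but RAM users and their permission policies stay the single place where access is granted.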

To learn more about Alibaba Cloud Resource Access Management, visit https://www.alibabacloud.com/product/ram

