SAML Integration between Windows Active Directory and Alibaba Cloud

By Cheng Hong, Solutions Architect, and Vikram Godse, Solutions Architect (updates to work with International Portal)

Many of our customers who use Windows Active Directory (AD) as their corporate directory need single sign-on (SSO) between their company domain and Alibaba Cloud, so that users can sign in to the Alibaba Cloud Management Console with their company domain account.

Currently we only support user mapping, which means a 1:1 mapping between AD users and the Resource Access Management (RAM) users who want to use single sign-on. Mapping RAM roles to AD groups is still in development and will be available in April 2019, according to the information available at the time of writing this document.

This document shows how to enable federation between Alibaba Cloud and Windows ADFS through Security Assertion Markup Language (SAML) integration.

Step 1: Install AD, ADFS, DNS Server on ECS (Windows Server 2012)

Install AD, ADFS and DNS on a Windows server; this server will act as the company domain server.

In the Server Manager dashboard, select “Add roles and features”.

Click “Next”.

Select “Role-based or feature-based installation”

Select the features to install.

Select current server, then click “Next”.

Click “Next”.

Click “Next”.

Click “Next”.

Click “Next”.

Click “Next”.

Confirm installation selections and click “Install”.

After the installation completes, click “Close”.

Step 2: Configure AD DS

Return to Server Manager, click “AD DS”, and then click the action listed to complete the configuration.

Select “Add a new forest” and set the root domain to “alibabalondon.tech”. An important point to note is that the domain specified here does not have to be a real registered domain if you are doing this configuration for testing or demo purposes. This domain is used to retrieve the metadata XML file from ADFS. You can create a hosts file entry on the client computer that points the domain to the public IP address of the AD/ADFS server.

Enter the DSRM password.

Enter the NetBIOS domain name.

Click “Next”.

Review all the selections and click “Next”.

Click “Install” to begin the installation.

After the installation finishes, the server restarts automatically.

Step 3: Create Domain User

Create user: ssodemo@alibabalondon.tech

Step 4: (Optional) Install IIS

IIS is not required for the AD integration. It is installed here only to generate a self-signed certificate for ADFS; if you have another way to generate the certificate, this step can be skipped.

Create the SSL certificate for the ADFS configuration.

Step 5: Configure ADFS

Return to Server Manager, click “AD FS”, and then click the action listed to complete the configuration.

Select “Create the first federation server in a federation server farm”, then click “Next”.

Connect to AD DS.

Select the SSL certificate generated in the previous step. Enter a name for “Federation Service Display Name”.

Enter the account and password.

Select “Create a database on this server using Windows Internal Database”.

Review all the selections and click “Next”.

Click “Configure” to begin the configuration.
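
Steps 1 to 5 can also be carried out from an elevated PowerShell session on the server instead of the wizards. The following script is an added example written for this article, not code from the original post or from Alibaba Cloud. It assumes Windows Server 2012 R2 or later (where the ADFS module provides Install-AdfsFarm), the federation service name addemo.addemoali.com (the host used for the metadata URL in Step 8), the NetBIOS name ALIBABALONDON, the display name “Alibaba London Demo”, and that the DSRM, user and service-account passwords are entered interactively rather than hard-coded. Run the phases in order; the forest promotion reboots the server.

```powershell
# Added example (not from the original post): the same build the screenshots
# walk through, driven from an elevated PowerShell session on the ECS instance.
# Assumed values: federation service name, NetBIOS name, display name.

# --- Phase 1: roles and features (Step 1). Web-Server (IIS) is optional and is
# listed only because the post uses it to create the self-signed certificate.
Install-WindowsFeature -Name AD-Domain-Services, DNS, ADFS-Federation, Web-Server -IncludeManagementTools

# --- Phase 2: new forest (Step 2). The DSRM password is the recovery password
# for Directory Services Restore Mode; keep it distinct from every other credential.
Import-Module ADDSDeployment
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString
Install-ADDSForest `
    -DomainName 'alibabalondon.tech' `
    -DomainNetbiosName 'ALIBABALONDON' `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns `
    -Force
# The server restarts here; log back on as the domain administrator and continue.

# --- Phase 3: domain user (Step 3). The UPN is what the user types at the AD FS page.
Import-Module ActiveDirectory
New-ADUser -Name 'ssodemo' -SamAccountName 'ssodemo' `
    -UserPrincipalName 'ssodemo@alibabalondon.tech' `
    -AccountPassword (Read-Host -Prompt 'ssodemo password' -AsSecureString) `
    -Enabled $true

# --- Phase 4: certificate (Step 4). A self-signed certificate whose subject
# matches the federation service name stands in for the IIS-generated one.
# Browsers (and the metadata download in Step 8) must trust it, so export the
# public part for import into the client's Trusted Root store.
$cert = New-SelfSignedCertificate -DnsName 'addemo.addemoali.com' -CertStoreLocation 'Cert:\LocalMachine\My'
Export-Certificate -Cert $cert -FilePath 'C:\adfs-tls.cer'

# --- Phase 5: AD FS farm (Step 5). With no SQL parameters, Install-AdfsFarm uses
# the Windows Internal Database, matching the wizard choice in the post.
Import-Module ADFS
$svc = Get-Credential -Message 'AD FS service account (DOMAIN\user)'
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'addemo.addemoali.com' `
    -FederationServiceDisplayName 'Alibaba London Demo' `
    -ServiceAccountCredential $svc

# Record the token-signing certificate: its thumbprint is what the metadata
# file uploaded to RAM in Step 8 will carry, so keep it for comparison.
Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary
```

The service account should be a dedicated domain account (or a group managed service account) with no rights beyond the ones AD FS grants it; reusing the domain administrator for it, which is tempting in a demo, gives the federation service a far larger blast radius than it needs.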

Step 6: Add Alibaba Cloud as Relying Party Trust in AD FS

Open the AD FS Management.

In the Add Relying Party Trust Wizard, click “Start”.

Select “Import data about the relying party published online or on a local network”.

Enter the SAML Service Provider metadata URL, which is available in the RAM Console under “Settings”, “Advanced Settings”.

Click “Next”.

Enter the “Display name”, then click “Next”.

Step 7: Configuring Claim Rules for Alibaba Cloud Relying Party

Open the “Edit Claim Rules” dialog box, click “Add Rule”, and add the rule settings shown below.

Please note that the e-mail suffix mentioned here is the “Default Domain”, which you can find in the RAM Console under “Settings”.
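
The relying party trust and the claim rule from Steps 6 and 7 expressed as PowerShell, added here as an example that is not part of the original post or of Alibaba Cloud's documentation. It assumes the trust is named “Alibaba Cloud”, that the SP metadata URL is copied from the RAM console (the value below is a placeholder), that the AD FS server runs Windows Server 2012 R2 (which needs an issuance authorization rule alongside the transform rule), and that the RAM default domain is ukca.onaliyun.com as in the screenshots. The NameID format property is also an assumption; compare it with what the RAM console's SSO settings ask for.

```powershell
# Added example (not from the original post): Steps 6 and 7 from the AD FS server.
Import-Module ADFS

$rpName        = 'Alibaba Cloud'
$spMetadataUrl = 'https://<SP-metadata-URL-from-RAM-console>'   # placeholder, copy from RAM Console > Settings > Advanced Settings
$defaultDomain = 'ukca.onaliyun.com'                            # the RAM "Default Domain" from the post

# Step 6: import the relying party from its published metadata, the same as the
# wizard option "Import data about the relying party published online".
# On Windows Server 2012 R2 a trust with no authorization rule issues no tokens;
# this one is the wizard's default "Permit all users". Narrow it to an AD group
# once the demo works, so only intended accounts can reach the cloud console.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $spMetadataUrl `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 7: issue the Name ID. The rule takes the Windows account name
# (ALIBABALONDON\ssodemo) from the AD claims provider, strips the domain prefix
# with RegExReplace, and appends the RAM default domain so the assertion names
# the RAM user ssodemo@ukca.onaliyun.com. `${user} keeps the literal ${user}
# for the claim rule engine while $defaultDomain is expanded by PowerShell.
$rules = @"
@RuleName = "Alibaba Cloud Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = RegExReplace(c.Value, "^.*\\(?<user>.+)$", "`${user}@$defaultDomain"), ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Review what was stored before testing the login: the identifier must match the
# entityID in the SP metadata, and the rule text must be exactly the one above.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, IssuanceTransformRules
```

Because the mapping is 1:1 on the Name ID value, the rule decides which RAM user a domain account becomes: any AD account that can log on and whose sAMAccountName collides with a RAM user name will be issued that RAM user's identity, so the suffix and the source attribute deserve the same review as a password policy.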

Step 8: Configuring SSO in Alibaba Management Console

Download the metadata file from the Windows AD FS server:
https://addemo.addemoali.com/FederationMetadata/2007-06/FederationMetadata.xml

As mentioned before, if this domain is not a valid registered domain, you can create a hosts file entry on the client computer to map the domain (addemo.addemoali.com) to the IP address of the AD/ADFS server. Using the IP address in the URL instead will not work.
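
The metadata download and hosts file mapping from Step 8, as an added example run on the client computer (not code from the original post). Beyond downloading, it reads the file back and prints the entityID, the SSO endpoints and the token-signing certificate, so the file can be checked before it is uploaded to RAM: an IdP metadata file tells Alibaba Cloud whose signatures to trust for every future login, so it is worth confirming it came from your own AD FS server. The IP address is a placeholder, editing the hosts file needs an elevated session, and the self-signed AD FS TLS certificate is assumed to have been imported into the client's Trusted Root store.

```powershell
# Added example (not from the original post): Step 8 from the client computer.
$adfsHost    = 'addemo.addemoali.com'
$adfsIp      = '<public IP of the AD/ADFS server>'   # placeholder
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile     = "$env:TEMP\FederationMetadata.xml"

# The URL must use the host name, not the IP: the entityID and endpoints inside
# the metadata carry the federation service name, and the TLS certificate is
# issued for that name. Add the hosts entry only if it is not already there.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern "\s$([regex]::Escape($adfsHost))\s*$" -Quiet)) {
    Add-Content -Path $hostsFile -Value "$adfsIp`t$adfsHost"
}

# Download. Requires the AD FS TLS certificate to be trusted, e.g.
#   Import-Certificate -FilePath adfs-tls.cer -CertStoreLocation Cert:\LocalMachine\Root
Invoke-WebRequest -Uri $metadataUrl -OutFile $outFile -UseBasicParsing

# Inspect before uploading: which IdP this file binds the RAM account to, which
# endpoints it names, and whether the signing certificate is the expected one.
[xml]$md = Get-Content -Path $outFile
$idp = $md.EntityDescriptor.IDPSSODescriptor
"entityID : $($md.EntityDescriptor.entityID)"
$idp.SingleSignOnService | ForEach-Object { "SSO      : $($_.Binding) -> $($_.Location)" }

$signingB64 = ($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' }).KeyInfo.X509Data.X509Certificate
$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ([Convert]::FromBase64String($signingB64))
"signing  : $($signing.Subject)  thumbprint $($signing.Thumbprint)  expires $($signing.NotAfter)"

# The thumbprint should equal the Token-Signing certificate AD FS reports on the
# server (Get-AdfsCertificate -CertificateType Token-Signing). A mismatch means the
# file came from a different server, or the hosts mapping points somewhere else.
if ($md.EntityDescriptor.entityID -notlike "*$adfsHost*") {
    Write-Warning "entityID does not reference $adfsHost; do not upload this file."
}
```

The expiry printed for the signing certificate is the date to put in the calendar: AD FS rolls its token-signing certificate automatically, and when it does, the metadata uploaded to RAM stops matching and every SSO login fails until the new file is uploaded.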

Go to the RAM Console “Settings”, “Advanced Settings”, “SSO Settings”, click “Enable SSO”, and then “Upload” the metadata file.

Create the user ssodemo@ukca.onaliyun.com in Alibaba Cloud.

The “ukca.onaliyun.com” suffix is an alias that you can set for the RAM Login URL from the RAM Console as follows.

Step 9: Test Configuration

Log in to the Cloud console at https://signin-intl.aliyun.com/ukca.onaliyun.com/login.htm

This is the RAM Login URL that is available from the RAM Console.

When you click “Logon with Organization Account”, you are redirected to the AD FS login page.

Enter the AD user (ssodemo@alibabalondon.tech) and password.

You have successfully logged in.

Conclusion

This feature enables federated single sign-on (SSO), which allows users to log in to the Alibaba Cloud Management Console with their corporate credentials. The feature currently allows a 1:1 mapping of Alibaba Cloud Resource Access Management (RAM) users to AD users. The mapping of RAM roles to AD groups is currently in development and will be delivered by the end of April 2019.

Reference: https://www.alibabacloud.com/blog/saml-integration-between-windows-active-directory-and-alibaba-cloud_594516?spm=a2c65.12602446.0.0
