In the article Compliance and safety: integration of Ali cloud and corporate identity system, we introduced the integration of Alibaba Cloud with an enterprise identity system, which lets the sub-accounts of a cloud account log in through the enterprise identity system. The configuration consists of two points:
- Configure the enterprise SAML IdP as a trusted IdP in the Alibaba Cloud directory
- Configure Alibaba Cloud as a trusted SAML SP in the IdP
The second point is configured differently in different identity systems. This article takes Windows Server 2012 R2 as the example and describes how to configure Microsoft AD as the single sign-on IdP for Alibaba Cloud.
Prerequisites
This article assumes that the user has correctly and reasonably configured the following server roles of Microsoft AD on Windows Server 2012 R2:
- DNS server: resolves the names in authentication requests to the correct Federation Service
- Active Directory Domain Services (AD DS): the domain service that creates, queries and modifies domain user and domain device objects
- Active Directory Federation Services (AD FS): the Federation Service that provides federated authentication for the configured relying parties, i.e. single sign-on for them
For questions about configuring Active Directory, refer to the official Microsoft documentation or to third-party blogs.
Sample configuration
The following sample values are used in the configuration:
- The default directory domain name of the cloud account is junpu.onaliyun.com
- The cloud account contains the user junpu.chen, whose full User Principal Name (UPN) is junpu.chen@junpu.onaliyun.com
- The host name of the self-hosted Microsoft AD FS service is adserver.testdomain.com
- The self-hosted Microsoft AD domain is testdomain.com, with the NetBIOS name Testdomain
- The UPN of the user junpu.chen in AD is junpu.chen@testdomain.com; within the domain the user can also log in as Testdomain\junpu.chen
Configure the external SAML IdP as trusted in the Alibaba Cloud directory
Enter the following address in the browser:
https://adserver.testdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
Save the returned metadata as a local XML file and, following the procedure in Compliance and safety: integration of Ali cloud and corporate identity system, upload the downloaded IdP metadata file to the Alibaba Cloud directory configuration.
After this step, the Alibaba Cloud directory has a one-way trust in the sample AD FS. If the user enters junpu.chen@junpu.onaliyun.com on the Alibaba Cloud user login page, Alibaba Cloud sends a SAML authentication request to AD FS, but AD FS does not yet trust Alibaba Cloud, so AD FS rejects the request with an error.
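Before uploading the metadata file to the cloud directory it is worth confirming that it really describes the expected federation service: the entityID, the signing certificate (and its expiry) and the single sign-on endpoint are what the cloud directory will trust from now on. The following PowerShell script is an added example, not part of the original article or of the Alibaba Cloud or Microsoft documentation; it uses the article's sample host name and assumes the AD FS metadata is reachable over HTTPS from the machine running it.

```powershell
# Added example: fetch the AD FS federation metadata and print the values an
# administrator should check before uploading it to the Alibaba Cloud directory.
# The host name is the article's sample value; the output path is an assumption.
$fsHost = 'adserver.testdomain.com'
$url    = "https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$out    = Join-Path $env:TEMP 'FederationMetadata.xml'

# Download over HTTPS only: the file is public, but a wrong or altered copy would
# make the cloud directory trust the wrong IdP.
Invoke-WebRequest -Uri $url -OutFile $out -UseBasicParsing
[xml]$md = Get-Content -Path $out -Raw

# entityID is the identifier Alibaba Cloud will expect as Issuer of every SAML
# response; it must be the AD FS federation service identifier.
Write-Host "entityID : $($md.EntityDescriptor.entityID)"

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Signing certificates: Alibaba Cloud validates assertion signatures with these,
# so record the thumbprint and expiry for later rotation.
$certNodes = $md.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
foreach ($n in $certNodes) {
    $bytes = [Convert]::FromBase64String($n.InnerText)
    $cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    Write-Host ("signing cert: {0}  thumbprint {1}  expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate $($cert.Thumbprint) expires within 30 days; the cloud directory metadata will need updating"
    }
}

# Single sign-on endpoints the cloud directory will redirect the browser to.
$ssoNodes = $md.SelectNodes("//md:IDPSSODescriptor/md:SingleSignOnService", $ns)
foreach ($s in $ssoNodes) { Write-Host "SSO endpoint: $($s.Binding) -> $($s.Location)" }
```

The metadata file saved at $out is the one to upload in the cloud directory; the printed thumbprint can be compared against the certificate shown in the AD FS Management console under Service > Certificates (Token-signing).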
Configure Alibaba Cloud as a trusted SP in AD FS
In Microsoft AD FS, a SAML SP is called a Relying Party (relying party trust). This is because AD FS supports OAuth/OIDC/WS-Federation in addition to SAML, and the single sign-on consumer in all of these protocols is called a Relying Party in AD FS; so instead of the SAML-specific term Service Provider, AD FS uses Relying Party to denote the single sign-on consumer across the different protocols.
The steps to create Alibaba Cloud as a trusted SP in AD FS are as follows:
Step 1: in Server Manager, open the Tools menu and select AD FS Management.
Step 2: in the AD FS Management tool, add a relying party trust (Relying Party Trust).
Step 3: set the Alibaba Cloud SAML metadata for the newly created relying party trust.
The Alibaba Cloud SAML metadata is at https://signin.aliyun.com/saml/metadata.xml. The relying party trust can be configured directly from this metadata URL, or the Alibaba Cloud SAML metadata can be downloaded first and the trust configured from the downloaded XML file.
After the relying party trust is configured, the trust between Alibaba Cloud and AD FS is established: Alibaba Cloud forwards the authentication requests of users in the junpu.onaliyun.com directory to AD FS at adserver.testdomain.com, and AD FS accepts the authentication requests from Alibaba Cloud and returns authentication responses to Alibaba Cloud.
Next, the attributes that need to be issued in the SAML assertion must be configured in the relying party trust.
Configure the SAML assertion attributes for the Alibaba Cloud SP
In order for Alibaba Cloud to use the SAML response to locate the user in the cloud account's subdirectory, the value of the NameID field in the SAML assertion must be the UPN of the user in the cloud directory.
Configure the Active Directory UPN as the SAML NameID assertion
Here, Microsoft uses the term Claim to refer to the generation of SAML assertion attributes. This is because the other protocols supported by AD FS (OAuth, WS-Fed) also express the fields of a token as Claims.
Step 1: edit the claim rules of the relying party trust
The so-called claim rules (Claims Rules) define how the claims (attributes) asserted in the SAML assertion are generated from the user attributes in Active Directory.
Step 2: add an issuance transform rule
The so-called issuance transform rule (Issuance Transform Rule) defines how a known user attribute is converted and then issued as an attribute in the SAML assertion. Because we want the user's AD UPN to be issued as the NameID, a new rule must be added.
Use the rule template Transform an Incoming Claim.
Here, as in our example, the UPN domain name of the cloud account is junpu.onaliyun.com, while the UPN domain name in AD is testdomain.com. Obviously, mapping the AD User Principal Name directly to NameID would prevent Alibaba Cloud from matching the correct user account.
There are two ways to bridge this gap.
Route one: verify the AD domain name in the Alibaba Cloud directory
If the domain name testdomain.com is registered in public DNS, the user can verify ownership of the domain name in the Alibaba Cloud directory. In the enterprise console go to Staff directory > Domain settings > Create domain alias.
After verification, the default directory domain junpu.onaliyun.com has the domain alias testdomain.com, and the UPN of the user junpu.chen is junpu.chen@testdomain.com.
Once the domain name is verified, the cloud directory can use the same domain name as the self-hosted AD DS: the UPN of the user in the cloud subdirectory and the UPN of the AD user both use the domain name testdomain.com.
With this set up, return to the claim transform rule editing above and map the UPN to NameID.
Route two: replace the domain name of the AD User Principal Name when issuing NameID
If testdomain.com is an enterprise intranet domain name, Alibaba Cloud cannot verify ownership of it, and only the cloud directory's subdomain under onaliyun.com can be used. In this case, when AD FS issues the SAML assertion to Alibaba Cloud, the domain suffix of the UPN must be replaced from testdomain.com with junpu.onaliyun.com (assuming the user names correspond).
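The relying party trust and claim rules above were created in the AD FS Management console; the same configuration can be expressed in PowerShell, which also makes the difference between route one (pass the UPN through) and route two (rewrite the UPN suffix) explicit as a single rule choice. The script below is an added example written for this article, not Alibaba Cloud's or Microsoft's own code. It uses the article's sample domain names and the Alibaba Cloud metadata URL; the relying party display name and the "Allow all" authorization rule are assumptions, and it is meant to be run in an elevated PowerShell session on the AD FS server.

```powershell
# Added example: create the Alibaba Cloud relying party trust in AD FS and issue
# the AD UPN as the SAML NameID, covering both routes described in the article.
Import-Module ADFS

$rpName      = 'Alibaba Cloud'                               # display name (assumed)
$metadataUrl = 'https://signin.aliyun.com/saml/metadata.xml' # from the article
$adSuffix    = 'testdomain.com'                              # self-hosted AD UPN suffix (sample)
$cloudSuffix = 'junpu.onaliyun.com'                          # cloud directory domain (sample)

# $true  -> route one: testdomain.com is a verified alias, pass the UPN through unchanged
# $false -> route two: rewrite the UPN suffix to the cloud directory domain
$UseDomainAlias = $false

$upnType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$wanType    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Rule 1 ("Send LDAP Attributes as Claims"): read userPrincipalName from AD
# for the Windows account that authenticated.
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AD UPN"
c:[Type == "$wanType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upnType"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Rule 2 ("Transform an Incoming Claim"): issue the UPN as NameID. For route two
# the suffix is rewritten with RegExReplace; the pattern is anchored and
# case-insensitive so only UPNs in the AD domain are rewritten. The dot in the
# suffix is deliberately left unescaped so the rule does not depend on how the
# claim rule language treats backslashes.
if ($UseDomainAlias) {
    $valueExpr = 'c.Value'
} else {
    $valueExpr = 'RegExReplace(c.Value, "(?i)^(?<user>[^@]+)@' + $adSuffix + '$", "${user}@' + $cloudSuffix + '")'
}
$nameIdRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "UPN to NameID"
c:[Type == "$upnType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = $valueExpr, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@

# Authorization rule (assumed): permit every authenticated AD user. In
# production, restrict this to a group by matching a group SID claim instead.
$authzRule = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

$transformRules = $ldapRule + "`n" + $nameIdRule

if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    # Same as the console wizard: the SP identifier, endpoints and encryption
    # certificate are read from the Alibaba Cloud metadata URL.
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRule
} else {
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRule
}

# Show what was configured so the rules can be compared with the console view.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, MetadataUrl, IssuanceTransformRules
```

With $UseDomainAlias set to $true the NameID is junpu.chen@testdomain.com, which the cloud directory recognises only after the domain alias has been verified (route one); with $false it is junpu.chen@junpu.onaliyun.com (route two). Rule 1 is the same either way, since both routes need the UPN read from AD before it can be transformed.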
Finally
In this example, the self-hosted AD domain testdomain.com is an intranet domain name. After the claim attribute mapping of route two, a user who accesses Alibaba Cloud from the self-hosted AD network and enters junpu.chen@junpu.onaliyun.com on the sub-account login page is redirected by Alibaba Cloud with an authentication request to adserver.testdomain.com; the user enters the AD user name junpu.chen@testdomain.com and the password, and after login completes is returned to the Alibaba Cloud console.
Common problems
Enterprise AD configurations differ, so you may need to edit slightly different claim rules. The ultimate goal is that the SAML response returned to the Alibaba Cloud directory carries a sub-account UPN that the directory can recognise.
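When a login fails, the quickest way to see which of the two conditions below is violated is to inspect the SAML response that AD FS posts back to Alibaba Cloud (the base64 SAMLResponse form field, visible in the browser's developer tools). The following PowerShell function is an added example, not part of the original article; it assumes the captured value has been saved to a file, uses the article's sample cloud domain, and checks the assertion for the presence of NameID and for its domain suffix.

```powershell
# Added example: decode a captured SAMLResponse and check the NameID against the
# cloud directory domain. The domain is the article's sample value; the file
# path in the usage line is an assumption.
function Test-SamlNameId {
    param(
        [Parameter(Mandatory)][string]$SamlResponseBase64,
        [Parameter(Mandatory)][string]$ExpectedSuffix
    )
    # HTTP-POST binding: the form value is plain base64 of the XML (not deflated).
    $xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64.Trim()))
    [xml]$doc = $xmlText

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    # A non-Success status means AD FS refused to issue an assertion at all
    # (for example the relying party is not trusted yet).
    $status = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns)
    if ($status.Value -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') {
        return "IdP returned status $($status.Value)"
    }

    # An encrypted assertion cannot be read here; check the issued claims in the
    # AD FS event log on the server instead.
    if ($doc.SelectSingleNode('//saml:EncryptedAssertion', $ns)) {
        return 'Assertion is encrypted; inspect the issued claims on the AD FS side'
    }

    # First common problem: no claim rule, so no NameID in the assertion.
    $nameId = $doc.SelectSingleNode('//saml:Assertion/saml:Subject/saml:NameID', $ns)
    if (-not $nameId) {
        return 'No NameID in the assertion: add the UPN -> NameID claim rule'
    }

    # Second common problem: NameID present but its domain is not the cloud
    # directory's domain (or a verified alias of it).
    $value = $nameId.InnerText.Trim()
    if (-not $value.ToLower().EndsWith('@' + $ExpectedSuffix.ToLower())) {
        return "NameID '$value' does not end with @$ExpectedSuffix: verify the domain or rewrite the UPN suffix"
    }
    return "OK: NameID '$value' matches the cloud directory"
}

# Usage (assumed file path): paste the SAMLResponse form value into the file and run
Test-SamlNameId -SamlResponseBase64 (Get-Content .\SAMLResponse.txt -Raw) -ExpectedSuffix 'junpu.onaliyun.com'
```

The two failure strings returned by the function correspond to the two common problems listed below, so the result tells you directly whether the claim rule is missing or whether the domain mapping (route one or route two) is wrong.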
Here are some of the common problems:
- If no claim rule is configured, the SAML assertion lacks the NameID field, and the error is
Unable to resolve external identity authentication information issued by the provider.Unable to: understand SAML response
- If the domain name in the NameID of the SAML assertion is not consistent with the cloud directory, the error is
The external aliyun directory of your single point login configuration is invalid, please con