# IDaaS Access Control Console Guide

## Operations Overview

| Operation | Console Entry | Prerequisites | Description |
|------|-----------|---------|------|
| Configure Access Control | Console > Identity & Access Management > Access Control > Configure Access Control | None | Set up fine-grained access policies using RBAC, ABAC, or group-based models |
| Delete Service-Linked Role for IDaaS Read | Console > RAM > Roles > Service-Linked Roles | All IDaaS EIAM instances released; RAM role management permissions | Remove the AliyunServiceRoleForEiamIDaaSRead after decommissioning IDaaS |
| Configure M2M Applications | Console > IDaaS > Application > Add Application | EIAM instance created and activated | Create machine-to-machine applications with OAuth 2.0 client credentials |
| Configure AK-free Access with Alibaba Cloud RAM | Console > RAM > Identity Providers > OIDC > Create OIDC Provider | Configured M2M application | Set up OIDC identity provider to enable AK-free access via STS tokens |
| Configure API Gateway M2M Authentication | Console > API Gateway > Manage APIs > API Groups > Create Group | M2M application server and client configured in IDaaS | Secure APIs using JWT authentication and parametric access control plugins |
| SSO from WeCom Workbench | Console > IDaaS > Application > Add Application | Activated IDaaS EIAM; WeCom admin account; SAML/OAuth 2.0 app | Enable employees to launch IDaaS apps directly from WeCom without re-login |
| SSO from Lark Console | Console > IDaaS > Application Management > Applications > Add Application | Activated IDaaS EIAM; Lark enterprise admin account; SAML/OAuth 2.0 app | Allow users to access IDaaS applications via Lark Workbench with SSO |
| Enable Grafana SSO with IDaaS | Console > IDaaS EIAM > Application > Add Application - OIDC Protocol | Docker installed; Grafana deployed; network access to IDaaS | Integrate Grafana with IDaaS for user and role-based single sign-on |
| Configure SSO for Alibaba Cloud SASE | Console > IDaaS > Applications > Add Application > Alibaba Cloud - SASE template | Access to IDaaS and SASE consoles; Enterprise ID from SASE | Set up SAML-based SSO between IDaaS and Alibaba Cloud SASE |
| Alibaba Cloud Role SSO | Applications > Create Application > Application Market | IDaaS instance ready; RAM console access; Alibaba Cloud account ID | Enable users to assume RAM roles via IDaaS without individual RAM accounts |

## Operation Steps

### Configure Access Control

**Navigation**: Console > Identity & Access Management > Access Control > Configure Access Control

1. Navigate to the **Configure Access Control** page via the console menu
   - Element: **Configure Access Control** (link) — under Identity & Access Management section

2. Select an authorization model based on your security requirements
   - Element: **Role-Based Authorization** (radio) — available option
   - Element: **Group-Based Authorization** (radio) — available option
   - Element: **Attribute-Based Authorization** (radio) — available option

3. Assign fine-grained permissions using the authorization matrix
   - Element: **Authorization Matrix** (table_row) — interactive grid for permission assignment

4. Apply the principle of least privilege by reviewing assigned scopes
   - Notes: Real-time permission tracking is enabled by default

**Form Fields**: None

### Delete Service-Linked Role for IDaaS Read

**Navigation**: Console > RAM > Roles > Service-Linked Roles

**Prerequisites**:
- All IDaaS EIAM instances must be released
- User must have permissions to manage RAM roles

1. Navigate to the Service-Linked Roles section in RAM console
   - Element: **Service-Linked Roles** (link) — location description: left navigation panel

2. Search for the role named AliyunServiceRoleForEiamIDaaSRead
   - Element: **Search bar** (text_input) — location description: top of the roles list

3. Click on the role name to view details
   - Element: **AliyunServiceRoleForEiamIDaaSRead** (link) — location description: roles list

4. Click the Delete button
   - Element: **Delete** (button) — location description: top-right corner of the role details page
   - Notes: Only available if no instances are active and the role is not in use

**Form Fields**: None

### Configure M2M Applications

**Navigation**: Console > IDaaS > Application > Add Application

**Prerequisites**:
- An EIAM instance must be created (free or paid)
- The service must be activated before use

1. Log on to the IDaaS console
   - Element: **IDaaS console** (link) — location description: top navigation panel

2. Open your IDaaS instance, then click Application in the left navigation pane
   - Element: **Application** (menu) — location description: left navigation panel

3. Click Add
   - Element: **Add** (button) — location description: main content area

4. Enter an application name in the Application Name field
   - Element: **Application Name** (text_input) — location description: dialog box

5. Click Create Client Credential
   - Element: **Create Client Credential** (button) — location description: Certificate tab

6. Configure network access restrictions
   - Element: **Network Zones Type** (dropdown) — location description: Network Configuration section
   - Notes: Choose between 'All' (any IP) or 'Part' (specific IPs/IP ranges)

7. Enable Server Permission Control
   - Element: **Enable Permission Control** (toggle) — location description: Resource Server Status section
   - Notes: After the first enablement you must add an audience identifier. Tokens issued for this resource server carry it as the aud claim, and the resource server should reject any token whose aud does not match.

8. Add a new permission
   - Element: **Add Permission** (button) — location description: Permission Management section

9. Enter permission details: display name and unique identifier
   - Element: **ResourceServerScopeName** (text_input) — location description: Add Permission form
   - Notes: Use format: resource:operation:condition (e.g., user:read:all)

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Name | text_input | Yes | — | Custom name used to distinguish different M2M applications in the management interface |
| Audience Identifier | text_input | Yes | — | Corresponds to the aud claim; specifies the service that holds the protected resources |
| ResourceServerScopeName | text_input | Yes | — | Display name for the permission (e.g., 'User Read Permission') |
| ResourceServerScopeValue | text_input | Yes | — | Unique identifier for the permission using resource:operation:condition format (e.g., user:read:all) |
| Network Zones Type | dropdown | No | All, Part | Restricts access sources of the M2M application |

### Configure AK-free Access with Alibaba Cloud RAM

**Navigation**: Console > RAM > Identity Providers > OIDC > Create OIDC Provider

**Prerequisites**:
- A configured M2M application

1. Log on to the RAM console as a RAM administrator
   - Element: **Log on to the RAM console** (link) — location description: top navigation

2. Navigate to the Identity Providers section
   - Element: **Integrations > Identity Providers** (menu) — location description: left-side navigation pane

3. Click on the OIDC tab and then click Create OIDC Provider
   - Element: **OIDC** (tab) — location description: top navigation

4. Configure the identity provider with required parameters
   - Element: **Create OIDC Provider** (button) — location description: page bottom
   - Notes: Enter unique name, issuer URL, client ID, fingerprint, and description. Use 'Get Fingerprint' to auto-calculate.

5. Go to Roles and create a new role with identity provider trust
   - Element: **Roles** (link) — location description: left-side navigation pane

6. Select Identity Provider and add it to the role's trust policy
   - Element: **Add Principal** (dialog) — location description: center panel
   - Notes: Select the created OIDC provider and confirm.

7. Add conditions such as oidc:sub based on requirements
   - Element: **Add Condition** (button) — location description: bottom of editor
   - Notes: Use the condition keys oidc:iss, oidc:aud and oidc:sub; the page enters the M2M client's ID as the value. Without an oidc:aud or oidc:sub condition, a token from the same issuer for any client ID registered on the provider can assume the role, so pin the trust to the specific M2M client.

8. Name the role and complete creation
   - Element: **OK** (button) — location description: bottom of dialog
   - Notes: Enter a descriptive role name.

9. Grant permissions to the role
   - Element: **Attach Permissions** (button) — location description: main content area

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Provider Name | text_input | Yes | — | Unique name within your Alibaba Cloud account; must conform to RAM naming conventions. |
| Issuer URL | text_input | Yes | — | The HTTPS issuer URL of the M2M application (the OIDC provider). It must match the iss claim of the tokens presented to RAM; RAM retrieves the provider's OIDC discovery document and signing keys from it to verify token signatures. |
| Fingerprint | text_input | No | — | Certificate fingerprint for security validation. Can be auto-generated or manually entered after verification. |
| Client ID | text_input | Yes | — | Unique identifier generated when registering the application with an external IdP. Must match the audience claim in the OIDC token. |
| Earliest Issue Time Limit | number_input | No | — | Prevents tokens issued before this time from being exchanged for STS credentials. Range: 1–168 hours. |
| Description | text_input | No | — | Optional description of the identity provider. |
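
The trust policy built in steps 5 to 8, and the effect of the oidc:iss / oidc:aud / oidc:sub conditions from step 7, as an added example in Node.js. This is not RAM code and does not reproduce RAM's own evaluation (or the signature check RAM performs against the issuer's keys before any condition is looked at); it only models the three condition keys listed on this page. The account ID, provider name, issuer URL, client IDs and claim sets are constructed placeholders.

```javascript
// Added example, not RAM code. Builds the trust policy for the role created in
// steps 5-8 and models how the oidc:iss / oidc:aud / oidc:sub conditions gate
// sts:AssumeRoleWithOIDC, so the effect of leaving a condition out is visible.
// All identifiers below are placeholders.
const ACCOUNT_ID = '123456789012345678';            // placeholder account ID
const PROVIDER_NAME = 'idaas-m2m';                   // the Provider Name from the table above
const PROVIDER_ARN = `acs:ram::${ACCOUNT_ID}:oidc-provider/${PROVIDER_NAME}`;
const ISSUER = 'https://idaas.example.invalid/m2m';  // the Issuer URL registered on the provider
const CLIENT_ID = 'm2m-client-0001';                 // the Client ID registered on the provider

// Trust policy in RAM's policy document format; `conditions` holds the
// StringEquals entries added in step 7.
function trustPolicy(conditions) {
  return {
    Statement: [{
      Action: 'sts:AssumeRoleWithOIDC',
      Effect: 'Allow',
      Principal: { Federated: [PROVIDER_ARN] },
      Condition: { StringEquals: conditions },
    }],
    Version: '1',
  };
}

// Weak: trusts every token the provider accepts, i.e. any client ID registered
// on the provider and any subject.
const weakPolicy = trustPolicy({ 'oidc:iss': ISSUER });
// Hardened: pinned to one client ID and one subject, as step 7 recommends.
const strictPolicy = trustPolicy({ 'oidc:iss': ISSUER, 'oidc:aud': CLIENT_ID, 'oidc:sub': CLIENT_ID });

// Does a token with these (already signature-verified) claims satisfy the policy?
function mayAssume(policy, claims, providerArn = PROVIDER_ARN) {
  return policy.Statement.some((st) => {
    if (st.Effect !== 'Allow' || st.Action !== 'sts:AssumeRoleWithOIDC') return false;
    if (!st.Principal.Federated.includes(providerArn)) return false;
    const eq = (st.Condition && st.Condition.StringEquals) || {};
    return Object.entries(eq).every(([key, want]) => {
      const have = claims[key.replace(/^oidc:/, '')];
      const haves = Array.isArray(have) ? have : [have];  // aud may be a list
      const wants = Array.isArray(want) ? want : [want];  // a condition may list several values
      return haves.some((h) => wants.includes(h));
    });
  });
}

// Constructed claim sets: our own M2M client, and a second client ID registered
// on the same provider (another team's application) that must not get this role.
const ownClient = { iss: ISSUER, aud: CLIENT_ID, sub: CLIENT_ID };
const otherClient = { iss: ISSUER, aud: 'm2m-client-0002', sub: 'm2m-client-0002' };

// Weak policy: both clients may assume the role. Strict policy: only our own.
console.log('weak  ', mayAssume(weakPolicy, ownClient), mayAssume(weakPolicy, otherClient));
console.log('strict', mayAssume(strictPolicy, ownClient), mayAssume(strictPolicy, otherClient));
```

The weak policy is what you get if step 7 is skipped: every application that shares the provider can take the role and whatever permissions step 9 attaches to it. Pinning oidc:sub (and oidc:aud) is the least-privilege form.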

### Configure API Gateway M2M Authentication

**Navigation**: Console > API Gateway > Manage APIs > API Groups > Create Group

**Prerequisites**:
- An M2M application server and M2M client configured in IDaaS

1. Log on to the API Gateway console
   - Element: **API Gateway console** (link) — location description: top navigation

2. Choose Manage APIs > API Groups
   - Element: **Manage APIs** (menu) — location description: left navigation pane

3. Click Create Group
   - Element: **Create Group** (button) — location description: top-right corner

4. In the Backend Services menu, click Create Backend Service
   - Element: **Create Backend Service** (button) — location description: main content area

5. In the backend service, click Create API
   - Element: **Create API** (button) — location description: main content area

6. Set Security Authentication to No Authentication
   - Element: **No Authentication** (dropdown) — location description: Request Basic Settings section
   - Notes: Required because this tutorial delegates authentication to the JWT Authentication and Parametric Access Control plugins. Until both plugins are bound (step 18) the published API accepts unauthenticated calls, so do not expose it in the production environment before that step.

7. Enter the Request Path and select the HTTP Method
   - Element: **Request Path** (text_input) — location description: Request Basic Settings section

8. Enter the actual backend request path
   - Element: **Backend Request Path** (text_input) — location description: main content area

9. Select the response ContentType and complete the API creation
   - Element: **ContentType** (dropdown) — location description: main content area

10. Publish and debug the API in the staging environment
    - Element: **Publish** (button) — location description: top-right corner
    - Notes: Send a test request to confirm the API is working before adding authentication.

11. In the IDaaS console, open your M2M application and grant the required permission scopes to the M2M client
    - Element: **M2M application** (link) — location description: IDaaS console
    - Notes: Grant the user:read:one permission scope to the client.

12. In the API Gateway console, go to Plugins and click Create Plugin
    - Element: **Plugins** (menu) — location description: left navigation pane

13. Set Plugin Type to JWT Authentication
    - Element: **JWT Authentication** (dropdown) — location description: Plugin List page

14. Get the public key from the M2M server's Public Key Endpoint and replace the jwk section in the plugin script
    - Element: **Public Key Endpoint** (link) — location description: Application Settings
    - Notes: Open the URL in a browser and copy the JWK. The plugin uses it to verify the token signature, so it must be the public key of the M2M server that issues the tokens; if that key is rotated, the jwk section must be updated or every token will fail verification.

15. Create a Parametric Access Control plugin
    - Element: **Create Plugin** (button) — location description: Plugin List page

16. Set Plugin Type to Parametric Access Control
    - Element: **Parametric Access Control** (dropdown) — location description: Plugin List page

17. Replace the clientId and scope values in the condition with your own M2M client's application ID and required permission scope
    - Element: **condition** (text_input) — location description: script editor
    - Notes: Use values from the IDaaS console: Application Settings for client_id, and authorized applications section for scope.

18. Bind both plugins to the API by clicking Bind API in the Actions column
    - Element: **Bind API** (button) — location description: Actions column
    - Notes: Select the API operation to protect.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Request Path | text_input | Yes | — | The path used to invoke the API. The gateway maps this to the backend request path. |
| HTTP Method | dropdown | Yes | GET, POST, PUT, DELETE, PATCH | The HTTP method used to call the API. |
| ContentType | dropdown | Yes | application/json, text/plain, application/xml | The content type of the API response. |
| Security Authentication | dropdown | Yes | No Authentication, API Key, OAuth 2.0, JWT | Authentication method for the API. Set to 'No Authentication' for this tutorial. |
| parameter | text_input | Yes | — | The request parameter that carries the JWT. Must match the API parameter. |
| parameterLocation | dropdown | No | query, header | Where the gateway reads the JWT from. Required in pass-through mode. |
| bypassEmptyToken | checkbox | No | true, false | Whether to allow requests with no JWT to pass. Set to false in production. |
| preventJtiReplay | checkbox | No | true, false | Whether to enable anti-replay checks for the jti claim. Set to true in production. |

### SSO from WeCom Workbench

**Navigation**: Console > IDaaS > Application > Add Application

**Prerequisites**:
- An activated Alibaba Cloud IDaaS EIAM service
- A WeCom account with administrator permissions
- A target application that supports SAML 2.0 or OAuth 2.0

1. Log on to the IDaaS console and select your IDaaS instance
   - Element: **Manage** (button) — location description: Operation column

2. Go to Application > Add Application and add the target application (the page uses the Alibaba Cloud SASE template as its example)
   - Element: **Add Application** (button) — location description: Application section

3. On the General tab, note the application ID
   - Element: **General** (tab) — location description: Top navigation
   - Notes: The application ID is used in step 10 to build the WeCom homepage URL

4. Go to Login Access > Single Sign-on and configure SSO settings
   - Element: **Single Sign-on** (tab) — location description: Login Access section

5. Click Save to apply changes
   - Element: **Save** (button) — location description: Bottom of form

6. Log on to the WeCom admin console and go to Application Management > Applications > Self-built
   - Element: **Self-built** (tab) — location description: Applications section

7. Fill in application details including logo, name, description, and visibility
   - Element: **Create Application** (button) — location description: Bottom of form

8. Click Settings to open the Set Workbench Application Homepage page
   - Element: **Settings** (link) — location description: Application details page

9. Select Web and click Configure Mobile And Desktop Separately
   - Element: **Configure Mobile And Desktop Separately** (button) — location description: Homepage configuration section

10. Enter the homepage URL using the format: https://{IDaaS User Portal Address}/login/go/{IDaaS Application ID}
    - Element: **Homepage URL** (text_input) — location description: Web configuration form

11. Select the option to always enter the homepage in the WeChat plugin
    - Element: **Always enter the homepage in the WeChat plugin** (checkbox) — location description: WeChat plugin settings

12. Click OK to save the settings
    - Element: **OK** (button) — location description: Bottom of dialog

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Logo | file_upload | No | — | Upload a 750×750 px JPG or PNG image under 1 MB |
| Application Name | text_input | Yes | — | Name displayed to users in WeCom |
| Application Description | text_input | No | — | Brief description of the application's purpose |
| Visibility | dropdown | Yes | All members, Specific departments, Specific members | Departments or members who can access the application |

### SSO from Lark Console

**Navigation**: Console > IDaaS > Application Management > Applications > Add Application

**Prerequisites**:
- Alibaba Cloud IDaaS EIAM is activated
- A Lark enterprise account with administrator permissions
- A target application that supports SAML 2.0 or OAuth 2.0

1. Log on to the IDaaS console and click Manage in the Operation column
   - Element: **Manage** (link) — location description: Operation column

2. Go to Application Management > Applications > Add Application, then search for and add the target application (the page uses Alibaba Cloud User-based SSO as its example)
   - Element: **Add Application** (button) — location description: Applications page

3. Copy the ID from the General tab
   - Element: **ID** (text_input) — location description: General tab
   - Notes: This ID is used in step 9 to construct the Lark app's homepage URL.

4. Click the Sign-In > SSO tab and configure SSO settings
   - Element: **SSO** (tab) — location description: Sign-In section

5. Download the IdP Metadata file and upload it in the RAM console under Integrations > SSO > User-based SSO > Metadata File (this applies to the Alibaba Cloud User-based SSO example; for another target application, complete that application's own SAML or OAuth 2.0 trust setup instead)
   - Element: **IdP Metadata** (button) — location description: Application Settings

6. Log in to the Lark Open Platform and go to Developer Console > Custom App > Create Custom App
   - Element: **Create Custom App** (button) — location description: Custom App page

7. Enter the app name, description, and icon, then click Create
   - Element: **Create** (button) — location description: App creation form

8. On the app details page, click Add Features > By Feature, then click Add next to Web App
   - Element: **Web App** (button) — location description: Add Features section

9. Set the desktop and mobile homepage URLs using the format: https://<IDaaS-user-portal-address>/login/go/<IDaaS-application-ID>
   - Element: **Web App** (text_input) — location description: Web App configuration
   - Notes: The <IDaaS-user-portal-address> is found in 'Access the IDaaS portal'. The <IDaaS-application-ID> is the ID copied from the General tab in step 3.

10. Enable required address book permissions
    - Element: **Permission management** (section) — location description: Permissions section
    - Notes: For details, see 'Enable permissions' guide.

11. After modifying the Lark application configuration, click Create Version to publish the new version
    - Element: **Create Version** (button) — location description: Lark console
    - Notes: Changes only take effect after publishing a new version.

12. In the Lark console, click the app you created
    - Element: **App** (link) — location description: Lark console
    - Notes: If not visible, search by name and click Add to Favorites.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| App Name | text_input | Yes | — | The name of the custom app being created on the Lark Open Platform. |
| Description | text_input | No | — | A brief description of the app. |
| Icon | file_upload | No | — | Upload an icon for the app. |
| Desktop Homepage URL | text_input | Yes | — | The URL where the app will open on desktop. Must follow the format: https://<IDaaS-user-portal-address>/login/go/<IDaaS-application-ID> |
| Mobile Homepage URL | text_input | Yes | — | The URL where the app will open on mobile. Must follow the same format as desktop URL. |

### Enable Grafana SSO with IDaaS

**Navigation**: Console > IDaaS EIAM > Application > Add Application - OIDC Protocol

**Prerequisites**:
- Docker installed on the host machine
- Grafana image pulled and available
- Network access from Grafana server to IDaaS endpoints
- User accounts created in IDaaS with appropriate roles

1. Log in to the Alibaba Cloud IDaaS EIAM console
   - Element: **Alibaba Cloud IDaaS EIAM console** (link) — location description: top navigation bar

2. Navigate to Application section
   - Element: **Application** (menu) — location description: left-side navigation pane

3. Click Create Application - OIDC Protocol
   - Element: **Create Application - OIDC Protocol** (button) — location description: OIDC card

4. Enter application name and click Create
   - Element: **Create** (button) — location description: Add Application - OIDC Protocol dialog box

5. Set redirect URI in SSO configuration
   - Element: **Redirect** (text_input) — location description: SSO tab
   - Notes: Grafana's generic OAuth callback is https://<your-grafana-address>/login/generic_oauth; replace <your-grafana-address> with the actual Grafana service address. The registered value must match what Grafana sends (derived from its root_url) exactly, scheme and path included, or the callback is rejected.

6. Expand Advanced Configuration and select required scopes
   - Element: **Show Advanced Configuration** (button) — location description: bottom of the page

7. Grant permissions to users in the Authorization section
   - Element: **Authorize** (button) — location description: Authorization section

8. Copy client_id, client_secret, authorization endpoint, token endpoint, and user info endpoint
   - Element: **View Credentials** (button) — location description: Login Method tab
   - Notes: These values must be securely stored

9. Modify grafana.ini file to configure generic OAuth
   - Element: **grafana.ini** (text_input) — location description: configuration file
   - Notes: Replace placeholders with actual values from IDaaS

10. Restart the Grafana container so the new configuration is loaded
    - Element: **docker restart grafana** (command) — location description: terminal on the Docker host

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Name | text_input | Yes | — | Name of the OIDC application in IDaaS |
| Redirect URI | text_input | Yes | — | Grafana's OAuth callback URL, https://<your-grafana-address>/login/generic_oauth, derived from the Grafana root_url |
| Scopes | dropdown | Yes | openid, profile, email, phone | Permissions requested during authentication |
| Role Mapping Expression | text_input | No | — | JMESPath expression to map IDaaS roles to Grafana roles |
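
A grafana.ini fragment for step 9, added here as an example; it is not from this page or from Grafana's own documentation. Angle-bracket values are placeholders for the credentials and endpoints copied in step 8, the root_url host is assumed, and the `groups` claim used by role_attribute_path is an assumption about what the IDaaS user info endpoint returns.

```ini
; grafana.ini fragment for step 9 (added example, not from the page).
; Angle-bracket values are placeholders for the values copied in step 8.
[server]
; Public address of Grafana; the redirect URI registered in IDaaS is
; <root_url>/login/generic_oauth. The host name here is assumed.
root_url = https://grafana.example.com/

[auth.generic_oauth]
enabled = true
name = IDaaS
allow_sign_up = true
client_id = <client_id from IDaaS>
; Keep the secret out of the file: Grafana expands $__env{...} from the environment.
client_secret = $__env{IDAAS_CLIENT_SECRET}
scopes = openid profile email
auth_url = <authorization endpoint from IDaaS>
token_url = <token endpoint from IDaaS>
api_url = <user info endpoint from IDaaS>
use_pkce = true
tls_skip_verify_insecure = false
; Role mapping (the Role Mapping Expression above). "groups" is an assumed
; claim name; use whatever the user info endpoint actually returns.
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || contains(groups[*], 'grafana-viewers') && 'Viewer'
; Deny login to users the expression maps to no role instead of silently
; granting them Viewer.
role_attribute_strict = true
```

With the Docker deployment from the prerequisites, either mount this file at /etc/grafana/grafana.ini in the container or set the equivalent GF_AUTH_GENERIC_OAUTH_* environment variables (for example GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET), then run step 10.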

### Configure SSO for Alibaba Cloud SASE

**Navigation**: Console > IDaaS > Applications > Add Application > Alibaba Cloud - SASE template

**Prerequisites**:
- Access to the IDaaS console
- Access to the Alibaba Cloud SASE console
- SAML metadata file from IDaaS
- Enterprise ID from SASE console

1. Log on to the IDaaS console
   - Element: **IDaaS console** (link) — location description: top navigation

2. Open the IDaaS instance
   - Element: **Open Console** (button) — location description: Actions column in instance list

3. Navigate to Applications > Add Application
   - Element: **Applications > Add Application** (menu) — location description: left-side navigation pane

4. Search for and select the Alibaba Cloud - SASE template
   - Element: **Alibaba Cloud - SASE** (text_input) — location description: search bar in App Market tab

5. Click Add Application
   - Element: **Add Application** (button) — location description: after selecting the template

6. Confirm the application name
   - Element: **Application Name** (text_input) — location description: form field

7. Set SSO configuration for all users temporarily
   - Element: **All Users** (dropdown) — location description: Authorization Type setting
   - Notes: For testing purposes only; switch Authorization Type to Specific Users and authorize the intended users before the application goes into production

8. Download the SAML metadata file
   - Element: **SAML metadata file** (button) — location description: Application Settings section

9. Log on to the Alibaba Cloud SASE console
   - Element: **Alibaba Cloud SASE console** (link) — location description: top navigation

10. Go to identity authentication and management
    - Element: **identity authentication and management** (menu) — location description: left-side navigation pane

11. Click Add IdP
    - Element: **Add IdP** (button) — location description: main content area

12. Set IdP name to IDaaS and enter a custom name
    - Element: **IDaaS** (dropdown) — location description: IdP type field

13. Upload the SAML metadata file
    - Element: **SAML metadata file** (file_upload) — location description: upload form
    - Notes: Turn off the 'Read department group' option

14. Click OK to save IdP configuration
    - Element: **OK** (button) — location description: bottom of form

15. Enable the new IdP
    - Element: **Enable** (button) — location description: IdP list

16. Open the SASE client and enter the enterprise ID
    - Element: **Enterprise ID** (text_input) — location description: SASE client login screen
    - Notes: Enterprise ID can be found in SASE console settings

17. Log in via IDaaS login page in built-in browser
    - Element: **IDaaS logon page** (link) — location description: built-in browser window
    - Notes: Authentication methods depend on IDaaS configuration

18. Use SASE after successful login
    - Element: **SASE dashboard** (link) — location description: main interface

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| IdP Type | dropdown | Yes | IDaaS | Select the identity provider type. |
| Custom Name | text_input | Yes | — | Enter a custom name for the IdP. |
| SAML Metadata File | file_upload | Yes | — | Upload the SAML metadata file from IDaaS. |
| Read Department Group | checkbox | No | — | Whether to read department group information from the IdP. |
| Authorization Type | dropdown | Yes | All Users, Specific Users | Specify which users are authorized to access the application. |

### Alibaba Cloud Role SSO

**Navigation**: Applications > Create Application > Application Market

**Prerequisites**:
- An IDaaS instance must be created and configured
- Access to the RAM console
- The target Alibaba Cloud account ID is known
- Users or groups in IDaaS have been set up for SSO

1. Log on to the IDaaS console
   - Element: **IDaaS console** (link) — location description: top navigation

2. Select an IDaaS instance and click Open Console
   - Element: **Open Console** (button) — location description: Actions column in instance list

3. Go to Applications > Create Application > Application Market, search for Alibaba Cloud role SSO template, and click Create
   - Element: **Create** (button) — location description: Application Market page

4. Confirm application name and click Add
   - Element: **Add** (button) — location description: confirmation dialog
   - Notes: Default application name is 'Alibaba Cloud role SSO'

5. On the Sign-in & Access tab, turn on SSO Configuration switch and enter Alibaba Cloud account ID, IdP name, Application account, and Authorization scope
   - Element: **SSO Configuration** (switch) — location description: Sign-in & Access > Single Sign-On tab

6. Download IdP metadata file from the Application Settings section
   - Element: **Download** (button) — location description: Application Settings section
   - Notes: This file will be used to establish trust from Alibaba Cloud to IDaaS

7. On the Application Accounts tab, click Add Application User
   - Element: **Add Application User** (button) — location description: Application Accounts tab

8. Select accounts that will use Alibaba Cloud role SSO and add application accounts with names matching Alibaba Cloud role names
   - Element: (form_field) — location description: Application Accounts form
   - Notes: One IDaaS account can map to multiple roles by adding multiple application accounts

9. Log on to the RAM console
   - Element: **RAM console** (link) — location description: top navigation

10. In the left navigation pane, choose Integrations > Identity Providers
    - Element: **Integrations** (menu) — location description: left navigation panel

11. On the SAML tab, click Create Identity Provider
    - Element: **Create Identity Provider** (button) — location description: SAML tab

12. Enter identity provider name identical to the one in IDaaS, upload the IdP metadata file, and click Create
    - Element: **Create** (button) — location description: Create Identity Provider dialog

13. In the left navigation pane, choose Members > Roles
    - Element: **Members** (menu) — location description: left navigation panel

14. Click Create Role on the Roles page
    - Element: **Create Role** (button) — location description: Roles page

15. Switch to Policy Editor and select the identity provider created in step 12 as the trusted entity
    - Element: **Switch To Policy Editor** (button) — location description: upper-right corner of the panel

16. Enter a role name identical to the application account name and click Confirm
    - Element: **Confirm** (button) — location description: dialog box
    - Notes: Role name must match application account name configured in IDaaS

17. Attach required permission policies to the RAM role via the Permissions tab
    - Element: **Add Permissions** (button) — location description: Permissions tab
    - Notes: After attaching policies, they appear in the policy list; remove with 'Remove Permissions'

18. Log on to the IDaaS application portal using an account with permissions for the Alibaba Cloud role SSO application
    - Element: (form_field) — location description: login page

19. Click the Alibaba Cloud role SSO icon to initiate single sign-on
    - Element: **Alibaba Cloud role SSO icon** (icon) — location description: application portal dashboard

20. If multiple application accounts exist, select one for SSO
    - Element: (dropdown) — location description: selection dialog
    - Notes: User selects which Alibaba Cloud role to assume

21. Click Confirm to sign in to Alibaba Cloud as the selected role
    - Element: **Confirm** (button) — location description: confirmation dialog

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Alibaba Cloud account ID | text_input | Yes | — | The ID of the target Alibaba Cloud account for SSO. Found on the console home page by clicking the profile avatar or navigating to Account Center. |
| IdP name | text_input | Yes | — | The name of the identity provider to be created in RAM. Must use only letters, numbers, or characters '.', '-', '_'. Cannot start or end with a special character. |
| Application account | text_input | Yes | — | The RAM role identifier for each account. The application account name must exactly match the Alibaba Cloud role name. |
| Authorization scope | dropdown | No | Manual Authorization, All Users | Determines whether permission assignment is required. Selecting 'All Users' skips the assignment step for testing. |
| Name | text_input | Yes | — | The name of the RAM role. Must be identical to the application account name configured in IDaaS. |

## FAQ

Q: Where can I find the Application ID needed for SSO integrations like WeCom or Lark?
A: The Application ID is displayed on the General tab of your application configuration page in the IDaaS console after creating the application.

Q: What happens if I leave the Network Zones Type as 'All' for my M2M application?
A: Setting Network Zones Type to 'All' allows the M2M application to be accessed from any IP address, which may pose security risks. It's recommended to restrict to specific IPs ('Part') in production environments.

Q: Can I modify the redirect URI for an OIDC application after creation?
A: Yes, you can update the redirect URI by navigating to the SSO tab of your OIDC application in the IDaaS console and editing the Redirect field.

Q: What permissions do I need to delete the service-linked role AliyunServiceRoleForEiamIDaaSRead?
A: You need permissions to manage RAM roles (such as ram:DeleteServiceLinkedRole) and all IDaaS EIAM instances must be released before deletion is allowed.

Q: How do I troubleshoot failed SSO connections between IDaaS and Alibaba Cloud SASE?
A: Verify that the SAML metadata file was correctly uploaded to SASE, the Enterprise ID matches what's configured in SASE, and that the IDaaS application is properly authorized for the users attempting to log in.

## Pricing & Billing

### Billing Model
Access control features are included at no additional cost with IDaaS service plans. M2M applications require an EIAM instance (free or paid).

### Free Tier
- Access control configuration: Included with all IDaaS subscriptions
- Service-linked roles: No cost associated
- OIDC identity providers: No explicit cost mentioned; part of RAM and IDaaS free tier
- Two M2M applications per free trial

### Quota Limits
- Access control: No usage limits for configuration
- Service-linked roles: No usage limits
- OIDC identity providers: Up to 50 client IDs per provider
- M2M applications: 2 applications per free trial

### Billing Notes
- Access control features are included at no additional cost with IDaaS service plans
- Service-linked roles are free to create and use; deletion requires instance release first
- STS credentials obtained through the OIDC provider are temporary; neither the OIDC provider nor STS token issuance carries a direct charge, only the Alibaba Cloud resources accessed with those credentials are billed
- M2M application feature requires creating an EIAM instance (free or paid)