# idaas-identity

Part of **IDAAS**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Manage application access permissions](../../intent/idaas-manage-access/SKILL.md). If you're unsure which path to take, check the routing skill first.

# IDaaS Identity Management Console Guide

## Operations Overview

| Operation | Console Navigation Path | Prerequisites | Description |
|-----------|------------------------|---------------|-------------|
| Quick Start CIAM | Console > CIAM > Instance List > Purchase Instance | Alibaba Cloud account; AliyunYundunIdaasFullAccess permission for RAM users | Activate instance, create application, configure login methods, and manage user accounts via console. |
| Manage RAM Users and Policies | Console > IDaaS > Identity Management | Alibaba Cloud account with administrator permissions; RAM user or RAM role with administrative privileges | Manage RAM users and configure RAM policies for access control in the console. |
| Manage Groups | Console > IDaaS > Groups > Modify > Members (Accounts) | An IDaaS instance; The role or permission required to manage group members | Manage group members in the IDaaS console. |
| Username and Password Authentication | Console > IDaaS > Identity Management > Account Authentication > Username and Password Authentication | An active IDaaS CIAM instance; SMS gateway configured in IDaaS (via Cloud Communication) | Register accounts with username and password in the console. |
| Configure SMS Gateway | Console > CIAM > Advanced Settings > Gateway | None | Configure SMS gateway integration for notifications and authentication in the console. |
| Manage Application Client Secret | Console > Identity & Access Management > Applications > Select Application > Security Settings > Client Secrets | An application must be created in IDaaS; User must have 'Manage Client Secrets' permission | Manage client secrets for applications in the console. |
| Manage Application Authorization | Console > Identity Management > Application Authorization | User must have administrative privileges; Application must be registered in the IDaaS system | Manage application authorization for users and groups in the console. |
| Manage Application Roles | Console > Identity & Access Management > Application Roles > Manage Roles | User must have administrative privileges in IDaaS; An application must already be created in the system | Manage application roles in the console. |
| Configure SSO for Application | Console > Identity & Access Management > SSO Configuration > Applications | An active IDaaS account with admin privileges; A configured Identity Provider (IdP); The application to be integrated must support SAML 2.0 | Configure Single Sign-On (SSO) for applications in the console. |
| Add Administrator | Console > Settings > Administrator Accounts > Create Administrator | An Alibaba Cloud RAM sub-account must exist; The RAM sub-account must have the AliyunYundunIdaasFullAccess permission in RAM; The sub-account UID must be bound to CIAM as an administrator | Add system administrators in the IDaaS console. |
| Manage Third-Party Login Accounts | Console > Identity & Access Management > Third-Party Logon Accounts | Administrator privileges in the IDaaS console; A valid OAuth or OpenID Connect provider configured externally | Configure and manage user accounts from external identity providers in the console. |
| Synchronize User Accounts | Console > IDaaS > Application Synchronization > Event Configuration | Application integration configured in IDaaS console; HTTPS endpoint ready to receive callbacks; Business data encryption option enabled if sensitive data is transmitted | Set up and manage address book events for user account synchronization. |
| Integrate Account Provisioning | Console > Identity & Access Management > Account Provisioning > Integrate Account Provisioning | An active IDaaS instance is configured; Access to the target system's API or integration endpoint; Administrative privileges in both IDaaS and the target system | Guide for integrating account provisioning with external systems. |
| Integrate Single Sign-On (SSO) | Console > Identity & Access Management > SSO Integration > Configure SSO | An active IDaaS account with administrative privileges; A configured Identity Provider (IdP) such as AD, Okta, or Ping Identity; Access to the Service Provider (SP) application metadata (e.g., SAML metadata XML file); Network connectivity between the IdP and IDaaS | Configure SSO for applications using the IDaaS console. |
| Create an IDaaS SSO Application | Console > IDaaS > Instance List > Create Instance > Accounts and Orgs > Create Account > Application Management > Applications > Add Application | An Alibaba Cloud account; A RAM user whose username matches the IDaaS account username | Set up a new single sign-on application in the IDaaS console. |
| Integrate IDaaS with Applications | API Debugging > Select API operation > Generate sample code | Access to Alibaba Cloud OpenAPI Portal; API credentials for IDaaS | Developer guide for integrating IDaaS into custom applications. |
| Integrate IDaaS with Jushita | Console > IDaaS > Integration > Jushita Integration | Exclusive edition of IDaaS; Access to DingTalk group 33623553; Obtain the 'IDaaS-Jushita Integration Document' | Configure integration between IDaaS and Jushita systems. |
| Create User with 2FA | Console > IDaaS > Jushita Integration | Download and install Postman; Have access to the Jushita instance public API domain name; Obtain API Key and API Secret from IDaaS console; Have a valid merchant name and ivsAppKey; Ensure the Jushita version is idaas-jst-xxx | Guide for creating users with two-factor authentication using Jushita APIs. |
| Configure AD/LDAP Account Synchronization | Console > Accounts > Organizations and Groups | Log on to the IDaaS console as an IT administrator; AD/LDAP server must have a public IP address with port 389 open; Security group policy may need to allow access from IDaaS egress IP addresses; Ensure parent organization is exported before exporting sub-organizations; Check user license count before importing accounts | Set up synchronization of user accounts from AD/LDAP directories. |
| Configure Legacy LDAP Authentication | Console > Authentication > Authentication Sources | Administrator account for IDaaS console; AD domain with public IP address and port 389 open; Security group policy allowing access from IDaaS egress IPs; IDaaS egress IP addresses obtained via ticket submission | Set up LDAP as an authentication source for legacy systems. |
| Configure Identity Provider | Console > IDaaS > EIAM 1.X > Configure Identity Provider | An active IDaaS account with admin privileges; A configured SAML or OIDC identity provider | Set up identity providers for EIAM 1.X instances. |
| Configure Group-to-Role SSO | Console > IDaaS > Applications > Create SAML Application > SAML 2.0 | You have activated IDaaS EIAM and created an instance; You have access to the CAM console and the IDaaS EIAM portal; You have an account with administrator permissions; You have obtained your account ID | Set up SSO mappings between IDaaS groups and cloud provider roles (e.g., CAM). |
| Configure Automatic Role-Based SSO for User Groups | Console > IDaaS > Applications > Create SAML Application | IDaaS EIAM activated and instance created; Access to RAM console and IDaaS EIAM portal | Automatically assign cloud roles based on IDaaS user group membership (e.g., with RAM). |
| Configure SSO for Alibaba Cloud DevOps | Console > IDaaS > Overview > Create Instance | An Alibaba Cloud account; An IDaaS instance already created; Access to the Alibaba Cloud IDaaS console; A supported identity provider configured (e.g., DingTalk, WeCom, AD) | Enable single sign-on for Alibaba Cloud DevOps using IDaaS. |
| Configure SSO for DingTalk Enterprise | Console > Identity Management > IDaaS > Applications > Create Application | An IDaaS instance activated in the cloud | Enable login to DingTalk Enterprise using AD/LDAP/IDaaS accounts. |
| Enable SSO from DingTalk Workbench | Console > IDaaS > Applications > Create Application | DingTalk identity provider already created; IDaaS application configured for SSO; User accounts mapped between DingTalk and IDaaS; Application account names match existing local accounts in target application | Allow users to access IDaaS applications directly from the DingTalk workbench. |
| Configure SSO for Qoder | Console > IDaaS > Applications > Add Application > Application Marketplace > Search 'Qoder' > Create Application | An IDaaS EIAM instance is created; Administrator permissions for the Qoder organization; Domain ownership verification for the enterprise email domain in Qoder; Permission to modify DNS records for the Qoder enterprise email domain | Implement best practices for Qoder single sign-on with IDaaS. |
| Configure SSO for Tongyi Lingma | Console > IDaaS > Applications > Create OIDC Application > General Tab > SSO Configuration | An Alibaba Cloud account or RAM user with AliyunRDCFullAccess policy attached; A created IDaaS instance; Enterprise Edition instance created in DevOps console; Network access configured (public or VPC) | Set up single sign-on for Tongyi Lingma applications. |
| Sync to RAM via SCIM | RAM Console > OAuth Preview > Enterprise Applications > Create Application | Your Alibaba Cloud account or RAM user must have the required permissions to create OAuth applications; Your Alibaba Cloud account or RAM user must have the required permissions to grant authorization to a server application | Synchronize user accounts to Alibaba Cloud RAM using the SCIM protocol. |
| Synchronize AD Domain Data to DingTalk | Products & Services > Application Identity Service > Create Instance for free | An Active Directory (AD) domain with accessible server and administrator credentials; DingTalk Open Platform account with application creation permissions; Network access from IDaaS to AD and DingTalk endpoints; IP allowlist configuration on AD server for IDaaS outbound IPs | Sync Active Directory data directly to DingTalk. |
| Synchronize Microsoft Entra ID Users or Groups Using SCIM | Console > IDaaS > EIAM Instance List > Open Console > Identity Provider > Application > Application Details | Administrative permission for both Alibaba Cloud IDaaS and Microsoft Entra ID; An existing Microsoft Entra ID tenant; An EIAM instance for Alibaba Cloud IDaaS | Provision users and groups from Microsoft Entra ID to IDaaS via SCIM. |
| Sync Okta Users or Groups via SCIM | Console > IDaaS > EIAM Instance List > [Instance] > Open Console > Identity Provider > Application > [Application Name] > Account Synchronization | Administrator permissions for Alibaba Cloud IDaaS; Super Administrator permissions for Okta instance; Okta instance with SCIM 2.0 support enabled; EIAM instance created in Alibaba Cloud IDaaS | Provision users and groups from Okta to IDaaS using SCIM. |
| Sync to CloudSSO via SCIM | Console > Settings > User Settings > SCIM-based User Synchronization Configuration | Alibaba Cloud account with access to CloudSSO console; IDaaS instance already set up; Access to IDaaS instance console | Synchronize accounts to Alibaba Cloud CloudSSO using SCIM. |
| Provision External Accounts to RAM | Console > Application Identity Service > IDaaS Management Console | Delegate authentication feature enabled for AD; External identity provider (e.g., AD, DingTalk, WeCom, Lark) configured and accessible | Provision external identity provider accounts to Alibaba Cloud RAM. |
| Configure Agent Identity Security | Console > Agent Security | API key created on Model Studio with permissions to call its models; Amap added in Model Studio's MCP Square; Function Compute activated; Agent identity security configured in IDaaS with Agent, Client, Model, SaaS, and MCP nodes set up | Set up security policies for agent identities in IDaaS. |
| Configure Secretless Credential Solution | Console > IDaaS EIAM > Agent ID | An active Alibaba Cloud account; Access to the IDaaS EIAM console; ECS instance with RAM role attached or support for PKCS#7 identity; OpenClaw deployed on ECS, Simple Application Server, or Wuying Workspace | Implement secretless authentication for OpenClaw applications. |
| Manage Account Fields | IDaaS console > EIAM > Manage > Account > Field Management > Basic Fields / Extended Fields | Access to the IDaaS console; Permission to manage account fields; For required fields: identity provider (IdP) field mapping configured | Create and manage custom fields for user accounts. |
| Import and Export Account Data | Accounts > Accounts and Orgs | Organization paths must be consistent between IDaaS EIAM 1.0 and 2.0 versions; Access to the IDaaS console with appropriate permissions | Bulk import or export user account data using files. |
| Group Management | Console > Identity & Access Management > Groups | Access to the IDaaS console with appropriate permissions; At least one account to add as a member | Create, modify, and delete groups; manage members and application authorizations. |
| Manage Organizations | Console > Employee Identity and Access Management (EIAM) > Select Instance > Accounts > Accounts and Orgs | Administrator access to IDaaS console; Existing instance selected in EIAM page | Perform CRUD operations on organizational units. |
| Synchronize Accounts | Console > IDaaS > Identity Management > Account Synchronization | An IDaaS instance must be created and configured; Access to the IDaaS console with appropriate permissions; Integration with at least one identity provider (IdP) or application system | General guide for synchronizing user accounts from various sources. |
| Move an Account | Console > Identity & Access Management > Accounts > Move Account | Administrator access to your IDaaS instance; The account you want to move already created | Transfer a user account between organizational units. |
| Account Lifecycle | Console > Identity & Access Management > Accounts | Administrator privileges to manage accounts | Manage user account states throughout their lifecycle (e.g., activation, deactivation). |
| Account Details | Console > IDaaS > Accounts > Account Details | User must have appropriate permissions to view and manage accounts; Account must exist in the IDaaS system | View detailed information about a user account in the console. |
| Configure Agent ID Guard | Console > IDaaS EIAM > Agent ID Guard | An IDaaS EIAM Enterprise Edition instance with the machine-to-machine (M2M) feature enabled; An identity provider configured with at least one valid account | Set up Agent ID Guard for enhanced identity protection. |
| Configure SSO by Using IDaaS | Console > IDaaS > Applications > Create Application > Application Market > | An active IDaaS instance; Access to the platform; A configured IAM Identity Center; User accounts with appropriate permissions in IDaaS | Set up Single Sign-On integrated with IDaaS. |
| Role-Based SSO | Console > IDaaS > Applications > Create Application > Search for role-based SSO | An active IDaaS instance; Access to the Console; account ID for the target account; Correct region access (China site or international site) | Configure role-based SSO for using IDaaS. |
| Configure Single Sign-On for Cloud SSO | Console > IDaaS > Applications > Add Application | An active IDaaS instance; Access to the Alibaba Cloud IDaaS console; Access to the Cloud SSO console; A configured identity provider (IdP) | Set up SSO for Alibaba Cloud CloudSSO service. |
| Alibaba Cloud User SSO | IDaaS Console > Manage > Applications > Add Application > Alibaba Cloud User SSO Template | An IDaaS instance must be created and configured; Access to the Alibaba Cloud console with sufficient permissions; Existing IDaaS users who need access to Alibaba Cloud; RAM users or roles to be mapped to IDaaS users | Configure user-based single sign-on for Alibaba Cloud services. |
| Configure GitLab SSO with SAML | Console > IDaaS > Applications > Application Market | An active IDaaS account with administrative privileges; Access to the GitLab server configuration files; GitLab instance accessible via public or internal network | Set up SAML-based SSO for GitLab applications. |
| Configure SSO and Account Provisioning | Console > IDaaS > Applications > Create Application > SSO Configuration | An active Alibaba Cloud IDaaS EIAM subscription with administrative access; An active Volcengine Cloud Identity subscription with administrative access; Usernames in IDaaS must match the corresponding usernames in Volcengine Cloud Identity | Set up both SSO and account provisioning between IDaaS and other cloud providers (e.g., Volcengine, Huawei Cloud). |
| Platform SSO | Applications > Add Application > Standard Protocol | An active IDaaS instance; Access to the console; Permissions to create workforce identity pools and assign IAM roles | Configure SSO for Platform using IDaaS. |
| Google Workspace SSO | Console > IDaaS > Application > Add Application > Standard Protocol | A user's email claim in IDaaS must match their primary email address in Google Workspace; You must have administrator permissions for the Google Admin console | Set up SSO for Google Workspace applications. |
| SSO | Console > IDaaS > Applications > Create Application > Application Market | An IDaaS instance must be created and accessible; Access to the IAM console; Enterprise user accounts configured in IDaaS | Configure SSO for services. |
| Organization and IDaaS: SSO and Account Synchronization | Console > IDaaS > Applications > Create Application | Administrative permissions for your Alibaba Cloud IDaaS instance; Administrative permissions for Organization; The Organization service is enabled | Integrate Organization with IDaaS for SSO and user sync. |
| Jenkins SSO | Console > IDaaS > Application > Add Application > Marketplace > Jenkins | An IDaaS instance with administrator access; A running Jenkins instance with administrator access; The root domain of your Jenkins installation (e.g., https://jenkins.example.com) | Set up single sign-on for Jenkins CI/CD platform. |
| Jiandaoyun SSO | Console > Applications > Application Market > Search for Jiandaoyun > Create Application | Jiandaoyun Enterprise Edition license; IDaaS account with administrative privileges; Access to the Jiandaoyun management console | Configure SSO for Jiandaoyun applications. |
| Jira or Confluence SSO | Console > Identity & Access Management > Applications > Add Application | HTTPS enabled on your Jira or Confluence server; An IDaaS instance with at least one user account whose username matches the Jira username | Set up SSO for Atlassian Jira and Confluence products. |
| JumpServer SSO | EIAM > Applications > Add Application > Marketplace > JumpServer | JumpServer version 2.17.0 or later; An IDaaS instance with administrator access; Administrator access to JumpServer; A self-signed certificate (public-private key pair) | Configure SSO for JumpServer bastion host. |
| Redash v9 Legacy SSO | Console > Applications > Application Marketplace | An IDaaS instance with administrator access; A running Redash v9 instance with administrator access; The Redash service address (URL) | Set up legacy SSO for Redash v9 applications. |
| Salesforce SSO | Console > Application > Marketplace > Search for Salesforce | An active IDaaS instance with administrator access; A Salesforce account with administrator access | Configure SSO for Salesforce applications (both general and IDaaS console guides). |
| Configure SonarQube SSO | Console > EIAM > Applications > Add Application | An IDaaS instance with administrator access; SonarQube 8.0 or later; SonarQube administrator credentials | Set up SSO for SonarQube code quality platform. |
| Configure Splunk SSO | Console > EIAM > Applications > Add Application | An IDaaS instance with administrator access; A running Splunk Enterprise deployment with administrator access; The Splunk service URL (e.g., https://splunk.example.com) | Implement SSO for Splunk analytics platform. |
| Configure Teambition SSO | Console > IDaaS > Applications > Add Application > App Market | Access to the IDaaS console; Admin access to Teambition; A valid IDaaS instance configured; Domain binding and verification in Teambition for SP-initiated SSO | Set up SSO for Teambition project management tool. |
| Configure WordPress SSO | Applications > Add Application > Application Marketplace > WordPress | WordPress version 3.7 or later; miniOrange SAML SSO plugin installed; An active IDaaS instance with access permissions; Valid user accounts in IDaaS authorized to access WordPress | Implement SSO for WordPress websites. |
| Zabbix SSO | EIAM > Applications > Add Application | A Zabbix 5.0 or later installation with administrator access; An IDaaS instance with administrator access | Configure SSO for Zabbix monitoring system. |
| Configure SSO for eteams | Console > IDaaS > EIAM > Applications > Add Application > Marketplace > eteams | Administrator access to both the IDaaS console and eteams; An IDaaS instance with EIAM enabled; At least one IDaaS account whose email address matches an eteams account | Set up SSO for eteams collaboration platform. |
| Configure Role-Based SSO | Console > Applications > Create Application > Application Market | An active IDaaS instance; A Baidu AI Cloud main account with administrative privileges; Access to the Baidu AI Cloud console | Set up role-based SSO for various cloud providers (Baidu AI Cloud, Tencent Cloud, Kingsoft Cloud). |
| Application Onboarding | Console > Identity & Access Management > Applications > Onboard Application | An active IDaaS account; Administrative permissions to manage applications | Guide for onboarding new applications into IDaaS. |
| Custom Applications | Console > Applications > Add Application | None | Add and configure custom applications in IDaaS. |
| Create a Federated Credential | Console > IDaaS > Identity Provider > M2M > Create Application | An existing IDaaS instance; An existing federated credential provider (PCA, OIDC, or PKCS#7) | Set up federated credentials for cross-platform authentication. |
| Application Marketplace | Console > IDaaS > Applications > Application Marketplace | Access to Alibaba Cloud IDaaS console; Valid credentials with appropriate permissions | Add pre-integrated applications from the IDaaS marketplace. |
| Standard Protocols Supported by IDaaS | Console > Applications > Add Application > Standard Protocols | Application must support one of the standard SSO protocols: OIDC, SAML 2.0, or OAuth 2.0 | Add applications using standard protocols like SAML, OIDC, etc. |
| Sync Data from an Application to IDaaS | Console > IDaaS > Applications > Create Application | You have activated Identity as a Service (IDaaS) and created an instance in EIAM Cloud Identity Service; Your third-party identity system supports the SCIM protocol, and you have the required configuration information ready | Provision users and groups from external applications to IDaaS via SCIM. |
| Single Logout (SLO) | Console > IDaaS > Application Management > Application Details > Logon > SSO | Application must be OIDC-based; Application must be self-developed; Active IDaaS logon session exists for testing; Post-logout redirect URI must be pre-configured in the allowlist | Configure and initiate single logout across all SSO sessions. |
| Developer APIs | Console > IDaaS > Applications > [Application Name] > IDaaS API Tab | Administrator access to the IDaaS console | Use developer APIs to manage employee lifecycle operations. |
| Application Authorization | Console > Identity & Access Management > Applications > [Application Name] > Sign-In > Authorize | Administrator access to the IDaaS console | Grant or revoke application access for users or groups. |
| Basic Settings | Applications > Manage > General | Administrator privileges in IDaaS; Application already created | Configure API access settings and rotate client secrets. |
| Configure SSO | Console > IDaaS > Applications > Configure SSO | Activated the application in IDaaS | General SSO configuration settings for applications. |
| OIDC SSO Configuration | Console > Identity & Access Management > Applications > Configure OIDC SSO | An application registered in IDaaS; Basic understanding of OIDC protocol; Access to the IDaaS console | Configure OIDC-based single sign-on in the IDaaS console. |
| Configure SAML 2.0-based SSO | Console > Identity & Access Management > SSO Configuration > Add Application > Configure SAML 2.0 | An existing application with SSO support; Access to the application's SSO configuration page; Ability to download or access the IDaaS metadata file or URL; Downloadable signing certificate from IDaaS | Set up SAML 2.0 single sign-on for applications. |
| SAML Attribute Statements Rules | Console > IDaaS > Identity & Access Management > SSO Configuration > Configure SAML Attributes | User identity data must be available in the IDaaS system; SSO configuration must be set up for the application; Access to the SAML Attribute Statements panel in the console | Configure attribute mapping rules for SAML assertions. |
| Configure SAML Accounts | Console > IDaaS > Applications > SSO Settings > Configure Identity Mapping | An SAML application already configured in IDaaS; Administrative access to the IDaaS console; User accounts created in IDaaS | Map SAML identity provider attributes to IDaaS accounts. |
| SCIM Provisioning from IDaaS | Console > IDaaS (EIAM) > Application Management > Account Synchronization | Application must support SCIM protocol; Outbound IP address of IDaaS (EIAM) must be added to application's allowlist; Authentication method (OAuth 2.0 or Bearer Token) must be configured in target application | Provision user accounts from IDaaS to external systems via SCIM. |
| Account Synchronization - Event Callback | Console > IDaaS > Applications > Synchronize IDaaS Users on Application | Application must have a publicly accessible URL endpoint; Security allowlist must be configured for IDaaS outbound IPs; Public key must be obtained from IDaaS for signature verification | Set up event callbacks for account synchronization triggers. |
| Connect an AD as an Inbound Identity Provider | Console > IDaaS > Identity Providers > Add Identity Provider > Select AD | An existing Active Directory environment; Administrative access to the AD server; Network connectivity between IDaaS and AD; A dedicated or shared network endpoint configured for secure communication | Connect Active Directory as an inbound identity source for IDaaS. |
| Connect to an Outbound Active Directory | IDaaS Console > Identity Provider > Egress > Add Identity Provider | An IDaaS instance must be created and configured; The AD server must be accessible from the internet or via a private network; A dedicated or shared network endpoint must be configured if required; The AD administrator account with read permissions must be available | Configure IDaaS to push identities to an outbound Active Directory. |
| Sync Accounts to DingTalk | Console > IDaaS > Quick Start or Identity Provider > Bind DingTalk > Outbound | An Alibaba Cloud IDaaS (EIAM) instance on Enterprise Edition or higher; Access to the DingTalk Open Platform with the CorpId for your organization; Access to the DingTalk Admin Console; The ability to create and configure applications in DingTalk Internal Enterprise Development | Bind IDaaS to DingTalk for account synchronization. |
| Connect to OpenLDAP (Inbound) | Console > Identity Providers > Inbound > OpenLDAP > Add | An existing OpenLDAP server configured with proper access controls; Administrative credentials for the LDAP server (DN and password); Network connectivity between IDaaS and the LDAP server (via public or private network endpoint) | Connect OpenLDAP as an inbound identity provider to IDaaS. |
| Bind IDaaS to OpenLDAP Outbound | IdPs > Outbound > Add Outbound > OpenLDAP | An IDaaS instance with console access; An OpenLDAP server with an administrator account that has at least read permission; The administrator account in Distinguished Name (DN) format — for example, cn=admin,ou=Technical Department,dc=example,dc=com; A dedicated network access endpoint if you want to access your LDAP server over an Alibaba Cloud VPC private network | Configure IDaaS to synchronize accounts to an outbound OpenLDAP server. |
| Integrate Google Workspace with SAML IdP | Console > IDaaS > Identity Providers > SAML | Super administrator access to Google Workspace; Alibaba Cloud IDaaS EIAM instance activated; Access to the IDaaS management console | Bind Google Workspace as a SAML identity provider to IDaaS. |
| Bind Microsoft Entra ID as a SAML Identity Provider | Console > Identity Management > Identity Providers > Create Identity Provider | Global Administrator or Application Administrator role in Microsoft Entra ID; An Alibaba Cloud IDaaS EIAM instance with access to its management console | Configure Microsoft Entra ID as a SAML identity provider for IDaaS. |
| Account Lifecycle | Console > IDaaS > Account Management > Create Account | Administrator account access; Completion of preparations for calling management-side APIs | Manage the full lifecycle of user accounts including creation, enabling, disabling, archiving, and deletion. |
| Accounts | Console > Identity & Access Management > Accounts | Administrator privileges; Valid email address for account registration | General account management operations in IDaaS. |
| Create Accounts and Organizations | Console > IDaaS > Accounts > Create Account | An existing identity provider (DingTalk, AD, OpenLDAP, WeCom, OIDC) if using IdP import; API access credentials if using API import; Admin privileges to create accounts in the console | Create new user accounts and organizational units. |
| Create an Application | Console > IDaaS > Applications > Create Application | An active IDaaS account with administrative privileges; A valid domain name registered in the system | Create a new application entry in IDaaS for SSO or API integration. |
| Manage Applications | Console > IDaaS > Applications > Manage Applications | User must have administrative privileges in the IDaaS console; An identity provider (IdP) must be configured; A service provider (SP) must be registered | Perform management operations on existing applications in IDaaS. |
| Manage Credentials | Application Identity Management Console > EIAM > Console > Asset Management > Credential | EIAM instance must be created; Required service-linked role must be in place | Manage authentication credentials for IDaaS applications and integrations. |
| Branding | Console > IDaaS > Branding | An active IDaaS instance must be selected in the console; Access to the IDaaS console with appropriate permissions | Customize the branding elements of IDaaS user interfaces. |

## Step-by-Step Instructions

### Quick Start CIAM

**Navigation**: Console > CIAM > Instance List > Purchase Instance

**Prerequisites**:
- An Alibaba Cloud account
- (For RAM users) The AliyunYundunIdaasFullAccess permission granted by your account administrator

1. **Log on to the CIAM console and click Purchase Instance**
   - Element: **Purchase Instance** (button) — top-right corner

2. **Select Region and Specifications, then click Buy Now**
   - Element: **Buy Now** (button) — main content area

3. **Return to the console to verify the instance appears in your instance list**
   - Element: (none)

4. **Log on to the RAM console and confirm the target RAM user has the AliyunYundunIdaasFullAccess permission**
   - Element: (none)

5. **Log on to the CIAM console with your Alibaba Cloud account and click the instance ID to open its management console**
   - Element: (none)

6. **Go to Settings > Other Settings > Administrator account and click Add administrator**
   - Element: **Add administrator** (button) — main content area

7. **Fill in Account name, RAM sub-account, External ID, and Authorized role, then save**
   - Element: (none)

8. **In the instance management console, go to Application > Application Management and click Add an application**
   - Element: **Add an application** (button) — main content area

9. **Set Icon, Application Name, Application Type, and SSO Protocol**
   - Element: (none)
   - Notes: Image shown: application configuration form

10. **After creating an application, configure and maintain it**
    - Element: (none)
    - Notes: Images shown: application settings and configuration panels

11. **On the Application Management page, find the application and click Configure in the Actions column**
    - Element: **Configure** (button) — Actions column

12. **On the Application Settings page, click the Registration And Logon Settings tab**
    - Element: **Registration And Logon Settings** (tab) — top navigation
    - Notes: Image shown: login method configuration panel

13. **Set the Primary Logon Method to either Phone Code or Password-based Logon**
    - Element: (none)

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Account name | text_input | Yes | — | The username for the administrator account |
| RAM sub-account | text_input | Yes | — | The RAM user's account ID |
| External ID | text_input | Yes | — | A unique identifier used for cross-account trust |
| Authorized role | dropdown | Yes | Administrator, Developer, Viewer | The role assigned to the RAM user in the IDaaS console |
| Icon | text_input | No | — | Upload or select an icon for the application |
| Application Name | text | Yes | — | The name of the customer-facing service protected by CIAM |
| Application Type | dropdown | Yes | Website, Mobile App, Mini Program, Management Console | The type of application being created |
| SSO Protocol | dropdown | Yes | SAML 2.0, OAuth 2.0, OpenID Connect | The single sign-on protocol used by the application |
| Primary Logon Method | radio | Yes | Phone Code, Password-based Logon | The default login method displayed on the login page |

### Manage RAM Users and Policies

**Navigation**: Console > IDaaS > Identity Management

**Prerequisites**:
- Alibaba Cloud account with administrator permissions
- RAM user or RAM role with administrative privileges to create new RAM users

1. **Click Create RAM User**
   - Element: **Create RAM User** (button) — top-right corner of the RAM Users page

2. **Select access mode: Console Access or OpenAPI Call Access**
   - Element: **Access Mode** (dropdown) — main content area
   - Notes: Separate human users from programmatic users to prevent operational errors

3. **Enable MFA for console users**
   - Element: **Enable MFA** (checkbox) — Security Settings section
   - Notes: Recommended for enhanced security

4. **Assign minimum required permissions**
   - Element: **Permissions** (text_input) — Permissions tab
   - Notes: Follow the principle of least privilege

5. **Add RAM user to relevant RAM user groups**
   - Element: **Add to Group** (button) — User Details panel
   - Notes: Use groups to manage permissions in bulk

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| User Name | text_input | Yes | — | Unique identifier for the RAM user |
| Access Mode | radio | Yes | Console Access, OpenAPI Call Access | Determines how the user accesses Alibaba Cloud resources |
| Enable MFA | toggle | No | — | Enables multi-factor authentication for console sign-in |
| Permissions | dropdown | Yes | Administrator, ReadOnly, Custom Policy | Specifies the level of access granted to the user |

### Manage Groups

**Navigation**: Console > IDaaS > Groups > Modify > Members (Accounts)

**Prerequisites**:
- An IDaaS instance
- The role or permission required to manage group members

1. **Go to the group menu and select the Modify tab**
   - Element: **Modify** (menu) — left navigation panel

2. **Select the Members (Accounts) tab**
   - Element: **Members (Accounts)** (tab) — main content area

3. **Add or remove members using the interface**
   - Element: **Add** / **Remove** (button or input field) — main content area
   - Notes: Supports batch addition or deletion of members

### Username and Password Authentication

**Navigation**: Console > IDaaS > Identity Management > Account Authentication > Username and Password Authentication

**Prerequisites**:
- An active IDaaS CIAM instance
- SMS gateway configured in IDaaS (via Cloud Communication)

1. **Navigate to the account password authentication settings page**
   - Element: **Username and Password Authentication** (link) — left navigation panel

2. **Review the registration and logon flow diagrams**
   - Element: **Registration Flow Diagram** (icon) — main content area
   - Notes: Image shows the service invocation sequence for registration. For API details, contact the IDaaS product team.

3. **View the logon flow diagram**
   - Element: **Logon Flow Diagram** (icon) — main content area
   - Notes: Image shows the logon process. For API documentation, contact the IDaaS product team.

4. **Configure brute-force attack protection**
   - Element: **Brute-force Attack Protection** (toggle) — Security Configurations section
   - Notes: Enabled by default; triggers CAPTCHA after 2 failed attempts within 3 minutes.

5. **Ensure phone number is required during registration**
   - Element: **Required Registration Information** (checkbox) — Security Configurations section
   - Notes: Verified phone number is mandatory by default.

6. **Enable two-factor authentication for specific applications**
   - Element: **Two-Factor Authentication** (dropdown) — Security Configurations section
   - Notes: Select 'Text Message CAPTCHA' to enable 2FA for selected apps.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Phone Number Verification | checkbox | Yes | — | Enables requirement for a verified phone number during account registration. |
| Brute-Force Protection | toggle | No | Enabled, Disabled | Activates CAPTCHA challenge after multiple failed login attempts. |
| Two-Factor Authentication Method | dropdown | No | None, Text Message CAPTCHA | Specifies the secondary authentication method for enhanced security. |
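The default brute-force rule stated above (CAPTCHA after 2 failed attempts within 3 minutes) is a per-account sliding window; the following is an added illustration of that policy, not IDaaS code, and the class and function names and the reset-on-success rule are assumptions.

```python
"""Sliding-window model of the console's default brute-force protection:
a CAPTCHA challenge is required once an account has 2 failed logon
attempts within 3 minutes. Added illustration, not IDaaS code; the
thresholds are the ones stated in the guide, the class and function names
and the reset-on-success rule are assumptions."""
from collections import defaultdict, deque

FAILURE_THRESHOLD = 2      # failed attempts ...
WINDOW_SECONDS = 3 * 60    # ... within this many seconds trigger a CAPTCHA


class BruteForceProtection:
    """Tracks recent failed logons per account (timestamps in seconds)."""

    def __init__(self, enabled=True, threshold=FAILURE_THRESHOLD,
                 window=WINDOW_SECONDS):
        self.enabled = enabled
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)   # account -> failure times, oldest first

    def _recent(self, account, now):
        """Drop failures that have aged out of the window; return what is left."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def captcha_required(self, account, now):
        """True when the next attempt for this account must solve a CAPTCHA first."""
        if not self.enabled:
            return False
        return len(self._recent(account, now)) >= self.threshold

    def record_failure(self, account, now):
        self._recent(account, now).append(now)

    def record_success(self, account):
        # A successful logon clears the account's failure history (assumed rule).
        self._failures.pop(account, None)


def simulate(events, enabled=True):
    """Run (timestamp, account, password_ok) events through the policy.

    Returns one decision per event, in timestamp order: 'captcha' when the
    attempt is held until a CAPTCHA is solved (the password is not checked at
    all), otherwise 'ok' or 'fail'.
    """
    policy = BruteForceProtection(enabled=enabled)
    decisions = []
    for now, account, password_ok in sorted(events):
        if policy.captcha_required(account, now):
            decisions.append("captcha")
            continue
        if password_ok:
            policy.record_success(account)
            decisions.append("ok")
        else:
            policy.record_failure(account, now)
            decisions.append("fail")
    return decisions


# Constructed sample: alice fails twice within 3 minutes, bob fails once.
SAMPLE_EVENTS = [
    (0, "alice", False),
    (0, "bob", False),
    (60, "alice", False),
    (90, "alice", False),   # 2 failures in the window -> CAPTCHA
    (100, "bob", True),     # bob is tracked separately and logs on
    (200, "alice", False),  # failure at t=0 has aged out, attempt is processed
    (210, "alice", True),   # right password, but still 2 recent failures
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
```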

### Configure SMS Gateway

**Navigation**: Console > CIAM > Advanced Settings > Gateway

1. **Log on to the IDaaS console and manage the desired IDaaS instance**
   - Element: **Manage** (button) — Actions column

2. **Navigate to the advanced settings section for gateways**
   - Element: **Advanced Settings** (menu) — left navigation pane

3. **Select the China Mobile tab for the SMS service provider**
   - Element: **China Mobile** (tab) — gateway configuration panel
   - Notes: Image shows the gateway configuration interface with form fields.

4. **Fill in the required parameters including API endpoint, API account, API password, and SMS signature**
   - Element: (none)
   - Notes: Fields include: Gateway name, API endpoint, API account, API password, SMS signature. Optional fields are also present.

5. **Click Save to apply the configuration**
   - Element: **Save** (button) — bottom of the form

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Gateway name | text | Yes | — | A custom name for the gateway. |
| Gateway number | text | No | — | An optional gateway number from your SMS service provider. |
| API endpoint | text | Yes | — | The API endpoint from your SMS service provider. |
| API account | text | Yes | — | The account ID from your SMS service provider. |
| API password | text | Yes | — | The password for your API account. |
| SMS signature | text | Yes | — | The SMS signature that is prefixed to every message. |
| API extension field | text | No | — | Optional additional parameters required by your provider. |
| Gateway description | text | No | — | An optional description for the gateway. |
| Enable SMS gateway | checkbox | No | — | Enables or disables the gateway. |
| Test SMS content | text | No | — | The content of the test message. |
| Send test message | text | No | — | The destination phone number for the test message. |

### Manage Application Client Secret

**Navigation**: Console > Identity & Access Management > Applications > Select Application > Security Settings > Client Secrets

**Prerequisites**:
- An application must be created in IDaaS
- User must have 'Manage Client Secrets' permission

1. **Click the 'Create Client Secret' button**
   - Element: **Create Client Secret** (button) — Security Settings tab

2. **Enter a description for the secret and click 'Confirm'**
   - Element: **Confirm** (button) — Create Secret dialog
   - Notes: The secret value will be displayed only once. Save it securely.

3. **To rotate the secret, click the 'Rotate' button next to the existing secret**
   - Element: **Rotate** (button) — Client Secrets list

4. **To revoke a secret, select it and click 'Revoke'**
   - Element: **Revoke** (button) — Client Secrets list
   - Notes: Revoked secrets cannot be used for authentication.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Description | text_input | No | — | A brief description to identify the purpose of the client secret |
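The lifecycle the console exposes (value shown once, rotate, revoke) is easier to reason about as a small store; the following is an added illustration, not IDaaS code, and the class name and the rule that a rotated secret stays valid until it is explicitly revoked are assumptions.

```python
"""Model of the client-secret lifecycle exposed by the console: a secret is
shown once at creation and only a hash is kept, a rotation issues a
replacement, and a revoked secret never authenticates again. Added
illustration, not IDaaS code; the names and the rule that the previous
secret stays valid after rotation until it is explicitly revoked are
assumptions."""
import hashlib
import hmac
import secrets


class ClientSecretStore:
    """Holds client secrets for one application. Plaintext never persists."""

    def __init__(self):
        self._records = {}    # secret_id -> {"digest", "description", "active"}
        self._next_id = 1

    @staticmethod
    def _digest(secret):
        # Secrets are 256-bit random values, so an unsalted SHA-256 is enough
        # to make the stored form useless to anyone who reads the store.
        return hashlib.sha256(secret.encode()).hexdigest()

    def create(self, description=""):
        """Issue a new secret; the plaintext is returned exactly once."""
        secret = secrets.token_urlsafe(32)
        secret_id = f"cs-{self._next_id}"
        self._next_id += 1
        self._records[secret_id] = {"digest": self._digest(secret),
                                    "description": description, "active": True}
        return secret_id, secret

    def rotate(self, secret_id):
        """Issue a replacement with the same description. The old secret keeps
        working until revoke() is called, so clients can switch without an outage."""
        old = self._records[secret_id]
        return self.create(old["description"])

    def revoke(self, secret_id):
        """Permanently disable a secret; it can never authenticate again."""
        self._records[secret_id]["active"] = False

    def verify(self, presented):
        """Return the id of the active secret matching `presented`, else None."""
        digest = self._digest(presented)
        match = None
        for secret_id, rec in self._records.items():
            # Compare every record so timing does not reveal which ids exist.
            if hmac.compare_digest(digest, rec["digest"]) and rec["active"]:
                match = secret_id
        return match

    def status(self, secret_id):
        return "active" if self._records[secret_id]["active"] else "revoked"


if __name__ == "__main__":
    store = ClientSecretStore()
    sid, value = store.create("backend api")
    print(sid, store.verify(value) == sid)
```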

### Manage Application Authorization

**Navigation**: Console > Identity Management > Application Authorization

**Prerequisites**:
- User must have administrative privileges
- Application must be registered in the IDaaS system

1. **Navigate to the Application Authorization section**
   - Element: **Application Authorization** (link) — left navigation panel

2. **Select the application for which you want to manage authorization**
   - Element: **Select Application** (dropdown) — main content area
   - Notes: Applications are listed alphabetically by name.

3. **Click the 'Edit Permissions' button to modify access rights**
   - Element: **Edit Permissions** (button) — top-right corner
   - Notes: Only administrators can perform this action.

4. **Assign roles to users or groups**
   - Element: **Assign Roles** (button) — right sidebar
   - Notes: Roles include Admin, Editor, Viewer. Use the search bar to find specific users or groups.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Role Assignment | dropdown | Yes | Admin, Editor, Viewer | Select the role to assign to the selected user or group. |
| User/Group Search | text_input | Yes | — | Enter the name of the user or group to assign a role to. |

### Manage Application Roles

**Navigation**: Console > Identity & Access Management > Application Roles > Manage Roles

**Prerequisites**:
- User must have administrative privileges in IDaaS
- An application must already be created in the system

1. **Navigate to the Application Roles section**
   - Element: **Application Roles** (menu) — left navigation panel

2. **Click the Create Role button to start creating a new role**
   - Element: **Create Role** (button) — top-right corner of the main content area
   - Notes: The button is only visible if the user has the necessary permissions.

3. **Enter the role name and description in the form fields**
   - Element: **Role Name** (text_input) — main form area
   - Notes: The role name must be unique within the tenant.

4. **Select permissions from the available list using checkboxes**
   - Element: **Permissions** (checkbox) — permissions section of the form
   - Notes: Multiple permissions can be selected. Each permission corresponds to a specific action on an application.

5. **Click Save to finalize the role creation**
   - Element: **Save** (button) — bottom of the form
   - Notes: After saving, the role appears in the role list.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Role Name | text | Yes | — | The unique identifier for the role. Must not contain special characters. |
| Description | text | No | — | A brief explanation of the role's purpose or scope. |
| Permissions | checkbox | Yes | Read application data, Write application data, Delete application data, Manage role assignments | Select one or more permissions that define what actions the role can perform. |

### Configure SSO for Application

**Navigation**: Console > Identity & Access Management > SSO Configuration > Applications

**Prerequisites**:
- An active IDaaS account with admin privileges
- A configured Identity Provider (IdP)
- The application to be integrated must support SAML 2.0

1. **Navigate to the SSO Configuration section in the IDaaS console**
   - Element: **SSO Configuration** (menu) — left navigation panel

2. **Click on 'Applications' to view the list of managed applications**
   - Element: **Applications** (tab) — top navigation bar

3. **Click the 'Add Application' button to start the configuration wizard**
   - Element: **Add Application** (button) — top-right corner
   - Notes: This opens a modal dialog with configuration options.

4. **Select the application type from the dropdown menu**
   - Element: **Application Type** (dropdown) — main content area
   - Notes: Options include: Custom SAML, Salesforce, Microsoft Azure, Google Workspace, etc.

5. **Enter the application name and description**
   - Element: **Application Name** (text_input) — form fields section
   - Notes: The name must be unique within the tenant.

6. **Upload the application's metadata file or manually enter the SAML configuration details**
   - Element: **Upload Metadata File** (button) — form fields section
   - Notes: Alternatively, use the 'Manual Configuration' option to input the IdP entity ID, ACS URL, and certificate.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Name | text | Yes | — | The display name for the application in the user portal. |
| Application Type | dropdown | Yes | Custom SAML, Salesforce, Microsoft Azure, Google Workspace | Specifies the pre-configured template for the application's SAML settings. |
| Description | text | No | — | Optional field to provide additional context about the application. |
| Entity ID | text | Yes | — | The unique identifier for the service provider (SP) in the SAML protocol. |
| ACS URL | text | Yes | — | The URL where the IdP should send the SAML response. |
| Certificate | text | Yes | — | The public X.509 certificate used to verify SAML assertions. |

### Add Administrator

**Navigation**: Console > Settings > Administrator Accounts > Create Administrator

**Prerequisites**:
- An Alibaba Cloud RAM sub-account must exist
- The RAM sub-account must have the AliyunYundunIdaasFullAccess permission in RAM
- The sub-account UID must be bound to CIAM as an administrator

1. **Sign in to the IDaaS console**
   - Element: **IDaaS console** (link) — top navigation bar

2. **Click Settings in the left-side navigation pane**
   - Element: **Settings** (menu) — left navigation panel

3. **Click the Administrator Accounts section**
   - Element: **Administrator Accounts** (tab) — main content area

4. **Click the Create Administrator button**
   - Element: **Create Administrator** (button) — top-right corner
   - Notes: This button is labeled as 'New' in some regions.

5. **Select an authorized role from the dropdown**
   - Element: **authorized role** (dropdown) — form field
   - Notes: The available roles are shown in a screenshot; six roles are defined with different permissions.

### Manage Third-Party Login Accounts

**Navigation**: Console > Identity & Access Management > Third-Party Logon Accounts

**Prerequisites**:
- Administrator privileges in the IDaaS console
- A valid OAuth or OpenID Connect provider configured externally

1. **Click on 'Third-Party Logon Accounts' in the left navigation panel**
   - Element: **Third-Party Logon Accounts** (menu) — left navigation panel

2. **Click the 'Add Identity Provider' button to start configuring a new third-party login**
   - Element: **Add Identity Provider** (button) — top-right corner
   - Notes: The button is only visible if the user has administrative permissions.

3. **Select the type of identity provider from the dropdown menu**
   - Element: **Provider Type** (dropdown) — main content area
   - Notes: Options include: Google, Microsoft AD, Facebook, Custom OAuth, Custom OpenID Connect

4. **Enter the client ID and client secret provided by the third-party provider**
   - Element: **Client ID** (text_input) — form fields section
   - Notes: These credentials are obtained from the third-party provider's developer portal.

5. **Configure the redirect URI and scopes as required by the provider**
   - Element: **Redirect URI** (text_input) — form fields section
   - Notes: Ensure the redirect URI matches exactly what is registered with the identity provider.

6. **Click 'Save' to complete the configuration**
   - Element: **Save** (button) — bottom of the form
   - Notes: After saving, the identity provider will appear in the list of managed third-party logon accounts.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Provider Type | dropdown | Yes | Google, Microsoft AD, Facebook, Custom OAuth, Custom OpenID Connect | Select the type of third-party identity provider to integrate. |
| Client ID | text | Yes | — | The unique identifier assigned by the third-party provider for your application. |
| Client Secret | text | Yes | — | The confidential key used to authenticate your application with the identity provider. |
| Redirect URI | text | Yes | — | The URL where the identity provider redirects after authentication. |
| Scopes | text | No | — | Permissions requested from the user during login. Default is openid, profile, email. |

### Synchronize User Accounts

**Navigation**: Console > IDaaS > Application Synchronization > Event Configuration

**Prerequisites**:
- Application integration configured in IDaaS console
- HTTPS endpoint ready to receive callbacks
- Business data encryption option enabled if sensitive data is transmitted

1. **Click the Test connection button**
   - Element: **Test connection** (button) — top-right corner of the event configuration panel
   - Notes: This triggers a test event to validate connectivity, signature verification, and encryption settings.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Event type | dropdown | Yes | Test event, Incremental event, Full event | Select the type of event to configure for synchronization. |
| Callback URL | text_input | Yes | — | Enter the HTTPS endpoint URL where IDaaS will send event notifications. |
| Business data encryption | checkbox | No | — | Enable this option to encrypt sensitive data during transmission. |

### Integrate Account Provisioning

**Navigation**: Console > Identity & Access Management > Account Provisioning > Integrate Account Provisioning

**Prerequisites**:
- An active IDaaS instance is configured
- Access to the target system's API or integration endpoint
- Administrative privileges in both IDaaS and the target system

1. **Navigate to the Account Provisioning section in the IDaaS console**
   - Element: **Account Provisioning** (menu) — left navigation panel

2. **Click the 'Integrate Account Provisioning' button to start the setup wizard**
   - Element: **Integrate Account Provisioning** (button) — main content area
   - Notes: This opens a guided configuration flow for setting up integration with external systems.

3. **Select the target system from the dropdown list of supported integrations**
   - Element: **Target System** (dropdown) — form field section
   - Notes: Available options include Active Directory, Salesforce, SAP, and custom APIs.

4. **Enter the API endpoint URL and authentication credentials for the target system**
   - Element: **API Endpoint URL** (text_input) — form field section
   - Notes: Ensure the endpoint is accessible from the IDaaS environment. Use HTTPS for secure connections.

5. **Test the connection by clicking the 'Test Connection' button**
   - Element: **Test Connection** (button) — bottom of form
   - Notes: A success message confirms connectivity; otherwise, review the error details and correct configuration.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Target System | dropdown | Yes | Active Directory, Salesforce, SAP, Custom API | Choose the system where user accounts will be provisioned. |
| API Endpoint URL | text | Yes | — | The full URL of the target system's account creation API endpoint. |
| Authentication Method | dropdown | Yes | API Key, OAuth 2.0, Basic Auth | Select the method used to authenticate with the target system. |
| API Key | text | No | — | Enter the API key if using API Key authentication. |

### Integrate Single Sign-On (SSO)

**Navigation**: Console > Identity & Access Management > SSO Integration > Configure SSO

**Prerequisites**:
- An active IDaaS account with administrative privileges
- A configured Identity Provider (IdP) such as AD, Okta, or Ping Identity
- Access to the Service Provider (SP) application metadata (e.g., SAML metadata XML file)
- Network connectivity between the IdP and IDaaS

1. **Navigate to the SSO Integration section in the IDaaS console**
   - Element: **SSO Integration** (menu) — left navigation panel

2. **Click the 'Add New SSO Configuration' button to start the setup wizard**
   - Element: **Add New SSO Configuration** (button) — main content area
   - Notes: This button is only visible to users with admin roles

3. **Select the identity provider type from the dropdown menu**
   - Element: **Identity Provider Type** (dropdown) — form field group
   - Notes: Options include: AD, Okta, Ping Identity, Custom SAML, Custom OIDC

4. **Upload the SP metadata file or paste the SAML metadata XML content**
   - Element: **Upload Metadata File** (file_input) — main content area
   - Notes: The file must be in .xml format and contain valid SAML metadata

5. **Review and confirm the configuration details before saving**
   - Element: **Confirm and Save** (button) — bottom of form
   - Notes: A preview of the SSO settings will be displayed for verification

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Identity Provider Type | dropdown | Yes | AD, Okta, Ping Identity, Custom SAML, Custom OIDC | Choose the type of identity provider you are integrating with. |
| Metadata Source | radio | Yes | Upload File, Paste XML Content | Specify how you will provide the service provider metadata. |
| Upload Metadata File | file_input | No | — | Upload the SAML metadata XML file from your service provider. |
| Paste XML Content | text_input | No | — | Paste the raw SAML metadata XML content here if you cannot upload a file. |
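Both SSO procedures above (Configure SSO for Application and Integrate Single Sign-On) take SAML metadata and ask for the same values: Entity ID, ACS URL and certificate. The following is an added example, not IDaaS code, that extracts those from SP metadata XML and runs the checks an IdP administrator wants before saving; SAMPLE_METADATA is constructed, its certificate is a placeholder, and the function names are assumptions.

```python
"""Parse SAML 2.0 service-provider metadata (the file uploaded or XML pasted
in the SSO wizards) and extract what the console asks for: Entity ID, ACS
URL(s) and signing certificate, then review the result. Added example, not
IDaaS code; the sample metadata is constructed and its certificate body is
a placeholder, not a real certificate."""
import xml.etree.ElementTree as ET   # parse untrusted uploads with defusedxml instead
from dataclasses import dataclass

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata; the X509Certificate body is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBPLACEHOLDERCERT
        BODYSPLITOVERLINES
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


@dataclass
class SPMetadata:
    entity_id: str
    acs_urls: list          # (binding, location) pairs, default/lowest index first
    signing_certs: list     # base64 certificate bodies with whitespace removed
    want_assertions_signed: bool


def parse_sp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID missing")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    acs = []
    for el in sp.findall(MD + "AssertionConsumerService"):
        acs.append((el.get("isDefault") != "true", int(el.get("index", "0")),
                    el.get("Binding", ""), el.get("Location", "")))
    acs.sort()   # isDefault="true" first, then ascending index

    certs = []
    for kd in sp.findall(MD + "KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue   # use="encryption" keys never verify the SP's signatures
        for c in kd.iter(DS + "X509Certificate"):
            certs.append("".join((c.text or "").split()))

    return SPMetadata(entity_id, [(b, loc) for _, _, b, loc in acs], certs,
                      sp.get("WantAssertionsSigned", "false").lower() == "true")


def review(meta):
    """Findings an IdP administrator should resolve before saving the SP."""
    findings = []
    if not meta.acs_urls:
        findings.append("no AssertionConsumerService: nowhere to send the SAML response")
    for _, location in meta.acs_urls:
        if not location.startswith("https://"):
            findings.append(f"ACS URL {location} is not HTTPS")
    if not meta.signing_certs:
        findings.append("no signing certificate: signed SP requests cannot be verified")
    if not meta.want_assertions_signed:
        findings.append("WantAssertionsSigned is false: SP does not require signed assertions")
    return findings


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_METADATA)
    print(meta.entity_id, meta.acs_urls[0], review(meta))
```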

### Create an IDaaS SSO Application

**Navigation**: Console > IDaaS > Instance List > Create Instance > Accounts and Orgs > Create Account > Application Management > Applications > Add Application

**Prerequisites**:
- An Alibaba Cloud account
- A RAM user whose username matches the IDaaS account username

1. **Go to the Alibaba Cloud IDaaS console and open the EIAM 2.0 instance list page**
   - Element: **Alibaba Cloud IDaaS console** (link) — top of the page

2. **Click Create Instance and agree to the terms**
   - Element: **Create Instance** (button) — main content area

3. **After creation, click the instance ID or Access Console to open the IDaaS Management Console**
   - Element: **Access Console** (button) — lower-right corner

4. **Click Trial version to start a 15-day trial**
   - Element: **Trial version** (button) — lower-right corner
   - Notes: Each instance supports one trial

5. **In the navigation pane, go to Accounts and Orgs and click Create Account**
   - Element: **Create Account** (button) — navigation pane

6. **Fill out the form to add your first account**
   - Element: (none)
   - Notes: Image shows the account creation form

7. **After account creation, get the instance logon page URL from the Quick Start page**
   - Element: **Quick Start** (tab) — top of the page

8. **Go to Application Management > Applications > Add Application**
   - Element: **Add Application** (button) — navigation pane

9. **Find the Alibaba Cloud User SSO template and click Add Application**
   - Element: **Add Application** (button) — application marketplace

10. **Enter an Application Name and click Add Immediately**
    - Element: **Add Immediately** (button) — bottom of the form
    - Notes: Image shows the configuration page after adding

11. **On the SSO configuration panel, download the metadata file**
    - Element: **Download** (button) — bottom of the page
    - Notes: Contains all SSO configuration details for RAM

12. **On the Application authorization tab, click Authorize and select accounts to authorize**
    - Element: **Authorize** (button) — Application authorization tab

13. **Go to the RAM SSO configuration page and switch to the User-based SSO tab**
    - Element: **User-based SSO** (tab) — top of the page

14. **Click Edit and set the SSO status to Enabled**
    - Element: **Edit** (button) — top of the page

15. **Upload the metadata file downloaded from IDaaS**
    - Element: (none)
    - Notes: Image shows the upload interface

16. **Click OK to save the configuration**
    - Element: **OK** (button) — bottom of the form

17. **Open the user portal URL in a browser and log on with the created account**
    - Element: (none)
    - Notes: Get the URL from the Quick Start page or User Portal column

18. **Click the Alibaba Cloud User SSO application to initiate SSO**
    - Element: **Alibaba Cloud User SSO** (button) — user portal dashboard

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Name | text | Yes | — | The name of the SSO application to be created |

### Integrate IDaaS with Applications

**Navigation**: API Debugging > Select API operation > Generate sample code

**Prerequisites**:
- Access to Alibaba Cloud OpenAPI Portal
- API credentials for IDaaS

1. **Navigate to the Alibaba Cloud OpenAPI Portal**
   - Element: **Alibaba Cloud OpenAPI Portal** (link) — top navigation bar

2. **Select an API operation from the left-side navigation pane**
   - Element: **API operation** (menu) — left-side navigation panel

3. **Choose a programming language and click Download Project**
   - Element: **Download Project** (button) — right-side pane
   - Notes: Available languages: Java, Python, Go, PHP, C#, C++, TypeScript

4. **Go to the API Debugging tab and enter parameters**
   - Element: **API Debugging** (tab) — main panel
   - Notes: Enter request parameters and execute the call directly in the browser

5. **View the response on the Response tab**
   - Element: **Response** (tab) — main panel
   - Notes: For data-modifying operations, verify changes directly in the IDaaS instance

### Integrate IDaaS with Jushita

**Navigation**: Console > IDaaS > Integration > Jushita Integration

**Prerequisites**:
- Exclusive edition of IDaaS
- Access to DingTalk group 33623553
- Obtain the 'IDaaS-Jushita Integration Document'

1. **Search for group 33623553 in DingTalk**
   - Element: **group 33623553** (link) — DingTalk search bar
   - Notes: Join the product technical support group to contact the Alibaba Cloud IDaaS team.

2. **Contact the Alibaba Cloud IDaaS team to obtain the integration document**
   - Element: **contact the Alibaba Cloud IDaaS team** (button) — within the DingTalk group chat
   - Notes: The document contains the purchase link and integration instructions.

3. **Use the purchase link provided in the document**
   - Element: **purchase link** (link) — in the integration document
   - Notes: Direct purchases from the Alibaba Cloud website are not supported.

### Create User with 2FA

**Navigation**: Console > IDaaS > Jushita Integration

**Prerequisites**:
- Download and install Postman
- Have access to the Jushita instance public API domain name
- Obtain API Key and API Secret from IDaaS console
- Have a valid merchant name and ivsAppKey
- Ensure the Jushita version is idaas-jst-xxx

1. **Download the Postman collection file**
   - Element: **Jushita.postman_collection.json** (link) — top of the page

2. **Import the downloaded file into Postman**
   - Element: **Import** (button) — top-left corner of Postman
   - Notes: Use the 'Import' button in the top-left corner of Postman v9.15.4

3. **Create a new environment in Postman**
   - Element: **Environment** (dropdown) — top-right corner
   - Notes: After importing, switch to the newly created environment

4. **Execute the 'Initialize variables' request**
   - Element: **Initialize variables** (request) — left navigation panel
   - Notes: Enter any URL; the only purpose of this request is to run its script

5. **Retrieve the host value from the instance public API domain name**
   - Element: **Instance Public API Domain Name** (text_input) — IDaaS console
   - Notes: Ensure the Jushita version is idaas-jst-xxx

6. **Extract clientId and clientSecret from the API Key and API Secret fields**
   - Element: **API Key** (text_input) — IDaaS console
   - Notes: API Key = clientId, API Secret = clientSecret

7. **Set user information (username, password, phoneNumber) for account creation**
   - Element: **User Information** (text_input) — Postman request body
   - Notes: Ensure the password meets the policy constraints

8. **Obtain merchantName from the console or via API**
   - Element: **Shopkeeper** (text_input) — IDaaS console
   - Notes: If the API returns a different value, use the API result

9. **Retrieve ivsAppKey from the App Key field**
   - Element: **App Key** (text_input) — IDaaS console
   - Notes: An incorrect value will cause scoring failure

10. **Execute 'Get the AccessToken' request**
    - Element: **Get the AccessToken** (request) — left navigation panel
    - Notes: This token is required for subsequent API calls

11. **Query organizations and add the last one to environment variables**
    - Element: **Organization / query** (request) — left navigation panel
    - Notes: This organization must be used when creating a user

12. **Create a new user using the retrieved organization**
    - Element: **User / New** (request) — left navigation panel
    - Notes: Enable two-factor authentication in the IDaaS console after user creation

13. **Log in to trigger signature calculation and password encryption**
    - Element: **Log on** (request) — left navigation panel
    - Notes: The `fid` environment variable is automatically added if 2FA is enabled

14. **Send a text message 2FA verification code using the `fid`**
    - Element: **Text message 2FA - Send verification code** (request) — left navigation panel
    - Notes: The `fid` is updated after sending

15. **Verify the received 2FA code using the updated `fid`**
    - Element: **Text message 2FA - Verify verification code** (request) — left navigation panel
    - Notes: Pass the code received on the mobile phone

16. **Log in again to retrieve the binding QR code**
    - Element: **Log on** (request) — left navigation panel
    - Notes: Same as previous login step

17. **Convert base64QRCode to image using a Base64 converter**
    - Element: **data:image/png;base64,** (text_input) — browser
    - Notes: Prefix the Base64 string with this data URI scheme so the browser renders the QR code

18. **Scan the QR code using Google Authenticator or another authenticator app**
    - Element: **Google Authenticator** (link) — mobile device
    - Notes: Use the app to scan and obtain the OTP Code

19. **Bind the OTP code by entering it in the 'OTP - Bind' request**
    - Element: **OTP - Bind** (request) — left navigation panel
    - Notes: If `fid` expires, log in again and repeat the process

20. **Verify OTP code during login using the authenticator app**
    - Element: **OTP - Verify** (request) — left navigation panel
    - Notes: Enter the current OTP Code from the authenticator app

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| host | text | Yes | — | The Instance Public API Domain Name from the IDaaS console |
| clientId | text | Yes | — | API Key from the IDaaS console |
| clientSecret | text | Yes | — | API Secret from the IDaaS console |
| username | text | Yes | — | Username for the new account |
| password | text | Yes | — | Password for the new account; must meet policy constraints |
| phoneNumber | text | Yes | — | Phone number for 2FA verification |
| merchantName | text | Yes | Shopkeeper | Merchant name used for scoring; can be obtained via API |
| ivsAppKey | text | Yes | — | App Key from the IDaaS console; incorrect value causes scoring failure |
| code | text | Yes | — | Verification code received via SMS or email |
| otpCode | text | Yes | — | One-time password generated by the authenticator app |

### Configure AD/LDAP Account Synchronization

**Navigation**: Console > Accounts > Organizations and Groups

**Prerequisites**:
- Log on to the IDaaS console as an IT administrator
- AD/LDAP server must have a public IP address with port 389 open
- Security group policy may need to allow access from IDaaS egress IP addresses
- Ensure parent organization is exported before exporting sub-organizations
- Check user license count before importing accounts

1. **Log on to the IDaaS console as an IT administrator**
   - Element: **Log on to the IDaaS console** (link) — login page

2. **Navigate to the Organizations and Groups section**
   - Element: **Accounts > Organizations and Groups** (menu) — left-side navigation pane

3. **Click Configure LDAP to create a new LDAP configuration**
   - Element: **Configure LDAP** (button) — main content area

4. **Fill in LDAP server parameters including Server Address and Port, Base DN, Administrator Account and Password, and select Type (Windows AD/OpenLDAP)**
   - Element: **Server Address and Port** (text_input) — LDAP configuration form
   - Notes: Use SSL Connection if required. Ensure special characters in password are properly escaped.

5. **Enable synchronization from LDAP to this system or from this system to LDAP based on requirements**
   - Element: **Sync from LDAP to this system** (checkbox) — LDAP configuration form
   - Notes: Enabling this allows manual synchronization from LDAP to IDaaS.

6. **Click Test Connection to verify connectivity to the AD/LDAP server**
   - Element: **Test Connection** (button) — bottom of form
   - Notes: If test fails, check network connectivity or credentials.

7. **Import organizations from AD**
   - Element: **Import > LDAP > Organization** (menu) — Organizations and Groups page
   - Notes: Select the LDAP configuration and confirm preview before importing.

8. **Confirm import by clicking Confirm Import**
   - Element: **Confirm Import** (button) — preview dialog

9. **Import accounts from AD**
   - Element: **Import > LDAP > Accounts** (menu) — Organizations and Groups page
   - Notes: Select the LDAP configuration and confirm preview before importing.

10. **Export organizations to AD**
    - Element: **Export > LDAP > Organization** (menu) — Organizations and Groups page
    - Notes: Ensure parent organization is already exported to avoid failure.

11. **Select the LDAP configuration and organizations to export**
    - Element: **OK** (button) — export dialog
    - Notes: The message 'Export successful' appears upon completion.

12. **Export accounts to AD**
    - Element: **Export > LDAP > Accounts** (menu) — Organizations and Groups page
    - Notes: Can also use Single Export tab for specific accounts.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Service Name | text | Yes | — | A name to identify the LDAP configuration. |
| Server Address and Port | text | Yes | — | The hostname or IP address and port number of the AD/LDAP server. |
| Base DN | text | Yes | — | The base distinguished name for searching users and groups in the directory. |
| Use SSL Connection | checkbox | No | — | Enables secure connection using SSL/TLS. |
| Administrator Account and Password | password | Yes | — | Credentials for connecting to the AD/LDAP server with administrative privileges. |
| Type | dropdown | Yes | Windows AD, OpenLDAP | Specifies the type of LDAP server being configured. |
| Organizational Unit (OU) Node | text | No | — | Specifies the OU in AD/LDAP to import data into. If blank, data is imported into root directory. |
| Sync from LDAP to this system | checkbox | No | — | Enables manual synchronization of data from LDAP to IDaaS. |
| Sync from this system to LDAP | checkbox | No | — | Enables automatic synchronization of changes in IDaaS to LDAP. |
| Default password | text | No | — | Sets the default password for accounts synchronized from AD/LDAP to IDaaS. |
| Display name | text | No | — | Specifies the display name for the account in IDaaS. |

### Configure Legacy LDAP Authentication

**Navigation**: Console > Authentication > Authentication Sources

**Prerequisites**:
- Administrator account for IDaaS console
- AD domain with public IP address and port 389 open
- Security group policy allowing access from IDaaS egress IPs
- IDaaS egress IP addresses obtained via ticket submission

1. **Log on to the Alibaba Cloud Security IDaaS console using an administrator account**
   - Element: **Log on to the Alibaba Cloud Security IDaaS console** (link) — top-right corner of login page

2. **Navigate to the authentication sources page**
   - Element: **Authentication > Authentication Sources** (menu) — left navigation panel

3. **Click Add Authentication Source and select LDAP Authentication Source**
   - Element: **Add Authentication Source** (button) — upper-right corner of the page
   - Notes: After clicking, a dialog box appears for configuring the LDAP source parameters.

4. **Set LDAP URL, LDAP Base, LDAP UserDn, LDAP Password, and Filter Condition**
   - Element: **LDAP URL, LDAP Base, LDAP UserDn, LDAP Password, Filter Condition** (text_input) — dialog box for LDAP configuration
   - Notes: Ensure values match those from your AD. Filter Condition example: (UID=$username$).

5. **Create an account in AD if not already present**
   - Element: **Create an account in AD** (text_input) — AD management interface
   - Notes: If accounts already exist in AD, this step can be skipped.

6. **Go to Organizations and Groups page and create an LDAP configuration**
   - Element: **Organizations and Groups** (link) — left navigation panel
   - Notes: After configuration, pull account data from AD to IDaaS.

7. **Pull account data from AD to IDaaS**
   - Element: **Pull account data** (button) — LDAP configuration page
   - Notes: Synchronization must complete before authentication works.

8. **Click the LDAP authentication source icon on the logon page**
   - Element: **LDAP authentication source icon** (button) — third-party authentication logon section
   - Notes: User is redirected to the LDAP account logon page.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| LDAP URL | text | Yes | — | The IP address and port number of the AD domain (e.g., ldap://192.168.1.10:389) |
| LDAP Base | text | Yes | — | The base DN for searching users in AD (e.g., DC=example,DC=com) |
| LDAP UserDn | text | Yes | — | The DN of the user account used to bind to the LDAP server |
| LDAP Password | password | Yes | — | The password for the LDAP UserDn account |
| Filter Condition | text | Yes | (UID=$username$) | LDAP filter expression to locate user by username (e.g., (UID=$username$)) |
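Added example, not IDaaS code, covering both the AD/LDAP synchronization settings above and the legacy LDAP authentication source: it fills the Filter Condition template with the typed username using RFC 4515 escaping (so a username cannot change the filter's structure), splits a Base DN such as DC=example,DC=com into its RDNs, and reviews an LDAP URL like ldap://192.168.1.10:389 for clear-text transport. It assumes the console substitutes the username for the `$username$` placeholder literally; the function names are the example's own.

```python
"""LDAP filter rendering and connection-setting checks. Added example, not
IDaaS code. Assumes the console substitutes the typed username for the
$username$ placeholder in the Filter Condition, as in (UID=$username$)."""
from typing import List
from urllib.parse import urlsplit

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

PLACEHOLDER = "$username$"


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Fill the Filter Condition template, e.g. (UID=$username$) -> (UID=alice)."""
    if PLACEHOLDER not in template:
        raise ValueError("Filter Condition has no %s placeholder" % PLACEHOLDER)
    if template.count("(") != template.count(")"):
        raise ValueError("Filter Condition has unbalanced parentheses")
    return template.replace(PLACEHOLDER, escape_filter_value(username))


def base_dn_components(base_dn: str) -> List[str]:
    """Split a Base DN such as DC=example,DC=com into RDNs and check each has attr=value.

    Escaped commas inside RDN values (\\,) are not handled; they do not occur in
    the simple DC=... base DNs used here.
    """
    parts = [p.strip() for p in base_dn.split(",")]
    for rdn in parts:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
    return parts


def ldap_url_findings(url: str) -> List[str]:
    """Review an LDAP URL (e.g. ldap://192.168.1.10:389) and return any concerns."""
    parts = urlsplit(url)
    findings: List[str] = []
    if parts.scheme not in ("ldap", "ldaps"):
        findings.append("scheme must be ldap:// or ldaps://")
        return findings
    if not parts.hostname:
        findings.append("host is missing")
    port = parts.port if parts.port is not None else (636 if parts.scheme == "ldaps" else 389)
    if parts.scheme == "ldap":
        # Port 389 without TLS carries the bind password and directory data unencrypted.
        findings.append(
            "ldap:// on port %d sends the bind password and directory data in clear text; "
            "prefer ldaps:// or tick Use SSL Connection" % port)
    if parts.scheme == "ldaps" and port == 389:
        findings.append("ldaps:// normally uses port 636, not 389")
    return findings


if __name__ == "__main__":
    print(render_filter("(UID=$username$)", "alice"))  # (UID=alice)
    print(base_dn_components("DC=example,DC=com"))  # ['DC=example', 'DC=com']
    for finding in ldap_url_findings("ldap://192.168.1.10:389"):
        print("finding:", finding)
```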

### Configure Identity Provider

**Navigation**: Console > IDaaS > EIAM 1.X > Configure Identity Provider

**Prerequisites**:
- An active IDaaS account with admin privileges
- A configured SAML or OIDC identity provider

1. **Click on the 'Configure Identity Provider' button**
   - Element: **Configure Identity Provider** (button) — main content area
   - Notes: Ensure the identity provider is already registered in the system before proceeding.

2. **Select the identity provider type from the dropdown menu**
   - Element: **Provider Type** (dropdown) — left navigation panel
   - Notes: Options include SAML and OIDC. Choose based on your identity provider setup.

3. **Enter the metadata URL or upload the metadata file**
   - Element: **Metadata URL** (text_input) — form fields section
   - Notes: If uploading a file, use the 'Upload Metadata' button below the input field.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Provider Name | text | Yes | — | A unique name to identify this identity provider in the system. |
| Enable SSO | toggle | No | — | Enables Single Sign-On functionality for users authenticated via this provider. |

### Configure Group-to-Role SSO

**Navigation**: Console > IDaaS > Applications > Create SAML Application > SAML 2.0

**Prerequisites**:
- You have activated IDaaS EIAM and created an instance.
- You have access to the CAM console and the IDaaS EIAM portal.
- You have an account with administrator permissions.
- You have obtained your account ID.

1. **Sign in to the IDaaS console and select your IDaaS instance.**
   - Element: **Open Console** (button) — Actions column

2. **Navigate to Applications > Create Application > SAML 2.0.**
   - Element: **SAML 2.0** (menu) — left navigation panel

3. **Enter an application name and click Create.**
   - Element: **+** (button) — top-right corner

4. **Paste the federation metadata URL into the Metadata field and click Resolve.**
   - Element: **Resolve** (button) — main content area

5. **Download the SAML metadata file from IDaaS EIAM.**
   - Element: **Download** (button) — main content area

6. **Sign in to the CAM console and navigate to Identity Providers > Create Identity Provider.**
   - Element: **Create Identity Provider** (button) — main content area

7. **Select SAML as the provider type and enter a name like 'idaas-saml-standard'.**
   - Element: **SAML** (dropdown) — provider type selection

8. **Upload the downloaded SAML metadata file and click Next.**
   - Element: **Next** (button) — bottom of form

9. **Navigate to Roles > Create Role and select Identity Provider as the type.**
   - Element: **Create Role** (button) — main content area

10. **Choose the identity provider you created and check 'Allow Current Role To Access Console'.**
    - Element: **Allow Current Role To Access Console** (checkbox) — form fields

11. **Select a role policy, configure tags, and click Next.**
    - Element: **Next** (button) — bottom of form

12. **Enter a role name such as 'role1' and click Complete.**
    - Element: **Complete** (button) — bottom of form

13. **Go to Users > Create User and create a user like 'emp001'.**
    - Element: **Create User** (button) — main content area

14. **Navigate to Groups > Create Group and enter a group name like 'group01'.**
    - Element: **Create Group** (button) — main content area

15. **Set the group's external ID to match the role name in CAM (e.g., 'role1').**
    - Element: **External ID** (text_input) — form fields
    - Notes: Must match the role name in CAM exactly.

16. **Add the user 'emp001' to the group 'group01'.**
    - Element: **Add User** (button) — group details

17. **On the SAML application details page, go to Authorization > Authorize Group and assign access to 'group01'.**
    - Element: **Authorize Group** (link) — main content area

18. **Click 'Show Advanced Configuration' and add two attribute mappings for Role and RoleSessionName.**
    - Element: **Show Advanced Configuration** (button) — main content area

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Name | text | Yes | — | The name of the SAML application to be created. |
| Provider Type | dropdown | Yes | SAML | The type of identity provider to create. |
| Identity Provider Name | text | Yes | — | A unique name for the identity provider, e.g., 'idaas-saml-standard'. |
| Role Name | text | Yes | — | The name of the role to be created in CAM. |
| External ID | text | Yes | — | Must match the role name in CAM exactly. |
| Allow Current Role To Access Console | checkbox | No | — | Enables the role to access the console. |

### Configure Automatic Role-Based SSO for User Groups

**Navigation**: Console > IDaaS > Applications > Create SAML Application

**Prerequisites**:
- IDaaS EIAM activated and instance created
- Access to RAM console and IDaaS EIAM portal

1. **Log on to the IDaaS console and select your IDaaS EIAM instance**
   - Element: **Open Console** (button) — left navigation panel

2. **Choose SAML 2.0 application creation from the menu**
   - Element: **Applications > Add SAML 2.0 Application > Standard** (menu) — left navigation panel

3. **Enter an application name and click Create**
   - Element: **+** (button) — top-right corner

4. **Go to the RAM console and navigate to Identity Providers**
   - Element: **Integrations > Identity Providers** (menu) — left navigation panel

5. **Click the SAML tab and then Create Identity Provider**
   - Element: **Create Identity Provider** (button) — main content area

6. **Upload the metadata file from IDaaS EIAM**
   - Element: **Upload Metadata Document** (button) — main content area
   - Notes: The file was downloaded from the SAML application in IDaaS.

7. **Navigate to Roles in the RAM console**
   - Element: **Member Management > Roles** (menu) — left navigation panel

8. **Click Create Role and switch to editor mode**
   - Element: **Toggle Editor** (button) — upper-right corner

9. **Select the SAML identity provider and enter the role name**
   - Element: **Confirm** (button) — bottom of form
   - Notes: Role names must exactly match those in the user group configuration.

10. **Create a user in IDaaS EIAM**
    - Element: **Create User** (button) — left navigation panel
    - Notes: User named emp001 is created.

11. **Create a user group and assign a role**
    - Element: **Create Group** (button) — left navigation panel
    - Notes: Group name: group01, Role: role1 (must match RAM role).

12. **Add the user to the user group**
    - Element: **Add User** (button) — group details page
    - Notes: User emp001 added to both group01 and group02.

13. **Grant access to the SAML application for the user and groups**
    - Element: **Access > Grant Access** (menu) — application details page

14. **Configure advanced SAML attributes for role mapping**
    - Element: **Show Advanced Configuration** (button) — application details page
    - Notes: Attribute key: https://www.aliyun.com/SAML-Role/Attributes/Role, Value: SamlArray(...) expression.

15. **Verify SSO by logging in as emp001 and selecting a role**
    - Element: **Sign In** (button) — SAML application page
    - Notes: User is redirected to Alibaba Cloud Console and selects role1 or role2.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Name | text | Yes | — | Name of the SAML 2.0 application being created. |
| Identity Provider Name | text | Yes | — | Unique name for the SAML identity provider in RAM. |
| Role Name | text | Yes | — | Name of the RAM role to be assigned via SAML assertion. |
| Group Name | text | Yes | — | Name of the user group in IDaaS EIAM. |
| Role Mapping | text | Yes | — | Maps the user group to a specific RAM role via SAML attribute. |

### Configure SSO for Alibaba Cloud DevOps

**Navigation**: Console > IDaaS > Overview > Create Instance

**Prerequisites**:
- An Alibaba Cloud account
- An IDaaS instance already created
- Access to the Alibaba Cloud IDaaS console
- A supported identity provider configured (e.g., DingTalk, WeCom, AD)

1. **Navigate to the IDaaS console and create a new instance**
   - Element: **Create Instance** (button) — top-right corner of the overview page

2. **Attach an identity provider such as DingTalk, WeCom, or AD**
   - Element: **Attach DingTalk - Inbound** (link) — left navigation panel under 'Identity Providers'
   - Notes: Follow the specific guide for each identity provider. For example, attaching WeCom requires configuring OAuth2 settings.

3. **Configure SSO for Alibaba Cloud DevOps by enabling user-based SSO for RAM users**
   - Element: **Enable User-Based SSO for RAM Users** (checkbox) — main content area under 'SSO Configuration'
   - Notes: Only one identity provider can be used per Alibaba Cloud account for user-based SSO. Changing this setting may disrupt existing access.

4. **Set up data synchronization from IDaaS to RAM using SCIM**
   - Element: **Synchronize accounts to Alibaba Cloud RAM by using SCIM** (link) — main content area under 'Data Synchronization'
   - Notes: This step is required to create users in RAM before they can be synchronized to Alibaba Cloud DevOps.

5. **Synchronize RAM users to Alibaba Cloud DevOps**
   - Element: **Add a RAM user** (link) — main content area under 'User Management'
   - Notes: Automatic synchronization is recommended. Manual addition is also possible but less efficient.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Account ID | text | Yes | — | The Alibaba Cloud account ID used to establish trust between Alibaba Cloud and IDaaS. |
| Attribute for application account name | dropdown | Yes | Email, Username, Employee ID | The attribute used as the primary key to map IDaaS users to RAM users during SSO. |
| Authorization Scope | dropdown | No | All Users, Specific Groups | Defines which IDaaS users can access the Alibaba Cloud DevOps application. |
| Application Username | dropdown | Yes | IDaaS Username, Application Username | Determines how the username is mapped during SSO. Choose based on whether IDaaS and RAM usernames match. |

### Configure SSO for DingTalk Enterprise

**Navigation**: Console > Identity Management > IDaaS > Applications > Create Application

**Prerequisites**:
- An IDaaS instance activated in the cloud

1. **Navigate to the IDaaS console and select 'Attach AD' or 'Attach OpenLDAP' based on your identity source**
   - Element: **Attach AD** (link) — left navigation panel

2. **Configure outbound sync settings for DingTalk Enterprise**
   - Element: **Attach DingTalk - Outbound** (link) — main content area

3. **Create a new application for DingTalk Enterprise in IDaaS**
   - Element: **DingTalk Enterprise SSO** (link) — Applications section

4. **Set the logon method in the IDaaS instance logon settings**
   - Element: **Logon Method** (dropdown) — General Configuration tab
   - Notes: Choose between AD/LDAP account and password, IDaaS account and password, or text message verification code.

5. **Verify the configuration by logging in via the DingTalk PC client**
   - Element: **Log On With Enterprise Account** (button) — top-right corner of the login screen
   - Notes: The mobile app does not display the logon method option.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| DingTalk version | dropdown | Yes | DingTalk Enterprise | Selects the correct integration profile for dedicated DingTalk. |
| userid field | dropdown | Yes | userId, username, userPrincipalName, sAMAccountName, uid, mail | Determines what credential users enter to log on. Must match the selected logon method. |

### Enable SSO from DingTalk Workbench

**Navigation**: Console > IDaaS > Applications > Create Application

**Prerequisites**:
- DingTalk identity provider already created
- IDaaS application configured for SSO
- User accounts mapped between DingTalk and IDaaS
- Application account names match existing local accounts in target application

1. **Create a DingTalk identity provider**
   - Element: **Bind DingTalk - Inbound** (link) — main content area

2. **Create an IDaaS application and configure SSO**
   - Element: **Alibaba Cloud user-based SSO** (link) — main content area

3. **Grant access to the IDaaS application**
   - Element: **SSO tab** (tab) — top navigation panel
   - Notes: Alternatively, use the Authorization tab to grant access to specific users or organizations.

4. **Construct the application logon URL**
   - Element: **IDaaS user portal URL** (text_input) — instance list page
   - Notes: Obtain the IDaaS user portal URL from the instance list or within the IDaaS instance.

5. **Create a DingTalk application on the Open Platform**
   - Element: **Application Development** (menu) — left navigation panel

6. **Paste the constructed URL into the application homepage field**
   - Element: **Application Homepage** (text_input) — Development & Management section
   - Notes: The PC homepage field is optional. If provided, users can open the app from the DingTalk PC client's workbench.

7. **Publish the application after testing**
   - Element: **Publish** (button) — top-right corner

8. **Set permission scope for the application**
   - Element: **Some Employees** (radio) — permissions configuration panel
   - Notes: Can grant permissions to specific users, organizations, or roles when selected.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Name | text | Yes | — | The name of the application as it appears in DingTalk. |
| Permission Scope | dropdown | Yes | All Employees, Some Employees, Administrators Only | Defines who can access the application. |

### Configure SSO for Qoder

**Navigation**: Console > IDaaS > Applications > Add Application > Application Marketplace > Search 'Qoder' > Create Application

**Prerequisites**:
- An IDaaS EIAM instance is created
- Administrator permissions for the Qoder organization
- Domain ownership verification for the enterprise email domain in Qoder
- Permission to modify DNS records for the Qoder enterprise email domain

1. **Log on to Qoder, click your personal account in the upper-right corner of the console, and go to Organization Settings -> Security & Identity.**
   - Element: **Organization Settings -> Security & Identity** (link) — upper-right corner of the console

2. **Find the Domain Verification section, click Add on the right, enter your enterprise email domain (e.g., example.com), and click Continue.**
   - Element: **Add** (button) — right side of the Domain Verification section

3. **Follow the instructions to add a TXT record to your DNS configuration.**
   - Element: (none)
   - Notes: The dialog box provides DNS configuration instructions.

4. **Click Verify and wait for the verification to pass.**
   - Element: **Verify** (button) — dialog box

5. **Log on to Qoder, click your personal account in the upper-right corner of the console, and go to Organization Settings.**
   - Element: **Organization Settings** (link) — upper-right corner of the console

6. **Find and copy the Organization ID from the organization basic information.**
   - Element: **Organization ID** (text_input) — organization basic information section

7. **Log on to the IDaaS control panel, find the target IDaaS instance, and click Open Console in the Actions column.**
   - Element: **Open Console** (button) — Actions column

8. **Navigate to Developer Apps > Applications > Create App > Application Market.**
   - Element: **Developer Apps > Applications > Create App > Application Market** (menu) — left navigation panel

9. **Search for 'Qoder' in the Application Market to find the Qoder template.**
   - Element: **Application Market** (search_field) — top of the application list

10. **Click Create App to add the Qoder template.**
    - Element: **Create App** (button) — application list

11. **Enter a name for the application and click + to create it.**
    - Element: **+** (button) — bottom of the form

12. **Navigate to Developer Apps > Applications, select the Qoder application, and click to open the application details page.**
    - Element: **Qoder application** (link) — applications list

13. **Click to switch to the Login Access page and enter the Qoder Organization ID.**
    - Element: **Login Access** (tab) — top navigation

14. **Go to User Management, click Add User, find the account to add, and click Save.**
    - Element: **Add User** (button) — User Management section

15. **Go to Authentication, select Resource Server Scope Type, click Create, select the user, group, or organizational unit that needs to use Qoder SSO, and click Save.**
    - Element: **Create** (button) — Authentication section

16. **Navigate to Developer Apps > Applications, select the Qoder application, go to Login Access > SSO Configuration, and view the IdP metadata.**
    - Element: **SSO Configuration** (tab) — top navigation

17. **Log on to Qoder, go to Organization Settings -> Security & Identity, and complete the SAML IdP metadata configuration based on the IDaaS metadata.**
    - Element: **Organization Settings -> Security & Identity** (link) — upper-right corner of the console
    - Notes: Recommended: enter the IdP SSO URL directly for automatic parameter fetching.

18. **Configure user attribute mappings in Qoder: map email to user.email and name to user.username.**
    - Element: **email** (text_input) — attribute mapping table

19. **On the Qoder SAML configuration page, click Test SSO.**
    - Element: **Test SSO** (button) — SAML configuration page

20. **After confirming the test passes, turn on the toggle next to Test SSO.**
    - Element: **toggle next to Test SSO** (toggle) — SAML configuration page

21. **Use your IDaaS user account to log on to the Alibaba Cloud IDaaS Application Portal, find the Qoder application, and click to initiate SSO login.**
    - Element: **Qoder application** (link) — IDaaS Application Portal
    - Notes: The user's email must match the verified enterprise email domain in Qoder.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Organization ID | text | Yes | — | The unique identifier for the Qoder organization, copied from Qoder's Organization Settings. |
| Name | text | Yes | — | The display name for the application in IDaaS. |
| Email | text | Yes | — | The email address of the user being added to the Qoder application. |
| User Attribute Mapping | dropdown | Yes | user.email, user.username | Maps IDaaS attributes to Qoder fields during SSO login. |

### Configure SSO for Tongyi Lingma

**Navigation**: Console > IDaaS > Applications > Create OIDC Application > General Tab > SSO Configuration

**Prerequisites**:
- An Alibaba Cloud account or RAM user with AliyunRDCFullAccess policy attached
- A created IDaaS instance
- Enterprise Edition instance created in DevOps console
- Network access configured (public or VPC)

1. **Log on to the IDaaS console**
   - Element: **IDaaS console** (link) — top navigation panel

2. **Navigate to Applications > Create OIDC Application > Standard**
   - Element: **Create OIDC Application** (menu) — left navigation pane

3. **Obtain Client ID and Client Secret from the General tab**
   - Element: **Client ID** (text_input) — General tab
   - Notes: Copy these values for use in Step 3

4. **Go to SSO Configuration tab and enable SSO**
   - Element: **SSO Configuration** (tab) — top navigation

5. **Enter Login Redirect URI from Step 3**
   - Element: **Login Redirect URI** (text_input) — SSO Configuration tab
   - Notes: Must match the webhook address from Step 3

6. **Select Authorization Scope as 'All'**
   - Element: **All** (radio) — Authorization Scope section

7. **Obtain Issuer URL from Application Settings**
   - Element: **Issuer** (text_input) — Application Settings section
   - Notes: Copy this URL for use in Step 3

8. **Click Save**
   - Element: **Save** (button) — bottom of page

9. **Log on to the DevOps console and click Enterprise Edition tab**
   - Element: **Enterprise Edition** (tab) — top navigation

10. **Click New Instance and configure parameters**
    - Element: **New Instance** (button) — center of page
    - Notes: Include Region, Instance Name, Instance Identifier, Number of Licenses, Purchase Duration, Root Account Password

11. **After purchase, view instance details and check network status**
    - Element: **Name/Enterprise ID** (link) — instance list

12. **Click Go to Modify in Access Network Configuration**
    - Element: **Go to Modify** (button) — Access Network Configuration section

13. **Select Use Public Network Access or Use VPC Access**
    - Element: **Use Public Network Access** (radio) — Network Configuration tab
    - Notes: If public access is selected, set IP address whitelist with up to 20 entries

14. **Click Update**
    - Element: **Update** (button) — bottom of Network Configuration tab

15. **Click Enter Enterprise in Actions column**
    - Element: **Enter Enterprise** (button) — Actions column

16. **Enter account and password to log on to Tongyi Lingma**
    - Element: **Logon** (button) — bottom of login form

17. **On Third-party Integration page, click Add Configuration in OIDC section**
    - Element: **Add Configuration** (button) — OIDC section

18. **Paste Login Webhook Address into Login Redirect URI field**
    - Element: **Login Webhook Address** (text_input) — OIDC client configuration

19. **Enter Client ID from IDaaS**
    - Element: **Client ID** (text_input) — OIDC client configuration

20. **Enter Client Secret from IDaaS**
    - Element: **Client Secret** (text_input) — OIDC client configuration

21. **Enter Issuer URL from IDaaS**
    - Element: **Issuer** (text_input) — OIDC client configuration

22. **Click Next Step**
    - Element: **Next Step** (button) — bottom of form

23. **Set Unique Account Identifier and select Account Binding Method**
    - Element: **Unique Account Identifier** (text_input) — Account Binding section
    - Notes: Choose one of: mailbox, logon account, phone number, employee ID

24. **Map required user attributes (Name, Logon Account, Mailbox)**
    - Element: **Map User Attributes** (text_input) — Attribute Mapping section
    - Notes: Ensure logon account and binding attribute are unique

25. **Click Next Step**
    - Element: **Next Step** (button) — bottom of form

26. **Turn on Single Sign-on switch**
    - Element: **Single Sign-on** (toggle) — Service Enablement section

27. **Modify OIDC Display Name and Icon**
    - Element: **Display Name** (text_input) — Advanced Settings

28. **Select Allow creating a Tongyi Lingma account at logon if needed**
    - Element: **Allow creating a Tongyi Lingma account at logon** (checkbox) — Advanced Settings

29. **Click Save Configuration**
    - Element: **Save Configuration** (button) — bottom of page

30. **Verify SSO by clicking OIDC button on login page**
    - Element: **OIDC** (button) — login page
    - Notes: Users with bound accounts can now log in via OIDC

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Region | dropdown | Yes | — | Select a region for the instance. |
| Purchase Method | radio | Yes | Purchase a new instance | Select to purchase a new instance. |
| Instance Name | text | Yes | — | The name of the Enterprise Edition instance. The name can contain Chinese characters, letters, digits, and hyphens (-). |
| Instance Identifier | text | Yes | — | An endpoint for public or VPC access is automatically generated based on the instance identifier. To ensure security, public and VPC access are disabled by default. |
| Specification | dropdown | No | Enterprise Edition | The default value is Enterprise Edition, which cannot be changed. |
| Number of Licenses | number | Yes | — | The minimum is 100. You can add more licenses as needed. |
| Purchase Duration | dropdown | Yes | 1 month, 3 months, 6 months, 1 year, 2 years, 3 years | Select a subscription duration. |
| Root account password | text | Yes | — | The password for the initial root account to log on to the Enterprise Edition instance. You can change this password later on the instance details page. |
| Login Webhook Address | text | Yes | — | The address used for redirect after authentication. |
| Client ID | text | Yes | — | The client identifier