# idaas-instance

Part of **IDAAS**

# IDaaS Instance and Network Management Console Guide

## Operations Overview

| Operation | Console Navigation Path | Prerequisites | Description |
|----------|------------------------|---------------|-------------|
| Migrate Legacy 1.x Instances | Console > IDaaS > Legacy Instance Management | Existing legacy 1.x instance, access to IDaaS console, contact info for Free Edition upgrade | Upgrade or migrate from legacy IDaaS 1.x to newer versions before service discontinuation |
| Get STS Tokens in ACK | IDaaS Console > Application Management > M2M Application | ACK cluster v1.22+, IDaaS EIAM Enterprise instance with M2M extension enabled | Configure M2M applications to obtain STS tokens in ACK using OIDC federation |
| Obtain STS Tokens in ECS Without Static Credentials | Console > IDaaS > Identity Provider > M2M Applications > Create M2M Client Application | IDaaS instance with ≥2 M2M quotas, ECS can reach IDaaS endpoint, admin permissions | Use the PKCS#7-signed ECS instance identity as a federated credential so an ECS instance obtains STS tokens without any static AccessKey |
| Alibaba Cloud Elastic Desktop Service SSO | Console > IDaaS > Applications > Create Application > Application Market > Search for EDS Template > Add Application | Active IDaaS instance, admin access to both consoles, known Workspace ID | Configure SAML-based SSO between IDaaS and Elastic Desktop Service |
| Bastionhost SSO | Console > Identity & Access Management > Applications > Manage Applications | Active EIAM instance, admin access to IDaaS console, existing Bastionhost instance | Enable SSO and user synchronization from IDaaS to Bastionhost |
| Manage Cloud Identities with IDaaS | Console > Asset Management > Cloud Identity | IDaaS Enterprise Edition with M2M extension, User Portal address, no conflicting RAM IdP | Integrate Alibaba Cloud accounts into IDaaS for centralized identity and role management |
| Custom Domains | Console > IDaaS > Custom Domains | Dedicated domain, DNS management permissions, ICP filing (if in Chinese mainland), Trial/Enterprise instance | Replace system-generated URLs with your own branded domain |

## Step-by-Step Instructions

### Migrate Legacy 1.x Instances

**Navigation**: Console > IDaaS > Legacy Instance Management

**Prerequisites**:
- Existing legacy 1.x instance
- Access to the IDaaS console
- Contact information for the IDaaS team (for Free Edition upgrade)

1. Review the feature comparison between IDaaS versions  
   - Element: **feature comparison** (link) — main content area  
   - Notes: Click the link to open the comparison in a new tab.

2. Activate the new version for free (Free Edition only)  
   - Element: **activate the new version for free** (link) — main content area  
   - Notes: Only visible if you have a Free Edition instance.

3. Renew your legacy instance  
   - Element: **Renew in the console** (button) — table row for 'Renew your legacy instance'

4. Upgrade your legacy instance  
   - Element: **Upgrade in the console** (button) — table row for 'Upgrade your legacy instance'

5. Discontinue service and request refund  
   - Element: **Submit a ticket** (button) — table row for 'Discontinue your service'  
   - Notes: The IDaaS team will coordinate with after-sales support to process a prorated refund.

### Get STS Tokens in ACK

**Navigation**: IDaaS Console > Application Management > M2M Application

**Prerequisites**:
- An ACK managed cluster, version 1.22 or later
- An IDaaS EIAM Enterprise instance with the M2M extension enabled

1. Log on to the IDaaS console  
   - Element: **Console** (link) — Actions column of your IDaaS instance

2. Navigate to Application Management  
   - Element: **Application Management** (menu) — Top navigation panel

3. Create the M2M client application  
   - Element: **Add Application** (button) — Top of the M2M Application page  
   - Notes: Enter "M2M_Client" as the Application Name.

4. Enable custom permissions for the client  
   - Element: **Custom Permissions** (checkbox) — Client Permission Management tab

5. Create the M2M server application  
   - Element: **Add Application** (button) — Top of the M2M Application page  
   - Notes: Enter "M2M_Server" as the Application Name.

6. Switch to Server Permission Control  
   - Element: **Server Permission Control** (tab) — Top navigation panel

7. Enable server permissions and set identifier  
   - Element: **Server Permission Control** (switch) — Server Permission Control section  
   - Notes: Set **ResourceServer Identifier** to `api://ram.aliyun.com`

8. Create a permission scope  
   - Element: **Create Scope** (button) — Permission Management section  
   - Notes: Set Scope Name = `RAM_STS_Token`, Scope Value = `ram:sts`

9. Authorize the client application  
   - Element: **M2M_Client** (checkbox) — Authorized Applications list

10. Assign the scope to the client  
    - Element: **RAM_STS_Token** (checkbox) — Permission list

11. Save the configuration  
    - Element: **Save** (button) — Bottom of the form

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Name | text | Yes | — | The display name for the M2M application |
| ResourceServer Identifier | text | Yes | — | The unique audience identifier; must be `api://ram.aliyun.com` |
| Scope Name | text | Yes | — | A display label for the permission scope |
| Scope Value | text | Yes | — | The permission identifier used in OAuth scope parameter |

### Obtain STS Tokens in ECS Without Static Credentials

**Navigation**: Console > IDaaS > Identity Provider > M2M Applications > Create M2M Client Application

**Prerequisites**:
- IDaaS instance with at least 2 M2M application quotas available
- ECS instance must be able to access IDaaS public endpoint: https://<Instance ID>.aliyunidaas.com
- Account permissions: Alibaba Cloud account or RAM administrator

1. Log on to the IDaaS console and select region  
   - Element: **IDaaS console** (link) — top navigation bar

2. Open your EIAM instance console  
   - Element: **Open Console** (button) — Actions column

3. Add a federated credential provider  
   - Element: **Add** (button) — Federated Credential section

4. Configure PKCS#7 credential  
   - Element: **PKCS#7** (dropdown) — Federated Credential configuration panel  
   - Notes: Set Name = `test-ecs-credential-source`, Trust Source = `Alibaba Cloud`. Click **Get Certificate** to auto-fill fields.

5. Create M2M Client app  
   - Element: **Create App** (button) — top-right corner

6. Enable M2M Client mode  
   - Element: **M2M Client Status** (toggle) — Authentication tab  
   - Notes: Set Application Name = `M2M Client`

7. Select PKCS#7 login method  
   - Element: **PKCS#7** (radio) — Login Method tab

8. Set verification condition mode  
   - Element: **Verification Condition Mode** (dropdown) — Federated Credential configuration  
   - Notes: Choose `PKCS#7 Instance Mode`

9. Enter ECS instance ID  
   - Element: **Instance ID** (text_input) — Federated Credential configuration  
   - Notes: You can click the icon to enter multiple instance IDs

10. Create M2M Server app  
    - Element: **Create App** (button) — top-right corner

11. Enable Resource Server mode  
    - Element: **Resource Server Status** (toggle) — Resource Server tab  
    - Notes: Set Application Name = `M2M Server`

12. Set Resource Server Identifier  
    - Element: **Resource Server Identifier** (text_input) — Resource Server configuration  
    - Notes: Use format `cloud:idaas:sts:alibabacloud:<account-id>` (replace `<account-id>`)

13. Add permission scope  
    - Element: **Add Permission** (button) — Permissions list  
    - Notes: Name = `assume-role`, Value = `role:assume`

14. Enable M2M Client feature on server  
    - Element: **M2M Client** (toggle) — Authentication section  
    - Notes: Select the `assume-role` scope in Permissions list

15. Go to RAM console > OIDC Configuration  
    - Element: **OIDC Configuration** (link) — left-side navigation pane

16. Create OIDC Provider  
    - Element: **Create OIDC Provider** (button) — top-right corner  
    - Notes: Name = `test-oidc-provider`, Issuer URL = from M2M Server app details

17. Enter M2M Server Client ID  
    - Element: **Client ID** (text_input) — OIDC Provider configuration

18. Create RAM role  
    - Element: **Create Role** (button) — top-right corner (in RAM Roles page)

19. Switch to Policy Editor  
    - Element: **Switch to Policy Editor** (button) — top-right corner

20. Set Principal to OIDC  
    - Element: **Add principal** (button) — Principal configuration  
    - Notes: Select the OIDC provider created earlier

21. Add trust condition  
    - Element: **Add condition** (button) — Condition section  
    - Notes: Key = `oidc:sub`, Operator = `StringEquals`, Value = the M2M Client application's client_id. This condition is what binds the role to that one client; without it, a token from any other M2M client of the same issuer could assume the role.

22. Confirm role creation  
    - Element: **Confirm** (button) — bottom of page

23. Attach permission policy  
    - Element: **Add Permission** (button) — Authorization menu  
    - Notes: Attach the narrowest policy the workload needs; the guide uses `AliyunOSSReadOnlyAccess` as an example

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Application Name | text | Yes | — | The name of the M2M application being created |
| Name | text | Yes | — | Custom name for the federated credential provider |
| Trust Source | dropdown | Yes | Alibaba Cloud | The trust source for verifying the PKCS#7 signature |
| Verification Condition Mode | dropdown | Yes | PKCS#7 Instance Mode | Specifies that the credential is tied to a specific ECS instance |
| Instance ID | text | Yes | — | The ID of the ECS instance that will use this credential |
| Resource Server Identifier | text | Yes | — | The identifier for the resource server (OIDC audience) |
| Scope Name | text | Yes | — | Custom name for the OAuth scope |
| Scope Value | text | Yes | — | Custom identifier for the scope |
| Client ID | text | Yes | — | The client ID of the M2M server application |
| Issuer URL | text | Yes | — | The issuer URL of the OIDC provider |
| Fingerprint | text | No | — | Automatically calculated after entering the issuer URL |
| Role Name | text | Yes | — | The name of the RAM role to be created |
| Policy | dropdown | Yes | e.g., AliyunOSSReadOnlyAccess | The permission policy to attach to the role; choose the least-privilege policy the workload requires |
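Both STS procedures above (ACK and ECS) end with the same trust relationship: a RAM role trusts one OIDC provider, and the `oidc:sub` condition narrows it to a single M2M client. The following is an added example, not code from the guide or from Alibaba Cloud, that builds that trust policy as JSON and replays its conditions against decoded token claims so the effect of the `oidc:sub` condition can be seen offline. The account ID, provider name, issuer URL, client_id and the unsigned sample token are constructed placeholders; the policy document shape is assumed to match what the RAM Policy Editor produces for an OIDC principal. Fetching the real access token (from the IDaaS token endpoint, with the PKCS#7 instance-identity document on ECS) and calling `sts:AssumeRoleWithOIDC` are outside this example.

```python
# Added example: not code from the original guide or from Alibaba Cloud.
# Models the trust relationship built in the two STS procedures above:
# a RAM role trusts one OIDC provider and, via oidc:sub, exactly one M2M client.
import base64
import json
import time

# Constructed stand-ins for the values shown in the consoles.
ACCOUNT_ID = "123456789012"
PROVIDER_NAME = "test-oidc-provider"
ISSUER = "https://idaas-example.aliyunidaas.com/oauth2"      # constructed issuer URL
AUDIENCE = f"cloud:idaas:sts:alibabacloud:{ACCOUNT_ID}"      # Resource Server Identifier
CLIENT_ID = "m2m-client-0123456789"                           # constructed M2M Client client_id


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed JWT with a dummy signature segment, for exercising claim checks only.

    Real M2M access tokens are signed by IDaaS; STS verifies that signature
    against the OIDC provider's keys before it evaluates the trust policy.
    """
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy"


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Fine for pre-flight inspection before calling sts:AssumeRoleWithOIDC;
    never use unverified claims to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)       # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_trust_policy(account_id, provider_name, issuer, audience, client_id) -> dict:
    """Trust policy equivalent to the OIDC principal plus oidc:sub condition above.

    Assumption: this is the document shape the RAM Policy Editor produces for an
    OIDC principal. oidc:iss and oidc:aud are pinned as well, as defence in depth.
    """
    return {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Federated": [f"acs:ram::{account_id}:oidc-provider/{provider_name}"]},
            "Condition": {"StringEquals": {
                "oidc:iss": issuer,
                "oidc:aud": audience,
                "oidc:sub": client_id,
            }},
        }],
    }


def token_satisfies_trust(policy: dict, claims: dict, now=None):
    """Replay the policy's StringEquals conditions against token claims.

    Returns (allowed, reason). This mirrors the check STS makes after signature
    verification; drop the oidc:sub condition and every client of the same
    issuer would be accepted.
    """
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
            got = claims.get(key.split(":", 1)[1])             # "oidc:sub" -> "sub"
            matched = (want in got) if isinstance(got, list) else (got == want)  # aud may be a list
            if not matched:
                return False, f"{key} mismatch: want {want!r}, got {got!r}"
        return True, "ok"
    return False, "no Allow statement for sts:AssumeRole"


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, PROVIDER_NAME, ISSUER, AUDIENCE, CLIENT_ID)
    print(json.dumps(policy, indent=2))                      # paste-ready for the Policy Editor
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": CLIENT_ID, "exp": int(time.time()) + 600}
    for label, claims in [
        ("bound client", base),
        ("other client, same issuer", {**base, "sub": "m2m-client-other"}),
        ("wrong audience", {**base, "aud": "api://ram.aliyun.com"}),
    ]:
        print(label, token_satisfies_trust(policy, decode_jwt_claims(make_unsigned_token(claims))))
```

For the ACK procedure the same policy applies with `AUDIENCE` set to the `api://ram.aliyun.com` identifier that section uses; the printed JSON can be compared line by line with what the Policy Editor shows after steps 19 to 22.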

### Alibaba Cloud Elastic Desktop Service SSO

**Navigation**: Console > IDaaS > Applications > Create Application > Application Market > Search for EDS Template > Add Application

**Prerequisites**:
- An active IDaaS instance
- Administrator access to both IDaaS and Elastic Desktop Service consoles
- A workspace in Elastic Desktop Service with a known Workspace ID

1. Log on to the IDaaS console  
   - Element: **IDaaS console** (link) — top navigation bar

2. Open your IDaaS instance  
   - Element: **Open Console** (button) — Actions area below instance list

3. Navigate to Application Market  
   - Element: **Advanced > Create Application > Application Market** (menu) — left-side navigation panel  
   - Notes: Search for "Elastic Desktop Service" application template

4. Add the EDS application  
   - Element: **Add application** (button) — application template details page

5. Confirm application creation  
   - Element: **Add** (button) — confirmation dialog

6. Proceed to SSO configuration  
   - Notes: You are automatically redirected to the SSO configuration page

7. Copy Workspace ID from Elastic Desktop console  
   - Element: **Network and storage > Workspaces** (menu) — left-side navigation pane

8. Enter Workspace ID in IDaaS  
   - Element: **Workspace ID** (text_input) — SSO configuration form

9. Save SSO settings  
   - Element: **Save** (button) — bottom of SSO configuration form  
   - Notes: Keep default "All users" for Authorization scope

10. Download SAML metadata file  
    - Element: **SAML metadata file** (link) — Application Configuration Information section  
    - Notes: Save the file locally

11. Log on to Elastic Desktop Service console  
    - Element: **Alibaba Cloud Elastic Desktop Service console** (link) — top navigation bar

12. Select your workspace  
    - Element: **Workspaces** (tab) — left-side navigation pane

13. Go to Other settings  
    - Element: **Other** (tab) — workspace details page

14. Upload metadata file  
    - Element: **Upload** (button) — SSO settings section

15. Verify SSO via client  
    - Element: **Workspace ID** (text_input) — client login screen  
    - Notes: Enter the same Workspace ID

16. Authenticate via IDaaS  
    - Notes: Sign in using your IDaaS credentials in the built-in browser; account must exist in Elastic Desktop Service

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Workspace ID | text | Yes | — | The unique identifier of the workspace in Elastic Desktop Service used for SSO integration |
| Authorization scope | dropdown | No | All users, Specific users | Defines which IDaaS accounts can access the application. Default is 'All users' |

### Bastionhost SSO

**Navigation**: Console > Identity & Access Management > Applications > Manage Applications

**Prerequisites**:
- An active EIAM instance in IDaaS
- Administrative access to the IDaaS console
- Bastionhost instance already created

1. Navigate to Applications  
   - Element: **Applications** (menu) — left navigation panel

2. View application list  
   - Element: **Manage Applications** (link) — main content area

3. Select Bastionhost template  
   - Element: **Alibaba Cloud - Bastionhost** (link) — application list  
   - Notes: The template is pre-configured for Bastionhost SSO

4. Start configuration  
   - Element: **Configure** (button) — top-right corner

### Manage Cloud Identities with IDaaS

**Navigation**: Console > Asset Management > Cloud Identity

**Prerequisites**:
- An IDaaS instance running Enterprise Edition with the M2M extension enabled
- The User Portal address for your IDaaS instance
- Confirmed that no existing identity provider in RAM uses the same name or issuer URL

1. Open your IDaaS instance console  
   - Element: **Console** (button) — Actions column

2. Add Alibaba Cloud account  
   - Element: **Add Alibaba Cloud Account** (button) — main content area

3. Enter identity provider name  
   - Element: **Identity Provider Name** (text_input) — form fields  
   - Notes: Must not conflict with any existing RAM identity provider

4. Proceed to next step  
   - Element: **Next** (button) — bottom of form

5. Configure RAM resources manually  
   - Element: **Create a custom policy** (link) — RAM console  
   - Notes: Follow linked instructions to create policy, role, and attach them

6. Validate configuration  
   - Element: **Start Detection** (button) — bottom of form  
   - Notes: Fix any issues and re-run detection if needed

7. Complete account addition  
   - Element: **Next** (button) — bottom of form

8. View system roles  
   - Element: **Cloud Role Management** (button) — Actions column

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Identity Provider Name | text | Yes | — | Enter a name for the identity provider. The name and issuer URL must not conflict with any existing identity provider in RAM |
| Account Type | dropdown | Yes | Current account, Other account | Select whether you are adding the current account or another Alibaba Cloud account |
| Cloud Account Type | dropdown | Yes | Alibaba Cloud Account Type | Select the type of cloud account to add |
| Alibaba Cloud Account UID | text | Yes | — | Enter the UID of the root account you want to add |

### Custom Domains

**Navigation**: Console > IDaaS > Custom Domains

**Prerequisites**:
- A dedicated domain for IDaaS EIAM (first-level or second-level recommended)
- Permissions to manage DNS records for the domain
- ICP filing number if hosted in Chinese mainland
- Permissions to manage the proxy service that fronts the domain (DCDN in the steps below)
- Trial or upgraded instance (Enterprise Edition required)

1. Go to Custom Domains page  
   - Element: **Custom Domains** (link) — left navigation panel

2. Add a new custom domain  
   - Element: **Add Custom Domain** (button) — top-right corner

3. Enter domain name  
   - Element: **Domain input field** (text_input) — main content area  
   - Notes: Must be globally unique, ≤128 chars, no paths or parameters

4. Configure DNS record  
   - Element: **Add DNS Record** (button) — DNS provider console  
   - Notes: Add the record at your DNS provider (Alibaba Cloud DNS or any other); it is required for ownership verification

5. Enter ICP filing number (if applicable)  
   - Element: **ICP Filing Number input field** (text_input) — main content area  
   - Notes: Mandatory for Chinese mainland regions

6. Create the domain entry  
   - Element: **Create** (button) — bottom of form  
   - Notes: Proxy configuration is still required to activate

7. Configure DCDN accelerated domain  
   - Element: **Domain Names** (tab) — DCDN console  
   - Notes: Set accelerated domain = your custom domain; origin type = Origin Domain

8. Enable HTTPS  
   - Element: **HTTPS settings** (menu) — domain details page

9. Enable back-to-origin HOST  
   - Element: **Enable Back-to-Origin Host** (checkbox) — origin configuration section  
   - Notes: Set Domain Type to Origin Domain to auto-select initial domain

10. Add security headers  
    - Element: **Custom Back-to-Origin HTTP Header** (button) — origin configuration section  
    - Notes: Add the IP, Host, and Token back-to-origin headers so that IDaaS can distinguish requests arriving through the proxy from direct or spoofed ones

11. Test connection  
    - Element: **Test Connection** (button) — test section  
    - Notes: Treat the result as a reference only; access policies on the proxy can make the test fail even though end-user logins work

12. Set default domain  
    - Element: **Modify Default Domain** (button) — domain status section  
    - Notes: Choose between initial and custom domain

13. Enable automatic redirection  
    - Element: **Enable Automatic Redirection** (checkbox) — settings section  
    - Notes: Redirects users from initial domain to default domain

14. Delete custom domain (if needed)  
    - Element: **Delete** (button) — domain list  
    - Notes: Check last used time first; remove DNS and proxy configs afterward

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Domain | text | Yes | — | Enter your custom domain (e.g., login.example.com). Must be globally unique and not contain paths or parameters |
| ICP Filing Number | text | Conditional | — | Required for instances hosted in Chinese mainland regions; leave empty elsewhere |

## FAQ

Q: Where can I find the option to migrate my legacy IDaaS 1.x instance?
A: Navigate to Console > IDaaS > Legacy Instance Management. The page displays options to renew, upgrade, or discontinue your legacy instance.

Q: Can I modify the Resource Server Identifier after creating an M2M server application?
A: No, the Resource Server Identifier is immutable after creation. You must delete and recreate the application if you need to change it.

Q: What happens if I don’t configure the RAM role correctly when setting up cloud identity?
A: The "Start Detection" step will fail. Review the error message, correct the RAM policy/role configuration, and re-run detection.

Q: Is it possible to use multiple custom domains for one IDaaS instance?
A: Yes, you can add multiple custom domains, but each must be globally unique and properly configured with DNS and proxy settings.

Q: Do I need to synchronize users manually for Bastionhost SSO?
A: No, once SSO is configured using the pre-integrated "Alibaba Cloud - Bastionhost" template, user synchronization is handled automatically based on your IDaaS directory.

## Pricing & Billing

### Billing Model
- **Legacy Instances**: Billed per instance hour for Standard and Enterprise Editions; Free Edition is free.
- **M2M Applications**: Included in IDaaS Enterprise Edition; standard billing applies for downstream services accessed via STS tokens.
- **Custom Domains**: Available at no extra cost for Trial and Enterprise Edition instances.
- **SSO Integrations**: No additional charge for configuring SSO with Elastic Desktop or Bastionhost.

### Free Tier
- New IDaaS 2.0 offers a free tier that can be activated at no cost.
- Free Edition legacy instances can be renewed in 3-month increments until December 30, 2025.

### Billing Notes
- Legacy 1.x Standard Edition will be discontinued; migration is strongly recommended.
- Upgrading or renewing requires advance planning to avoid service interruption.
- SSO configuration itself is free; actual usage of Bastionhost or Elastic Desktop is billed separately by those services.
- Only Trial and Enterprise Edition instances support the custom domain feature.