SAML response from user SSO

This article describes the basic requirements that the SAML Response configured at the IDP must meet for user SSO to Volcano Engine based on SAML 2.0.

SSO basic process

For the basic SSO process, see User SSO Overview.
The IDP sends the SAML response to Volcano Engine when a user who has logged in to the IDP requests to log in to Volcano Engine. Volcano Engine verifies the signature in the SAML response and parses the identity information of the current user carried in it, which gives users a secure and fast SAML SSO login.

SAML response parameter requirements

The basic format of a SAML response is as follows. Make sure that your SAML response follows the same structure as the example below, with none of these elements missing.

<samlp:Response>
    <saml:Issuer>${Issuer}</saml:Issuer>
    <ds:Signature>
        ...
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
    </samlp:Status>
    <saml:Assertion>
        <saml:Issuer>...</saml:Issuer>
        <ds:Signature>
            ...
        </ds:Signature>
        <saml:Subject>
            <saml:NameID>${NameID}</saml:NameID>
            <saml:SubjectConfirmation>
                ...
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions>
            <saml:AudienceRestriction>
                <saml:Audience>${Audience}</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement>
            ...
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>
The elements are explained below.

Issuer

The Issuer value must be the same as the EntityID element in the user SSO SAML metadata file that you upload in the Volcano Engine console settings. Volcano Engine validates this field to ensure that the identity provider requesting the login is one that has completed the trust configuration.

Signature

Based on the protocol specification, Volcano Engine requires that SAML responses be signed so that they can be validated against the security certificate in the IDP metadata file, which ensures the security and trustworthiness of the response content. Place the signature at the position shown in the Response example. The Signature must contain the signature value, the signature algorithm, and the related information.

Subject

Subject must contain the following elements:

  1. Exactly one NameID element, which specifies the Volcano Engine IAM user to log in. The NameID value must be the username of that IAM user; make sure the corresponding user exists.

  2. A SubjectConfirmation element in which each of the following attributes has exactly one valid value:

    1. NotOnOrAfter: specifies the end of the assertion's validity period, in UTC.

    2. Recipient: Volcano Engine checks this value to verify that it is indeed the intended recipient of the current response, so it must be https://signin.volcengine.com/saml/sso.

Example of Subject element:

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user1</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2022-11-28T12:26:14Z" Recipient="https://signin.volcengine.com/saml/sso"></saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
</saml:Subject>

Conditions

Within the Conditions element, you must include an AudienceRestriction element that contains exactly one valid Audience element specifying the audience of the response. Its value is fixed and must match the EntityID in the user SSO SAML metadata file provided by Volcano Engine, in the format https://signin.volcengine.com/${accountId}/saml_user/sso.

Example of Conditions element:

<saml:Conditions NotBefore="2022-11-28T12:20:14Z" NotOnOrAfter="2022-11-28T12:26:14Z">
    <saml:AudienceRestriction>
        <saml:Audience>https://signin.volcengine.com/${accountId}/saml_user/sso</saml:Audience>
    </saml:AudienceRestriction>
</saml:Conditions>
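The following Python script is an added example, not Volcano Engine code: it runs the Issuer, Signature, Subject and Conditions checks described above over a constructed sample response, so an IDP administrator can catch a wrong Recipient, Audience or NameID before testing the live login. The IdP EntityID https://idp.example.com/metadata, the account id 123456 and the PLACEHOLDER signature value are assumptions; the script checks presence and values only and does not verify the signature bytes.

```python
# Added example (not Volcano Engine code): pre-flight check of a SAML Response against the element
# rules above; returns the list of violations. Structure and values only, signature bytes still need xmlsec.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml when parsing responses from untrusted parties

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RECIPIENT = "https://signin.volcengine.com/saml/sso"  # fixed Recipient value from the page
# Constructed sample: idp.example.com, account id 123456 and the PLACEHOLDER signature are made up.
SIG = ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
       '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>{SIG}
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion><saml:Issuer>https://idp.example.com/metadata</saml:Issuer>{SIG}
    <saml:Subject><saml:NameID>user1</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2022-11-28T12:26:14Z" Recipient="{RECIPIENT}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://signin.volcengine.com/123456/saml_user/sso</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_NOW = datetime(2022, 11, 28, 12, 20, 14, tzinfo=timezone.utc)  # a moment when SAMPLE is still valid

def check_saml_response(xml_text, idp_entity_id, account_id, now=None):
    now, root, problems = now or datetime.now(timezone.utc), ET.fromstring(xml_text), []
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer does not match the IdP EntityID from the uploaded metadata")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Assertion missing"]
    for scope, node in (("Response", root), ("Assertion", assertion)):  # both must be signed
        if node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS) is None \
                or node.find("ds:Signature/ds:SignatureValue", NS) is None:
            problems.append(f"{scope} Signature lacks SignatureMethod or SignatureValue")
    name_ids = assertion.findall("saml:Subject/saml:NameID", NS)
    if len(name_ids) != 1 or not (name_ids[0].text or "").strip():
        problems.append("Subject must carry exactly one non-empty NameID (the IAM username)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != RECIPIENT:
        problems.append(f"Recipient must be {RECIPIENT}")
    expiry = scd.get("NotOnOrAfter", "") if scd is not None else ""
    if not expiry or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("NotOnOrAfter missing or already passed (assertion expired)")
    audiences = assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if [a.text for a in audiences] != [f"https://signin.volcengine.com/{account_id}/saml_user/sso"]:
        problems.append("Conditions needs exactly one Audience equal to the SP EntityID")
    return problems
```

Run with `now` left at its default and the sample reports only the expired NotOnOrAfter, which is the same outcome a replayed old response would get at the service provider.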

Next step

You can now try to log in to Volcano Engine. For the available login methods, see Multiple login methods for single sign-on.

Last updated: 2025.06.30 10:38:46