SAML Response for Role SSO

This article describes the requirements that the SAML Response generated by your identity provider (IdP) must meet for SAML 2.0-based role SSO to Volcano Engine.

SSO basic flow

For the basic SSO flow, see: Role SSO Overview.
When a user logs in at the IdP and requests to log in to Volcano Engine, the IdP sends a SAML Response to Volcano Engine. Volcano Engine verifies the signature on the SAML Response and parses the identity information of the current user carried in it; only a response that passes these checks results in a login, which is what makes SAML SSO both safe and fast.

SAML response parameter requirements

The basic structure of a SAML Response is shown below. Make sure the response your IdP generates has the same structure as the example, with no missing elements.

<samlp:Response> 
    <saml:Issuer>...</saml:Issuer> 
    <ds:Signature> 
        ... 
    </ds:Signature> 
    <samlp:Status> 
        ... 
    </samlp:Status> 
    <saml:Assertion > 
        <saml:Issuer>...</saml:Issuer> 
        <ds:Signature> 
            ... 
        </ds:Signature> 
        <saml:Subject> 
            <saml:NameID>${NameID}</saml:NameID> 
            <saml:SubjectConfirmation> 
                ... 
            </saml:SubjectConfirmation> 
        </saml:Subject> 
        <saml:Conditions> 
            <saml:AudienceRestriction> 
                <saml:Audience>${Audience}</saml:Audience> 
            </saml:AudienceRestriction> 
        </saml:Conditions> 
        <saml:AuthnStatement AuthnInstant="2022-11-28T12:23:13Z" SessionNotOnOrAfter="2022-11-29T12:23:14Z" SessionIndex="_843836cf-be88-4b39-8aac-29be31ad7894"> 
            ... 
        </saml:AuthnStatement> 
        <saml:AttributeStatement> 
            <saml:Attribute Name="https://www.volcengine.com/SAML/Attributes/SessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> 
                ... 
            </saml:Attribute> 
            <saml:Attribute Name="https://www.volcengine.com/SAML/Attributes/Identity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> 
                ... 
            </saml:Attribute> 
            <saml:Attribute Name="https://www.volcengine.com/SAML/Attributes/SessionDuration" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> 
                ... 
            </saml:Attribute> 
        </saml:AttributeStatement> 
    </saml:Assertion> 
</samlp:Response>
Issuer

The Issuer value must be identical to the EntityID element in the user SSO SAML metadata file that you upload in the Volcano Engine console. Volcano Engine checks this field to ensure that the identity provider requesting the login is one that has completed the trust configuration. As the structure above shows, Issuer appears both on the Response and on the Assertion.

Signature

As required by the SAML specification, Volcano Engine requires SAML Responses to be signed, and it validates the signature against the certificate in the IdP metadata file so that the content of the response can be trusted. Place the Signature elements at the positions shown in the Response example (on the Response and on the Assertion). Each Signature must contain the signature value, the signature algorithm and the other XML Signature information.

Subject

Subject must contain the following elements:

  1. Exactly one NameID element. Volcano Engine role SSO places no requirement on the NameID value, which usually identifies the enterprise user; specify it according to the SAML specification.

  2. A SubjectConfirmation element in which each of the following fields carries exactly one valid value:

    1. NotOnOrAfter: the time (UTC) after which the assertion is no longer valid.

    2. Recipient: Volcano Engine uses this field to verify that it is the intended recipient of the response. It must be https://signin.volcengine.com/saml/sso

Example of Subject element:

<saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">user1@company.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2022-11-28T12:26:14Z" Recipient="https://signin.volcengine.com/saml/sso"></saml:SubjectConfirmationData>
   </saml:SubjectConfirmation>
  </saml:Subject>

Conditions

The Conditions element must include an AudienceRestriction element that contains exactly one Audience element naming the audience of the response. Its value is fixed and must match the EntityID in the role SSO SAML metadata file provided by Volcano Engine: https://www.volcengine.com/
Example of the Conditions element:

<saml:Conditions NotBefore="2022-11-28T12:20:14Z" NotOnOrAfter="2022-11-28T12:26:14Z">
 <saml:AudienceRestriction>
  <saml:Audience>https://www.volcengine.com/</saml:Audience>
 </saml:AudienceRestriction>
</saml:Conditions>

AttributeStatement

The AttributeStatement element must include the following two Attribute elements and may include the third:

  1. Identity attribute. This attribute is required.

    1. The Name of the attribute is the fixed value https://www.volcengine.com/SAML/Attributes/Identity

    2. The value of the attribute declares the IAM role(s) used for the SSO login. It contains at least one attribute value and may contain several, so one enterprise user can be mapped to multiple roles; when there is more than one, they are listed on the login page for the user to choose from. Each value is a pair of TRNs in the format:

      trn:iam::${AccountID}:role/${RoleName},trn:iam::${AccountID}:saml-provider/${SAMLProviderName}
         Where AccountID is your Volcano Engine account ID, RoleName is the IAM role name, and SAMLProviderName is the name of the identity provider.

  2. Session name attribute. This attribute is required.

    1. The Name of the attribute is the fixed value https://www.volcengine.com/SAML/Attributes/SessionName

    2. The value of the attribute specifies the session name. You must include one attribute value; it can be customized and is used for display and auditing after login.

  3. Session duration attribute. This attribute is optional, and at most one may be present.

    1. The Name of the attribute is the fixed value https://www.volcengine.com/SAML/Attributes/SessionDuration

    2. The value of the attribute specifies how long the role session lasts. If the attribute is omitted, the role session lasts the default 3600 seconds. If it is present, it must carry one attribute value between 900 and 43200 (seconds), which becomes the session duration.

Example of the AttributeStatement element:

<saml:AttributeStatement>
   <saml:Attribute Name="https://www.volcengine.com/SAML/Attributes/Identity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">trn:iam::${AccountID}:role/role1,trn:iam::${AccountID}:saml-provider/onelogin</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="https://www.volcengine.com/SAML/Attributes/SessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">sessionNameForRole</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="https://www.volcengine.com/SAML/Attributes/SessionDuration" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">7200</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
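To make the requirements above concrete, the following Python script is an added example (not code from the Volcano Engine documentation or SDK) that parses a constructed SAML Response and checks every rule on this page: Issuer on both the Response and the Assertion, presence of both Signature elements, exactly one NameID, the Recipient and NotOnOrAfter of SubjectConfirmationData, the Conditions validity window and the single fixed Audience, and the three Volcano Engine attributes, including the TRN pair format of each Identity value and the 900 to 43200 second SessionDuration range. The IdP EntityID https://idp.example.com/metadata, the account ID 2100000000 and all timestamps are assumptions invented for the example; the Signature check is presence-only, because real XML-DSig verification against the certificate in the IdP metadata needs a signature library and is not shown here.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RECIPIENT = "https://signin.volcengine.com/saml/sso"
AUDIENCE = "https://www.volcengine.com/"
ATTR_IDENTITY = "https://www.volcengine.com/SAML/Attributes/Identity"
ATTR_SESSION_NAME = "https://www.volcengine.com/SAML/Attributes/SessionName"
ATTR_SESSION_DURATION = "https://www.volcengine.com/SAML/Attributes/SessionDuration"
# trn:iam::${AccountID}:role/${RoleName},trn:iam::${AccountID}:saml-provider/${SAMLProviderName}
IDENTITY_RE = re.compile(r"^trn:iam::(?P<acct>[^:,]+):role/(?P<role>[^,]+),"
                         r"trn:iam::(?P<acct2>[^:,]+):saml-provider/(?P<provider>[^,]+)$")
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # constructed, as are account 2100000000 and the times below
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2022-11-28T12:23:14Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-11-28T12:23:14Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">user1@company.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2022-11-28T12:26:14Z" Recipient="{RECIPIENT}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2022-11-28T12:20:14Z" NotOnOrAfter="2022-11-28T12:26:14Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ATTR_IDENTITY}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>trn:iam::2100000000:role/role1,trn:iam::2100000000:saml-provider/onelogin</saml:AttributeValue>
        <saml:AttributeValue>trn:iam::2100000000:role/role2,trn:iam::2100000000:saml-provider/onelogin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ATTR_SESSION_NAME}"><saml:AttributeValue>user1@company.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{ATTR_SESSION_DURATION}"><saml:AttributeValue>7200</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
DEMO_NOW = datetime(2022, 11, 28, 12, 23, 30, tzinfo=timezone.utc)  # inside the sample's validity window

def _ts(value):
    # SAML UTC timestamp such as 2022-11-28T12:26:14Z -> timezone-aware datetime
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)

def _attributes(assertion):
    """Attribute Name -> stripped AttributeValue strings; repeated Names are merged so duplicates get counted."""
    attrs = {}
    for at in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs.setdefault(at.get("Name"), []).extend((v.text or "").strip() for v in at.findall("saml:AttributeValue", NS))
    return attrs

def validate_response(xml_text, idp_entity_id, now):
    """Return the requirements the response violates; an empty list means every check here passed."""
    errs, root = [], ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    for label, el in (("Response", root), ("Assertion", a)):
        if (el.findtext("saml:Issuer", namespaces=NS) or "").strip() != idp_entity_id:
            errs.append(f"{label} Issuer does not match the EntityID from the IdP metadata")
        # Presence only: verifying the XML-DSig against the IdP certificate needs a signature library.
        if el.find("ds:Signature", NS) is None:
            errs.append(f"{label} is not signed")
    if len(a.findall("saml:Subject/saml:NameID", NS)) != 1:
        errs.append("Subject must contain exactly one NameID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != RECIPIENT:
        errs.append(f"SubjectConfirmationData Recipient must be {RECIPIENT}")
    if scd is None or not scd.get("NotOnOrAfter") or now >= _ts(scd.get("NotOnOrAfter")):
        errs.append("SubjectConfirmationData NotOnOrAfter missing or expired")
    cond = a.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        errs.append("assertion not yet valid (Conditions NotBefore)")
    if cond is not None and cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        errs.append("assertion expired (Conditions NotOnOrAfter)")
    auds = a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if len(auds) != 1 or (auds[0].text or "").strip() != AUDIENCE:
        errs.append(f"AudienceRestriction must contain exactly one Audience equal to {AUDIENCE}")
    # Attributes: Identity (one or more TRN pairs), SessionName (one value), SessionDuration (at most one, 900..43200).
    attrs = _attributes(a)
    idents = attrs.get(ATTR_IDENTITY, [])
    if not idents:
        errs.append("Identity attribute missing or has no value")
    for ident in idents:
        m = IDENTITY_RE.match(ident)
        if not m or m["acct"] != m["acct2"]:  # role and saml-provider must belong to the same account
            errs.append(f"malformed Identity value: {ident}")
    names = attrs.get(ATTR_SESSION_NAME, [])
    if len(names) != 1 or not names[0]:
        errs.append("SessionName attribute must carry exactly one non-empty value")
    durs = attrs.get(ATTR_SESSION_DURATION, [])
    if len(durs) > 1 or (durs and not (durs[0].isdigit() and 900 <= int(durs[0]) <= 43200)):
        errs.append("SessionDuration must be a single integer between 900 and 43200 seconds")
    return errs

def parse_identities(xml_text):
    """(AccountID, RoleName, SAMLProviderName) for each Identity value, in the order the IdP listed them."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    return [(m["acct"], m["role"], m["provider"]) for m in map(IDENTITY_RE.match, _attributes(a).get(ATTR_IDENTITY, [])) if m]
```

validate_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, DEMO_NOW) returns an empty list for the constructed response, and parse_identities returns the two (AccountID, RoleName, SAMLProviderName) tuples that the login page would offer because the Identity attribute carries two roles. Changing the Audience, moving the clock past NotOnOrAfter, or passing a different IdP EntityID each produces the corresponding violation. Because _attributes merges repeated Attribute elements with the same Name, a second SessionDuration attribute is caught by the same at-most-one check as a second AttributeValue.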

Next step

You can now try logging in to Volcano Engine. For the available login methods, see: Multiple login methods for single sign-on.

Last updated: 2025.06.30 10:38:46