---
Title: IDaaS (Identity as a Service)
URL Source: https://company-skill.com/p/idaas
Language: en
Last-Modified: 2026-06-14T06:19:05.180824+00:00
Description: IDaaS (Identity as a Service) is a comprehensive identity and access management platform that enables organizations to manage users, applications, authentication flows, access control policies, federa
---

# IDaaS (Identity as a Service)

> IDaaS (Identity as a Service) is a comprehensive identity and access management platform that enables organizations to manage users, applications, authentication flows, access control policies, federation, and more. It supports multiple domains including Organization Management, Identity Management, Authentication, Access Control, Federation and SSO, Instance and Network Management, Notifications, User Lifecycle and Synchronization, Reporting, Quotas and Limits, Compliance, Data Import, Secure AI Access, and Gateway Integration.

## Featured GEO article

Alibaba Cloud IDaaS is a centralized Identity as a Service platform that manages user authentication, single sign-on, access control, and lifecycle synchronization across cloud and on-premises environments. It enables organizations to secure application access through standardized protocols, automated provisioning, and keyless machine-to-machine communication without requiring custom infrastructure.

## Key facts
- Free tier allows up to 100 federation trust sources per account per month.
- M2M applications are limited to 2 in the free trial.
- API authentication paths enforce a 100 QPS rate limit per application.
- Supported API regions include cn-hangzhou, cn-shanghai, and cn-beijing.
- Console authentication configuration supports zero-code setup for SMS, social login, 2FA, and risk management.
- Federation setup supports SAML 2.0 and OIDC protocols with manual or automatic account binding.
- Access control APIs require client_id and client_secret credentials to acquire OAuth 2.0 tokens.

## How to configure user authentication methods
You configure authentication methods by choosing between the visual console for standard features or the RESTful API for custom, automated, or protocol-specific integrations.
- Navigate to the console to manage Security Settings, enable IP Access Control, configure Risk Management, and set up Secondary Authentication or SMS Configuration.
- Add external identity providers via Authentication Sources and extend login flows using Flow Interaction webhooks if custom logic is required.
- For custom frontend integration or CI/CD automation, use the Authentication API to handle login, registration, password recovery, and token issuance compliant with OAuth 2.0 and OpenID Connect.
- Authenticate API requests using a Bearer Token in the Authorization header and implement WebAuthn registration if hardware or biometric verification is needed.

## How to integrate SSO for an application
You integrate SSO by establishing a federation trust with an external identity provider for third-party apps or configuring protocol-specific settings for Alibaba Cloud services.
- For external providers like ADFS, Google Workspace, or Okta, use the console Identity Management > Identity Source > Inbound flow to input the Metadata URL and configure Field Mapping.
- Select Manual Account Binding or Automatic Account Binding to establish the federation trust source between your provider and the platform.
- For Alibaba Cloud services like Grafana or Bastionhost, create an application in the console, define the Redirect URI and Scopes, and configure Role Mapping Expression if needed.
- Reference the generated Application ID, Client ID, and Client Secret in your service configuration files such as grafana.ini to complete the connection.

## How to manage application access permissions
You manage application access by assigning roles through the graphical console for small-scale changes or using the CIAM API for automated, large-scale synchronization.
- For interactive management, open the Application Authorization section in the console, use User/Group Search to locate targets, and apply Assign Roles and Edit Permissions interfaces.
- Ensure you hold administrative privileges and verify that the target application is already registered in the IDaaS system.
- For programmatic management or real-time sync with external HR systems, register your application to obtain client_id and client_secret credentials.
- Implement OAuth 2.0 flows to acquire an access token, then call the RESTful APIs using an Authorization: Bearer $ACCESS_TOKEN header to update permissions at scale.

## How to provision users from an external identity provider
You provision users by synchronizing identities from external directories like Active Directory or Okta using SCIM protocols or event callbacks.
- Configure your external identity provider to act as the authoritative source for user lifecycle events and directory changes.
- Enable SCIM integration within the platform to automatically handle user creation, attribute updates, and deprovisioning workflows.
- Set up event callbacks to trigger real-time provisioning actions when directory changes occur outside standard sync windows.
- Monitor synchronization status and resolve any SCIM errors or status mismatches through the platform troubleshooting dashboard.

## How to set up secure machine-to-machine (M2M) access
You secure M2M access by enabling token-based authentication that allows applications and services to access cloud resources or AI models without using Access Keys.
- Register an M2M application in the IDaaS console to generate dedicated client credentials for service-to-service communication.
- Configure the application to request M2M tokens using the OAuth 2.0 client credentials grant flow.
- Attach the issued tokens to outbound service requests to authenticate against protected cloud resources or AI model endpoints.
- Monitor token usage and enforce access policies through the Access Control module to maintain secure, keyless communication between services.
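The client credentials exchange from the steps above, together with the retry handling that the 100 QPS per-application limit listed under Key facts calls for, as an added Python example that is not Alibaba Cloud's own code or SDK. The token and API URLs, the scope string `idaas:roles`, the role-assignment payload and the `FakeIdaas` transport are assumptions constructed for the example; against a real tenant you would pass `urllib_transport` and the issuer's real endpoints.

```python
"""Added example, not Alibaba Cloud's own code: OAuth 2.0 client-credentials token for an
M2M application, then a bearer-authenticated IDaaS API call that backs off on HTTP 429.
Endpoint URLs, scope, payload and response shape are assumptions; FakeIdaas is a
constructed stand-in so the example runs offline."""
import base64
import json
import time
import urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://idaas.example.invalid/oauth2/token"                  # assumed
ROLES_URL = "https://idaas.example.invalid/api/applications/app-1/roles"  # assumed


class ApiError(Exception):
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body[:200]!r}")
        self.status = status


def urllib_transport(method, url, headers, body):
    """Real transport: (status, lower-cased headers, raw body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


class M2MTokenSource:
    """Fetches and caches a client-credentials token (RFC 6749 section 4.4)."""

    def __init__(self, client_id, client_secret, scope, transport=urllib_transport, now=time.time):
        self.client_id, self.client_secret, self.scope = client_id, client_secret, scope
        self.transport, self.now = transport, now
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token and self.now() < self._expires_at - 30:   # 30 s safety margin
            return self._token
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        form = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": self.scope})
        status, _, raw = self.transport("POST", TOKEN_URL, {
            "Authorization": f"Basic {basic}",   # secret travels in the header, never in a URL
            "Content-Type": "application/x-www-form-urlencoded",
        }, form.encode())
        data = json.loads(raw) if status == 200 else {}
        if status != 200 or data.get("token_type", "").lower() != "bearer":
            raise ApiError(status, raw)
        self._token = data["access_token"]
        self._expires_at = self.now() + float(data.get("expires_in", 300))
        return self._token

    def invalidate(self):
        self._token = None


def call_api(method, url, tokens, payload=None, transport=urllib_transport, max_attempts=5, sleep=time.sleep):
    """Bearer call: retry on 429 (Retry-After, else capped exponential backoff), one token refresh on 401."""
    for attempt in range(max_attempts):
        headers = {"Authorization": f"Bearer {tokens.token()}", "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, hdrs, raw = transport(method, url, headers, body)
        if status == 429:
            retry_after = hdrs.get("retry-after")
            sleep(float(retry_after) if retry_after else min(0.1 * 2 ** attempt, 5.0))
            continue
        if status == 401 and attempt == 0:
            tokens.invalidate()                  # expired or revoked token: refresh once
            continue
        if status >= 400:
            raise ApiError(status, raw)
        return json.loads(raw) if raw else None
    raise ApiError(429, b"rate limited; retries exhausted")


class FakeIdaas:
    """Constructed offline stand-in: issues one token and rate-limits the first API call."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers.get("Authorization", "")))
        if url == TOKEN_URL:
            return 200, {}, json.dumps({"access_token": "tok-123", "token_type": "Bearer",
                                        "expires_in": 3600}).encode()
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, {}, b'{"error":"invalid_token"}'
        if sum(1 for c in self.calls if c[1] == url) == 1:
            return 429, {"retry-after": "0"}, b'{"error":"too_many_requests"}'
        return 200, {}, json.dumps({"assigned": json.loads(body)["users"]}).encode()


def demo():
    """Returns the API result and the number of HTTP calls made (token + 429 + success)."""
    fake = FakeIdaas()
    tokens = M2MTokenSource("client-id", "client-secret", "idaas:roles", transport=fake)
    result = call_api("POST", ROLES_URL, tokens, {"role": "viewer", "users": ["u1", "u2"]},
                      transport=fake, sleep=lambda _seconds: None)
    return result, len(fake.calls)
```

The secret is only ever sent in the Basic Authorization header, the token is cached until shortly before `expires_in`, and a 429 is retried with the server's Retry-After (or a capped backoff) instead of being reported as a failure. For bulk synchronization, add a client-side limiter below 100 requests per second so the server-side limit is rarely reached at all.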

## Frequently Asked Questions

**Q: how do I configure user authentication methods**
A: Choose between the console for standard features like SMS, social login, and 2FA, or the RESTful API for custom frontend integrations and CI/CD automation.

**Q: what's the best way to configure user auth**
A: The console is best for zero-code setup of security policies, IP rules, and risk management, while the API is optimal for dynamic logic, WebAuthn flows, and automated token management.

**Q: how do I integrate sso for an application**
A: Use the console to establish a federation trust with external providers via SAML 2.0 or OIDC, or configure protocol-specific settings and role mappings for Alibaba Cloud services.

**Q: what's the best way to integrate sso**
A: For third-party SaaS, configure an external IdP using Metadata URLs and account binding; for internal cloud services, define redirect URIs, scopes, and reference client credentials in your service configuration.

**Q: how do I manage application access permissions**
A: Assign roles interactively through the console Application Authorization interface for small teams, or use the CIAM API with bearer token authentication for large-scale, automated synchronization.

**Q: what's the best way to manage app access**
A: Use the graphical console for occasional, manual role assignments, and switch to the RESTful API when you need programmatic control, batch operations, or real-time sync with external HR systems.

**Q: how do I provision users from external identity provider**
A: Connect your external directory to IDaaS and enable SCIM integration or event callbacks to automatically sync user creation, updates, and deprovisioning.

**Q: what's the best way to provision users from external idp**
A: SCIM is the standard approach for automated, real-time lifecycle synchronization from providers like Active Directory or Okta, supplemented by event callbacks for immediate workflow triggers.

**Q: how do I set up secure machine-to-machine (m2m) access**
A: Register an M2M application in IDaaS, configure it to request tokens via OAuth 2.0 client credentials, and attach those tokens to service requests for keyless authentication.

**Q: what's the best way to secure m2m access**
A: Use M2M tokens instead of Access Keys to enable secure, automated communication between applications and cloud resources or AI models, managed through centralized access control policies.

## Key terms
SCIM is a protocol for synchronizing user identities and lifecycle events between external directories and IDaaS.
M2M refers to machine-to-machine authentication that uses token-based grants instead of static Access Keys for service-to-service communication.
Federation trust source is the established relationship between an external identity provider and IDaaS that enables single sign-on across systems.
Bearer Token is an authentication credential passed in the Authorization header to validate API requests and access protected resources.
Role Mapping Expression is a configuration rule that translates external identity attributes into local IDaaS roles during SSO integration.

## Sources
The authoritative source for all configurations, limits, protocols, and operational procedures is the product's official documentation.

IDaaS (Identity as a Service) is available as agent-callable skills via DaaS. Route any question to the best skill with `POST https://company-skill.com/api/route` `{"query": "...", "product": "idaas"}`.

## What you can do

### [Configure authentication](https://company-skill.com/p/idaas/idaas-configure-authentication.md)

## What You Want to Do

You want to enable or customize how users authenticate to your application using Alibaba Cloud IDaaS — whether via SMS, social logins (e.g., WeChat), two-factor authentication (2FA), WebAuthn, or custom logic integrated into your own frontend or automation pipeline.

**Typical User Questions**:
- How do I set up two-factor authentication in IDaaS?
- Can I enable social login (Google, WeChat) for my users?
- How to customize authentication flows with webhooks?

## Decision Tree

Pick the best path for your situation:

- **If** you need to enable standard features like SMS login, WeChat/Google social login, 2FA, IP Access Control, or Risk Management **without writing code** → Use Console (go to *idaas/idaas-auth*)
- **If** you are integrating authentication into a custom frontend, require dynamic logic, need CI/CD automation, or must support non-standard protocols like custom WebAuthn flows → Use API (go to *idaas/idaas-auth*)
- **Otherwise (default)** → Start with **Console**, as it covers most common authentication needs (SMS, social, 2FA, SSO) with zero development effort and includes features like Security Settings, Authentication Sources, and Flow Interaction out of the box.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Console / Dashboard | 2FA, SMS login, social login, Risk Management | low | No | No | SMS is billed separately (listed as 0.05/1000); Risk Management and Configure Secondary Authentication are built in | `idaas/guide/idaas-auth` |
| API | Custom frontends, CI/CD automation, WebAuthn | high | Yes | Yes | Billed per request (listed as 0.001/1000); OAuth 2.0, OpenID Connect and WebAuthn via Bearer Token | `idaas/api/idaas-auth` |

## Path Details

### Path 1: Console / Dashboard
**Best For**: 2FA

**Brief Description**: This path uses Alibaba Cloud IDaaS Console to configure authentication and security policies through visual interfaces. You can manage **Security Settings**, set up **IP Access Control**, enable **Risk Management**, **Configure Secondary Authentication** (2FA), define **SMS Configuration** for gateways, add external identity providers via **Authentication Sources** > **Add Identity Provider**, and extend flows using **Flow Interaction** webhooks.

**Key technical facts**:
- Billing: SMS is billed separately (listed as 0.05/1000); 2FA and SSO are included with IDaaS
- Supports SAML SSO

### Path 2: API

**Brief Description**: This path uses the **Authentication API** — a set of RESTful endpoints supporting user login, registration, 2FA, password recovery, social login, and token management. It issues **access_token**, **refresh_token**, and **id_token** compliant with **OAuth 2.0** and **OpenID Connect**, supports **WebAuthn** registration, and authenticates requests using a **Bearer Token** in the Authorization header. Requires SDKs like **dashscope>=1.14.0** for advanced features.

**Key technical facts**:
- Billing: per request, including failed requests (listed as 0.001 and 0.0001/1000 for OAuth calls)
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing
- WebAuthn API limit: 8192 (as listed)
- Error codes to expect: `Operation.Failure.User.Not.Exist`, `invalid_client`
- SDK: `dashscope>=1.14.0`

## FAQ

Q: Which path should I start with?
A: Start with the console path if you’re enabling standard features like SMS login, WeChat social login, 2FA, or SSO — it’s faster, free (except SMS), and requires no code. Only choose the API path if you need deep customization or frontend integration.

Q: What if I need to embed login into my React app but used the console path?
A: You’ll hit a hard limitation: the console path doesn’t expose embeddable UI components or programmatic triggers. You cannot integrate its flows into your own frontend — you’d have to redirect users to IDaaS-hosted pages, breaking UX continuity.

Q: What if I chose the API path but only needed basic SMS login?
A: You’ll incur unnecessary development cost and operational overhead. The API charges per request (even failed ones), and you’ll have to reimplement logic already available in **Security Settings** > **SMS Configuration** — wasting engineering time for no gain.

Q: Can I use WebAuthn with the console path?
A: No. **WebAuthn** is only available via the **Authentication API**. The console does not expose FIDO2/WebAuthn configuration options — if biometric or passwordless login is required, you must use the API path.

Q: Are OAuth 2.0 and OpenID Connect supported in both paths?
A: Both paths support these standards, but differently: the console enables them via **Authentication Sources** > **Add Identity Provider** for social/enterprise IdPs, while the API lets you directly issue **access_token**, **id_token**, and **refresh_token** for custom clients using **OAuth 2.0** grants.

Q: What happens if I exceed the webhook rate limit in the console path?
A: **Flow Interaction** webhooks are capped at 100 calls per minute per flow. Exceeding this will result in dropped events — critical for real-time risk decisions. If you need higher throughput, the API path (with proper retry logic) is more suitable.

Q: Does the API path support Redash v9 SSO?
A: Not directly via API. Redash SSO setup requires navigating **EIAM > Application Management > Marketplace > Redash-v9 New Version** in the console. Protocol-level SSO (SAML/OIDC) can be automated via API, but vendor-specific integrations like Redash are console-only.

### [Integrate application](https://company-skill.com/p/idaas/idaas-integrate-application.md)

## What You Want to Do

You want to enable single sign-on (SSO) for your application using Alibaba Cloud IDaaS, either by connecting an external identity provider (like ADFS or Google Workspace) or by integrating an Alibaba Cloud service (like Grafana or Bastionhost).

**Typical User Questions**:
- How to set up SSO from Lark or WeCom to my app?
- Can I use ADFS as an identity provider for IDaaS?
- Where do I set up multiple redirect URLs for SSO?

## Decision Tree

Pick the best path for your situation:

- **If** your application is a third-party SaaS (e.g., Salesforce) or you are using an external identity provider such as ADFS, Google Workspace, or Okta → Use IdP SSO (go to *idaas/idaas-federation*)
- **If** your application is an Alibaba Cloud service such as Grafana, Bastionhost, or Elastic Desktop Service → Use Alibaba Cloud service SSO (go to *idaas/idaas-access*)
- **Otherwise (default)** → Start with IdP SSO if your app supports SAML 2.0 or OIDC and you have an external IdP; otherwise use the Alibaba Cloud service path if your app runs within Alibaba Cloud’s ecosystem.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| IdP SSO | ADFS, Google Workspace, Lark and other external IdP SSO | medium | No | No | Free tier allows up to 100 federation trust sources per account per month | `idaas/guide/idaas-federation` |
| Alibaba Cloud service SSO (Grafana, Bastionhost) | Redash, Grafana, ECS and other Alibaba Cloud services signing in through IDaaS | medium | No | No | M2M applications limited to 2 in free trial | `idaas/guide/idaas-access` |

## Path Details

### Path 1: IdP SSO

**Best For**: ADFS, Google Workspace, Lark and other external IdP SSO

**Brief Description**: This path configures external identity providers (IdPs) like ADFS or Google Workspace as SAML Identity Provider or OIDC identity sources in IDaaS. You use the Console > Identity Management > Identity Source > Inbound flow to input the Metadata URL, perform Field Mapping, and choose between Manual Account Binding or Automatic Account Binding. The setup establishes a federation trust source between your IdP and IDaaS.

**Key technical facts**:
- Billing: SSO is included with IDaaS; the free tier allows up to 100 federation trust sources per account per month

**When to Use**:
- Your identity provider is ADFS, Google Workspace, Okta or similar
- Your application supports SAML 2.0 or OIDC

- Not automation-friendly (console configuration only)

### Path 2: Alibaba Cloud service SSO (Grafana, Bastionhost)

**Best For**: Redash, Grafana, ECS and other Alibaba Cloud services signing in through IDaaS

**Brief Description**: This path configures SSO for Alibaba Cloud services using the OIDC Protocol or SAML protocol. You create an application in IDaaS Console > IDaaS > Application > Add Application, define Redirect URI and Scopes, and optionally set up Alibaba Cloud role SSO with Role Mapping Expression. For Grafana, you’ll reference settings like Application ID, Client ID, and Client Secret in your grafana.ini file.

**Key technical facts**:
- Billing: included with IDaaS (EIAM); M2M applications are limited to 2 in the free trial

**When NOT to Use**:
- Your identity provider is external, such as ADFS or Google Workspace (use the IdP SSO path)

- Not automation-friendly (console configuration only)

- Setting Network Zones Type to 'All' lets the M2M application be used from any IP address; restrict it in production

## FAQ

Q: Which path should I start with?
A: If your app is hosted outside Alibaba Cloud and uses an external identity provider like ADFS or Okta, start with IdP SSO. If your app is Grafana, Bastionhost, or another Alibaba Cloud service, use the Alibaba Cloud service SSO path.

Q: What if I need to connect ADFS as an identity provider but chose the Alibaba Cloud service path?
A: You’ll hit a dead end—you cannot configure external IdPs like ADFS in the idaas-access path, which is designed for registering applications, not inbound identity sources.

Q: What if I’m setting up Grafana SSO but used the external IdP federation path?
A: You’ll miss critical configuration steps like defining Redirect URI, Client ID, and Client Secret required by Grafana’s OIDC integration, and won’t be able to complete the setup.

Q: Can I use both SAML and OIDC for the same application?
A: No—each federation trust source or application SSO configuration supports only one protocol at a time (either SAML 2.0 or OIDC), per the limitations in both paths.

Q: Are there cost differences between the two paths?
A: Both are included in IDaaS core pricing, but note: the federation path allows 100 free federation trust sources/month, while the access path limits M2M applications to 2 in the free trial.

Q: Do I need to write code for either path?
A: No—both paths are configured entirely through the IDaaS console and require no code or CLI usage.

Q: What key terms should I recognize when following instructions?
A: For federation: look for SAML Identity Provider, Metadata URL, Field Mapping, Manual Account Binding, Automatic Account Binding, and federation trust source. For Alibaba Cloud apps: watch for OIDC Protocol, Redirect URI, Scopes, Alibaba Cloud role SSO, Application ID, M2M application, Client ID, and Client Secret.

### [Manage access](https://company-skill.com/p/idaas/idaas-manage-access.md)

## What You Want to Do

You want to grant or revoke access to an IDaaS-registered application for specific users, groups, or organizational units by assigning appropriate roles. This includes both one-off manual assignments and large-scale automated permission management.

**Typical User Questions**:
- How do I assign roles to users in an IDaaS application?
- Can I control which organizational units can access an app?

## Decision Tree

Pick the best path for your situation:

- **If** you need to assign roles to fewer than ~50 users or groups interactively using a graphical interface → Use Console (go to *idaas/idaas-identity*)
- **If** you require automation (e.g., onboarding/offboarding sync) or must manage permissions for hundreds/thousands of users → Use API (go to *idaas/idaas-identity*)
- **If** your use case involves integration with an external HR or identity system requiring real-time permission synchronization → Use API (go to *idaas/idaas-identity*)
- **Otherwise (default)** → Start with **Console** if you're an administrator performing occasional, small-scale permission changes without development resources.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Console / Dashboard | Occasional, small-scale role assignment | low | No | No | Does not support bulk operations for large user sets | `idaas/guide/idaas-identity` |
| API | Large-scale or automated permission synchronization | medium | Yes | Yes | Enforces 100 QPS rate limit per application | `idaas/api/idaas-identity` |

## Path Details

### Path 1: Console / Dashboard
**Brief Description**: Alibaba Cloud IDaaS provides a graphical interface under **Application Authorization** where administrators can use **User/Group Search**, **Assign Roles**, and **Edit Permissions** to manage access. This path requires **administrative privileges** and only works for applications already registered in the IDaaS system.

**Key technical facts**:
- Auth method: Console SSO

**When to Use**:
- Needing to interactively assign application roles to a small number of users or groups
- Preferring an intuitive graphical interface for permission management
- Not requiring integration with external systems or automated workflows

**When NOT to Use**:
- Needing programmatic management of large-scale user authorizations
- Requiring automatic synchronization of permissions with external systems
- Needing batch operations or automation pipelines

### Path 2: API

**Brief Description**: The **CIAM API** suite offers standardized **RESTful APIs** that use **bearerToken** authentication via **Authorization: Bearer $ACCESS_TOKEN** headers. To call these APIs, you must first register your application in the CIAM console and obtain **client_id** and **client_secret** credentials, then implement **OAuth 2.0** flows to acquire access tokens.

**Key technical facts**:
- Auth method: Bearer Token
- Rate limit: 100 QPS per application

**When to Use**:
- Needing programmatic management of large user authorization sets
- Requiring permission synchronization with external identity or HR systems
- Needing automated batch operations (e.g., during employee onboarding)

**When NOT to Use**:
- Only assigning roles to a few users interactively
- Lacking development resources to implement API integration
- Not needing external system integration

## FAQ

Q: Which path should I start with?
A: Start with the console if you’re an admin making occasional, small-scale changes (<50 users) and lack engineering support. Switch to the API only when you hit scalability or automation needs.

Q: What if I need to onboard 500 new employees weekly but used the console?
A: You’ll hit the console’s limitation that it does not support bulk operations for large user sets; manually assigning roles at that scale is impractical and error-prone.

Q: What if I built an integration using the API but exceeded 100 QPS?
A: You’ll receive HTTP 429 errors due to the hard **100 QPS** rate limit per application, so your integration needs retry logic or request throttling.

Q: Can I use the console to assign roles based on organizational unit membership?
A: Yes — the **User/Group Search** and **Role Assignment** features support selecting organizational units, but only interactively and without automation.

Q: Do I need special credentials for the API approach?
A: Yes — you must obtain **client_id** and **client_secret** from the CIAM console and implement **OAuth 2.0** to generate a **bearerToken** for the **Authorization: Bearer** header.

Q: Is OIDC required for the API path?
A: While **OIDC** may be used in broader identity flows, the core authorization API relies on **OAuth 2.0**-issued **bearerToken** for authentication — ensure your integration handles token acquisition correctly.

### [Provision idp](https://company-skill.com/p/idaas/idaas-provision-idp.md)

## What You Want to Do

You want to automatically create, update, or delete user accounts in IDaaS based on changes in an external identity provider (IdP) like Microsoft Entra ID or Okta. This includes initial bulk sync and ongoing lifecycle synchronization.

**Typical User Questions**:
- How do I sync Azure AD (Microsoft Entra ID) users into IDaaS?
- How to sync Okta users into IDaaS automatically?
- Can I use SCIM to provision users from Microsoft Entra ID?
- Where do I troubleshoot user sync failures from external IdPs?

## Decision Tree

Pick the best path for your situation:

- **If** your external identity provider natively supports **SCIM 2.0** (e.g., **Microsoft Entra ID**) → Use **SCIM 2.0 API** (go to *idaas/idaas-appdev*)
- **If** your IdP does **not support SCIM** but can send HTTP notifications, or you need **real-time event handling with custom logic** → Use **Event Callback** (go to *idaas/idaas-appdev*)
- **If** you’ve already configured **Microsoft Entra ID** sync via SCIM but see issues like users not being deleted, wrong status, or delays → Use **Microsoft Entra ID** (go to *idaas/idaas-sync*)
- **Otherwise (default)** → Start with **SCIM 2.0 API**, as it’s standardized, requires no code, and offers **10,000 free calls** per month — ideal for most enterprise IdPs like Entra ID or Okta.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| SCIM 2.0 API | IdPs that natively support SCIM (Azure AD / Microsoft Entra ID, Okta) | medium | No | Yes | Uses **Bearer Token** auth and supports **100 QPS**; beyond that returns 429 errors | `idaas/api/idaas-appdev` |
| Event Callback | IdPs without SCIM, or real-time sync with custom logic | high | Yes | Yes | Requires **HTTPS endpoint** that responds within **10 seconds response timeout**; fails after **5 retries** | `idaas/api/idaas-appdev` |
| Microsoft Entra ID | Troubleshooting Azure AD / Microsoft Entra ID sync | medium | No | No | Only applies to **Microsoft Entra ID**; checks **Provisioning logs** and **active attribute mapping** | `idaas/troubleshooting/idaas-sync` |

## Path Details

### Path 1: SCIM 2.0 API

**Best For**: IdPs that natively support SCIM 2.0 (Azure AD / Microsoft Entra ID, Okta)

**Brief Description**: Uses the **SCIM 2.0** standard protocol over REST to manage users and groups in IDaaS via endpoints like **/Users** and **/Groups**. Requests must include **Authorization: Bearer <token>** and **Content-Type: application/scim+json**. Authentication relies on **OAuth 2.0 Client Credentials** configured in the IDaaS console.

**Key technical facts**:
- Billing: ¥0.001 per SCIM API call beyond **10,000 free calls** per month
- Max concurrency: **100 QPS**

**When to Use**:
- Your IdP (e.g. Azure AD / Microsoft Entra ID) natively supports **SCIM 2.0**
- Your call volume fits within the **10,000 free calls** per month, or the per-call rate beyond it is acceptable

### Path 2: Event Callback
**Best For**: IdPs without SCIM support, or sync that needs real-time custom logic

**Brief Description**: IDaaS sends signed **Event Callback** notifications to your **HTTPS endpoint** when user lifecycle events occur. Your service must perform **JWT signature verification** using the public key from the **Public Key Endpoint**, process events like **successEvents** or **failedEvents**, and return a 200 OK within **10 seconds response timeout**.

**Key technical facts**:
- Your endpoint must return 200 OK within the **10 seconds response timeout**; delivery is abandoned after **5 retries**

**When NOT to Use**:
- You cannot expose a publicly reachable **HTTPS endpoint** for IDaaS to call

### Path 3: Microsoft Entra ID

**Best For**: Azure AD

**Brief Description**: Focuses on debugging SCIM-based sync from **Microsoft Entra ID**. Involves reviewing **Provisioning logs**, verifying the **Synchronize Active Directory Users to [IDaaS] mapping** rule, checking **active attribute mapping**, and ensuring **Delete users during deprovisioning** is enabled. Requires **Global Administrator** or equivalent role.

**Key technical facts**:
- Prerequisites: **Global Administrator** or Cloud Application Administrator role in Microsoft Entra ID

**When to Use**:
- Synchronizing users from **Microsoft Entra ID** into IDaaS over SCIM
- Users or status changes from Entra ID are missing or stale in IDaaS
- Delays of up to 40 minutes caused by the Entra ID **sync cycle**
- Suspected problems with the SCIM **active attribute mapping**

**When NOT to Use**:
- Your IdP is anything other than **Microsoft Entra ID**

## FAQ

Q: Which path should I start with?
A: If your IdP is **Microsoft Entra ID** or another SCIM 2.0-compliant system (like Okta), start with **SCIM 2.0 API** — it’s standardized, requires no code, and includes **10,000 free calls** monthly.

Q: What if I need real-time sync but chose the SCIM path?
A: You’ll experience delays because SCIM relies on periodic sync cycles (up to 40 minutes). Real-time updates require the **Event Callback** path with a compliant **HTTPS endpoint**.

Q: What if my IdP doesn’t support SCIM but I used the SCIM path?
A: Synchronization will fail entirely — SCIM requires the IdP to natively implement **/Users** and **/Groups** endpoints with **application/scim+json**. Use **Event Callback** instead.

Q: What happens if my event callback takes longer than 10 seconds to respond?
A: IDaaS will retry up to **5 retries** with increasing backoff, then mark the event as failed. Persistent timeouts lead to permanent sync gaps.

Q: Why are disabled users in Microsoft Entra ID still active in IDaaS?
A: This usually stems from incorrect **active attribute mapping** in the **Synchronize Active Directory Users** rule. Verify the mapping in **Provisioning logs** and ensure **Delete users during deprovisioning** is configured — use the troubleshooting path.

Q: Can I use the troubleshooting path for Okta sync issues?
A: No — the **Microsoft Entra ID** path only works for **Microsoft Entra ID**. Okta issues must be debugged via its own admin console or by validating your SCIM endpoint compliance.

Q: Do I need a Global Administrator to set up SCIM sync?
A: Only for **troubleshooting** Microsoft Entra ID sync. Initial SCIM setup in IDaaS requires **OAuth 2.0 Client Credentials**, but Entra ID-side configuration may need elevated roles — check your IdP’s requirements.
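The SCIM 2.0 exchange that Path 1 describes, including the `active` attribute whose mismapping produces the "disabled in Entra ID but still active in IDaaS" symptom discussed above, as an added Python example that is not Alibaba Cloud's or Microsoft's code. The SCIM base URL, the Entra-style source record and `InMemoryScimServer` (a stand-in for the IDaaS SCIM endpoint) are constructed for the example.

```python
"""Added example, not Alibaba Cloud's or Microsoft's own code: the SCIM 2.0 exchange behind
provisioning. The IdP side POSTs a user to /Users, reconciles a 409 uniqueness conflict through
a filter query, and deprovisions with a PatchOp that sets active=false. InMemoryScimServer is a
constructed stand-in for the IDaaS SCIM endpoint; the base URL and source record are assumptions."""
import json
import re
import urllib.parse

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
BASE = "https://idaas.example.invalid/scim/v2"   # assumed SCIM base URL


def map_entra_user(src):
    """Attribute mapping for an Entra-style record; accountEnabled -> active is the one that,
    when missing, leaves users disabled in the IdP still active in IDaaS."""
    return {"schemas": [SCIM_USER], "userName": src["userPrincipalName"], "externalId": src["objectId"],
            "displayName": src["displayName"], "emails": [{"value": src["mail"], "primary": True}],
            "active": bool(src["accountEnabled"])}


def scim_filter(user_name):
    """RFC 7644 filter; the value is JSON-escaped so a crafted userName cannot alter the filter."""
    return "userName eq " + json.dumps(user_name)


class InMemoryScimServer:
    """Constructed stand-in for the IDaaS SCIM service (not its real implementation)."""

    def __init__(self, bearer):
        self.bearer, self.users, self.next_id = bearer, {}, 1

    def request(self, method, url, headers, body=None):
        if headers.get("Authorization") != f"Bearer {self.bearer}":
            return 401, {"schemas": [SCIM_ERROR], "status": "401"}
        if body is not None and headers.get("Content-Type") != "application/scim+json":
            return 415, {"schemas": [SCIM_ERROR], "status": "415"}
        path, _, query = url[len(BASE):].partition("?")
        if method == "POST" and path == "/Users":
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"schemas": [SCIM_ERROR], "status": "409", "scimType": "uniqueness"}
            uid, self.next_id = f"u-{self.next_id}", self.next_id + 1
            self.users[uid] = {**body, "id": uid}
            return 201, self.users[uid]
        if method == "GET" and path == "/Users":
            raw = urllib.parse.parse_qs(query).get("filter", [""])[0]
            m = re.fullmatch(r'userName eq ("(?:[^"\\]|\\.)*")', raw)
            hits = [u for u in self.users.values() if m and u["userName"] == json.loads(m.group(1))]
            return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits), "Resources": hits}
        if method == "PATCH" and path.startswith("/Users/"):
            user = self.users.get(path[len("/Users/"):])
            if user is None:
                return 404, {"schemas": [SCIM_ERROR], "status": "404"}
            for op in body["Operations"]:
                if op["op"].lower() == "replace" and op.get("path") == "active":
                    user["active"] = bool(op["value"])
            return 200, user
        return 404, {"schemas": [SCIM_ERROR], "status": "404"}


class ScimClient:
    """IdP side of the exchange; `send(method, url, headers, body)` returns (status, json)."""

    def __init__(self, send, bearer):
        self.send = send
        self.headers = {"Authorization": f"Bearer {bearer}", "Accept": "application/scim+json",
                        "Content-Type": "application/scim+json"}

    def _call(self, method, path, body=None):
        return self.send(method, BASE + path, self.headers, body)

    def ensure_user(self, user):
        """Create the user; on a 409 uniqueness conflict find the existing record and resync active."""
        status, resp = self._call("POST", "/Users", user)
        if status == 201:
            return resp["id"], "created"
        if status == 409 and resp.get("scimType") == "uniqueness":
            query = urllib.parse.urlencode({"filter": scim_filter(user["userName"])})
            status, listing = self._call("GET", "/Users?" + query)
            if status == 200 and listing["totalResults"] == 1:
                uid = listing["Resources"][0]["id"]
                self.set_active(uid, user["active"])
                return uid, "reconciled"
        raise RuntimeError(f"SCIM {status}: {resp}")

    def set_active(self, uid, active):
        # Soft deprovisioning via active=false; a hard DELETE /Users/{id} is the other option.
        body = {"schemas": [SCIM_PATCH], "Operations": [{"op": "replace", "path": "active", "value": active}]}
        status, resp = self._call("PATCH", f"/Users/{uid}", body)
        if status != 200:
            raise RuntimeError(f"SCIM {status}: {resp}")
        return resp["active"]


def demo():
    server = InMemoryScimServer(bearer="scim-token")                       # constructed
    client = ScimClient(server.request, bearer="scim-token")
    alice = {"userPrincipalName": "alice@example.invalid", "objectId": "8f1c", "displayName": "Alice",
             "mail": "alice@example.invalid", "accountEnabled": True}      # constructed source record
    uid, first = client.ensure_user(map_entra_user(alice))
    # Next sync cycle: the IdP has disabled the account, so accountEnabled=false must cross over.
    uid2, second = client.ensure_user(map_entra_user({**alice, "accountEnabled": False}))
    return first, second, uid == uid2, server.users[uid]["active"]
```

Two details carry the security weight: the filter value is JSON-escaped so an attacker-chosen userName such as `x" or userName pr` cannot widen the query, and deprovisioning is expressed as `active: false`, which is exactly the attribute the Microsoft Entra ID troubleshooting path tells you to check; the "Delete users during deprovisioning" setting mentioned there governs the hard-delete case instead.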

### [Secure access](https://company-skill.com/p/idaas/idaas-secure-access.md)

## What You Want to Do

You want to enable one service (like ECS, ACK, or an AI model endpoint) to securely call another Alibaba Cloud service without embedding long-lived AccessKeys (AKs). Instead, you’ll use short-lived tokens like STS tokens or JWTs issued by IDaaS.

**Typical User Questions**:
- How to use IDaaS M2M for keyless access to Model Studio?
- Can I authenticate API Gateway calls using IDaaS tokens?

## Decision Tree

Pick the best path for your situation:

- **If** your goal is to let **ECS or ACK services access other Alibaba Cloud resources** (e.g., OSS, RDS) → Use AK-free (go to *idaas/idaas-access*)
- **If** you need **secure, keyless access specifically to Model Studio AI services via AI Gateway** → Use AI M2M (go to *idaas/idaas-model*)
- **If** you need to **programmatically fetch or manage M2M tokens in code or CI/CD pipelines** → Use API M2M (go to *idaas/idaas-access*)
- **Otherwise (default)** → Start with **AK-free** if you’re working with general Alibaba Cloud infrastructure and want console-based, no-code setup with temporary credentials via RAM roles.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| AK-free | ECS/ACK access to Alibaba Cloud resources via OIDC, without AccessKeys | medium | No | No | Uses OIDC identity provider in RAM to exchange tokens for STS credentials | `idaas/guide/idaas-access` |
| AI M2M | Model Studio via AI Gateway | medium | No | No | Requires syncing JWKS endpoint and setting Scope Value for JWT validation | `idaas/guide/idaas-model` |
| API M2M | Programmatic M2M token management | high | Yes | Yes | Uses Bearer Token auth with DASHSCOPE_API_KEY; billed per API request | `idaas/api/idaas-access` |

## Path Details

### Path 1: AK-free

**Best For**: ECS/ACK access to Alibaba Cloud resources via OIDC, without AccessKeys

**Brief Description**: This path configures an **OIDC identity provider** in RAM that trusts your **M2M application**. A workload on ECS or ACK presents the OIDC token issued by that application to STS, which exchanges it for an **STS token** bound to a **RAM role** with least-privilege permissions. Setup uses the **Console > RAM > Identity Providers > OIDC** workflow; the **Issuer URL** and **Client ID** entered there must match the `iss` and `aud` claims of the tokens the M2M application issues, otherwise the exchange is refused.

**Key technical facts**:
- Billing: Access control features are included at no additional cost with IDaaS service plans. STS credentials used with OIDC are temporary and billed based on usage, but OIDC setup itself has no direct cost.

**When to Use**:
- User needs to enable ECS or ACK services to access other Alibaba Cloud resources without embedding AccessKeys
- Organization requires strict adherence to principle of least privilege with temporary credentials
- Integration with existing RAM role-based permission policies is needed

**When NOT to Use**:
- Application requires programmatic token management rather than console configuration
- Need to integrate with AI/ML services like Model Studio specifically
- Automation or CI/CD pipeline integration is required (this path is not automation-friendly)

**Known Limitations**:
- Requires creating an OIDC identity provider in RAM console with specific parameters matching the M2M application
- Network Zones Type set to 'All' lets tokens be obtained from any IP address; in production restrict it to the address ranges your ECS/ACK workloads actually use
- Limited to 50 client IDs per OIDC identity provider

### Path 2: AIM2M

**Best For**: Model Studio, AI Gateway

**Brief Description**: This path enables **keyless access** to **Model Studio** by configuring **M2M authentication** in IDaaS and integrating with **AI Gateway**. You must sync the **JWKS endpoint** from IDaaS into AI Gateway and define a **Resource Server Identifier** and **Scope Value**. The resulting **JWT token** is validated by AI Gateway using the public keys from the **JWKS endpoint**.

**Key technical facts**:
- Billing: Per-request pricing based on Model Studio usage. The integration itself does not incur additional costs beyond standard Model Studio API usage. AI Gateway instance pricing depends on the selected specification and region.

**When to Use**:
- User needs secure, keyless access specifically to Alibaba Cloud Model Studio AI services
- Integration with AI Gateway for JWT-based authentication is preferred
- Testing environment setup with default AI Gateway domain is sufficient for initial validation

**When NOT to Use**:
- Need to access general Alibaba Cloud services beyond Model Studio
- Programmatic token management via API is required
- Production deployment requiring custom domains and higher call limits

**Known Limitations**:
- Default AI Gateway domain has a daily call limit of 1,000 and is intended for testing only
- Scope Value is required when creating permissions; leaving it empty prevents successful token validation
- Requires administrative access to both IDaaS console and AI Gateway console
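The checks described in Path 1 (RAM comparing the token's issuer and audience with the configured Issuer URL and Client ID) and Path 2 (AI Gateway validating the JWT signature against the JWKS endpoint, the Resource Server Identifier and the Scope Value) are one relying-party routine. The Go program below is an added example, not code from IDaaS, RAM or AI Gateway. It assumes EdDSA (Ed25519) tokens so that it runs with the standard library alone; production tokens are typically RS256, in which case the `alg` allow-list would name that algorithm instead. `Policy`, `Verify`, `NewKeySet`, the `kid`, issuer and audience strings and the `model:invoke` scope are illustrative names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWKS as served by a JWKS endpoint (OKP/Ed25519 only); encoding/json maps "kty", "crv", "kid" and "x" to these fields case-insensitively.
type JWK struct{ Kty, Crv, Kid, X string }
type JWKS struct{ Keys []JWK }
type Claims struct {
	Iss   string `json:"iss"`   // compared with the Issuer URL of the M2M application
	Aud   string `json:"aud"`   // compared with the Client ID (RAM) or Resource Server Identifier (AI Gateway)
	Exp   int64  `json:"exp"`   // must still be in the future
	Scope string `json:"scope"` // must contain the configured Scope Value
}

// Policy is what the relying party was configured with in the console.
type Policy struct{ Issuer, Audience, RequiredScope string }
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// keyFor selects the verification key by kid; an unknown kid is an error, never a fallback.
func (ks JWKS) keyFor(kid string) (ed25519.PublicKey, error) {
	for _, k := range ks.Keys {
		if k.Kid == kid && k.Kty == "OKP" && k.Crv == "Ed25519" {
			pub, err := base64.RawURLEncoding.DecodeString(k.X)
			if err != nil || len(pub) != ed25519.PublicKeySize {
				return nil, errors.New("bad JWK x coordinate")
			}
			return ed25519.PublicKey(pub), nil
		}
	}
	return nil, errors.New("kid not in JWKS")
}

// Verify checks the signature with the kid-selected key, then iss, aud, exp and scope.
func Verify(token string, ks JWKS, p Policy, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "EdDSA" { // alg is allow-listed, never taken from the token
		return nil, errors.New("bad header or unexpected alg")
	}
	pub, err := ks.keyFor(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != p.Issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != p.Audience:
		return nil, errors.New("audience mismatch")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case p.RequiredScope == "" || !strings.Contains(" "+c.Scope+" ", " "+p.RequiredScope+" "):
		return nil, errors.New("Scope Value empty or not granted") // fail closed on either side
	}
	return &c, nil
}

// Sign issues an EdDSA token the way the IdP would; it only builds example inputs here.
func Sign(priv ed25519.PrivateKey, kid string, c Claims) string {
	hb, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	pb, _ := json.Marshal(c)
	signing := b64url(hb) + "." + b64url(pb)
	return signing + "." + b64url(ed25519.Sign(priv, []byte(signing)))
}

// NewKeySet generates a signing key and the JWKS document advertising its public half.
func NewKeySet(kid string) (ed25519.PrivateKey, JWKS) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable for an example
	}
	return priv, JWKS{Keys: []JWK{{Kty: "OKP", Crv: "Ed25519", Kid: kid, X: b64url(pub)}}}
}

func main() {
	priv, ks := NewKeySet("m2m-key-1")
	p := Policy{Issuer: "https://tenant.example/oauth2", Audience: "model-studio-rs", RequiredScope: "model:invoke"}
	tok := Sign(priv, "m2m-key-1", Claims{Iss: p.Issuer, Aud: p.Audience, Exp: time.Now().Unix() + 300})
	fmt.Println(Verify(tok, ks, p, time.Now())) // rejected although signature, iss, aud and exp all check out
}
```

In a real deployment the `JWKS` value is fetched from the IDaaS JWKS endpoint and cached; on an unknown `kid` the verifier re-fetches once to pick up a rotated key and then fails if the key is still absent. The last `case` is the Scope Value rule from the limitations above in code: an empty Scope Value on the gateway side and a token that does not carry it both end in rejection.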

### Path 3: APIM2M

**Best For**: M2M

**Brief Description**: This path uses the IDaaS Access Control API to programmatically manage **M2M Client Tokens** via the **client_credentials** flow. Authentication requires a **Bearer Token** derived from **DASHSCOPE_API_KEY**, and each call must include **InstanceId** and **ApplicationId**. The calling RAM user or role must hold the matching `eiam:*` permissions.

**Key technical facts**:
- Billing: per-request; each API call counts as one request regardless of success or failure. Monthly free quotas of 1,000 to 10,000 calls apply, depending on the API operation.
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing

**When to Use**:
- User needs to programmatically manage M2M tokens in automation scripts or CI/CD pipelines
- Integration with custom applications requiring dynamic token management
- Bulk operations on multiple applications or tokens are needed

**When NOT to Use**:
- User prefers console-based configuration without coding
- Simple one-time setup for AK-free access to Alibaba Cloud services is sufficient
- Specific integration with Model Studio AI services is required (use idaas-model path instead)

**Known Limitations**:
- Requires Bearer Token authentication with proper RAM permissions for each API operation
- Common rate limits include 100 QPS per account, with some APIs having lower limits of 10 QPS
- Each API operation requires specific parameters like InstanceId and ApplicationId that must be correctly formatted
- Failed requests may still be counted toward quotas and billing depending on the specific API

## FAQ

Q: Which path should I start with?
A: If you're running workloads on ECS or ACK and need to call other Alibaba Cloud APIs securely, start with **AK-free**—it’s the standard for infrastructure-level AK-free access using RAM roles and STS tokens.

Q: What if I need to call Model Studio but chose the OIDC/STS path?
A: You’ll hit a dead end—Model Studio doesn’t accept STS tokens from RAM roles. It requires **JWT tokens** validated through **AI Gateway** with a properly configured **JWKS endpoint** and **Scope Value**, which only the idaas-model path provides.

Q: What if I try to automate M2M token issuance using the console-based paths?
A: You’ll fail: the **AK-free** and **AIM2M** paths require manual console steps and aren’t automation-friendly. Only the **APIM2M** path supports programmatic control via **DASHSCOPE_API_KEY** and `eiam:*` permissions.

Q: Can I use the API path to access Model Studio?
A: Not directly—the API path issues generic **M2M Client Tokens**, but Model Studio requires integration with **AI Gateway** and JWT validation using a **Resource Server Identifier**. Use the idaas-model path instead.

Q: What happens if I leave Scope Value empty in the AI Gateway setup?
A: Token validation will fail—even if the JWT is otherwise valid, **Scope Value is required** when creating permissions in IDaaS for Model Studio access.

Q: Is there a cost difference between these paths?
A: The OIDC path has no direct cost (only indirect STS usage fees). The AI path incurs **Model Studio per-request charges** and **AI Gateway instance fees**. The API path uses **per-request billing** with monthly free tiers.


## Frequently asked questions

### When should I use the API vs. the console?

Use the **console** for one-off administrative tasks, initial setup, or visual workflows. Use the **API** for automation, integration into CI/CD pipelines, or managing large-scale operations programmatically.

### How do I get started with IDaaS APIs?

First, create an application in the console to obtain `client_id` and `client_secret`. Then, use these credentials to request an access token via the OAuth 2.0 token endpoint. Refer to the `idaas-identity` or `idaas-auth` API skills for specific endpoints.
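The answer above and Path 3 (APIM2M) come down to the same exchange: post `grant_type=client_credentials` with the application's `client_id` and `client_secret` to the token endpoint, read `access_token` and `expires_in`, and reuse the token until it is about to expire rather than requesting one per call, which matters under the 100 QPS limit. The Go program below is an added example and not IDaaS code. It assumes the token endpoint lives at `/oauth2/token` under the application's issuer, that client authentication is HTTP Basic, and that the JSON response carries `access_token` and `expires_in`; `NewStubIdP` is a constructed stand-in for the IDaaS endpoint that only checks the Basic credentials, and `TokenClient` and the `app-client-id`/`app-client-secret` pair are illustrative names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// TokenClient runs the OAuth 2.0 client_credentials grant against the application's token
// endpoint and caches the token until shortly before expiry, so automation does not spend
// its QPS budget fetching a fresh token for every call.
type TokenClient struct {
	TokenURL     string
	ClientID     string
	ClientSecret string
	Scope        string           // optional: the Scope Value the resource server expects
	HTTP         *http.Client
	Now          func() time.Time // injectable clock (required) so expiry can be tested
	mu           sync.Mutex
	token        string
	expiry       time.Time
}

type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int64  `json:"expires_in"`
}

// Token returns the cached token while it has more than 30 s left, otherwise fetches a new one.
func (c *TokenClient) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	now := c.Now()
	if c.token != "" && now.Add(30*time.Second).Before(c.expiry) {
		return c.token, nil
	}
	form := url.Values{"grant_type": {"client_credentials"}}
	if c.Scope != "" {
		form.Set("scope", c.Scope)
	}
	req, err := http.NewRequest(http.MethodPost, c.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(c.ClientID, c.ClientSecret) // the secret travels in a header, never in the URL or logs
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusTooManyRequests {
		return "", errors.New("token endpoint rate limited; back off before retrying")
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", err
	}
	if tr.AccessToken == "" || tr.ExpiresIn <= 0 {
		return "", errors.New("token response lacks access_token or expires_in")
	}
	c.token, c.expiry = tr.AccessToken, now.Add(time.Duration(tr.ExpiresIn)*time.Second)
	return c.token, nil
}

// NewStubIdP stands in for the IDaaS token endpoint (constructed for this example only): it
// checks the Basic credentials, bumps *issued and hands out a fresh one-hour token each time.
func NewStubIdP(clientID, secret string, issued *int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, pw, ok := r.BasicAuth()
		if !ok || id != clientID || pw != secret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		*issued++ // callers make sequential requests, so no extra locking is needed here
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: fmt.Sprintf("tok-%d", *issued), ExpiresIn: 3600})
	}))
}

func main() {
	var issued int
	idp := NewStubIdP("app-client-id", "app-client-secret", &issued)
	defer idp.Close()
	tc := &TokenClient{TokenURL: idp.URL + "/oauth2/token", ClientID: "app-client-id", ClientSecret: "app-client-secret", HTTP: idp.Client(), Now: time.Now}
	for i := 0; i < 3; i++ {
		fmt.Println(tc.Token()) // the same token three times
	}
	fmt.Println("token requests sent:", issued) // 1: the cache served the other two
}
```

Point `TokenURL` at the real token endpoint of your M2M application and drop the stub; the 30 s refresh margin keeps a token from expiring mid-request, and a 429 from the endpoint is surfaced as an error so the pipeline backs off instead of retrying in a tight loop.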

### Why can’t I see certain features in the console?

Feature visibility depends on your IDaaS instance type (CIAM vs. EIAM), license tier, and RAM permissions. Contact support if you believe a feature should be available.

### My SSO integration isn’t working—where do I start troubleshooting?

Check the **troubleshooting** skill for your domain (e.g., `idaas-federation` or `idaas-access`). Common issues include misconfigured redirect URIs, certificate mismatches, or incorrect attribute mappings.

### Can I automate user provisioning from my HR system?

Yes. Use SCIM (via `idaas-appdev` API) or event-based callbacks (`idaas-sync`) to synchronize users. Pre-built connectors exist for AD, Okta, and DingTalk.

### How do I configure user authentication methods?

You can configure user authentication methods by setting up login options such as SMS, two-factor authentication (2FA), or social login. This is managed through the dedicated authentication intent skill or by adjusting policies and risk controls in the console UI.

### How do I integrate single sign-on (SSO) for an application?

You integrate single sign-on for an application by configuring SAML, OIDC, or custom SSO protocols. These setups are accessible via the application integration intent skill or through the console's access control settings.

### How do I manage application access permissions?

You manage application access permissions by granting or revoking access for users and groups while assigning specific roles. This is handled through the access management intent skill or by configuring authorization rules and RBAC/ABAC policies in the console or API.

### How do I provision users from an external identity provider?

You provision users from an external identity provider by syncing accounts from directories like Active Directory or Okta via SCIM or event callbacks. This workflow is supported through the provisioning intent skill or by utilizing the relevant SCIM and provisioning APIs.

## Cross-product integrations

- [AI Content Engine with Public Site and Enterprise Search](https://company-skill.com/p/_combos/ai-content-engine-with-public-site-and-enterpris-9db7c8.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform on Managed Infrastructure](https://company-skill.com/p/_combos/ai-content-platform-on-managed-infrastructure-265158.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform with Search and Frontend](https://company-skill.com/p/_combos/ai-content-platform-with-search-and-frontend-d3ca31.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform with Site and Search](https://company-skill.com/p/_combos/ai-content-platform-with-site-and-search-7bf25b.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI-Driven Search Knowledge Platform](https://company-skill.com/p/_combos/ai-driven-search-knowledge-platform-803ad0.md) (alinux + cloudflare + bailian + notion + vercel)
- [App User Auth with Database Backend](https://company-skill.com/p/_combos/app-user-auth-with-database-backend-294893.md) (rds)
- [Authenticated Embedded Documentation Portal](https://company-skill.com/p/_combos/authenticated-embedded-documentation-portal-a64abf.md) (gitbook)
- [Authenticated SaaS with embedded docs](https://company-skill.com/p/_combos/authenticated-saas-with-embedded-docs-3db922.md) (gitbook)

## Use with an AI agent

```bash
curl -s https://company-skill.com/api/route \
  -H 'Content-Type: application/json' \
  -d '{"query": "...", "product": "idaas"}'
```

MCP server: https://company-skill.com/api/mcp/idaas.py

---
Machine-readable: https://company-skill.com/llms.txt · https://company-skill.com/sitemap.xml
