--- Title: Integrate application URL Source: https://company-skill.com/p/idaas/idaas-integrate-application Language: en Description: You want to enable single sign-on (SSO) for your application using Alibaba Cloud IDaaS, either by connecting an external identity provider (like ADFS or Google Workspace) or by integrating an Alibaba… --- # Integrate application Part of **IDaaS (Identity as a Service)**. Route queries via `POST https://company-skill.com/api/route`. ## What You Want to Do You want to enable single sign-on (SSO) for your application using Alibaba Cloud IDaaS, either by connecting an external identity provider (like ADFS or Google Workspace) or by integrating an Alibaba Cloud service (like Grafana or Bastionhost). **Typical User Questions**: - How to set up SSO from Lark or WeCom to my app? - Can I use ADFS as an identity provider for IDaaS? - Where do I set up multiple redirect URLs for SSO? ## Decision Tree Pick the best path for your situation: - **If** your application is a third-party SaaS (e.g., Salesforce) or you are using an external identity provider such as ADFS, Google Workspace, or Okta → Use IdP SSO (go to *idaas/idaas-federation*) - **If** your application is an Alibaba Cloud service such as Grafana, Bastionhost, or Elastic Desktop Service → Use SSOGrafanaBastionhost (go to *idaas/idaas-access*) - **Otherwise (default)** → Start with IdP SSO if your app supports SAML 2.0 or OIDC and you have an external IdP; otherwise use the Alibaba Cloud service path if your app runs within Alibaba Cloud’s ecosystem. ## Path Comparison | Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill | |------|----------|------------|---------------|------------|----------|-------------| | IdP SSO | ADFSGoogle WorkspaceLarkSSO | medium | No | No | Free tier allows up to 100 federation trust sources per account per month | `idaas/guide/idaas-federation` | | SSOGrafanaBastionhost | RedashGrafanaECSIDaaS SSO | medium | No | No | M2M applications limited to 2 in free trial | `idaas/guide/idaas-access` | ## Path Details ### Path 1: IdP SSO **Best For**: ADFSGoogle WorkspaceLarkSSO **Brief Description**: This path configures external identity providers (IdPs) like ADFS or Google Workspace as SAML Identity Provider or OIDC identity sources in IDaaS. You use the Console > Identity Management > Identity Source > Inbound flow to input the Metadata URL, perform Field Mapping, and choose between Manual Account Binding or Automatic Account Binding. The setup establishes a federation trust source between your IdP and IDaaS. **Key technical facts**: - Billing: SSOIDaaS100 **When to Use**: - ADFSGoogle WorkspaceOkta - SAML 2.0OIDC - automation_friendly=false ### Path 2: SSOGrafanaBastionhost **Best For**: RedashGrafanaECSIDaaS SSO **Brief Description**: This path configures SSO for Alibaba Cloud services using the OIDC Protocol or SAML protocol. You create an application in IDaaS Console > IDaaS > Application > Add Application, define Redirect URI and Scopes, and optionally set up Alibaba Cloud role SSO with Role Mapping Expression. For Grafana, you’ll reference settings like Application ID, Client ID, and Client Secret in your grafana.ini file. **Key technical facts**: - Billing: IDaaSM2MEIAM **When NOT to Use**: - ADFSGoogle Workspace - automation_friendly=false - 'All'IPM2M ## FAQ Q: Which path should I start with? A: If your app is hosted outside Alibaba Cloud and uses an external identity provider like ADFS or Okta, start with IdP SSO. If your app is Grafana, Bastionhost, or another Alibaba Cloud service, use SSO. Q: What if I need to connect ADFS as an identity provider but chose the Alibaba Cloud service path? A: You’ll hit a dead end—you cannot configure external IdPs like ADFS in the idaas-access path, which is designed for registering applications, not inbound identity sources. Q: What if I’m setting up Grafana SSO but used the external IdP federation path? A: You’ll miss critical configuration steps like defining Redirect URI, Client ID, and Client Secret required by Grafana’s OIDC integration, and won’t be able to complete the setup. Q: Can I use both SAML and OIDC for the same application? A: No—each federation trust source or application SSO configuration supports only one protocol at a time (either SAML 2.0 or OIDC), per the limitations in both paths. Q: Are there cost differences between the two paths? A: Both are included in IDaaS core pricing, but note: the federation path allows 100 free federation trust sources/month, while the access path limits M2M applications to 2 in the free trial. Q: Do I need to write code for either path? A: No—both paths are configured entirely through the IDaaS console and require no code or CLI usage. Q: What key terms should I recognize when following instructions? A: For federation: look for SAML Identity Provider, Metadata URL, Field Mapping, Manual Account Binding, Automatic Account Binding, and federation trust source. For Alibaba Cloud apps: watch for OIDC Protocol, Redirect URI, Scopes, Alibaba Cloud role SSO, Application ID, M2M application, Client ID, and Client Secret. ## Related queries integrate sso, configure sso, setup sso, enable single sign on, sso integration, how to set up sso, where to configure sso, can i use sso, saml sso setup, oidc sso setup, add identity provider, connect adfs to app, lark sso, wecom sso, salesforce sso via idaas, grafana sso alibaba, bastionhost sso --- Part of [IDaaS (Identity as a Service)](https://company-skill.com/p/idaas.md) · https://company-skill.com/llms.txt