This topic describes the scenarios for two single sign-on (SSO) methods supported by Alibaba Cloud: role-based SSO and user-based SSO. You can select an SSO method based on your needs.
Scenarios of role-based SSO
You do not want to create or manage users on Alibaba Cloud. This reduces costs and eliminates the need to synchronize users.
You want to implement SSO to Alibaba Cloud while still managing some users directly on Alibaba Cloud. Those locally managed users can test new features and provide a fallback for logging on if your network or identity provider (IdP) fails.
You want to manage permissions on Alibaba Cloud based on user groups in your local IdP or a specific user attribute. This lets you manage user permissions by grouping users in your local IdP or changing user attributes.
You have multiple Alibaba Cloud accounts and only one IdP. You want to implement SSO to multiple Alibaba Cloud accounts by configuring your IdP only once.
You have multiple IdPs and only one Alibaba Cloud account. You want to implement SSO from multiple IdPs to one Alibaba Cloud account by configuring IdPs in the Alibaba Cloud account.
You want to implement SSO using the console or by calling API operations.
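As an added illustration of the group-based permission mapping and the one-IdP, many-accounts scenario above (example code, not Alibaba Cloud's own), the function below turns a user's IdP group memberships into the role entries an IdP would place in the SAML assertion. The attribute names and ARN formats are assumptions taken from Alibaba Cloud's RAM documentation for role-based SSO, not from this page; the group-to-role policy and the user are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed attribute names (Alibaba Cloud RAM docs for role-based SSO, not this page).
ROLE_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/Role"
SESSION_ATTR = "https://www.aliyun.com/SAML-Role/Attributes/RoleSessionName"


@dataclass(frozen=True)
class RoleGrant:
    account_id: str  # Alibaba Cloud account that owns the RAM role
    role_name: str   # RAM role whose trust policy names the SAML provider
    provider: str    # SAML provider registered in that same account


# Constructed sample policy: IdP group -> roles that group may assume.
# A group that is not listed grants nothing, so unknown groups are denied.
GROUP_GRANTS: Dict[str, List[RoleGrant]] = {
    "cloud-admins": [RoleGrant("111111111111", "Admin", "corp-idp"),
                     RoleGrant("222222222222", "Admin", "corp-idp")],
    "cloud-readers": [RoleGrant("111111111111", "ReadOnly", "corp-idp")],
}


def role_value(g: RoleGrant) -> str:
    """Assumed value format: role ARN and provider ARN of the same account."""
    return (f"acs:ram::{g.account_id}:role/{g.role_name},"
            f"acs:ram::{g.account_id}:saml-provider/{g.provider}")


def saml_attributes(user_id: str, groups: List[str]) -> Dict[str, List[str]]:
    """Build the attribute statement for one user: the union of the roles
    granted by the user's groups (de-duplicated, in policy order) plus a
    session name derived from a stable user identifier."""
    grants: List[RoleGrant] = []
    for grp in groups:
        for g in GROUP_GRANTS.get(grp, []):
            if g not in grants:
                grants.append(g)
    if not grants:
        # No group maps to a role: issue nothing rather than a default role.
        raise PermissionError(f"{user_id}: no group grants any role")
    return {ROLE_ATTR: [role_value(g) for g in grants],
            SESSION_ATTR: [user_id]}
```

Changing a user's group in the IdP changes which accounts and roles appear in the assertion, with no user object created on Alibaba Cloud.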
Scenarios of user-based SSO
You want to initiate logon from Alibaba Cloud rather than from your IdP.
Some of the Alibaba Cloud services you use cannot be accessed by using RAM roles (that is, through Security Token Service (STS) tokens). For more information, see Services that work with STS.
Your IdP does not support complex attribute configuration, such as the attribute mapping that role-based SSO relies on.
You want to simplify IdP configuration.