Elastic Desktop Service supports single sign-on (SSO) by using Azure Active Directory (AD) and Active Directory Federation Service (AD FS) as identity providers (IdPs) to accelerate access to cloud computers in Elastic Desktop Service for users.
Introduction
Single sign-on (SSO) is a secure communication technology that allows you to efficiently access multiple trusted application systems with a single sign-on. SSO implements logon based on identity federation.
The following terms are frequently used in SSO scenarios:
Identity provider (IdP): an entity that contains the metadata of an external identity provider. An IdP provides identity management services, collects and stores user identity information such as usernames and passwords, and verifies user identities on user logons.
Common IdPs:
On-premises IdPs: use on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth.
Cloud IdP: Azure AD, Google Workspace, Okta, and OneLogin.
Service provider (SP): an application that uses the identity management feature of an IdP to provide users with specific services based on trust relationships with IdPs. In specific identity systems that do not comply with the Security Assertion Markup Language (SAML) protocol, such as OpenID Connect (OIDC), SP is the relying party of an IdP.
SAML 2.0: a standard protocol for user identity authentication for enterprises. It is one of the technical implementations for communication between SPs and IdPs. SAML is a de facto standard that is used by enterprises to implement SSO.
To implement SSO between Elastic Desktop Service and IdPs, you must establish a trust relationship between Elastic Desktop Service and the IdPs by exchanging metadata files between them. For specific operations on how to configure Security Assertion Markup Language (SAML)-based SSO, see Configure SAML-based SSO.
Limits on Alibaba Cloud Workspace terminals
The following Alibaba Cloud Workspace terminals support SSO:
Windows clients
macOS clients
web clients
Scenarios
You want to initiate logon on the logon page of the Elastic Desktop Service client, instead of the logon page of an IdP. In this scenario, you can configure SSO based on your business requirements. The following table describes the scenarios and the configurations that are required to implement SSO between Elastic Desktop Service and common IdPs.
Scenario | Description | Reference |
Users can quickly log on to Alibaba Cloud Workspace terminals to access cloud computers after their logon credentials are authenticated in Azure AD. | If you use Azure AD to manage users, you can create convenience users whose usernames are the same as those of AD users in Azure AD to implement SSO for Elastic Desktop Service. In this case, Elastic Desktop Service acts as an SP, and Azure AD acts as an IdP. The providers exchange metadata files to enable SAML-based SSO. After you configure SSO, users can access cloud computers by using the same credentials in Azure AD. | |
If you want to connect to enterprise AD systems, you can create convenience users based on the information about AD users in AD FS to implement SSO for Elastic Desktop Service. After you create the convenience users, the users can quickly log on to Alibaba Cloud Workspace terminals to access cloud computers after their logon credentials are authenticated in AD FS. | If your enterprise uses Active Directory Domain Services (AD DS) to manage users, you can configure SSO for Elastic Desktop Service by using AD FS. In this scenario, Elastic Desktop Service acts as an SP and AD FS acts as an IdP. The providers exchange metadata files to implement SAML-based SSO. After you configure SSO, users can access cloud computers by using the same credentials as in AD FS. |