Elastic Desktop Service: Configure logon methods

Last Updated: Feb 06, 2025

You can configure the logon authentication and security settings in the Elastic Desktop Service (EDS) Enterprise console to manage the methods used for authenticating logons of end users and improving security. The logon authentication methods, including single sign-on (SSO), multi-factor authentication (MFA), and client logon verification, ensure that user identities are authenticated before access to cloud computers is granted. Additionally, the automatic logout feature, triggered by timeouts, is implemented to prevent potential data leaks. This topic describes logon authentication methods and their usage.

Use and manage organization IDs

Organization IDs in EDS Enterprise are eight-character identifiers used to connect end users to cloud computers within organizations. These IDs are randomly generated by the EDS Enterprise system and consist of uppercase letters and digits. To prevent confusion, letters resembling digits, such as I and O, are excluded from the IDs. When an organization ID is used by end users to log on to Alibaba Cloud Workspace terminals, access to all cloud computers residing in all office networks is granted to the end users.

Differences between office network IDs and organization IDs

End users can log on to Alibaba Cloud Workspace terminals by using office network IDs or organization IDs. End users who log on to Alibaba Cloud Workspace terminals by using organization IDs can access cloud computers in all office networks. Logons by using organization IDs are subject to the following limits:

  • If convenience accounts are used by end users, organization IDs can be used for logging on to all Alibaba Cloud Workspace terminals.

  • If enterprise Active Directory (AD) accounts are used by end users, organization IDs can be used for logging on to only the Windows client and the macOS client of Alibaba Cloud Workspace V6.4 or later.

Security can be enhanced by enabling multiple authentication methods for logons by using organization IDs and logons by using office network IDs. Take note that authentication settings for each method are different. The following table compares the different authentication methods. A convenience office network is used as an example.

Note

Enterprise AD office networks support MFA and SSO.

| Item | Organization ID | Office network ID |
| --- | --- | --- |
| Concept | An organization ID is a unique identifier assigned to each enterprise by EDS Enterprise. It is automatically generated upon the activation of EDS Enterprise. If real-name verification is successfully completed for your Alibaba Cloud account, the generated organization ID can be modified to a custom ID. For more information, see Modify an organization ID. | An office network ID is automatically generated by the system as a unique identifier for each office network and cannot be modified. |
| Effective scope | Logon and security settings are applied to all cloud computers within the organization. | Logon and security settings are applied to cloud computers within the office network. |
| Logon by using convenience accounts | Supported | Supported |
| Logon by using enterprise AD accounts | Supported | Supported |
| Automatic Logon | Supported | Not supported |
| Timeout-triggered automatic logout | Supported | Not supported |
| Limitations on terminals | Supported | Not supported |
| Short Message Service (SMS) logon | Supported | Not supported |
| MFA | Supported | Supported |
| Client logon verification | Supported | Supported |
| Trusted device authentication | Supported | Supported |
| SSO | Supported | Supported |

Configure logon authentication methods

You can configure authentication methods separately for organization IDs and office network IDs, and these configurations do not conflict.

  • When logons are made to Alibaba Cloud Workspace terminals by using organization IDs, the authentication methods associated with those organization IDs are applied by the system.

  • Similarly, when logons are made to Alibaba Cloud Workspace terminals by using office network IDs, the authentication methods associated with those office network IDs are applied by the system.

Manage authentication methods for organization IDs

If multiple authentication methods are configured for an organization ID, perform the following steps to modify their visibility and display order on Alibaba Cloud Workspace terminals:

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Users > Logon Settings.

  3. On the General tab of the Logon Settings page, turn on authentication options displayed in the Authentication Method section, or click Move Up or Move Down in the Actions column to adjust the display order on Alibaba Cloud Workspace terminals.

Modify an organization ID

If your Alibaba Cloud account successfully passes real-name verification, you can request to modify your organization ID. For more information about enterprise real-name verification, see Account Verification FAQs.

  1. Log on to the EDS Enterprise console.

  2. Select an entry to proceed:

    Modify on the Overview page

    1. In the left-side navigation pane, click Overview.

    2. In the My Cloud Computer section of the Overview page, click Modify next to the current organization ID.

    Modify on the Logon Settings page

    1. In the left-side navigation pane, choose Users > Logon Settings.

    2. On the General tab of the Logon Settings page, click Modify next to the current organization ID.

  3. In the Organization ID dialog box, follow the on-screen instructions to enter a custom ID and click Confirm.

    Note
    • An organization ID can be 5 to 15 characters in length, and can contain letters, digits, and special characters. The organization ID cannot start with a special character.

    • An organization ID can only be modified once within a 15-day period.

General logon settings

Automatic logon

This setting determines whether end users can enable automatic logon on Alibaba Cloud Workspace terminals. When enabled, automatic logon bypasses the need for users to repeatedly enter their credentials, streamlining the logon process within a specified duration. You can set the Automatic Logon parameter to Customized by End User or Managed by Administrator. Then, specify an effective period for the feature.

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Users > Logon Settings.

  3. On the General tab of the Logon Settings page, click Modify Logon Configurations next to Logon Settings.

  4. In the Modify Logon Configurations panel, configure the following parameters as needed and click Confirm.

    | Parameter | Description |
    | --- | --- |
    | Automatic Logon | Valid values: • Customized by End User: End users can enable or disable automatic logon on Alibaba Cloud Workspace terminals. When automatic logon is enabled, end users must specify its effective period. • Managed by Administrator: The administrator configures automatic logon in the EDS Enterprise console. End users are restricted from modifying the automatic logon settings on their Alibaba Cloud Workspace terminals. |
    | Automatic Logon | This switch is available only if you set the Automatic Logon parameter to Managed by Administrator. You can turn on or turn off this switch. Note: This feature is in invitational preview. If you want to use the feature, submit a ticket. |
    | Validity Period | This parameter is available only if you set the Automatic Logon parameter to Managed by Administrator and turn on the Automatic Logon switch. Important: If the password validity period for a convenience account is set between 30 and 365 days, and the validity period for automatic logon exceeds the remaining password validity period, automatic logon may fail. For more information about how to configure the password validity period of a convenience account, see Create a convenience account. |

Timeout-triggered automatic logout

By default, this feature is disabled. When this feature is enabled, Alibaba Cloud Workspace terminals automatically log off users if they do not connect to cloud resources, such as cloud computers, applications, phones, or enterprise drives, within the specified timeout period. This feature enhances data security by ensuring inactive sessions are terminated promptly.

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Users > Logon Settings.

  3. On the General tab of the Logon Settings page, click Modify Logon Configurations next to Logon Settings.

  4. In the Modify Logon Configurations panel, configure the following parameters as needed and click Confirm.

    | Parameter | Description |
    | --- | --- |
    | Timeout-triggered Automatic Logout | You can turn on or turn off this switch. |
    | Timeout Period | The length of time that end users can stay logged on to Alibaba Cloud Workspace terminals without connecting to cloud resources before they are logged off. This parameter is available only if you turn on the Timeout-triggered Automatic Logout switch. |
    | Terminal | The Alibaba Cloud Workspace terminals on which this feature takes effect. Note: If you select Alibaba Cloud Workspace Hardware Terminal, make sure that the terminal version is V7.5 or later. If password-free logon is enabled for the hardware terminals, this feature does not take effect. |

    Note
    • If you select software clients, this feature will apply to subsequent logons of end users.

    • The system notifies end users prior to the expiration of the timeout period. End users may choose to terminate the process. If the notification is ignored, clients are automatically logged off once the timeout period concludes.

Limitations on logon terminals

By default, end users are allowed to log on to multiple Alibaba Cloud Workspace terminals simultaneously. You can set a limit on the number of terminals to which end users can log on. If this limit is exceeded, the terminal that was logged on to first is automatically logged off to ensure compliance with the configured limit.

Note

This feature is in invitational preview. If you want to use the feature, submit a ticket.

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Users > Logon Settings.

  3. On the General tab of the Logon Settings page, click Modify Logon Configurations next to Logon Settings.

  4. In the Modify Logon Configurations panel, configure the following parameters as needed and click Confirm.

    | Parameter | Description |
    | --- | --- |
    | Max. Terminals | You can turn on or turn off this switch. |
    | Available Terminals | The maximum number of Alibaba Cloud Workspace terminals to which end users can log on at the same time. Valid values: 1 to 10. This parameter is available only if you turn on the Max. Terminals switch. |

Logon authentication settings

MFA

MFA enhances authentication security by requiring end users to provide additional verification. After MFA is configured, end users must enter their username, password, and a dynamic code or verification code from a virtual MFA device when logging onto Alibaba Cloud Workspace terminals. For more information, see Configure MFA.

Client logon verification

By default, this feature is disabled. When this feature is enabled, end users are required to verify their identity by entering a verification code sent to their email addresses. This occurs when end users log on to Alibaba Cloud Workspace from new devices. Logon access is granted only after the verification is successfully completed.

Note

This parameter takes effect only if end users use convenience accounts to access cloud computers over the Internet.

Enable for organization IDs

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Users > Logon Settings.

  3. On the Security tab of the Logon page, turn on the Client Logon Verification switch.

Enable for office networks

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Networks page, find the desired office network and click its ID.

  5. In the Other Information section of the office network details page, turn on Client Logon Verification.

    Note

    The SSO, MFA, and Client Logon Verification features are mutually exclusive. You can enable only one of the features for an office network within a period of time. For organization IDs, these features are not mutually exclusive. You can enable all of them at the same time.

Trusted device authentication

By default, this feature is disabled. When this feature is enabled, cloud computers are accessible only from trusted terminals.

Note

This feature applies exclusively to convenience accounts.

Prerequisites

An Alibaba Cloud Workspace terminal is added in the EDS Enterprise console, and bound to a user. For more information, see Manage software clients.

Procedure

Enable for organization IDs

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Users > Logon Settings.

  3. On the Security tab of the Logon Settings page, set the Trusted Device Authentication parameter to Enable.

Enable for office networks

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Networks page, find the desired office network and click its ID.

  5. In the Other Information section of the office network details page, turn on the Trusted Device Authentication switch.

SSO

Single sign-on (SSO) is a secure communication technology that allows you to efficiently access multiple trusted application systems with a single sign-on. SSO implements logon based on identity federation.

The following terms are frequently used in SSO scenarios:

  • Identity provider (IdP): an entity that contains the metadata of an external identity provider. An IdP provides identity management services, collects and stores user identity information such as usernames and passwords, and verifies user identities on user logons.

    Common IdPs:

    • On-premises IdPs: use on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth.

    • Cloud IdPs: Azure AD, Google Workspace, Okta, and OneLogin.

  • Service provider (SP): an application that uses the identity management feature of an IdP to provide users with specific services based on trust relationships with IdPs. In specific identity systems that do not comply with the Security Assertion Markup Language (SAML) protocol, such as OpenID Connect (OIDC), the SP is the relying party of an IdP.

  • SAML 2.0: a standard protocol for user identity authentication for enterprises. It is one of the technical implementations for communication between SPs and IdPs. SAML is a de facto standard that is used by enterprises to implement SSO.

After you enable SSO, end users log on to Alibaba Cloud Workspace terminals in SSO mode. By default, SSO is disabled for office networks. For organization IDs, SSO is enabled by default and cannot be disabled.

Procedure

To enable SSO, perform the following steps:

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Networks page, find the desired office network and click its ID.

  5. In the Other Information section of the office network details page, turn on the SSO switch.

    Note

    The SSO, MFA, and Client Logon Verification features are mutually exclusive. You can enable only one of the features for an office network within a period of time. For organization IDs, these features are not mutually exclusive. You can enable all of them at the same time.
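
The limits stated in the sections above (automatic logon validity versus remaining password validity, the 1 to 10 terminal limit, the V7.5 hardware terminal requirement, the convenience-account-only features, and the office network mutual exclusion of SSO, MFA, and client logon verification) can be checked against a planned configuration before it is applied in the console. The following Python is an added example, not Alibaba Cloud code: the dictionary field names are hypothetical, validity periods are assumed to be expressed in days, and the sample data is constructed.

```python
# Added example: field names are hypothetical (not an EDS API schema); SAMPLE_* data is constructed.
EXCLUSIVE = ("sso", "mfa", "client_logon_verification")
CONVENIENCE_ONLY = ("client_logon_verification", "trusted_device_authentication")

def version_tuple(v):
    """'V7.10' -> (7, 10), so V7.10 sorts after V7.5 (a string compare would not)."""
    return tuple(int(p) for p in v.lstrip("Vv").split("."))

def lint_office_network(net):
    """Findings for one office network, per the office-network rules on this page."""
    out = []
    on = [f for f in EXCLUSIVE if net.get(f)]
    if len(on) > 1:
        out.append(f"{net['id']}: {', '.join(on)} are mutually exclusive on an office network")
    if net["account_type"] != "convenience":
        out += [f"{net['id']}: {f} applies only to convenience accounts"
                for f in CONVENIENCE_ONLY if net.get(f)]
    return out

def lint_organization(org):
    """Findings for organization-ID logon settings, per the limits on this page."""
    out = []
    auto = org.get("automatic_logon", {})
    if auto.get("mode") == "managed_by_administrator" and auto.get("enabled"):
        for acct in org.get("accounts", []):
            left = acct.get("password_days_left")  # None: no expiry set (assumption)
            if left is not None and auto["validity_days"] > left:
                out.append(f"{acct['name']}: automatic logon validity {auto['validity_days']}d "
                           f"exceeds remaining password validity {left}d; logon may fail")
    limit = org.get("max_terminals", {})
    if limit.get("enabled") and not 1 <= limit.get("count", 0) <= 10:
        out.append(f"max_terminals: {limit.get('count')} is outside the valid range 1 to 10")
    idle = org.get("timeout_logout", {})
    for hw in idle.get("hardware_terminals", []) if idle.get("enabled") else []:
        if version_tuple(hw["version"]) < (7, 5):
            out.append(f"{hw['serial']}: {hw['version']} is older than V7.5")
        if hw.get("password_free_logon"):
            out.append(f"{hw['serial']}: password-free logon, timeout logout has no effect")
    return out

SAMPLE_ORG = {
    "automatic_logon": {"mode": "managed_by_administrator", "enabled": True, "validity_days": 30},
    "accounts": [{"name": "alice", "password_days_left": 12}, {"name": "bob", "password_days_left": None}],
    "max_terminals": {"enabled": True, "count": 12},
    "timeout_logout": {"enabled": True, "hardware_terminals": [
        {"serial": "HW-1", "version": "V7.10"},
        {"serial": "HW-2", "version": "V7.4", "password_free_logon": True}]}}
SAMPLE_NETS = [{"id": "net-a", "account_type": "convenience", "mfa": True, "client_logon_verification": True},
    {"id": "net-b", "account_type": "enterprise_ad", "sso": True, "trusted_device_authentication": True}]
```

Run `lint_organization(SAMPLE_ORG)` and `lint_office_network(net)` for each entry in `SAMPLE_NETS`; an empty list means the planned settings do not conflict with the limits documented here.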

References

  • For more information about how to configure Security Assertion Markup Language (SAML)-based SSO, see Configure SAML-based SSO.

  • For more information about the best practices between EDS Enterprise and identity providers (IdPs), see Single sign-on (SSO).