All Products
Search

This Product

    Elastic Desktop Service:Configure logon methods

    Document Center

    Elastic Desktop Service:Configure logon methods

    Last Updated:Feb 06, 2025

    You can configure the logon authentication and security settings in the Elastic Desktop Service (EDS) Enterprise console to manage the methods used for authenticating logons of end users and improving security. The logon authentication methods, including single sign-on (SSO), multi-factor authentication (MFA), and client logon verification, ensure that user identities are authenticated before access to cloud computers is granted. Additionally, the automatic logout feature, triggered by timeouts, is implemented to prevent potential data leaks. This topic describes logon authentication methods and their usage.

    Use and manage organization IDs

    Organization IDs in EDS Enterprise are eight-character identifiers used to connect end users to cloud computers within organizations. These IDs are randomly generated by the EDS Enterprise system and consist of uppercase letters and digits. To prevent confusion, letters resembling digits, such as I and O, are excluded from the IDs. When an organization ID is used by end users to log on to Alibaba Cloud Workspace terminals, access to all cloud computers residing in all office networks is granted to the end users.

    Differences between office network IDs and organization IDs

    End users can log on to Alibaba Cloud Workspace terminals by using office network IDs or organization IDs. End users who log on to Alibaba Cloud Workspace terminals by using organization IDs can access cloud computers in all office networks. Logons by using organization IDs are subject to the following limits:

    • If convenience accounts are used by end users, organization IDs can be used for logging onto all Alibaba Cloud Workspace terminals.

    • If enterprise Active Directory (AD) accounts are used by end users, organization IDs can be used for logging onto only the Windows client and the macOS client of Alibaba Cloud Workspace V6.4 or later.

    Security can be enhanced by enabling multiple authentication methods for logons by using organization IDs and logons by using office network IDs. Take note that authentication settings for each method are different. The following table compares the different authentication methods. A convenience office network is used as an example.

    Note

    Enterprise AD office networks support MFA and SSO.

    Item

    Organization ID

    Office network ID

    Concept

    An organization ID is a unique identifier assigned to each enterprise by EDS Enterprise. It is automatically generated upon the activation of EDS Enterprise.

    If real-name verification is successfully completed for your Alibaba Cloud account, the generated organization ID can be modified to a custom ID. For more information, see Modify an organization ID.

    An office network ID is automatically generated by the system as a unique identifier for each office network and cannot be modified.

    Effective scope

    Logon and security settings are applied to all cloud computers within the organization.

    Logon and security settings are applied to cloud computers within the office network.

    Logon by using convenience accounts

    Supported

    Supported

    Logon by using enterprise AD accounts

    Supported

    Supported

    Automatic Logon

    Supported

    Not supported

    Timeout-triggered automatic logout

    Supported

    Not supported

    Limitations on terminals

    Supported

    Not supported

    Short Message Service (SMS) logon

    Supported

    Not supported

    MFA

    Supported

    Supported

    Client logon verification

    Supported

    Supported

    Trusted device authentication

    Supported

    Supported

    SSO

    Supported

    Supported

    Configure logon authentication methods

    You can configure authentication methods separately for organization IDs and office network IDs, and these configurations do not conflict.

    • When logons are made to Alibaba Cloud Workspace terminals by using organization IDs, the authentication methods associated with those organization IDs are applied by the system.

    • Similarly, when logons are made to Alibaba Cloud Workspace terminals by using office network IDs, the authentication methods associated with those office network IDs are applied by the system.

    image

    Manage authentication methods for organization IDs

    If multiple authentication methods are configured for an organization ID, perform the following steps to modify their visibility and display order on Alibaba Cloud Workspace terminals:

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Users > Logon Settings.

    3. On the General tab of the Logon Settings page, turn on authentication options displayed in the Authentication Method section, or click Move Up or Move Down in the Actions column to adjust the display order on Alibaba Cloud Workspace terminals.

    Modify an organization ID

    If your Alibaba Cloud account successfully passes real-name verification, you can request to modify your organization ID. For more information about enterprise real-name verification, see Account Verification FAQs

    1. Log on to the EDS Enterprise console.

    2. Select an entry to proceed:

      Modify on the Overview page

      1. In the left-side navigation pane, click Overview.

      2. In the My Cloud Computer section of the Overview page, click Modify next to the current organization ID.

      Modify on the Logon Settings page

      1. In the left-side navigation pane, choose Users > Logon Settings.

      2. On the General tab of the Logon Settings page, click Modify next to the current organization ID.

    3. In the Organization ID dialog box, follow the on-screen instructions to enter a custom ID and click Confirm.

      Note

      • An organization ID can be 5 to 15 characters in length, and can contain letters, digits, and special characters. The organization ID cannot start with a special character.

      • An organization ID can only be modified once within a 15-day period.

    General logon settings

    Automatic logon

    This setting determines whether end users can enable automatic logon on Alibaba Cloud Workspace terminals. When enabled, automatic logon bypasses the need for users to repeatedly enter their credentials, streamlining the logon process within a specified duration. You can set the Automatic Logon parameter to Customized by End User or Managed by Administrator. Then, specify an effective period for the feature.

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Users > Logon Settings.

    3. On the General tab of the Logon Settings page, click Modify Logon Configurations next to Logon Settings.

    4. In the Modify Logon Configurations panel, configure the following parameters as needed and click Confirm.

      Parameter

      Description

      Automatic Logon

      Valid values:

      • Customized by End User: End users can enable or disable automatic logon on Alibaba Cloud Workspace terminals. When automatic logon is enabled, end users must specify its effective period.

      • Managed by Administrator: The administrator configures automatic logon in the EDS Enterprise console. End users are restricted from modifying the automatic logon settings on their Alibaba Cloud Workspace terminals.

      Automatic Logon

      This switch is available only if you set the Automatic Logon parameter to Managed by Administrator. You can turn on or turn off this switch.

      Note

      This feature is in invitational preview. If you want to use the feature, submit a ticket.

      Validity Period

      This parameter is available only if you set the Automatic Logon parameter to Managed by Administrator and turn on the Automatic Logon switch.

      Important

      If the password validity period for a convenience account is set between 30 to 365 days, and the validity period for automatic logon exceeds the remaining password validity period, automatic logon may fail. For more information about how to configure the password validity period of a convenience account, see Create a convenience account.

    Timeout-triggered automatic logout

    By default, this feature is disabled. When this feature is enabled, Alibaba Cloud Workspace terminals automatically log off users if they do not connect to cloud resources, such as cloud computers, applications, phones, or enterprise drives, within the specified timeout period. This feature enhances data security by ensuring inactive sessions are terminated promptly.

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Users > Logon Settings.

    3. On the General tab of the Logon Settings page, click Modify Logon Configurations next to Logon Settings.

    4. In the Modify Logon Configurations panel, configure the following parameters as needed and click Confirm.

      Parameter

      Description

      Timeout-triggered Automatic Logout

      You can turn on or turn off this switch.

      Timeout Period

      The duration during which end users are disconnected from cloud resources after logging onto Alibaba Cloud Workspace terminals. This parameter is available only if you turn on the Timeout-triggered Automatic Logout switch.

      Terminal

      The Alibaba Cloud Workspace terminals on which this feature takes effect.

      Note

      If you select Alibaba Cloud Workspace Hardware Terminal, make sure that the terminal version is V7.5 or later. If password-free logon is enabled for the hardware terminals, this feature does not take effect.

      Note

      • If you select software clients, this feature will apply to subsequent logons of end users.

      • The system notifies end users prior to the expiration of the timeout period. End users may choose to terminate the process. If the notification is ignored, clients are automatically logged off once the timeout period concludes.

    Limitations on logon terminals

    By default, end users are allowed to log on to multiple Alibaba Cloud Workspace terminals simultaneously. You can set a limit on the number of terminals to which end users can log on. If this limit is exceeded, the first terminal that is logged into will automatically log off to ensure compliance with the configured limit.

    Note

    This feature is in invitational preview. If you want to use the feature, submit a ticket.

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Users > Logon Settings.

    3. On the General tab of the Logon Settings page, click Modify Logon Configurations next to Logon Settings.

    4. In the Modify Logon Configurations panel, configure the following parameters as needed and click Confirm.

      Parameter

      Description

      Max. Terminals

      You can turn on or turn off this switch.

      Available Terminals

      The maximum number of Alibaba Cloud Workspace terminals to which end users can log on at the same time. Valid values: 1 to 10. This parameter is available only if you turn on the Max. Terminals switch.

    Logon authentication settings

    MFA

    MFA enhances authentication security by requiring end users to provide additional verification. After MFA is configured, end users must enter their username, password, and a dynamic code or verification code from a virtual MFA device when logging onto Alibaba Cloud Workspace terminals. For more information, see Configure MFA.

    Client logon verification

    By default, this feature is disabled. When this feature is enabled, end users are required to verify their identity by entering a verification code sent to their email addresses. This occurs when end users logging on to Alibaba Cloud Workspace from new devices. Logon access is granted only after the verification is successfully completed.

    Note

    This parameter takes effect only if end users use convenience accounts to access cloud computers over the Internet.

    Enable for organization IDs

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Users > Logon Settings.

    3. On the Security tab of the Logon page, turn on the Client Logon Verification switch.

    Enable for office networks

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

    3. In the upper-left corner of the top navigation bar, select a region.

    4. On the Office Networks page, find the desired office network and click its ID.

    5. In the Other Information section of the office network details page, turn on Client Logon Verification.

      Note

      The SSO, MFA, and Client Logon Verification features are mutually exclusive. You can enable only one of the features for an office network within a period of time. For organization IDs, these features are not mutually exclusive. You can enable all of them at the same time.

    Trusted device authentication

    By default, this feature is disabled. When this feature is enabled, cloud computers are accessible only from trusted terminals.

    Note

    This feature applies exclusively to convenience accounts.

    Prerequisites

    An Alibaba Cloud Workspace terminal is added in the EDS Enterprise console, and bound to a user. For more information, see Manage software clients.

    Procedure

    Enable for organization IDs

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Users > Logon Settings.

    3. On the Security tab of the Logon Settings page, set the Trusted Device Authentication parameter to Enable.

    Enable for office networks

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

    3. In the upper-left corner of the top navigation bar, select a region.

    4. On the Office Networks page, find the desired office network and click its ID.

    5. In the Other Information section of the office network details page, turn on the Trusted Device Authentication switch.

    SSO

    Single sign-on (SSO) is a secure communication technology that allows you to efficiently access multiple trusted application systems with a single sign-on. SSO implements logon based on identity federation.

    The following terms are frequently used in SSO scenarios:

    • Identity provider (IdP): an entity that contains the metadata of an external identity provider. An IdP provides identity management services, collects and stores user identity information such as usernames and passwords, and verifies user identities on user logons.

      Common IdPs:

      • On-premises IdPs: use on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth.

      • Cloud IdP: Azure AD, Google Workspace, Okta, and OneLogin.

    • Service provider (SP): an application that uses the identity management feature of an IdP to provide users with specific services based on trust relationships with IdPs. In specific identity systems that do not comply with the Security Assertion Markup Language (SAML) protocol, such as OpenID Connect (OIDC), SP is the relying party of an IdP.

    • SAML 2.0: a standard protocol for user identity authentication for enterprises. It is one of the technical implementations for communication between SPs and IdPs. SAML is a de facto standard that is used by enterprises to implement SSO.

    After you enable SSO, end users log on to Alibaba Cloud Workspace terminals in SSO mode. By default, SSO is disabled for office networks. By default, SSO is enabled for organization IDs. You cannot disable SSO.

    Procedure

    To enable SSO, perform the following steps:

    1. Log on to the EDS Enterprise console.

    2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

    3. In the upper-left corner of the top navigation bar, select a region.

    4. On the Office Networks page, find the desired office network and click its ID.

    5. In the Other Information section of the office network details page, turn on the SSO switch.

      Note

      The SSO, MFA, and Client Logon Verification features are mutually exclusive. You can enable only one of the features for an office network within a period of time. For organization IDs, these features are not mutually exclusive. You can enable all of them at the same time.

    References

    • For more information about how to configure Security Assertion Markup Language (SAML)-based SSO, see Configure SAML-based SSO.

    • For more information about the best practices between EDS Enterprise and identity providers (IdPs), see Single sign-on (SSO).