You can configure the logon authentication and security settings in the Elastic Desktop Service (EDS) console to manage the methods to authenticate logons of end users and improve security. The logon authentication methods, such as single sign-on (SSO), multi-factor authentication (MFA), and client logon verification, can help you authenticate user identity before end users connect to cloud computers. The timeout-triggered automatic logout feature can also prevent unexpected data leaks. This topic describes logon authentication and the methods to configure logon authentication.
Organization IDs
Organization IDs in EDS are 8-digit identifiers used by end users to connect to cloud computers in organizations. Initial organization IDs are randomly generated by the EDS system, which include uppercase letters and digits. However, letters which may be confused with digits are not included in organization IDs. Examples: I and O. When end users use an organization ID to log on to Alibaba Cloud Workspace terminals, they can access all cloud computers reside in office networks of an organization.
Compare office network IDs and organization IDs
End users can log on to Alibaba Cloud Workspace terminals by using office network IDs or organization IDs. End users who use organization IDs can access cloud computers in office networks of organizations. To use organization IDs for logon, take note of the following items:
If end users use convenience accounts, organization IDs are available for all Alibaba Cloud Workspace terminals.
If end users use enterprise Active Directory (AD) accounts, organization IDs are available only for the Windows client and macOS client of Alibaba Cloud Workspace V6.4.0 or later.
You can enable multiple authentication methods for logon by using organization IDs and office network IDs to improve security. However, the authentication settings are different. The following table compares the authentication method differences. In this table, a convenience office network is used as an example.
Enterprise AD office networks support MFA and SSO.
Item | Organization ID | Office network ID |
Basic concept | An organization ID is the unique enterprise identifier in EDS. When you activate EDS, the system generates an organization ID for your enterprise. If your Alibaba Cloud account passes real-name verification, you can modify the generated organization ID. For more information, see Modify an organization ID. | An office network ID is a unique office network identifier, which is automatically generated by the system and cannot be modified. |
Effective scope | Logon and security settings take effect for all cloud computers in the organization. | Logon and security settings take effect for cloud computers in the office network. |
Username-password logon of convenience accounts | Supported | Supported |
Username-password logon of enterprise AD accounts | Supported | Supported |
SSO | Supported | Supported |
MFA | Supported | Supported |
Client logon verification | Supported | Supported |
Trusted device authentication | Supported | Supported |
Organization ID skipping | Supported | Not supported |
Timeout-triggered automatic logout | Supported | Not supported |
Short Message Service (SMS) logon | Supported | Not supported |
Configure logon authentication methods
You can configure authentication methods separately for logons by using organization IDs and office network IDs. The configurations do not conflict with each other.
If end users use organization IDs to log on to Alibaba Cloud Workspace terminals, the system uses the authentication methods configured for organizations.
If end users use office network IDs to log on to Alibaba Cloud Workspace terminals, the system uses the authentication methods configured for office networks.
Manage authentication methods
If multiple authentication methods are configured for an organization ID, you can perform the following steps to adjust the visibility and authentication order when end users log on to Alibaba Cloud Workspace terminals.
Log on to the EDS console.
In the left-side navigation pane, choose .
On the General tab of the Logon Settings page, turn on authentication options displayed in the Authentication Method section, or click Move Up or Move Down in the Actions column to adjust the authentication order on Alibaba Cloud Workspace terminals.
Modify an organization ID
If your Alibaba Cloud account passes real-name verification, you can apply to modify your organization ID. For more information about enterprise real-name verification, see Account Verification FAQs
Log on to the EDS console.
Choose an entry to proceed:
Overview page
In the left-side navigation pane, click Overview.
On the right side of the Overview page, find the Organization ID parameter and click Modify.
Logon Settings page
In the left-side navigation pane, choose .
On the General tab of the Logon Settings page, click Modify next to your organization ID.
In the Modify Organization ID dialog box, enter a valid organization ID based on your business requirements.
NoteFormat: An organization ID can be 5 to 15 characters in length, and can contain letters, digits, and special characters. The organization ID cannot start with a special character.
Click Submit and proceed as prompted.
An organization ID can be modified only once within 15 days. After you submit the modification for approval, you can view the approval progress on the Overview page. If you no longer want to modify the current organization ID before the new ID passes approval, revoke the submission.
General logon settings
Timeout-triggered automatic logout
By default, this feature is disabled. If you enable the feature, the following situation occurs: When end users log on to the Windows or macOS client of Alibaba Cloud Workspace but do not connect to cloud computers, the client automatically logs out when the timeout interval that you configured for the feature is reached.
The timeout-triggered automatic logout feature takes effect the next time end users log on to the client.
Log on to the EDS console.
In the left-side navigation pane, choose .
On the General tab of the Logon Settings page, set the Timeout-triggered Automatic Logout parameter to Enable and then specify a timeout period as prompted.
NoteBefore the specified timeout period is reached, the system notifies end users that the client is about to log out. If the end users ignore the notification, the client is automatically logged out when the specified timeout period elapses.
Automatic client logon
This feature can help prevent repeated operations of entering logon credentials in a period of time after end users log on to Alibaba Cloud Workspace terminals. You can set the Automatic Logon parameter to Configure by End User or Configure by Administrator. Then, specify a period of time for the feature to take effect.
Log on to the EDS console.
In the left-side navigation pane, choose .
On the General tab of the Logon Settings page, set the Automatic Logon parameter to Configure by Administrator.
In the Configure Automatic Logon dialog box, specify a valid period and click Confirm.
ImportantIf you specify the password validity period of a convenience account to a value ranging from 30 or 365 days and the automatic client logon period is greater than the remaining password validity period, the end user that uses the convenience account may fail to automatically log on to the client. For more information about how to configure the password validity period of a convenience account, see Create a convenience account.
Logon authentication settings
MFA
MFA is a simple and effective authentication method designed to enhance security. After you enable MFA for office networks or organization IDs, end users must associate their accounts to virtual MFA devices the first time they log on to Alibaba Cloud Workspace terminals. Then, the next time they log on to the terminals, the system authenticates user identities based on the following factors:
First factor: the username and password
Second factor: the verification code generated by the virtual MFA device
Time-based One-Time Password (TOTP) is a widely used multi-factor authentication protocol. Applications on mobile phones or other devices that support TOTP are called virtual MFA devices. For example, the Alibaba Cloud app and the Google Authenticator app are virtual MFA devices. If end users associate their accounts to virtual MFA devices, Alibaba Cloud requires them to present a 6-digit verification code generated by the virtual MFA devices upon their logon to verify their identities. This effectively prevents unauthorized access caused by password theft.
Elastic Desktop Service (EDS) supports software-based virtual MFA devices. You can install virtual MFA devices such as the Alibaba Cloud app on your mobile phone.
MFA for office networks
Log on to the EDS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a region.
On the Office Networks page, find the office network that you want to manage and click its ID.
In the Other Information section of the office network details page, turn on MFA.
NoteThe SSO, MFA, and Client Logon Verification options are exclusive with each other. You can turn on only one of the options for an office network within a period of time. For organization IDs, the options are not exclusive with each other. You can turn on all of them.
MFA for organization IDs
Log on to the EDS console.
In the left-side navigation pane, choose .
On the Security tab of the Logon Settings page, turn on MFA.
Client logon verification
By default, this feature is disabled. After you turn on Client Logon Verification, identity verification based on a verification code is required when an end user logs on to an Alibaba Cloud Workspace terminal from a new device. The verification code is sent to the specified email address. The logon is allowed after the verification is complete.
This parameter takes effect only for convenience accounts, and end users use the accounts to access cloud computers over the Internet.
Client logon verification for office networks
Log on to the EDS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a region.
On the Office Networks page, find the office network that you want to manage and click its ID.
In the Other Information section of the office network details page, turn on Client Logon Verification.
NoteThe SSO, MFA, and Client Logon Verification options are exclusive with each other. You can turn on only one of the options for an office network within a period of time. For organization IDs, the options are not exclusive with each other. You can turn on all of them.
Client logon verification for organization IDs
Log on to the EDS console.
In the left-side navigation pane, choose .
On the Security tab of the Logon page, turn on Client Logon Verification.
SSO
Single sign-on (SSO) is a secure communication technology that allows you to efficiently access multiple trusted application systems with a single sign-on. SSO implements logon based on identity federation.
The following terms are frequently used in SSO scenarios:
Identity provider (IdP): an entity that contains the metadata of an external identity provider. An IdP provides identity management services, collects and stores user identity information such as usernames and passwords, and verifies user identities on user logons.
Common IdPs:
On-premises IdPs: use on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth.
Cloud IdP: Azure AD, Google Workspace, Okta, and OneLogin.
Service provider (SP): an application that uses the identity management feature of an IdP to provide users with specific services based on trust relationships with IdPs. In specific identity systems that do not comply with the Security Assertion Markup Language (SAML) protocol, such as OpenID Connect (OIDC), SP is the relying party of an IdP.
SAML 2.0: a standard protocol for user identity authentication for enterprises. It is one of the technical implementations for communication between SPs and IdPs. SAML is a de facto standard that is used by enterprises to implement SSO.
After you enable and configure SSO, end users log on to Alibaba Cloud Workspace terminals in SSO mode. By default, SSO is disabled for office networks. By default, SSO is enabled for an organization ID. You cannot disable SSO.
Procedure
You can perform the following steps to enable SSO:
Log on to the EDS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a region.
On the Office Networks page, find the office network that you want to manage and click its ID.
In the Other Information section of the office network details page, turn on SSO.
NoteThe SSO, MFA, and Client Logon Verification options are exclusive with each other. You can turn on only one of the options for an office network within a period of time. For organization IDs, the options are not exclusive with each other. You can turn on all of them.
References
For more information about how to configure SAML-based SSO, see Configure SAML-based SSO.
For more information about the best practices between EDS and identity providers (IdPs), see Single sign-on (SSO).