You can configure logon authentication and security settings in the Elastic Desktop Service (EDS) Enterprise console to control how end users are authenticated and to harden access. Logon authentication methods such as single sign-on (SSO), multi-factor authentication (MFA), and client logon verification verify a user's identity before the user can connect to cloud computers. Timeout-triggered automatic logoff limits the exposure of an idle, authenticated terminal. This topic describes the available logon authentication methods and how to configure them.
Organization IDs
Organization IDs in EDS Enterprise are eight-character identifiers that end users enter to connect to the cloud computers of an organization. Initial organization IDs are randomly generated by EDS Enterprise and consist of uppercase letters and digits; letters that are easily confused with digits, such as I and O, are excluded. When end users log on to Alibaba Cloud Workspace terminals with an organization ID, they can access all cloud computers in the organization's office networks.
Compare office network IDs with organization IDs
End users can log on to Alibaba Cloud Workspace terminals by using office network IDs or organization IDs. End users who use organization IDs can access cloud computers in office networks of organizations. To use organization IDs for logon, take note of the following items:
If end users use convenience accounts, organization IDs can be used for logon to all Alibaba Cloud Workspace terminals.
If end users use enterprise Active Directory (AD) accounts, organization IDs can be used only for logon to the Windows client and macOS client of Alibaba Cloud Workspace V6.4.0 or later.
You can enable multiple authentication methods for logons by organization ID and by office network ID, but the available settings differ between the two. The following table describes the differences, using a convenience office network as the example. Note that enterprise AD office networks also support MFA and SSO.
Item | Organization ID | Office network ID |
Concept | An organization ID is the unique enterprise identifier in EDS Enterprise. When you activate EDS Enterprise, the system generates an organization ID for your enterprise. If your Alibaba Cloud account passes real-name verification, you can modify the generated organization ID. For more information, see Modify an organization ID. | An office network ID is a unique office network identifier, which is automatically generated by the system and cannot be modified. |
Effective scope | Logon and security settings take effect for all cloud computers in the organization. | Logon and security settings take effect for cloud computers in the office network. |
Username-password logon of convenience accounts | Supported | Supported |
Username-password logon of enterprise AD accounts | Supported | Supported |
SSO | Supported | Supported |
MFA | Supported | Supported |
Client logon verification | Supported | Supported |
Trusted device authentication | Supported | Supported |
Organization ID skipping | Supported | Not supported |
Timeout-triggered automatic logoff | Supported | Not supported |
Short Message Service (SMS) logon | Supported | Not supported |
Configure logon authentication methods
You can separately configure authentication methods for logons by using organization IDs and office network IDs. The configurations do not conflict with each other.
If end users use organization IDs to log on to Alibaba Cloud Workspace terminals, the system uses the authentication methods configured for organizations.
If end users use office network IDs to log on to Alibaba Cloud Workspace terminals, the system uses the authentication methods configured for office networks.
Manage authentication methods
If multiple authentication methods are configured for an organization ID, you can perform the following steps to adjust the visibility and authentication order when end users log on to Alibaba Cloud Workspace terminals:
Log on to the EDS Enterprise console.
In the left-side navigation pane, go to the Logon Settings page. On the General tab, turn on the authentication options you want in the Authentication Method section, or click Move Up or Move Down in the Actions column to change the order in which the methods are presented on Alibaba Cloud Workspace terminals.
Modify an organization ID
If your Alibaba Cloud account has passed real-name verification, you can apply to modify your organization ID. For more information about enterprise real-name verification, see Account Verification FAQs.
Log on to the EDS Enterprise console.
Select an entry to proceed:
Overview page
In the left-side navigation pane, click Overview.
On the Overview page, find the Organization ID parameter and click the question mark on the right side. In the pop-up window, click Modify Organization ID.
Logon Settings page
In the left-side navigation pane, go to the Logon Settings page. On the General tab, click Modify next to your organization ID.
In the Modify Organization ID dialog box, enter a valid organization ID.
Note: An organization ID must be 5 to 15 characters in length and can contain letters, digits, and special characters. It cannot start with a special character.
Click Submit and proceed as prompted.
An organization ID can be modified only once within 15 days. After you submit the modification for review, you can track the review progress in the Message Center section of the Overview page. If you no longer want to change the current organization ID, you can revoke the submission at any time before the new ID is approved.
General logon settings
Automatic logon
This setting specifies whether end users can enable automatic logon on the logon page of Alibaba Cloud Workspace terminals. Enabling automatic logon can save time by avoiding repetitive logon credential entries. You can set the Automatic Logon parameter to Customized by End User or Managed by Administrator. Then, specify an effective period for the feature.
Log on to the EDS Enterprise console.
In the left-side navigation pane, go to the Logon Settings page. On the General tab, click Modify Logon Configurations next to Logon Settings.
In the Modify Logon Configurations panel, configure the following parameters based on your business requirements and click Confirm.
Parameter | Description |
Automatic Logon (mode) | Valid values: Customized by End User: end users can enable or disable automatic logon on their Alibaba Cloud Workspace terminals and, if they enable it, must also specify its effective period. Managed by Administrator: the administrator configures automatic logon in the EDS Enterprise console, and end users cannot modify the automatic logon settings on their terminals. |
Automatic Logon (switch) | Available only if the Automatic Logon mode is set to Managed by Administrator. Turn the switch on or off. Note: This feature is in invitational preview. If you want to use it, submit a ticket. |
Validity Period | Available only if the Automatic Logon mode is set to Managed by Administrator and the Automatic Logon switch is turned on. Important: If the password validity period of a convenience account is set to a value from 30 to 365 days and the automatic logon validity period exceeds the remaining password validity, automatic logon for that account may fail. For more information about configuring the password validity period of a convenience account, see Create a convenience account. |
Timeout-triggered Automatic Logoff
By default, this feature is disabled. After you enable this feature, Alibaba Cloud Workspace terminals are automatically logged off to protect the security of data if end users do not connect to cloud resources, such as cloud computers, cloud applications, cloud phones, or enterprise drives, within a specific timeframe after logging on to the terminals.
Log on to the EDS Enterprise console.
In the left-side navigation pane, go to the Logon Settings page. On the General tab, click Modify Logon Configurations next to Logon Settings.
In the Modify Logon Configurations panel, configure the following parameters based on your business requirements and click Confirm.
Parameter | Description |
Timeout-triggered Automatic Logout | Turn the switch on or off. |
Timeout Period | The period after logon within which end users must connect to a cloud resource; if they do not, the terminal is logged off. Available only if the Timeout-triggered Automatic Logout switch is turned on. |
Terminal | The Alibaba Cloud Workspace terminals on which this feature takes effect. Note: If you select Alibaba Cloud Workspace Hardware Terminal, the terminal version must be 7.5 or later, and the feature does not take effect on hardware terminals that have password-free logon enabled. Note: If you specify clients, the feature takes effect from the next logon of end users to those terminals. |
The system notifies end users before the timeout period expires. If they ignore the notification, their terminals are automatically logged off when the timeout period ends.
Limits on the number of logon terminals
By default, end users can be logged on to any number of Alibaba Cloud Workspace terminals at the same time. You can cap the number of terminals to which an end user can be logged on concurrently. When a logon would exceed the cap, the user's earliest surviving logon session is automatically logged off.
This feature is in invitational preview. If you want to use this feature, submit a ticket.
Log on to the EDS Enterprise console.
In the left-side navigation pane, go to the Logon Settings page. On the General tab, click Modify Logon Configurations next to Logon Settings.
In the Modify Logon Configurations panel, configure the following parameters based on your business requirements and click Confirm.
Parameter | Description |
Max. Terminals | Turn the switch on or off. |
Available Terminals | The maximum number of Alibaba Cloud Workspace terminals to which an end user can be logged on at the same time. Valid values: 1 to 10. Available only if the Max. Terminals switch is turned on. |
Logon authentication settings
MFA
MFA adds an extra layer of protection to the authentication process. After you configure MFA, end users must provide the usernames, passwords, and dynamic codes sent by virtual MFA devices when the end users log on to Alibaba Cloud Workspace terminals. For more information, see Configure MFA.
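The dynamic codes that virtual MFA devices produce are typically time-based one-time passwords (TOTP, RFC 6238) built on HOTP (RFC 4226). The following server-side verifier is an added example, not Alibaba Cloud code; the assumption that EDS Enterprise's virtual MFA devices are standard TOTP authenticators (SHA-1, 30-second step, 6 digits) is mine, and the secret and timestamps used are the published RFC test vectors, included here as constructed data. It shows the two checks a verifier must make beyond computing the code: tolerate a small clock skew, and never accept a code for a time step at or before the last accepted one, so that a captured code cannot be replayed within its window.

```python
"""TOTP verifier for the dynamic codes of a virtual MFA device.

Added example, not Alibaba Cloud code. Assumes the device is a standard
RFC 6238 authenticator (HMAC-SHA1, 30-second step, 6 digits). The secret
and timestamps in the demo are the RFC 4226/6238 test vectors.
"""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; normalise and decode."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding dropped for readability
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Check a submitted code against the shared secret.

    - Accepts codes from +/- `window` time steps to tolerate clock skew.
    - Rejects any time step at or below `last_counter` (the high-water mark
      persisted per user/device), so a correct code cannot be replayed.

    Returns (accepted, new_last_counter); the caller stores the new counter.
    """
    if not (code.isdigit() and len(code) == digits):
        return False, last_counter
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # already used (replay) or older than the last accepted step
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test-vector secret (constructed)
    print(totp(demo_secret, 59))                                     # 287082
    print(verify_totp(demo_secret, "287082", 59, last_counter=-1))   # (True, 1)
    print(verify_totp(demo_secret, "287082", 59, last_counter=1))    # (False, 1) replay
```

`hmac.compare_digest` keeps the comparison constant-time, and returning the accepted counter rather than a bare boolean is what makes the replay check enforceable: the caller must persist it before completing the logon.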
Client logon verification
By default, this feature is disabled. After you turn on the Client Logon Verification switch, identity verification based on a verification code is required when an end user logs on to an Alibaba Cloud Workspace terminal from a new device. The verification code is sent to the specified email address. The logon is allowed after the verification is complete.
This parameter takes effect only if end users use convenience accounts to access cloud computers over the Internet.
Client logon verification for organization IDs
Log on to the EDS Enterprise console.
In the left-side navigation pane, go to the Logon Settings page. On the Security tab, turn on the Client Logon Verification switch.
Client logon verification for office networks
Log on to the EDS Enterprise console.
In the left-side navigation pane, go to the Office Networks page. In the upper-left corner of the top navigation bar, select a region.
On the Office Networks page, find the office network that you want to manage and click its ID.
In the Other Information section of the office network details page, turn on Client Logon Verification.
Note: The SSO, MFA, and Client Logon Verification features are mutually exclusive for an office network: only one of them can be enabled at a time. For organization IDs, the features are not mutually exclusive and can all be enabled at the same time.
SSO
Single sign-on (SSO) lets a user authenticate once and then access multiple trusted application systems without logging on to each one separately. SSO is implemented through identity federation.
The following terms are frequently used in SSO scenarios:
Identity provider (IdP): the system that manages user identities. An IdP collects and stores identity information such as usernames and credentials, and authenticates users when they log on.
Common IdPs:
On-premises IdPs, such as Microsoft Active Directory Federation Services (AD FS) and Shibboleth.
Cloud IdPs, such as Azure AD (now Microsoft Entra ID), Google Workspace, Okta, and OneLogin.
Service provider (SP): an application that relies on an IdP for identity management and provides services to users based on its trust relationship with the IdP. In identity systems that do not use the Security Assertion Markup Language (SAML), such as OpenID Connect (OIDC), the SP role is called the relying party (RP).
SAML 2.0: an XML-based standard for exchanging authentication and authorization assertions between an IdP and an SP. It is one of the technical implementations of SP-IdP communication and is the de facto standard for enterprise SSO.
After you enable SSO, end users log on to Alibaba Cloud Workspace terminals in SSO mode. For office networks, SSO is disabled by default. For organization IDs, SSO is enabled by default and cannot be disabled.
Procedure
To enable SSO, perform the following steps:
Log on to the EDS Enterprise console.
In the left-side navigation pane, go to the Office Networks page. In the upper-left corner of the top navigation bar, select a region.
On the Office Networks page, find the office network that you want to manage and click its ID.
In the Other Information section of the office network details page, turn on the SSO switch.
Note: The SSO, MFA, and Client Logon Verification features are mutually exclusive for an office network: only one of them can be enabled at a time. For organization IDs, the features are not mutually exclusive and can all be enabled at the same time.
References
For more information about how to configure SAML-based SSO, see Configure SAML-based SSO.
For best practices for integrating EDS Enterprise with identity providers (IdPs), see Single sign-on (SSO).