To implement Security Assertion Markup Language (SAML)-based single sign-on (SSO) between Elastic Desktop Service (EDS) and identity providers (IdPs), you must establish mutual trust between Elastic Desktop Service, which acts as a service provider (SP), and IdPs. In this case, you must configure SAML settings on both the Elastic Desktop Service side and the IdP side. After that, SSO can be implemented after end users log on to EDS terminals. This topic describes how to configure SAML 2.0-based SSO.
Background information
Single sign-on (SSO) is a secure communication technology that allows you to efficiently access multiple trusted application systems with a single sign-on. SSO implements logon based on identity federation.
For more information, see Configure logon methods.
Configure SSO in an office network
Step 1: Configure Elastic Desktop Service as a trusted SAML SP in an IdP
Obtain the SAML SP metadata file in the Elastic Desktop Service console.
Log on to the Elastic Desktop Service (EDS) console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a region.
On the Office Networks page, find the desired office network for which you have enabled SSO and click the office network ID.
On the office network details page, find the Other Information section, click Show to unfold the section, and click Download Metadata File to the right of Application Metadata.
Create an SAML SP in an IdP and use the downloaded metadata file to configure Elastic Desktop Service as a trusted SAML SP.
Step 2: Configure the IdP as a trusted SAML IdP in Elastic Desktop Service
In the Other Information section, turn on SSO. Then, SSO for the office network is enabled.
After you enable SSO, the logon page on EDS terminals is replaced with the logon page of the IdP.
Click Upload File to the right of IdP Metadata and upload the IdP metadata file to the EDS console.
NoteThe metadata file is in the XML format and includes the logon address of an IdP and the X.509 certificate. The certificate is used to verify the validity of SAML assertion issued by the IdP.
Step 3: Create a user that matches an IdP user
Create a user that matches an IdP user in the Elastic Desktop Service console. For more information, see Create a convenience account or the Create enterprise AD accounts section of the "Create and manage enterprise AD accounts" topic.
When you create a user, you can specify a password for the user. The password of the user can be different from that of the IdP user with the same name.
Configure SSO in an organization
Step 1: Configure the IdP as a trusted SAML IdP in Elastic Desktop Service
In the left-side navigation pane, choose .
On the Enterprise Identity Sources page, perform the following operations based on your business requirements:
If you have not added an enterprise identity source, click SAML to add an enterprise identity source.
If you have added an enterprise identity source, click Add Enterprise Identity Source in the upper-left corner. In the Add Enterprise Identity Source panel, click SAML.
In the Add Enterprise Identity Source panel, configure the following parameters and click Confirm.
Parameter
Description
Enterprise Identity Source Name
The name of the enterprise identity source, which is used to identify the IdP.
Enterprise Identity Source Type
The type of the enterprise identity source. Select SAML.
IdP Metadata
The IdP metadata. Click Upload File to upload the metadata file of the IdP.
User Account Type
The type of the account. Valid values: Convenience Account and Enterprise AD Account. If you select Enterprise AD Account, you must also select an AD domain name.
Step 2: Configure Elastic Desktop Service as a trusted SAML SP in the IdP
Obtain the SAML SP metadata file in the Elastic Desktop Service console.
In the left-side navigation pane, choose .
On the Enterprise Identity Sources page, find the enterprise identity source that you want to manage and click Edit in the Actions column.
In the Edit Enterprise Identity Source panel, click Download File below Application Metadata.
Create an SAML SP in the IdP and use the downloaded metadata file to configure Elastic Desktop Service as a trusted SAML SP.
Step 3: Create a user that matches an IdP user
Create a user that matches an IdP user in the Elastic Desktop Service console. For more information, see Create a convenience account or the Create enterprise AD accounts section of the "Create and manage enterprise AD accounts" topic.
When you create a user, you can specify a password for the user. The password of the user can be different from that of the IdP user with the same name.
References
For more information about the best practices for SSO between Elastic Desktop Service and IdPs, see the following topics: