All Products
Search
Document Center

Elastic Desktop Service:Implement SSO for EDS convenience accounts by using AD FS

最終更新日:Aug 06, 2024

If you use Active Directory (AD) domains to manage user accounts, you can use Elastic Desktop Service (EDS) as the service provider (SP) and Active Directory Federation Services (AD FS) as the identity service provider (IdP). Security Assertion Markup Language (SAML) is the protocol basis for the SP and IdP to exchange metadata files with each other to implement single sign-on (SSO). This topic describes how to implement SSO by using AD FS.

Background information

Single sign-on (SSO) is a secure communication technology that allows you to efficiently access multiple trusted application systems with a single sign-on. SSO implements logon based on identity federation.

The following terms are frequently used in SSO scenarios:

  • Identity provider (IdP): an entity that contains the metadata of an external identity provider. An IdP provides identity management services, collects and stores user identity information such as usernames and passwords, and verifies user identities on user logons.

    Common IdPs:

    • On-premises IdPs: use on-premises architecture, such as Microsoft Active Directory Federation Service (AD FS) and Shibboleth.

    • Cloud IdP: Azure AD, Google Workspace, Okta, and OneLogin.

  • Service provider (SP): an application that uses the identity management feature of an IdP to provide users with specific services based on trust relationships with IdPs. In specific identity systems that do not comply with the Security Assertion Markup Language (SAML) protocol, such as OpenID Connect (OIDC), SP is the relying party of an IdP.

  • SAML 2.0: a standard protocol for user identity authentication for enterprises. It is one of the technical implementations for communication between SPs and IdPs. SAML is a de facto standard that is used by enterprises to implement SSO.

If you create enterprise AD office networks in the EDS console to connect to your AD system, the EDS system collects your AD system information. If you do not want to do so, you can create convenience accounts whose information is the same as AD users in the EDS console to implement SSO.

Note

If an enterprise AD office network is created and connected to your AD system, implement SSO by configuring AD users. For more information, see Implement SSO for EDS for AD users by using AD FS.

Preparations

To create convenience accounts in the EDS console, choose one of the following methods:

  • Manual entry: Enter user information to create a convenience account one by one. This method is suitable for scenarios in which a few users exist.

    Important

    When you enter user information, make sure that the usernames of convenience accounts that you are creating are the same as those of AD users. Usernames are not case-sensitive.

  • Batch entry: Use a .csv file to import user information and create multiple convenience accounts at a time. This method is suitable for scenarios in which a large number of users exist.

If you use the batch entry method, perform the following steps to prepare a valid .csv file.

  1. Create a .csv file that contains AD user information on the AD domain server.

    1. Check whether existing user information meet format requirements.

      Important

      The usernames of AD users must meet the format requirements of usernames for EDS convenience accounts. Otherwise, you cannot create the conveniences accounts that correspond to AD users. For more information, see Username conventions of convenience accounts.

    2. Run the Get-ADUser command in PowerShell to export the .csv file that contains AD users.

      You can modify parameters in the command to export a .csv file based on your business requirements. For example, if you want to export a .csv file that contains all AD user information and save the file to a specific path, run the following command:

      Get-ADUser -filter * | export-csv <File path> -Encoding utf8

      If you want to save the file to the C:\Users directory and name the file test.csv, run the following command:

      Get-ADUser -filter * |export-csv C:\Users\test.csv -Encoding utf8
  2. Use the spreadsheet software to open the file, modify the format of user information based on the username conventions of convenience accounts, and then save the file.

    When you modify user information, take note of the following username conventions:

    • Formats:

      • User-activated convenience users: The first column is Username, the second column is Email address, and the third column is Phone. The third column is optional.

      • Administrator-activated convenience users: The first column is Username, the second column is Email, the third column is Phone, and the fourth column is Password. The second and third columns are optional.

    • In the exported .csv file, the SamAccountName column is considered as the username column and the UserPrincipalName column is considered as the email address column. If the actual email address of an AD user is different from that specified in the UserPrincpleName column, replace the current email address with a new one.

Step 1: Create convenience accounts

  1. Log on to the Elastic Desktop Service (EDS) console.

  2. In the left-side navigation pane, choose Users & Logons > Users & Organizations.

  3. On the Users & Organizations page, click the User tab and click Create User. Then, use one of the following methods to create a convenience account:

    Manually create a user

    1. Click the Manual Entry tab.

    2. Select a user type based on your business requirements.

      Valid values: User-activated and Administrator-activated.

    3. Enter the account information based on the user type.

      Important

      Email addresses are used for end users to receive notifications such as cloud computer assignment, logon information, initial passwords, or password reset links. Make sure that you specify correct email addresses.

      • User-activated: Enter a username and an email address for the convenience user that you want to create.

      • Administrator-activated: Enter a username and a password for the convenience user that you want to create.

    4. (Optional) Enter supplementary information about the convenience user based on your business requirements.

    5. (Optional) Select the organization to which you want to add the convenience user.

      You can select an organization in this step or add the convenience user to an organization after you create the user.

    6. (Optional) Specify whether to grant local administrator permissions to the user. By default, the Grant Admin Permission parameter is set to Yes. If you do not want to grant the permissions, select No.

      Note

      Local administrators can install software and modify system settings in cloud computers.

    7. (Optional) Configure the password validity period. By default, the password is permanently valid. You can also enter a validity period ranging from 30 to 365 days. When the password expires, you must change the password before you can proceed to log on.

      Note

      The feature is in invitational preview. If you want to use this feature, submit a ticket.

    8. (Conditional) Specify a point in time to lock the user if you want to create an administrator-activated user.

      After the user is locked, end users cannot use this account to log on to Alibaba Cloud Workspace terminals.

    Batch create users

    1. Click the Batch Entry tab.

    2. Select a user type based on your business requirements.

      Valid values: User-activated and Administrator-activated.

    3. (Optional) Configure the password validity period. By default, the password is permanently valid. You can also enter a validity period ranging from 30 to 365 days. When the password expires, you must change the password before you can proceed to log on.

      Note

      The feature is in invitational preview. If you want to use this feature, submit a ticket.

    4. Select one of the following methods to create a user information file:

      • Click Download to download a template for importing users. Open the template, enter user information in the format that is provided by the template, and then save the template.

        Note
        • If you want to create user-activated users, specify values in the first column Username and the second column Email in the template.

        • If you want to create administrator-activated users, specify the first column Username and the fourth column Password in the template.

      • Use Excel to open the template, enter user information, and then save the template as a .csv file.

    5. Click Select File to select the .csv file and follow the on-screen instructions to import users.

      After the file is imported to the EDS console, a message indicating that users are created appears in the Create User panel. Then, you can click View Account to check whether all users that you entered are imported. If you fail to import the file, check whether the user information in the file is in a valid format.

  4. Click Close.

    After you create the convenience user, you can view the user information on the User tab. The user is in the Normal state.

    Note

    The system does not send notifications when convenience users are created. It sends notifications to specified email addresses when you assign cloud computers or cloud computer pools to the users.

Step 2: Configure AD FS as the trusted SAML IDP in the EDS console

  1. Obtain IdP metadata file of AD FS and download the file to your local device.

    IdP metadata file URL: https://<AD FS server>/FederationMetadata/2007-06/FederationMetadata.xml. <AD FS Server> indicates the domain name or IP address of your AD FS server.

  2. Upload the IdP metadata file to the EDS console.

    1. Log on to the Elastic Desktop Service (EDS) console.

    2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

    3. In the upper-left corner of the top navigation bar, select a region.

    4. On the Office Networks page, find the office network for which you want to enable SSO and click the office network ID.

    5. On the office network details page, click Show in the upper-right corner of Other Information section, and then turn on SSO.

    6. Click Upload File next to IdP Metadata and upload the IdP metadata file.

Step3: Configure EDS as the trusted SAML SP in AD FS

  1. Obtain the metadata file in the Elastic Desktop Service (Enterprise Edition) console.

    1. Log on to the Elastic Desktop Service (EDS) console.

    2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

    3. On the Office Network (Formerly Workspace) page, find the office network for which you want to enable SSO and click the office network ID.

    4. In the left-side navigation pane of the office network details page, click the Other tab.

    5. On the Other tab, click Download Application Metadata File to the right of Application Metadata.

      The downloaded metadata file is automatically saved to the Download folder of your local computer.

  2. Upload the SP metadata file of EDS to AD FS.

    1. Log on to the server of AD FS and open Server Manager.

    2. In the upper-right corner, choose Tools > AD FS Management.

    3. In the left-side navigation pane of the AD FS window, choose Trust Relationships > Relying Party Trusts.

    4. In the Actions section on the right, click Add Relying Party Trust.

    5. Complete the subsequent operations as prompted.

      In the Select Data Source step, select Import data about the relying party from a file and import the SP metadata file of EDS. Retain the default settings in next steps.ADFS1

  3. Modify the claim issuance policy of the relying party trust and configure SAML assertion attributes for EDS.

    1. In the list of relying party trusts, right-click the relying party trust that you added in the previous step and select Edit Claim Issuance Policy.

    2. In the dialog box that appears, click Add Rule.

    3. Configure claim rules.

      Take note of the following items when you configure claim rules:

      • In the Choose Rule Type step, select Transform an Incoming Claim from the Claim rule template drop-down list.

      • In the Configure Claim Rule step, select UPN from the Incoming claim type drop-down list and Name ID from the Outgoing claim type drop-down list.

Step 4: Check whether SSO is configured

Note

In this example, the Windows client V7.2.2 of Alibaba Cloud Workspace is used.

  1. Launch the Windows client, select Enterprise Edition, select I have read and agree to Privacy Policy in the lower part of the page, enter the office network ID, and then click . pg_enter_orgid_or_networkid.png

  2. On the AD FS logon page, enter the username of a convenience account that you created. Then, the AD FS system verifies the user identity.

    After the identity verification is passed, you can find the desired cloud computer after logging on to the client. Then, hover the pointer on the card of the cloud computer, click Start and Connect Cloud Computer to use the cloud computer.