This topic describes how to implement single sign-on (SSO) between Alibaba Cloud Elastic Desktop Service (EDS) and identity providers (IdPs) such as Active Directory Federation Services (AD FS). After you configure SSO for an AD user, the AD user needs only to pass logon authentication at the IdP before the AD user can log on to the EDS client.

Background information

SSO (also known as identity federation) lets a user log on once and then access multiple mutually trusted application systems without authenticating again. The following terms are used in this topic:
  • identity provider (IdP): provides identity management services, collects and stores user identity information such as usernames and passwords, and authenticates users when they log on. AD FS and Shibboleth are two well-known IdPs.
  • service provider (SP): establishes a mutual trust relationship with an IdP and relies on the identity management services of the IdP to provide services to users.
  • Security Assertion Markup Language (SAML): a standard protocol for enterprise-level user authentication that is used to exchange authentication and authorization data between IdPs and SPs.

Alibaba Cloud supports SAML 2.0-based SSO. You can implement SSO between Alibaba Cloud EDS and your IdP such as AD FS based on SAML 2.0. After SSO is configured, you can securely log on to the EDS client by using the access credentials of your IdP.

This topic describes how to configure SSO for AD users. In the examples, AD FS on Windows Server 2012 R2 is used. After SSO is configured, AD users need only to pass identity authentication at AD FS before they can log on to the EDS client.

Step 1: Enable SSO in the EDS console

  1. Log on to the EDS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Overview.
  4. On the Overview page, find the workspace for which you want to configure SSO and click the workspace ID.
    You can search by region, workspace name, or workspace ID.
  5. On the workspace details page, enable SSO.
    1. Select Enable for SSO.
    2. In the Modify Workspace message, click OK.

Step 2: Configure AD FS as a trusted SAML-based IdP in the EDS console

  1. Obtain the IdP metadata file.
    1. Enter the following URL in the address bar of your browser to obtain the IdP metadata file.
      The URL used to obtain the IdP metadata file is in the following format: https://<AD server>/FederationMetadata/2007-06/FederationMetadata.xml. <AD server> indicates the domain name or IP address of the AD FS server.
    2. Download the IdP metadata file to your computer.
  2. Upload the IdP metadata file in the EDS console.
    1. On the Overview page, find the workspace and click the workspace ID.
    2. On the workspace details page, click Upload File in the Metadata File section.
    3. Double-click the IdP metadata file and click OK.
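Before uploading the metadata file, it is worth confirming that it really is IdP metadata, that it has not expired, and that it carries the signing certificate and HTTPS endpoints the SP will depend on. The following Python script is an added example, not part of the Alibaba Cloud documentation or of AD FS; it runs on a constructed, trimmed-down FederationMetadata.xml (the entityID, hostnames and the certificate text are placeholders) and reports what the EDS console will read from the file:

```python
"""Sanity-check an AD FS FederationMetadata.xml before uploading it to the EDS console."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (placeholder entityID, hostname and certificate bytes).
# A real AD FS metadata file is much larger and is itself XML-signed.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust" validUntil="2099-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBszCCAV0CAQEwDQYJ</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _parse_time(value):
    """Parse a SAML xs:dateTime in UTC (fractional seconds dropped)."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def inspect_idp_metadata(xml_bytes, now=None):
    """Return the fields the SP relies on plus a list of problems found."""
    now = now or datetime.now(timezone.utc)
    report = {"entity_id": None, "sso_endpoints": {}, "signing_cert_sha256": [], "problems": []}
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        report["problems"].append("root element is not md:EntityDescriptor")
        return report
    report["entity_id"] = root.get("entityID")
    valid_until = root.get("validUntil")
    if valid_until and _parse_time(valid_until) < now:
        report["problems"].append(f"metadata expired at {valid_until}; download a fresh copy")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        report["problems"].append("no IDPSSODescriptor: this is SP metadata or not SAML metadata at all")
        return report
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            report["signing_cert_sha256"].append(hashlib.sha256(der).hexdigest())
    if not report["signing_cert_sha256"]:
        report["problems"].append("no signing certificate: the SP cannot verify assertions")
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        location = svc.get("Location", "")
        report["sso_endpoints"][binding] = location
        if not location.startswith("https://"):
            report["problems"].append(f"{binding} endpoint is not HTTPS: {location}")
    if not report["sso_endpoints"]:
        report["problems"].append("no SingleSignOnService endpoint: users cannot be redirected to AD FS")
    return report


if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the file you downloaded in step 1 by replacing SAMPLE_METADATA with the file's bytes. The certificate fingerprint it prints is the one to compare against the AD FS token-signing certificate shown in AD FS Management, which is the quickest way to notice that the metadata was taken from the wrong server or before a certificate rollover.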

Step 3: Configure EDS as a trusted SAML-based SP in AD FS

  1. Download the SP metadata file in the EDS console.
    1. On the Overview page, find the workspace and click the workspace ID.
    2. On the workspace details page, click Download File in the Metadata File section.
  2. Log on to the server of AD FS and open the Server Manager.
  3. In the upper-right corner, choose Tools > AD FS Management.
  4. In the left-side navigation pane of the AD FS window, choose Trust Relationships > Relying Party Trusts.
  5. Add the relying party trust.
    1. In the Actions section on the right, click Add Relying Party Trust.
    2. Add the relying party trust by following the wizard.
      In the Select Data Source step, select Import data about the relying party from a file and import the obtained SP metadata file.
  6. Edit claim rules.
    1. In the list of relying party trusts, right-click the relying party trust that you added in the previous step and select Edit Claim Rules.
    2. In the dialog box that appears, click Add Rule.
    3. Configure the claim rules.
      Make the following configurations:
      • In the Choose Rule Type step, select Send LDAP Attributes as Claims from the Claim rule template drop-down list.
      • In the Configure Claim Rule step, select Active Directory from the Attribute store drop-down list. In the Mapping of LDAP attributes to outgoing claim types section, select SAM-Account-Name in the LDAP Attribute column and select Name ID in the Outgoing Claim Type column. Alternatively, select UPN in the LDAP Attribute column and select Name ID in the Outgoing Claim Type column.

Step 4: Log on to the EDS client by using the SSO feature

Notice: Before you use the SSO feature to log on to the EDS client, make sure that the EDS client can reach the AD FS server by its domain name.
After the SSO feature is enabled, when you log on to a cloud desktop from the EDS client, a browser window opens automatically and directs you to the AD FS page for authentication. Enter the identity information of the AD user, such as the username and password. After the authentication succeeds, you are logged on to the EDS client.
If the logon fails after you have entered the AD username and password, the authentication at AD FS has failed. The following list describes the possible causes and their solutions:
  • The AD username or password is invalid. In this case, log on to the AD domain server to look up the AD username or reset the password. When you reset the password, do not select the option that requires the user to change the password at the next logon.
    Note: If that option is selected when you create a user or reset a password, the user must change the password before the SSO feature can be used.
  • AD FS is incorrectly configured. In this case, log on to the AD FS server and check the relying party trust and the claim rule configuration.
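When AD FS accepts the password but the EDS logon still fails, the fastest way to tell a claim-rule problem from a trust problem is to read the SAML response the browser posted back (for example, captured with the browser's developer tools as the SAMLResponse form field). The following Python script is an added example, not part of the Alibaba Cloud documentation or of AD FS; it decodes a constructed, unsigned sample response (the IdP identifier, the SP identifier and the user are placeholders) and checks the fields that map to the troubleshooting list above: the status code, the issuer against the IdP metadata you uploaded, the audience against the SP metadata you downloaded, the validity window, and whether the Name ID claim that the claim rule in step 3 is supposed to produce is actually present. It does not verify the XML signature, so it is a diagnostic aid for reading captures, not a substitute for the SP's own validation.

```python
"""Decode a captured SAMLResponse and check the claims the EDS logon depends on."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed, unsigned sample response. Hostnames, identifiers and the user are placeholders;
# a real AD FS response carries a ds:Signature over the assertion.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T10:00:00Z" Destination="https://eds-sp.example/saml/acs">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@corp.example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://eds-sp.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# What the browser actually posts: the XML, base64-encoded, in the SAMLResponse form field.
SAMPLE_SAMLRESPONSE_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML).decode()
# Same response with the Name ID value stripped, as seen when no claim rule feeds Name ID.
SAMPLE_MISSING_NAMEID_FIELD = base64.b64encode(
    SAMPLE_RESPONSE_XML.replace(b">jdoe@corp.example.com<", b"><")).decode()


def _parse_time(value):
    """Parse a SAML xs:dateTime in UTC (fractional seconds dropped)."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def _text(element):
    return element.text.strip() if element is not None and element.text else None


def check_saml_response(samlresponse_field, expected_idp, expected_sp, now=None):
    """Decode the SAMLResponse field and report the fields that matter for the EDS logon.

    expected_idp: entityID from the IdP metadata uploaded to the EDS console.
    expected_sp:  entityID from the SP metadata downloaded from the EDS console.
    now:          xs:dateTime string for reproducible checks; defaults to the current time.
    NOTE: the signature is not verified here; this only explains a failed logon.
    """
    now = _parse_time(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(samlresponse_field))
    r = {"status": None, "issuer": None, "name_id": None, "name_id_format": None,
         "audience": None, "problems": []}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    r["status"] = status.get("Value") if status is not None else None
    if r["status"] != SUCCESS:
        r["problems"].append(f"AD FS reported a non-success status: {r['status']}")
    r["issuer"] = _text(root.find("saml:Issuer", NS))
    if r["issuer"] != expected_idp:
        r["problems"].append(f"issuer {r['issuer']!r} does not match the uploaded IdP metadata entityID")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        r["problems"].append("assertion is encrypted; the relying party trust has an encryption certificate set")
        return r
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        r["problems"].append("response contains no assertion")
        return r
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    r["name_id"] = _text(name_id)
    if r["name_id"] is None:
        r["problems"].append("no Name ID claim: check that the claim rule maps SAM-Account-Name or UPN to Name ID")
    else:
        r["name_id_format"] = name_id.get("Format")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        r["audience"] = _text(cond.find("saml:AudienceRestriction/saml:Audience", NS))
        if r["audience"] != expected_sp:
            r["problems"].append(f"audience {r['audience']!r} does not match the SP metadata entityID")
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            r["problems"].append("assertion not yet valid: check the clock on the AD FS server and the client")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            r["problems"].append("assertion expired: check the clock on the AD FS server and the client")
    return r


if __name__ == "__main__":
    result = check_saml_response(SAMPLE_SAMLRESPONSE_FIELD,
                                 "http://adfs.example.com/adfs/services/trust",
                                 "https://eds-sp.example/saml/metadata")
    for key, value in result.items():
        print(f"{key}: {value}")
```

A Name ID value that is an address such as jdoe@corp.example.com shows the UPN mapping is in effect; a bare account name shows SAM-Account-Name was mapped. Either is acceptable per step 3, but the value must be non-empty, and the audience and issuer must match the two metadata files exchanged in steps 2 and 3, or the EDS side will reject an otherwise valid AD FS logon.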