Elastic Desktop Service:Implement SSO for IDaaS users and convenience accounts

Last Updated: Dec 03, 2025

Implement single sign-on (SSO) by exchanging metadata files between Alibaba Cloud Identity as a Service and WUYING Workspace based on the SAML protocol. This process enables end users to use IDaaS access credentials to securely log on to WUYING Terminals. This topic describes how to complete this configuration.

Background information

Identity as a Service (IDaaS) is a cloud-native, cost-effective, and convenient identity and permission management system from Alibaba Cloud for enterprise users. For more information, see What is IDaaS EIAM?.

This topic uses Alibaba Cloud Identity as a Service (IDaaS) as an example to describe how to configure SSO for a convenience office network or an organization ID. You can adapt these steps to configure SAML-based SSO with your specific identity provider (IdP).

Configure SSO for an office network

Step 1: Enable the SSO feature for an office network

Perform the following steps to enable the SSO feature for the destination office network.

  1. Log on to the Elastic Desktop Service Enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Networks page, find the desired office network and click its ID.

  5. In the Other Information section of the office network details page, turn on the SSO switch.

    Note

    The SSO, MFA, and Client Logon Verification features are mutually exclusive for an office network: you can enable only one of them at a time. For organization IDs, these features are not mutually exclusive, and you can enable all of them at the same time.

Step 2: In the IDaaS console, configure WUYING Workspace as a trusted SP

  1. Log on to the Alibaba Cloud IDaaS console.

  2. On the EIAM page, on the IDaaS tab, create an IDaaS instance. For more information, see Create a free instance.

  3. Create an account. For more information, see Create an account.

    Note

    The account name that you create in the IDaaS console must be the same as the username of the convenience account in WUYING Workspace.

  4. Click the ID of the IDaaS instance. Then, in the EIAM console, add the EDS application.

    1. In the navigation pane on the left, click Applications.

    2. On the Applications page, click Add Application.

    3. On the Marketplace tab, enter EDS in the search box.

    4. On the card that appears, click Add Application.

    5. In the confirmation dialog box, click Add.

      The application is successfully added when its status is Enabled on the Applications page.

  5. Enable SSO for IDaaS.

    1. On the Applications page, find the application and click Manage in the Actions column.

    2. On the application details page, choose Sign-In > SSO.

    3. Set the SSO switch to Enabled.

  6. Configure EDS as a trusted service provider (SP).

    1. Enter the office network ID from Step 1.

    2. Select an application account as needed. For example, select IDaaS account.

      Note
      • By default, the IDaaS account name is used as the application logon identifier.

      • If you select Application Account, the application account name must be the same as the IDaaS logon account name to complete SSO. For more information, see Configure Application User for SAML.

    3. Select an authorization scope as needed. For example, select Accessible To All.

      Note

      If you want to allow only specific IDaaS accounts to access the application, select Manual Authorization. You must then add application authorization. For more information, see Authorization.

    4. Click Save.

  7. In the Application Settings section, find IdP Metadata and click Download to obtain the SAML metadata file.

Step 3: In the WUYING Workspace console, configure IDaaS as a trusted IdP

  1. Log on to the Elastic Desktop Service Enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Networks page, find the office network for which you want to enable SSO and click its office network ID.

  5. On the office network details page, in the Other Information section at the bottom, turn on the SSO switch.

  6. To the right of IdP Metadata, click Upload File and upload the SAML metadata file that you obtained in the previous step.

Configure SSO for an organization ID

The following procedure describes how to configure SSO for an organization ID, using an Employee Identity and Access Management (EIAM) account in IDaaS as an example.

Step 1: Add a SAML application and obtain the SAML metadata file

  1. Log on to the Alibaba Cloud IDaaS console.

  2. On the EIAM page, on the IDaaS tab, create an IDaaS instance. For more information, see Create a free instance.

  3. Create an account. For more information, see Create an account.

    Note

    The account name that you create in the IDaaS console must be the same as the username of the convenience account in WUYING Workspace.

  4. Add a SAML application.

    1. In the navigation pane on the left, click Applications.

    2. On the Applications page, click Add Application.

    3. On the Standard Protocols tab, click Add Application on the SAML 2.0 card.

      Important

      You can add applications that use standard protocols in IDaaS Enterprise Edition. If you are using the Free Edition of IDaaS, upgrade to the Enterprise Edition as prompted. For more information, see Instance Management. IDaaS Enterprise Edition is a paid service. For more information about billing, see Product Billing.

    4. In the dialog box that appears, enter an application name and click Add.

      The application is successfully added when its status is Enabled on the Applications page.

  5. Obtain the SAML metadata file.

    1. On the Applications page, find the application and click Manage in the Actions column.

    2. On the application details page, choose Sign-In > SSO.

    3. In the Application Settings section, find IdP Metadata and click Download to obtain the SAML metadata file.

Step 2: In the WUYING Workspace console, configure IDaaS as a trusted IdP

  1. In the left-side navigation pane, choose Users > Users & Organizations. On the Users & Organizations page, click the Enterprise Identity Source tab.

  2. On the Enterprise Identity Sources page, perform the following operations based on your business requirements:

    • If you have not added an enterprise identity source, click SAML to add an enterprise identity source.

    • If you have added an enterprise identity source, click Add Enterprise Identity Source in the upper-left corner. In the Add Enterprise Identity Source panel, click SAML.

  3. In the Add Enterprise Identity Source panel, configure the following parameters and click Confirm.

    • Enterprise Identity Source Name: The name of the enterprise identity source, which is used to identify the IdP.

    • Enterprise Identity Source Type: The type of the enterprise identity source. Select SAML.

    • IdP Metadata: The IdP metadata. Click Upload File to upload the metadata file of the IdP.

    • User Account Type: The type of the account. Valid values: Convenience Account and Enterprise AD Account. If you select Enterprise AD Account, you must also select an AD domain name.

  4. On the Enterprise Identity Sources page, find the enterprise identity source that you want to manage and click Edit in the Actions column.

  5. In the Edit Enterprise Identity Source panel, click Download File below Application Metadata.

Step 3: In the IDaaS console, configure WUYING Workspace as a trusted SP

  1. In the Alibaba Cloud IDaaS console, on the Applications page, find the SAML application that you created in Step 1 and click Manage in the Actions column.

  2. On the application details page, click Upload Metadata and select the application metadata file that you downloaded in Step 2.

    If a URL is automatically populated in the input box to the right of Upload Metadata, the upload is successful.

  3. To the right of Upload Metadata, click Parse.

    If URLs are automatically populated in the ACS URL and SP Entity ID fields, the parsing is successful. For more information about the fields for SSO configuration, see SAML 2.0 SSO configuration.

  4. Select the application account and authorization scope. For example, select IDaaS Account and Accessible to All.

    Note

    For more information about application accounts, see Configure Application User for SAML.

  5. Click Save.
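The Parse step above extracts the ACS URL and SP Entity ID from the uploaded application metadata. The following Python script, added here as an example and not part of the Alibaba Cloud documentation or product, performs the same extraction locally for either side's metadata file, so you can inspect the entity ID, the endpoints per binding, and whether an IdP file actually carries a signing certificate before uploading it. The sample SP metadata and the example.invalid URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def parse_saml_metadata(xml_text):
    """Return entity ID, role (idp/sp), endpoints by binding and signing-cert count.
    For metadata from an untrusted source, parse with defusedxml instead of ET."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    result = {"entity_id": root.get("entityID"), "role": None,
              "endpoints": {}, "signing_certs": 0}
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if sp is not None:
        result["role"] = "sp"
        # The ACS URL is where the IdP posts the SAML response after logon.
        for acs in sp.findall("md:AssertionConsumerService", NS):
            result["endpoints"][acs.get("Binding")] = acs.get("Location")
        role = sp
    elif idp is not None:
        result["role"] = "idp"
        for sso in idp.findall("md:SingleSignOnService", NS):
            result["endpoints"][sso.get("Binding")] = sso.get("Location")
        role = idp
    else:
        raise ValueError("no SP or IdP role descriptor found")
    # A usable IdP metadata file must carry the certificate the SP will use
    # to verify assertion signatures; a KeyDescriptor without "use" covers both.
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing") and kd.find(".//ds:X509Certificate", NS) is not None:
            result["signing_certs"] += 1
    return result

# Constructed sample SP metadata (the shape of the file the SP side exports).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Running `parse_saml_metadata(SAMPLE_SP_METADATA)` yields the SP entity ID and the HTTP-POST ACS URL; an IdP file with no signing certificate reports `signing_certs == 0`, which is worth catching before the upload step.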

Create users that match the enterprise IdP

Create a user that matches an IdP user in the Elastic Desktop Service console. For more information, see Create a convenience account or Create and manage enterprise AD accounts.

Note

When you create a user, you can specify a password for the user. The password of the user can be different from that of the IdP user with the same name.

What to do next

After you configure SSO, end users can log on to WUYING Terminals using their IDaaS identity.

Note

The following steps use Windows client V7.2.2 as an example.

  1. Open the Windows client, select Enterprise Edition in the upper part of the page, select the check box next to the privacy policy, enter an organization ID or office network ID from the received logon credentials, and then click the icon.

  2. On the IDaaS page, enter the IDaaS account name, mobile number, or email address, and then enter the password to log on to the client.

  3. (Conditional) If secondary authentication is enabled in the IDaaS console, complete the secondary authentication as prompted during logon.

    1. Select a secondary authentication method.

    2. Obtain a verification code from your selected notification method, enter the code, and then click Yes.

After you log on, find the card for the destination cloud desktop on the cloud resources page of the client. On the card, click Start and then Connect Cloud Computer.
